ML20154A742
| ML20154A742 | |
| Person / Time | |
|---|---|
| Site: | Crystal River  |
| Issue date: | 04/29/1988 |
| From: | Office of Nuclear Reactor Regulation |
| To: | |
| Shared Package | |
| ML20154A733 | List: |
| References | |
| TASK-124, TASK-OR NUDOCS 8805160139 | |
| Download: ML20154A742 (72) | |
Text
- - - - - __ _ - _
b EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION AUXILIARY FEE 0 WATER SYSTEM RELIABILITY (GENERIC ISSUE NO. 124)
WITH RESPECT TO CRYSTAL RIVER GENERATING PLANT, UNIT 3 l
l
)
l l
8805160139 880429 PDR ADOCK 05000302 P PDR
c' .'
CONTENTS A. EXECUTIVE
SUMMARY
AND CONCLUSIONS B. INTRODUCTION C. RESOLUT10F /PPROACH
- D. EVALUATIONS D.1 Design and Configuration D.2 Maintenance, Surveillance and Testing D3 Emergenev Operating Procedures D.4 Instrumentation and Control D.5 System Walkdown D.6 Training 0.7 Operating Experience and Peliability Analysis Appendix A - References Appendix B - NRC and Licensing Personnel Participating in AFW System Review i
FIGURES Figure Title ,
1 Flowpath for Emergency Feedwater -
2 Work Request Block Diagram 3 AFW Flow Control Valve EFV-55, with no Manual Operation Capability 4 DC Emergency Lighting in the AFW System Rcom 5 Steam Admission Valve ASV-5 6 Steam Admission Bypass Valve ASV-204 7 AFWS Turbine Overspeed Trip Fechanism and Trip and Throttle Valve ASV-50 8 AFWS Block Valve EFW-32 9 Turbine Generator with Locked Setting Knob, and Setting Instructions ;
10 Stop Check Valve EFV-7, Locked Open with a Chain and a Padlock 11 CR-3 LOMF and AFWS Actions 12 CR-3 Automatic Reactor Trips TABLES Table Title 1 Control Room Information Available to the Operator
? AFWS/EFIC Annunciator Alarms ii
CRYSTAL RIVER, UNIT 3 - AUXILIARY FEEDWATER SYSTEM OVERALL RELIABILITY ASSESSMENT A. EXECUTIVE SUWARY AND CONCLUSIONS This report contains the staff's assessment of the overall reliability of the auxiliary feedwater system (AFFS) for Crystal River linit 3 (CR-3). This review was performed in connection with the resolution of Generic Issue (GI-1?A),
"Auxiliary Feedwater System Reliability," which addresses AFWS reliability in certain plants.
AFWS reliability analyses indicated that many plants fall in the high ;
reliability range; however, several plants fell in the lower reliability '
range. While these plants met applicable licensing requirements for the AFWS, their system reliability was still in question. Some licensees for this latter group of plants implemented modifications to increase their AFWS reliabilities to an acceptable range. However, AFWS reliability for seven plants remained questionable. The plants in this category are Arkansas Nuclear One (ANO) Units 1 and 2, Fort Calhoun, Prairie Island Units 1 and 2 Rancho Seco, and CR-3.
The objective of the review under GI-124 is to evaluate the AFWS and to document any recomendations for further licensee action. This issue is considering the need for improvements in the AFWS beyond the original licensing basis.
The resolution approach adopted by the staff in its review of CR-3 relied on an audit of several factors that directly or indirectly affect the availability and reliability of the AFW system in addition to an assessment of numerical unavailability. These factors include design configurations; maintenance, surveillance and testing procedures and practices; operating l
j procedures; personnel training; operating experience; instrumentation ard .
control; and environment and accessibility for operator recovery actions I
i foitowing potential malfunctions. The AFWS numerical reliability criterion (10 4 to M 5 per demand) given in Section 10.4.9 of the Standard Review Plan (SRP) served as the basis for concluding that the AFWS in the seven plants of concern was acceptably reliable. Because the SRP criterion specifies censideratien of compensating factors such as the availability of other reliable decay heat removal metheds to justify a larger AFWS unavailability, an evaluation of compensatory features was also conducted.
A seven-person team reviewed documents and interviewed maintenance, operations, engineering, and training personnel and management. The review included a 3 day plant site visit.
The CR-3 AFW system flow paths are nomally open and discharge water to the steam generators without any AFW valve movement. The AFW system valve perfomance was reviewed by the staff in accordance with IE Bulletin 85-03, which describes motor-operated valve switch settings. CR-3 emergency operating procedures instruct the operators to initiate high pressure injection cooling ("feed-and-l bleed") if both the main feecwater and AFW systems are unavailable. Additional procedural guidance and clarity is necessary to utilize this mode of decay heat removal. The staff has concerns about "feed-and-bleed", including operability requirements and emergency operation (see Sections D.3 and D.7). However, the staff believes that the CR-3 "feed-and-bleed" system can be useful for primary system cooldown, as a backup to the AFW system, and a last resort if such a cooldev.n mode is initiated sufficiently early in the postulated event (see Section 0.7).
As discussed in Section D.7, CR-3's rate of unanticipated reactor scrams and loss-of-main feedwater (LOMF) events have been fairly high. In 1981, the rate of LOMF events peaked at eight LOMF events (events where one or more main feedwater purps tripped or flow degraded), with six of these events requiring AFWS actuation. In the same year, the plant had 12 unplanned reactor trips. The number of unplanned reactor trips decreased to two in 1984 but increased to nine in 1985, as compared to an industry average of 4.3 per reactor year for that year. The average rate of LOFF events for CR-3 is 4.7 per reactor year; 'be industry average for such events is 2 per reactor year. The yearly rates of LOMF, AFV initiation, and automatic reactor trips are plotted on Figures 11 and 12. Also plotted are the 3-year running averages (current year, the year before, and the year after) of the LOMF and the unplanned
?
0 C reactor trip rate. These figures show a trend for the rates of LOMF and reactor trips. Both peaked in 1982 and have declined since then. This may be indicative of increased licensee attention to and the effectivenss of the licensee's maintenance program.
The licensee conducted an AFWS reliability analysis that calculated an unavailability per demand of 4.7 x 10 4 using the methods and data presented in NUREG-0611 and NUREG-0635 (References 3 and 4). The licensee incorporated plant-specific failure data into the analysis in a separate study, and calcu-lated an unavailability of 1.7 to 1.9 x 10 # per demand. However, in the latter analysis, the licensee's departure from the methodology specified in the SRP makes it difficult to compare with the stated criterion. While the unavailability values calculated by the licensee exceed the SPP criterion of 1.0 x 10 4, the SRP states that alternate decay heat removal capabilities may be credited to o!fset the AFWS unavailability. The staff has interpreted the SRP criterion to pemit alternative means of decay heat removal through the steam generators as acceptable methods for improving decey heat removal capability when the AFKS does not meet the SRP numerical criterion. Examples include the addition of a third AFW pump or startup feedwater pump and AFW flow path and/or power supply interconnections between units. While the staff has also acknowledged the capabilty to remove decay beat in the "feed-and-bleed" mode, it has been considered a means of last resort and has not been found to be an acceptable alternative for removing decay heat because of the large uncertainties in its reliability, particularly with regard to operator action, and the potential adverse affects created by intentionally releasing reactor coolant into the containment. On the basis of the staff's evaluation of AFWS reliability and the SRP goal, the staff concluded that the licensee should ,
provide additional features for CR-3 to improve secondary side decay heat removal reliability such as those identified above.
The licensee was infomed of this conclusion, and in response, by letter dated March 25, 1988 comitted to install an additional source of secondary side decay beat renoval in order to reduce reliance on HPI / feed-and-bleed) cooling.
The details of the design and schedule for this modification will be developed in the future. With this comitment, the staff finds that appropriate irprovement in AFWS reliability will be provided to meet the SPP criterion.
3
7 On the basis of its review, the staff concludes that the CP-3 AFW system is generally well designed and instrumented. The staff also finds that the AFW system design and operation adequately consider other staff generic concerns raised within GI-124 (i.e., GI-68 with respect to environmental cualifications of the motor-driven AFW pump; GT-93 with respect to steam binding of the AFW pumps; GI-1?2.1.a.
b, and c with respect to isolation valve failure ar.d interruption and recovery of AFW flow; GI-122.2 with respect to initiation of feed-and-bleed; and GI-125.II.1.b with respect to single failure protection of existing AFW systems).
Therefore, the staff concludes that the licensee commitment to install an additional source of secondary side decay heat removal capability and consideration of the following additional enhancerents will ensure appropriate AFWS reliability. The licensee should implement changes based on the recomendations described below as appropriate. The staff considers GI-124 resolved for Crystal River, Unit 3.
The additional recomendations are:
(1) Some maintenance procedures did not have the necessary drawings, isolatinn reouirements or fire protection precautions. The licensee should review plant maintenance procedures and provide infomation that was missing (see Section D.? 2).
(2) Although about 75% of Priority 1 maintenance work as completed within approximately 1 month, the remaining 25% of that work required longer than 3 months to be completed. The licensee should 3et a goal for improving initiation and completion of Priority 1 work (Section D.2.2).
(3) Althcugh the licensee perfoms root cause analyses on high visibility ma,ior failures and transients, it does not have a femal root cause analysis pro-gram. The licensee should establish a femal root cause analysis program at least for the AFW and support system corponent failures (Section D.2.2).
(4) The staff found some discrepancies and deficiencies within procedures, such as missing equipment, references, the correct spare parts, and use of ambiguous teminology. The licensee shnuld improve its procedures by rectifyirg certain deficiencies (Section D.2.2).
4
(5) There are no standard maintenance or inspection procedures for the AFW pump turbine or the associated trip and throttle valve ASV-50. The licensee should develop standard maintenance and inspection procedures and determine an appropriate inspection frequency (Section 0.2.2).
(6) The licensee should perform a correlation between the predictive main-tenance program and the failure rate of the trended equipment to show the degree of effectiveness of such a program, or to point out other causes of equipment failure (e.g., human error). If the latter is determined, increased attention should be paid to operator performance (Section 0.2.2).
(7) Because of the relatively short time after loss of the secondary heat sink until high pressure inspection (HPI) cooling becomes essential, the licensee should take the following measures to improve the operator performance of the alternate decay heat removal imergency Operations Procedure (EOP) sections (see Section 0.3.2):
(a) The precise HPI cooling step in AP-380 should be indicated in AP-450.
(b) A time window should be specified and discussed in the operator training program. This window should indicate the length of time after HPI cooling criteria are met and before primary system saturation.
(c) Operator training on E0Ps should thoroughly explain the HPI cooling mechanism, flow characteristics and equipment capabilities, and initiation and termination criteria. E0P training should include
! simulator training.
(d) The licensee should reduce the E0P emphasis on operator training and memory by reducing the procedural ambiguities. The licensee 4 stated that Battelle Laboratories, Inc. has been contracted to review and improve the CR-3 E0Ps. The licensee should vigorously pursue the E0P improvement program.
5
(8) The licensee should improve the DC emergency lighting at the turbine-driven AFW pump location (Section 0.5.2).
(9) The training program for the new systems engineer position should include maintenance training or the engineer should be strongly encouraged to attend such training. The staff believes that this training will enhance the engineer's trouble-shooting and root-cause-analysis abilities (Section 0.6.2).
(10) The licensee should establish goals for decreasing the occurrance of loss of MFW events and unanticipated reactor scrams. These goals should be con- F sistent with the B&W Owners Group Safety and Performance Improvements Pro-gram (SPIP) recommendations as accepted by the staff. The licensee should then strive to achieve these goals in a timely manner (D.7.3).
(11) The licensee should address all the recommendations made in the Final Report of the B&W Owners Group SPIP Auxiliary Feedwater System Review, issued in May 1987. The licensee should then provide a schedule for implementing the relevant recommendations (0.7.3).
1 f
Il 6
1.
- 8. INTRODUCTION This report contains the staff's assessment of the reliability of the auxiliary feedwater system (AFWS) at Crystal River Unit 3 (CR-3), which is being done in connection with the resolution of Generic Issue (GI) 124. GI-124, "Auxiliary Feedwater System Reliability," addresses the reliability of AFW systems in certain plants. Reliability analyses for AFW systems indicated that many plants fell in the high reliability range * (References 3, 4, and 5), however, several plants fell in the lower reliability ranges. Licensees for 5,te of these plants implemented modifications to increase their AFWS reliability to an acceptable reliability range (high). However, the reliability of the AFW systems for seven plants remained questionable. These plants are ANO, Units 1 and 2, Fort Calhoun, Prairie Island, Units 1 and 2, Rancho Seco, and CR-3.
The eview of the Prairie Island plant, and initial review of ANO-2 under GI-124 have been completed (References 1 and 2).
I The objective of this review under GI-124 is to analyze the reliability of ,
the AFWS and to document any recommendations for further licensee actions.
Section C of this report discusses the NRC staff's resolution and evaluation philosophy for GI-124 and Section 0 presents detailed evaluations in various :
review areas. Appendix A contains the references. Appendix B lists the names of the NRC and licensee personnel who participated in this task.
- The reliability ranges in this context are defined as LOW (10 2 - 10 3 failures per demand), MEDIUM (10 3 - 10 4 failures per demand), and HIGH j (10 4 -10 5 failures per demand). '
l 7
I i ,
I
C. RESOLUTION APPROACH The staff believes that a high degree of availability and reliability for the AFWS can be achieved only if the system is adequately designed, properly maintained and well operated. Proper maintenance and operating practices help reduce component failures. These practices are enhanced by good training pro-grams for the maintenance and operations personnel, Good training programs also help the operations personnel understand the system's capabilities and its importance to safety. System understanding reduces failure as a result of maloperation of equipment and improves the likelihood of recovery in case of unanticipated component failures.
The staff believes that assessment of the above factors provides a signifi-cant indication of and basis for evaluating the degree of reliability of the AFWS. Therefore, the resolution approach adopted by the staff relied on an audit of several plant factors that directly or indirectly affect the availability of the AFW system. The items of this task include the following:
(1) Consideration of relevant information pertaining to the AFWS and support systems capability and reliability (e.g., systems descriptions, piping and instrumentation diagrams, logic diagrams, Safety Analysis Reports, AFWS Reliability Analysis, reports for the Institute for Nuclear Power Operations (INPO), reports from the NRC Offices for the Analysis and Evaluation of Operational Data and the former Office of Inspection and Enforcement, and staff Safety Evaluation Reports).
(2) Evaluation of plant operating experience with emphasis on the degree of failure repetitiveness and the rate of unanticipated automatic scrams.
(3) Evaluation of +.he AFWS maintenance, surveillance and testing, backlog of maintenance work-requests, and ability for failure root-cause analysis and l identification.
l (4) Evaluation of the clarity and accuracy of the AFWS-retated Emergency Operating Procedures, with emphasis on ease of recovery from faulted l
]
conditions, accessibility of equipment, and adequacy of instrumentation and Controls.
8
(5) Evaluation of the licensee's training programs for maintenance, operations, and engineering personnel.
(6) Appraisal of the system layout, eouipment labeling, environment during an accident, and equipment and surrounding cleanliness.
(7) Consideration of alternate plant features to maintain adequate core cooling if main and auxiliary feedwater systems becere inoperable.
(8) Review of plant modifications completed in response to the accident at three Pile Island Unit 2 (TMI-2).
The AFWS review team audit was not intended to replace other systematic staff reviews of any of these variables but to assess their effects on the overall AFWS reliability and availability.
When assessing the adequacy of AFW system reliability for the seven plants considered under GI-124, the staff used the numerical reliability criteria (no more than 10 # tn 10 5 failures per demand) of SRP Section 10.4.9 as a goal.
However, the staff did not rely solely on a rigorous numerical reliability assessment. The approach was to idertify deterministically, through the team inspection, those plant-specific items in AFW system design, maintenance, emergency operating procedures, training, and failure history that reduce, directly or indirectly, the reliability of the AFW system. The licensee / staff determined numerical AFW system reliability was supplemented by the credit that can be given for compensatino factors (e.g., AFW system crossconnections, startup feedwater pumps) in steam generator decay heat removal capability as has been the staff practice when crediting compensating features to justify a ]
lover AFWS availability per the SRP criterion. In determining such additieral credit, the AFWS review team relied on previous staff positions and on engineering judgmert. If the SRP criterion (HIGH reliability) was satisfied, the AFW syster was considered acceptably reliable. If the AFWS reliability did not satisfy the SRP criterinn, additional actions were evaluated /recoerended.
The licensee provided an AFWS reliability analysis to the staff. This analysis is further discussed in Section D.7.
9 e
The licensee previously performed a seismic qualification review (Reference 6)
- in accordance with Generic Letter 81-14, Seismic Resistance of AFW Systems.
That review determined that the AFWS has sufficient seismic capability to withstand a safe shutdown earthquake and accomplish its safety function.
In performing the overall AFWS reliability assessment, the staff reviewed licensee-supplied documents at NRC Headquarters and additional documents at the plant site, and interviewed maintenance, operations, engineering, and training personnel and management.
The AFWS review team consisted of five members from various technical disciplines, a team leader, and a contractor. The team effort included a 3-day plant site visit, and pre-visit and post-visit reviews. The names and organizations of the participants are listed in Appendix B.
l 10
. \
O. EVALUATIONS 0.1 Design and Configuration 0.1 1 Approach The staff reviewed the design and configuration of the CR-3 AFWS to assess overall system reliability. The documents reviewed included the AFW system ,
description (Reference 7); the design bases improved design control documentation for the AFWS (Reference 8); the emergency feedwater initiation and control system design documentation (Reference 9); the plant Technical Specifications; and previous staff evaluations of the AFWS. The staff also conducted a system walkdown to examine specific installation details and compare them to the system drawings. The system walkdown is discussed in section D.5.
D.1.2 Evaluation The Crystal River safety-related AFWS is seismic Category I, and consists of two pumps, one motor driven and one turbine driven (See Figure 1). Each pump will discharge 740 gpm at 1300 psig. Approximately 200 gpm is discharged back to the condensate storage tank for minimum recirculation. [I' should be noted that a licensee has filed a 10 CFR Part 21 notification with the NRC axpressing l concern about centrifugal pump operation at low recirculation flows and poten-tial pump damage as a result. The staff has issued an information notice (Reference 10) to all licensees.]
I 11 I I ,
Flow from both pumps is directed to both once-through steam generators (OTSGs) via 6-inch discharge lines. The motor-driven pump can be powered from one division of the emergency (diesel generator) power supplies. The turbine-driven pump is operated by a Terry turbine that receives steam supplied from both OTSGs through redundant DC motor-operated valves. A backup steam supply from fossil-fired Crystal River Units 1 and 2 can also be local-manually valved into service if required. The turbine is equipped with a Woodward governor and an overspeed ;
trip / throttle valve. The overspeed trip is mechanically actuated by the speed of the turbine shaft. Overspeed results in tripping the mechanical linkage that shuts the trip / throttle valvt and isolates steam flow to the turbine. The oversneed trip mechanism has to be reset manually at the equipment location before the pump can be operated again. The position of the trip / throttle valve ,
is indicated and alarmed in the control room.
Normal AFWS water supply is provided by the seismic Category I condensate storage tank (CST), which is located in an unprotected area; it contains at least 150,000 gallons of water, as required by the plant Technical Specification.
This volume is sufficient for decay heat removal (including the operation of two reactor coolant pumps) for approximately 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. A backup source of water is available from the condenser hotwell. To improve AFWS suction availability and provide a fully ,rotected water supply, the licensee is installing a new dedicated emergency feedwater tank, which will be located in a seismic Category I, tornado-wind-and-missile protected structure. This tank will be operable by the end of the refueling outage that started on September 1987.
The AFWS is automatically actuated and controlled by the safety-related emer-gency feedwater initiation and control system (EFIC). The EFIC initiates both AFW pumps on receipt of any of the following signals:
trip of all four reactor coolant pumps trip of both main feedwater pumps low level in either OTSG low pressure in either OTSG I
l 12 J
The EFIC will also (1) isolate the main steam and feedw J w ~sMM to '.he broken steam generator; (2) enable the "feed only good geneyator circuitry" (F0GG); and (3) automatically control flow based on the appropriate OTSG level setpoint. The OTSG level to be maintained is dependent upon whether or not the reactor pumps are running and if adequate subcooling margin exists. The flow control valves are normally open, DC solenoid operated; the will fail open on loss of power. Each discharge line also contains a normally open, fail-as-is, l DC powered block valve for automatic isolation of an OTSG on indication of excessive depressurization (steam or feedwater line break). (Further discussion of EFIC is in Section D.4.)
Support systems for the AFWS include the nuclear services closed-cycle cooling system, which cools the motor-driven AFW pump lube oil. No external support systems are required for the turbine-driven AFW pump, which receives lube oil cooling from the condensate water from the pump discharge.
Because the steam supply line for the turbine-driven pump is normally pres-surized in the AFW pump area, the motor driven AFW pump is qualified for opera-
- tion in the harsh environment resulting from a postulated steam line break.
Therefore, room cooling is not required to support AFWS operation. This design resolves the concern identified in Generic Issue 68 regarding environmental qualification of the AFWS equipment in a steam environment.
Features are provided to improve availability of the AFWS pumps. A small, I normally open bypass line around the steam admission valves in the steam supply line to the AFW turbine keeps the turbine warm and prevents condensate accumulation in the line to reduce the chance of turbine overspeed as a result of a water slug on pump start. The steam supply line is also equipped with steam traps to further reduce condensate buildup. To protect against steam binding of the pumps, an operator touchs the AFW pump discharge lines every shift (in response to IE Bulletin 85-01) to check for possible backleakage of steam or hot water through the AFWS check valves. Procedures are in place to vent the pump casing should backleakage be suspected. This alleviates staff concerns raised in Generic Issue GI-93 with respect to steam binding of AFW pumps. In addition, each AFW pump receives monthly operability surveillance checks in accordance with the plant Technical Specifications.
13
The staff finds from its review of the design and configuration of the AFWS that the licensee has provided features that will minimize the types of com-
, ponent failures experienced at other plants. In particular, the staff finds the following:
(1) A warming steam line to the AFW pump turbine will preclude overspeed trip caused by a water slug.
(2) No strainers in the AFW pump suction lines precludes loss of suction if the strainers are blocked.
(3) Monitoring of the AFW pump discharge lines for unacceptable check valve backleakage precludes steam binding of the pumps.
(4) A normally open discharge flowpath reduces the concern for motor-operated valves failing to open on demand. (This alleviates staff concerns raised in Generic Issue GI-122.1.a. b, and c with respect to isolation valve failure, and interruption and recovery of AFW flow),
(5) There is minimal reliance on support systems to ensure equipment operability.
D 1.3 Conclusion On the basis of its evaluation, the staff finds that the AFWS design and config-uration provide adequate means of delivering the design flow to the OTSGs,
! and is not subject to single failures that could compromise system safety
! function. This alleviates staff concerns raised in Generic Issue GI-125.II.1.b i with respect to single failure protection of the AFW system. With the in-stallation of the dedicated emergency feewater tank, the AFWS has sufficient diversity and protection for water supplies. The staff, therefore, concludes that the AFWS design and configuration contribute to and enhance the system's reliability.
l i
14
O.2 Maintenance, Surveillance and Testing l
0.2.1 Approach
, The reliability of a system depends to a large extent on the maintenance programs applied. Proper maintenance of a system can generally be reflected by component failure rate during operation, surveillance, and testing.
The AFWS evaluation team audited the AFWS-related maintenance work requests for the past 36 months. Component surveillance results and maintenance and surveillance procedures were also examined. Members of the team interviewed the plant engineers, maintenance and operations personnel, and management on the practices and organization of the maintenance programs. Training of the maintenance and operations personnel was also explored; it is further discussed in Section 0.6.
Since the staff performed an evaluation of CR-3 maintenance program and practices in November 1986 (Reference 11), the AFWS review team used that report as a basis for its evaluation of the AfWS maintenance, surveillance, and testing program. Because that report deals mainly with the administrative, organizational, and maintenance department objectives and goals, this section supplements that report with respect to maintenance, surveillance, and testing procedures; work requests; ano root cause analysis.
- 0. 2. 2 Evaluation The CR-3 maintenance program is composed of three parts. The first part is periodic maintenance (or preventive maintenance), surveillance, and testing.
These activities are identified in the plant operating procedures, preventive maintenance (PM) procedures, and Technical Specifications. The second part of the maintenance program is predictive maintenance. This part of the program evaluates the periodic surveillance and test data to determine potential 15
[
system degradation. The third part of the maintenance program is corrective maintenance. This is identified in the plant maintenance procedures (MP) and the plant work requests. Although the maintenance department has management / maintenance teams touring the plant on a periodic basis to identify deficiencies, it is the responsibility of any plant worker to report any potential system or component failures.
The backbone of the maintenance program is the work request form, which is used to describe the requested work (component or system repair, or periodic main-tenance) and the procedures to be followed. A block diagram for the work request is shown in Figure 2. The requestor describes the malfunction, its location, the equipment or system affected; hangs a maintenance tag on the piece of equipment; and submits the work request form to his/her immediate super-visor for approval. After the supervisor approves the request, the supervisor forwards it to the appropriate or responsible section planning department.
Each of the three major maintenance departments (mechanical, electrical, and instrumentation and control) has its own planning section composed of one to two planners. If the responsible shop cannot be determined by the immediate supervisor, the work request is sent to the Operations Planning Section, which will determine the responsible maintenance section and fomards the work request to it.
The planner from the Operations Planning Section reviews the work request to determine if the problem was identified correctly and if adequate information is provided. He/she then assigns a priority to the job. The plant has four priority classifications as follows:
Priority 1: Technical Specification violation, p3rsonnel safety or action statements. The job is started immediately and work is continued until completed.
Priority 2: Regularly scheduled work (routine work)
Priority 3: Outage work Priority 4: Refueling outage work.
16
The priority may be changed by the planner's supervisor, depending on the criticality of the work. The planner next writes the work instructions. The planner references the appropriate procedures or modification approval records (MAR) in the work request and states that the work shall be done in accordance with these procedwas. The MAR is written by the Engineering Department and contains detailed work instructions. The planner has the option to write a troubleshooting work request that references the troubleshooting maintenance procedure MP-531 (Reference 12). Upon completion of the troubleshooting, the original work request may be updated by the planner or a new work request may be written. ,
If the work request involves safety-related equipment or certain security equipment, before it can be approved by the planning supervisor it is sent to Nuclear Quality Engineering (NQE) Department. NQE evaluates the work request to determine what quality control (QC) inspections are needed. This step is not required if the work request is for troubleshooting only.
The work request is then sent to the shift supervisor for approval and on to the appropriate shop for completion of the work. When the work is completed, the mechanic, electrician, or other craft person provides a summary of the 4 work done. The summary is signed by the immediate supervisor and sent to the Operations Planning Section. The summary is then reviewed by the Planning Section and by Maintenance Administration and then is sent to document control for filing.
Based on the review of the AFWS-related work requests generated during the past '
36 months, the AFWS team has the following observations:
(1) There were only about 15 Priority 1 work requests in this time period; this shows that the equipment is being well maintained.
(2) There were infrequent work requests dealing with repeat failures or prob-lems; this indicates that the planners and maintenance personnel are generally able to determine the root causes of failures.
17
(3) Themajority(about75%)ofthePriority1workwascompletedwithin approximately 1 month of the initial work request date. Themajorityof the Priority 2 and 3 work was completed within 2 months of the initial work request date. This generally indicates a small maintenance backlog and the timeliness of work initiation and completion. Statements made by the shop superintendents during the staff interviews were consistent with the above observation.
It has taken the licensee at least 3 months to complete the balance of the Priority 1 work. In one case, it took more thin a year to complete a particular job, and this was attributed to the paperwork rqt being completed. Considering the criticality of the Priority 1 work, the licensee should set a goal for improving work initiation and completion.
(4) The Work Requests reviewed by the team seemed to rely heavily on the use of maintenance procedures. Appropriate referencer (MPs, PMs, and Surveillance Procedures) were identified; however the necessary drawings, isolation requirements, ard fire protection precautions were not attached to the work requests. The licensee stated that they were normally attached. The copies provided the staff were incomplete.
The licensee has a trending analysis done by an outside consultant on certain equipment operating parameters (b',aring vibration, oil analysis, temperature measurements,etc.). These data are used to predict and prevent safety-related and critical equipment failures. Althcugh this program has been in operation for several years, the licensee stated that no correlation exists to show wheth'.-
the predictive maintenance program is sufficiently effective in reducing the failure rate of the trended equipment or to point out other causes of equipment ,
failure (e.g., human error). The licensee should perform such a correlation.
It should be noted that a 3-year running average of the loss of main feed-water events and the automatic reactor scram rate at CR-3 show a definite identifiable trend that peaked in 1982, but steadily decreased since then (see Section 0.7).
18
Although repeat failures were observed to be few, discussions with the licensee showed that there was no formal root cause analysis program in the maintenance department. The plant does, however, perfoi.n a root cause analysis on high visibility (major) failures and transients and trips. In these events specific plant procedures are followed in determining the root cause. The Operations Technical Advisor, using procedures, collects the operational data and determines the mot cause of the trip or transient. The Engineering Department, using sr ..ric plant procedures, evaluates the root causes of the equipment malfunction associated with the transient or trip. On other failures the Engineering Department may become involved in the evaluation of the problem only at the request of the Maintenance Department. If the Engineering Depart-ment is requested to perform a root cause analysis, the same procedures used to determine the root cause of a transient or trip would be followed in performing a root cause analysis of the malfunctioning equipment. The licensee has a goal of establishing a formal root cause analysis program; however, the objectives of that program have not yet been deterrrined. The staff endorses the implementation of the root cause analysis program at least for AFWS components and support systems.
The review team also has the following additional observations on the main-tenance, surveillance and testing program:
(1) Before any job is started, a safety briefing is held to go over the procedures and any personal safety aspects. If a job is unfamiliar or new, a pre-job meeting is held by the maintenance crew to discuss the procedures required and any special instructions or training.
(2) The licensee stated that the warehouse keeps a fair inventory of part, for plant repairs. However, for certain equipment, the licensee indicated 1 that it is easier to send the equipment back to the manufacturer for repair.
(3) The licensee is developing a new position in the Engineering Department for systems engineers. This type of engineer will be responsible for a particular system and will monitor its operating and maintenance history l and documentation. The staff encourages this idea and feels that such a 1 l
19 l l
l
Although repeat failures wt-re observed to be few, discussions with the licensee showed that there was no formal root cause analysis program in the maintenance department. The plant does, however, perform a root cause analysis on high visibility (major) failures and transients and trips. In these events specific plant procedures are followed in determining the root cause. The Operations Technical Advisor, using procedures, collects the operational data and determines the root cause of the trip or transient. The Engineering Department, using specific plant procedures, evaluates the root causes of the equipment malfunction associated with the transient or trip. On other failures the Engineering Department may become involved in the evaluation of the problem only at the request of the Maintenance Department. If the Engineering Depart-ment is requested to perform a root cause analysis, the same procedures used to determine the root cause of a transient or trip would be followed in performing a root cause analysis of the malfunctioning equipment. The licensee has a goal of establishing a formal root cause analysis program; however, the objectives of that program have not yet been determined. The staff endorses the implementation of the root cause analysis program at least for AFWS components and support systems.
The review team also has the following additional observations on the main-tenance, surveillance and testing program:
(1) Before any job is started, a safety briefing is held to go over the procedures and any personal safety aspects. If a job is unfamiliar or new, a pre-job meeting is held by the maintenance crew to discuss the procedures required and any special instructions or training.
(2) The licensee stated that the warehouse keeps a fair inventory of parts for plant repairs. However, for certain equipment, the licensee indicated that it is easier to send the equipment back to the manufacturer for repair.
(3) The licensee is developing a new position in the Engineering Department for systems engineers. This type of engineer will be responsible for a particular system and will monitor its operating and maintenance history and documentation. The staff encourages this idea and feels that such a 19
. .' l i
4 person would be an enhancement to any root cause analysis program at the ,
plant, because this engineer will be actively involved in the system operation and maintenance.
(4) The licensee stated that the technical library for maintenance manuals was located in the mechanical maintenance shop, and was readily available for all plant personnel. All the manuals were cross referenced by system, component, and manufacturer. The staff finds that this is a good policy in that all manuals are centrally located for easy reference.
(5) The licensee stated that the rate of maintenance staff turnover is low.
(6) Plant officials take pride in the predictive maintenance program, which has been in effect since 1978. This is evidence of the licensee's commitment to being able to anticipate system or component failures and correcting them, which enhances long-term operability and safety of the plant.
(7) Plant management seems to take pride in their work force. It was stated that reliance was placed on plant workers and periodic management / maintenance team tours are conducted to identify problems.
(8) All maintenance personnel hired by the plant start at the journeyman level and must go through the CR-3 training program. This ensures that there is uniformity in training of maintenance personnel and that they know the systems and procedures. There could, however, be a problem if the pool of trained journeymen in the CR-3 geographical area shrinks; then the company may have to consider training at the apprentice level.
(9) The maintenance, surveillance, and preventative maintenance procedures were of sufficient detail so that the procedures can be easily understood and readily accomplished. They are reviewed on a bi-annual basis and any comments are reviewed and incorporated as appropriate. The staff finds this to be a good policy. However, the staff found some discrepancies and 20
l 7- deficiencies within the procedures, such as the following: (a) necessary test / repair equipment not listed in the procedure; (b) appropriate references not listed (particularly in technical manuals); (c) ambiguous terminology and use of inappropriate terminology (i.e. , retermination to mean reconnect);
and (d) maintenance procedure MP-121 on pump repacking should include tables similar to the ones in MP-111 (Reference 12) Valve Packing Procedure and Specifications. The tables should show the pump and which type of packing to use for each pump (braided packing or grafoil loose ribbon).
As the procedure is presently written, it relies on the mechanic to either know what type of packing to use or he must disassemble the pump to determine the packing based on what was used before. This could lead to problems if the wrong packing is used. ;
l l
(10) There are no standard maintenance or inspection procedures for the auxiliary feedwater pump turbine or the associated trip and throttle valve ASV-50.
The licensee stated that maintenance / inspection procedures would be written in a work request on an as-needed basis. Considering the criticality of these components, the staff believes it would enhance the reliability of the turbine-driven AFW pump if the licensee inspects the turbine and valves internals on a periodic basis. Based on the staff's evaluation of other plants with similar components and frequency of use (surveillance testing and emergency actuations), the staff believes that a procedure should be developed to disassemble and inspect the components on a regular frequency.
0.2.3 Conclusions The AFWS team reviewed the CR-3 maintenance, surveillance, and testing proce-dures, and took a note of the manner in which these procedures are implemented, the licensee's statements vnd commitments, and this work-related attitude of the maintenance and engineering staffs. The AFWS review team concludes that s;bject to the staff's recommendations above and in Sections D.6 and 0.7, the maintenance and surveillance programs do not degrade AFWS reliability.
21
D.3 Emergency Operating Procedures D 3.1 Approach The staff reviewed the Crystal River emergency procedures (Peference 13) for use of the AFWS and other decay heat removal means in accident and transient conditions. These procedures are symptom oriented and are based on the most recent Babcock and Wilcox Abnormal Transient Operating Guidelines (AT0G).
Of particular interest are the Emergency Feedwater Actuation (AP-450) and Engineered Safeguards System Actuation (AP-380) procedures, which provide guidance to the operator for ensuring a means of decay heat removal following a transient condition when the nonnal means (main feedwater system) is not available. These procedures were discussed with the licensee's operating staff in order to better understand how and when the operators will use the procedural guidance in detennining actions to be taken given various failures in the AFWS.
D.3.2 Evaluation Procedure AP-450 is used by the operators whenever the AFWS is to actuate.
The procedure instructs the operator to establish a heat sink with the OTSG by verifying proper OTSG 1evel with either AFWS or main feedwater system providing flow. The reouired OTSG 1evel is dependent upon whether the reactor coolant pumps are running and whether adequate subcooling margin exists. With no main l
feedwater or AFW available, the operator is instructed to start "HPI/PORY coolitig" and refer to Procedure AP-380. AP-380 instructs the operator to start both HPI pumps, then open the power operated relief valve (POPV). Although these instructions are simple, no additional procedural guidance is given regarding the specific plant conditions to be observed or satisfied before HP!/PORV cooling or "feed-and-bleed" is initiated. Moreover, the precise step in AP-380 tc which the operator is to proceed for instruction on "feed-and-bleed" l
initiation is not indicated in AP-450.
22 l
In response to the above observation, the licensees' representatives, who included a shift supervisor and a senior reactor operator, indicated that the 6perators have received significant training on loss-of-all-feedwater events and feed-and-bleed cooling. They added that operators have also undergone substantial sirulator training in this area. For that reason, the licensee stated that reliance is placed on their knowledge to ensure that the correct steps are taken to confirm a loss of the secondary heat sink and then to promptly and correctly initiate feed-and-bleed. The licensee also stated that the operators are trained that there is limited time available to take the necessary actions to ensure decay heat removal following a loss of the OTSGs. The importance of these actions are recognized by the licensee since the B&W ATOGs do not incorporate any means of decay heat removal other than "feed-and-bleed" as a backup to the main and emergency feedwater.
Other means of decay heat removal on loss of main and emergency feedwater, such as rapid depressurization of a steam generator and feedwater addition by use of a condensate purp are nonr. ally included in the emergency operating procedures for Westinghouse and Combustion Engineering designed plants. However, because of the smaller secondary side inventories in B&W plants and shorter times to core uncovery on loss of all feedwater, no method other than prompt feed-and-bleed ccoling is considered viable when there is a loss of main feedwater and AFWS on these plants.
The staff believes that because of the relatively short time after loss of the secondary heat sink until HPI cooling becomes essential, the following should be done: (a) the precise HPI cooling step in AP-380 should be indicated in AP-450, (b) a time window should be specified and discussed in the operator training program (indicating the length of time after HPI cooling criteria are met and before primary system saturation), and (c) the training program should thoroughly explain the HPI cooling mechanism, flow characteristics and equipment capabilities, and initiation and termination criteria. E0P training should also include simulator training.
The staff has also observed that the emergency procedures provide no instruction for a parallel effort to recover a secondary heat sink (either main feedwater or AFWS). The staff did note, however, that AP-380 provides guidance on transfer 23
from feed-and-bleed back to a secondary heat sink once either main or emergency feedwater flow is reestablished. The licensee indicated that although it is not specifically stated, the plant operators will be making every effort to restore the AFWS or recover main feedwate. as the preferred reans of decay heat removal.
The licensee also informed the staff that Battelle Laboratories, Inc., has been contracted to review the CR-3 operating and energency procedures and propose human factors improvements. The question of procedural ambiguity will be considered as part of the Battelle effort. The staff believes this is ar important task because of its concern that the current emergency procedures place excessive emphasis on operator training and memory and do not provide a sufficient level of detail, as discussed above. As further amplification of this concern, the staff notes that the licensee has received notices of violation in the past for failure to follow procedures. The licensee indicated that these resulted from cases where procedures were not specific, and the operator took actions based on experience and past practice.
E0P improvements sought in the discussion above also address staff concerns raised ir Generic Issue GI-122.2 with respect to initiation of feed-and-bleed.
D.3.3 Conclusion On the basis of the above, the staff concludes that the licensee's emergency procedures for response to off-nortnal conditions involving AFWS actuation and loss of secondary heat sink are generally well structured. However, the staff believes that additional detail and specificity are needed to enhance the operator's response to abnormal transients by reducing reliance on their experience and memory. Therefore, the staff reconnends that additional guidance be provided to the operator for initiating feed-and-bleed. The operators should be fully aware of the time available to take the necessary actions to preclude primary coolant saturation and core uncovery. This effort should be part of the current human factors review of the plant procedures.
24
I O.4 Instrumentation and Control 0.4.1 -Evaluation Approach One of the objectives of the review team was to audit the AFWS instrumentation and control circuits which include the newly installed EFIC system. As part of that audit, the review teams conducted a walkdown of the as-built system and compared it to the design in the following areas:
(1) electrical and instrumentation control system drawings (Reference 14) for conformance to Standard 279-1971 of the Institute of Electrical and Electronics Engineers (IEEE) (i.e., independence, single failure, automatic, and manual initiation) and NUREG-0737, Item II.E.1.2 (2) control room and drawings to verify that the operator has indication for normal and abnormal conditions (loss of main feedwater and loss of offsite power) in accordance with tne Emergency Procedures and Regulatory Guide 1.97, "Instrumentation for Light Water Cooled Nuclear Power Plant and Environs Conditions During and Following an Accident" D.4.2 Evaluation The CR-3 AFWS is a Class 1E system consisting of two independent trains.
Each train is capable of supplying emergency feedwater to either or both OTGSs, from either of two water sources, under automatic or manual initiation and control. Figure 1 is a piping and instrumentation diagram of the AFW system; a system description is given in Section 0.1.
The condensate storage tank (CST) is the main source of AFW supply; the main condenser hotwell is the alternate source.
Valves EFV-1 and EFV-2 are interlocked so they can be opened only if at least one of the two DC powered condenser vacuum breaker valves is open. A common cause failure could affect the vacuum breaker valve position or the interlock circuitry for the valves EFV-1 and -2, thus preventing the access to 25
s I
the hot well water. However, there is sufficient time after the low level signal to change suction sources before the AFW pumps net positive suction head (NPSH) is lost. If the remote-manual switching of pumps suction fails,
' an operator is dispatched to open or close the proper valves.
The AFW pumps discharge through their de-energized and locked open stop-check valves EFV-7 and EFV-8. The pump discharge lines may be cross-connected through a 6-inch line containing two locked closed manual valves, EFV-12 and EFV-13.
The two AFW trains are powered from diverse power sources. AFW pump EFP-2 is turbine driven, and AFW pump EFP-1 is AC motor driven, with back-up power from the emergency diesel generator. Valves EFV-3, EFV-4, EFV-7, and EFV-8 are locked open with their power supplies disconnected both locally and at the motor control center.
The EFIC system determines the need for emergency feedwater by continuously monitoring certain plant conditions, actuates the AFW system by starting both pumps and opening valves as necessary to provide a flow path to the OTSGs, and then controls the water flow to maintain the water level in the steam generators. Additionally, the EFIC system performs the following functions:
(1) Controls the rate of OTSG water level increase to minimize overcooling of the primary system. The rate of level rise is controlled between 2 and 8 inches per minute, and increases with the OTSG pressure. This automatic function can be overridden and manually controlled outside these limits.
(2) Isolates the main steam and main feedwater line of a depressurized steam l
generator.
l (3) Selects the appropriate steam generator (s) to supply AFW in the event of a steam or feedwater line rupture. This function is called "feed only good generator" (FOGG).
(4) Terminates AFW to a steam generator that approaches an overfill condition.
l 26
(5) Controls the atmospheric dump valves to maintain steam pressure at a predetennined setpoint.
j The EFIC system consists of four separate channels: A, B, C, and D. Each channel is contair.ed in a separate cabinet and powered from a separate vital AC bus through an inverter. The EFIC cabinets are located in separate rooms of the control complex. Each channel receives analog inputs from steam generator level and pressure instruments on each OTSG. The instruments that provide input to the EFIC system are dedicated solely to EFIC and have no other plant control functions. All four EFIC channels receive the following analog inputs:
- "Low Range" Level (0-150 inches) from the A and B OTSG The transmitters for this signal use the same lower taps as the startup range instruments. The upper taps for these instruments use existing, previously unused taps located at the 277-inch level on the OTSGs, This signal is used for the detection of low level conditions and for level control when the system is :entrolling at the low level setpoint (24 inches).
- "High Range" Level (0-100%) frem the '. and B OTSG The transmitters for this signal use. the same level taps as the cperating range instruments. This signal is used for detection of high level con-ditiens (overfill) and for level conditions when the system is controlling at the 65% or 95% ECC setpoints.
- OTSG Outlet pressure (0-1200 pSIG)
The transmitters for this signal use the pressure taps that were formerly used by the main steam rupture matrix pressure switches. This signal is used for detection of low OTSG pressure, differential pressure between the A and B OTSGs for the FOGG logic, control of the atmospheric dump valves, and temperature compensation of the level signals.
27
The OTSG 1evel signals are temperature compensated by a compensation module located in each of the EFIC cabinets. Compensation is based on the saturation temperature.for the indicated OTSG pressure.
Each EFIC channel also receives the following digital inputs from NI/RPS, and ESAS as follows:
(1) both main feedwater pumps tripped and reactor power > 20%.
(2) reactor power > 10%; this signal is used as a permissive to allow bypassing of AFW initiation on loss of all reactor coolant pumps (RCPs).
(3) RPS channel in bypass.
(4) Stop/run status of all RCPs from the pump power monitors.
Channels A and B only also receive input signals from the engineered safeguards actuation system (ESAS). If both the A and B ESAS HPI channels are actueted, both trains of AFW will be initiated.
During plant operation, the EFIC system constantly monitors the input signais to determine if a condition has developed that requires the initiation of AFW.
The analog signals are also compared to predetermined setpoints in bistable relays, and an AFW initiate signal is issued if a parameter increases or decreases beyond the setpoint. These bistable relays (unlike the ones in the RPS) will automatically reset when the initiating parameter returns to its normal operating band.
The digital inputs from ESAS and NI/RPS actuate digital logic in EFIC to initiate AFW if conditions require it. Each EFIC channel can issue an initiate command, but an actual AFW initiation will take place only if at least two channels issue initiate commands.
All four EFIC channels input their initiate commands to the AFW trip logic modules. These trip logic modules are physically located in the A and B EFIC channel cabinets.
28
The trip module located in the A cabinet actuates the A AFW train (motor-driven pump), and the trip module located in the B cabinet actuates the B AFW train (turbine-driven pump). To cause a train of AFW to initiate, both the Bus 1 and Bus 2 relays must be energized for both relays to be energized; at least two channels of EFIC issuing an initiate command will result in the actuation of at least one train of AFW. Because all four EFIC channels monitor the same parameters, they all issue initiate commands at the same time, and both AFW trains start anytime AFW is initiated.
The AFW actuation logic is called a 1-out-of-2 taken twice logic, which refers to the channel coincidence logic required to cause an actuation. The exception to the logic is the actuation of AFW when HPI is actuated. The logic from the ESAS is input directly into the AFW trip circuits and does not require any EFIC coincidence logic. If HPI is actuated in both the A and B channels, both trains of AFW will be actuated.
The EFIC system wil automatically initiate AFW upon detection of any of the following conditions:
(1) Loss of both main feedwater pumps and reactor power > 20%.
(2) Low level (1 6 inches) in either OTSG.
(3) Loss of all RCP:;.
(4) Low pressure (i 500 PSIG) in either OTSG.
(5) HPl actuation of both A and B ESAS channels.
When the AFWS is actuated the following actions take place:
AFW TRAIN A:
Motor-driven AFW pump (EFP-1) starts.
Valve EFV-2 receives an open signal (although, the licensee stated that EFV-1 and EFV-2 both have their power removed during normal operation to protect against inadvertent opening).
29
The control valves EFV-57 and EF-58'are released and allowed to control flow. These valves are normally in the full open position when no actuation signal is present.
Vector logic is enabled.
AFW TRAIN B:
Valves ASV-5, ASV-204, MSV-55, and MSV-56 receive open signals.
Valves EFV-1 receives an open signal.
The control valves EFV-55 and EFV-56 are released and allowed to control flow. These valves are normally in the full open position when no actuation signal is present.
Vector logic is enabled.
After AFW has been actuated, flow will be controlled by modulating the AFW control valves to maintain OTSG level at setpoint. If the control valves H/A stations had not been in "Auto", the AFW actuation will cause them to be placed in auto. The setpoint to be maintained is automatically determined by the control modules located in the A and B EFIC cabinets. The module in the A cabinet controls flow from the A AFW train to the A and B OTSG, and the module in the B cabinet controls flow from the 8 AFW train to the A and B OTSG.
If AFW is actuated and at least one RCP is running, the system will control OTSG level at approximately 24 inches. This control setpoint is completely separate from the ICS low level limits. If no RC pumps are running, the control module will select a setpoint of 65% on the EFIC high range instru-ment. The control modules also have a ramp rate function that controls the rate of OTSG level increase between approximately 2 and 8 inches per minute.
The parameter that determines the actual ramp rate is OTSG outlet pressure 30
l When pressure is at the low end of the control band (about 800 psig), the low ramp rate is selected. For higher steam pressures, the ramp rate will be proportionally higher, up to a maximum of 8 inches per minute when steam pres-sure is about 1050 psig.
When a decrease in level setpoint occurs, the controller reduces the setpoint at 200 inches per minute. These rate limits may be defeated by taking the control valve H/A stations located on the PSA panel to HAND. If AFW is initiated and a condition occurs that requires that the OTSG level be raised to the ECC level (95%), the operator may manually select this setpoint from the setpoint station on the PSA/EFIC panel. While the system is in this mode, the operator may manually select between the 65% and 95% level setpoints, as conditions warrant. However, if an RC pump is started, the system will automatically select the 24-inch setpoint.
The vector logic or control logic is used to terminate AFW flow to a steam generator if its level is too high (AFW Overfill) or if its steam pressure is too low (FOGG) logic.
The vector logic differs from the initiate logic in that the OPEN/CLOSE commands are issued to the AFW control and isolation valves directly from each individual EFIC channel. Each EFIC channel has the responsibility for 2 valves as follows:
EFIC channel A controls valves EFV-57 and 58 EFIC channel B controls valves EFV-55 and 56 EFIC channel C controls valves EFV-11 and 32 EFIC channel D controls valves EFV-14 and 33 Vector logic can only command the valves to be fully open or fully closed; is completely separate from the analog control circuits that modulate the control valves to maintain OTSG levels. The vector logic is blocked from per-forming any functions based on low OTSG pressure until it receives a VECTOR ENABLE input, which is provided by the initiation of AFW.
31
Once the VECTOR ENABLE signal input is provided, the logic continuously moni-tors OTSG pressure and will issue OPEN or CLOSE commands to the AFW control and/or isolation valves. Under normal circumstances, when AFW is initiated with no low OTSG pressure or high OTSG level signal present, the vector logic will issue OPEN comands to the AFW isolation and control valves. The command is issued to the AFW isolation valves even though they are normally open. The OPEN command issued to the AFW control valves simply clous a con-tact in the control circuit that is open when there is no AFW initi '. ion signal present and allows the OTSG 1evel control circuits to modulate the valves as necessary. Should a high level condition occur, the vector logic will close the isolation and control valves to the affected steam generator. It will also issue open commands when OTSG level decreases to the RESET level.
This EFIC AFW overfill protection feature does not require that AFW be initiated in order to perform its function. The vector logic will also open or close the AFW isolation and control valves in response to signals from the F0GG logic.
When the vector logic is enabled and no AFW overfill signal is present, the valve open/close commands are determined by the relative values of the OTSG pressures as follows:
SG-A valves SG-B valves '
Pressure Status comand command SG A and B > 600 psig OPEN OPEN SG A > 600 psig and SG B < 600 psig OPEN CLOSE SG A < 600 psig and SG B > 600 psig CLOSE OPEN SG A < 600 psig and SG B < 600 psig AND SG A and B within 125 psig OPEN OPEN SG A 125 psig > SG B OPEN CLOSE SG B 125 psig > SG A CLOSE OPEN 32
Lights at the top of each EFIC cabinet indicate the OPEN/CLOSE command being directed to that channel's vector valves.
After an AFW initiation, the operator may gain control of the system pumpr and isolation valves by pressing the MANUAL PERMISSIVE button for the appropriate AFW train (A or B). This will allow the operator to shut down pumps and position valves as required to handle the situation. When the system is placed in MANUAL, the trip busses are cleared, and if the AFW control valves are left in AUTO, they will return to the fully open position.
Loss of power to the EFIC system or component failures within the EFIC cabinets will result in an INITIATE signal from the channel that is experiencing the problem. A total power failure to the C or D EFIC cabinets will result in these channels issuing an INITIATE signal to the trip logic modules in the A and B cabinets.
A complete power failure to the A or B EFIC cabinets will result in a loss of function of the associated train of AFW and all other functions carried out by the affected channel of the EFIC system. For example, a loss of power to the A EFIC cabinet will result in the loss of function of the A (motor-driven) AFW train and also the MSLI and MFWI functions from the A EFIC system. The motor-driven pump may be started, but there will be no way to control the flow control valves, which will be wide open. The loss of power to the A cabinet will also result in an INITIATE signal from the A EFIC channel to the trip logic in the B cabinet. The B EFIC channel will then be in a half-trip situation. In this case, an INITIATE signal from either the B or D channel will result in the initiation of AFW, and MSLI or MFWI, whichever function is called for. The above logic will also apply to the A EFIC channel if the loss of power occurs in B, except that the additional INITIATE signal will have to come from l
channel C or D to complete the half-trip into a trip.
To prevent inadvertent initiations of EFIC functions as a result of voltage i surges caused by changing of power supplies (inverters), the A and B EFIC cabinets each have a bistable module that monitors the 15-v DC power supply to the channel trip logic. In the main event of a reduced voltage condition, this 33
bistable will trip and result in the interruption of power to the entire cabinet. This will result in a full loss of power to the affected cabinet (A or B), as discussed above.
After the installation of EFIC, numerous AFW initiators were experienced (e.g.,
turbine trips or main steam isolation valve (MSIV) closures). These initiations were caused by indicated low OTSG levels, which were caused by pressure spikes that resulted from the closing of the turbine throttle valves or, in some cases, the MSIVs. The pressure spikes sere momentary in nature and quickly cleared when the transient was over. Once the pressure spike cleared, the OTSG 1evel indication returned to normal.
To stop these inadvertent AFW initiations, the licensee installed a time delay relay between the low level initiate bistable and the AFW initiate module in each of the four EFIC cabinets. These relays insert a 2.5-second delay between the bistable trip and an AFW INITIATE command before it is issued to the trip logic. This delay allows the pressure spike to clear and the bistable to reset before the AFW initiation occurs. The delay only affects the AFW initiation based on low OTSG level. All other AFW initiation functions are unchanged.
The time delay relay mentioned above is not seismically qualified. However, the licensee stated that a seismically qualified solid state relay mounted on the bistable is to be installed during the refueling outage, which began September 19, 1987.
While the system is operating in the manual mode after an AFW initiation, if the condition that caused initiation clears, the system will revert back to the automatic mode of operation; it will reinitiate AFW if a condition occurs that requires it.
The AFW trains may be manually actuated by the operator by pressing both AFW INITIATE buttons on the control panel. The system will respond in exactly the same way as if it were automatically actuated.
- 34
During the audit, licensee personnel advised members of the team that in the B EFIC channel, a non-safety-related cable was routed in close proximity to safety related cables within the upper region of the channel compartment.
The worst case event, due to a failure of the cable, would result in a loss of power to the B channel. This event is not considered to be significant to plant safety because the A channel is totally redundant to the B channel, and all EFIC safety functions would still be available. Prior to the audit, the licensee had issued a Nonconforming Operations Report and a Field Problem Report Evaluation / Resolution Sheet. A work request, number 81681, has been initiated to resolve this non-conformance. The work is scheduled for completion during the September 1987 outage. The AFWS review team finds the licensee's actions acceptable.
To ensure the reliability of the EFIC system, a surveillance and maintenance program is in place, which includes the following surveillance procedures:
(1) SP-183 EFIC Transmitters Channels Calibration The objective of this procedure is to provide a frethod for calibrating the EFIC steam generator level and pressure transmitters and the emergency feedwater flow transmitters at refueling intervals.
(2) SP-416 Emergency Feedwater Automatic Actuation The objective of this procedure is to verify the overall operability of the EFIC system. This proedure will verify EFIC channel inputs, EFIC channel outputs, all EFIC bypass functions, EFIC controller response and internal setpoints, EFIC initiate functions, EFIC trip functions (automatic and manual), and EFIC alarm and ccmputer functions. This i
procedure is performed each refueling outage only if cold shutdown has not occurred.
(3) SP-146 EFIC Monthly Functional Test The objective of this procedure is to verify the operability of the inservice bistables internal to the four EFIC channels. This procedure is performed monthly.
l 35 l
l
Fuse and thermal overload setpoint maintenance and calibration is provided for in the licensee's Quality Operating Manual. This manual contains procedures for checking and set 4 ng overcurrent relays. This is performed at each refueling outage. For certain other motor overloads, Gilbert Associates, Inc. has sized the thermal overloads. In addition, the associated valve operators and valves are stroked while the overload protection is monitond.
The CR-3, design provides instrumentation for the operator to use during all modes of normal operation, including operational transients, and to verify safety system performance following an accident and manually perform required safety functions. The information for the EFIC and AFW systems includes indicators, records (for level, pressure, and flow), status lights for pumps, valve position indication, annunciators, and alarms.
The scope of the staff review audit included tables of system variables and component states to be indicated, functional diagrams, electrical drawings, emergency procedures, and submittals on conformance to Regulatory Guide 1.97.
The information available to the operator in the control room is shown on Table 1. AFWS annunciator alarms are shown on Table 2.
D.4.3 Conclusion Relevant logic diagrams and simplified diagrams (Reference 14) were reviewed to determine if a single failure of equipment (or single error by operators) could prevent the accomplishment of the safety function (to provide adequate cooling water to the steam generators following transients and accidents). On the basis of its review of the AFWS, which includes the EFIC, the staff concludes that the system is designed with due consideration of safe failure modes, if conditions such as disconnection of the system or loss of energy are experienced.
Therefore, the staff finds that the AFWS satisfies the requirements of GDC-23, "Protection System Failure Modes."
The staf f also concludes that the EFIC and AFW system design provide the necessary provision to sense accident conditions and anticipated operational occurrences that will satisfactorily initiate the operation of the AFW system. Therefore, the staff finds that the AFW system satisfies the requirements of GDC 20, "Protection System Function."
36
l Table 1 Control Room Information Available to the Operator EFV-1 C/S EFP-1 flow 0-820 gpm EFV-2 C/S EFP-2 flow 0-820 gpm EFV-11 C/S EFV-14 C/S OTSG-A low level 0-150 inches EFV-32 C/S OTSG-A high level 0-100%
EFV-33 C/S OTSG-B low level 0-150 inches OTSG-B high level 0-100%
ASV-5/20^ C/S OTSG-A HDR Pressure 0-1200 psig OTSG-B HDR Pressure 0-1200 psig EFV-55 HAND / AUTO CST level 0-35 feet EFV-56 HAND / AUTO Hotwell level 0-130 inches EFV-57 HAND / AUTO EFV-58 HAND / AUTO 37
.' o Table 2 AFW/EFIC Annunciator Alarms AFW FLOW PATHS NOT FULLY READY EFV-3 NOT FULL OPEN EFV-4 NOT FULL OPEN EFV-7 NOT FULL OPEN EFV-8 NOT FULL OPEN EFV-11 NOT FULL OPEN EFV-14 NOT FULL OPEN EFV-32 NOT FULL OPEN EFV-33 NOT FULL OPEN FWV-34 NOT CLOSED FWV-35 NOT CLOSED MOTOR-DRIVEN PUMP EFP-1 OUT OF SERVICE (BREAKER RACKED OUT)
EFP-1 LOSS OF DC CONTROL PWR EFP-1 CONTROL SWITCH IN PULL TO LOCK EFP-1 HOTOR OVERLOAD EFP-1 MOTOR TRIP EFP-1 FAIL TO START EFP-1 AUTO-STARTED EFP-1 DISCHARGE PRESSURE LOW DIESEL GENERATOR In 30-minute rating At 25 minutes of 30-minute rating 38
Table 4-2 (continued)
- CHEMICAL ADDITION TROUBLE EFT CHEMICAL SOLUTION TANK LOW LEVEL EFP-3 CHEMICAL ADDITION PUMP INOPERABLE
- TURBINE-DRIVEN PUMP MSV-55 NOT OPEN MSV-56 NOT OPEN AFW INITIATED AND EITHER ASV-5 or ASV-204 NOT OPEN, AFTER A 5-SECOND TIME DELAY EFP-2 TURBINE TRIPPED ASV-50 NOT OPEN EFP-2 FAIL TO START EFP-2 AUTO STARTED
' AUXILIARY FEEDWATER SYSTEM ACTUATED _
i
- A STEAM LINE ISOLATED
- A FEEDWATER LINE ISOLATED
' EFIC BYPASSED EFIC CHANNEL (A or B or C or D) BYPASSED (Maintenance)
(Will also a73rm when any test switch is in other than the NORMAL position) i 39
It was determined that adequate independence between trains was provided so that any single failure of components in a train will not prevent the other train from completing its safety function. In addition, it was demonstrated that the EFIC and manual initiation signals and circuits for the AFWS also comply with the single failure criterion. On the basis of its review, the staff concludes that the CR-3 AFWS instrumentation and control circuitry conform to the design-basis requirements of IEEE-Std-279-1971 and enhances the reliability of the AFWS.
The staff also concludes that the information system important to the AiWS includes appropriate variables and that their ranges are consistent with the guidelines identified in Regulatory Guide 1.97. Therefore, the staff finds that the information systems satisfy the requirements of GDC-13, "Instrumentation and Control," for monitoring variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions.
0.5 System Walkdown 0.5.1 Approach A key part of the staff's site visit to Crystal River was an AFWS walkdown.
The walkdown afforded the staff the opportunity to examine the as-built system configuration, specific components, location of equipment, and potential inter-action with surrounding equipment. The system walkdown had two main objec-tives. One was to confirm that the installed system conformed to the staff's understanding of the system design basis as identified in previous evaluations and to determine if the system is subject to any previously unidentified common cause failure mechanisms or hazards (e.g., flooding, fire, missiles, suction strainers, etc.). The other main objective was to examine the ease of operator access to vital equipment for performing necessary recovery actions, including an assessment of local emergency lighting, comunications, and other factors.
40
The walkdown covered the entire piping and component layout from the condensate storage tanks (the existing tank as well as the new tank which is currently under construction) through the pumps to the discharge line valves; it included the turbine-driven AFW pump steam supply line, support system piping, switchgear, and local and remote controls and instrumentation.
- 0. 5. 2 Evaluation On the basis of the walkdown, the staff was able to confirm that the as-built configuration was in conformance with the design basis and previous evaluations, particularly the NUREG-0737, Item II.E.1.1 evaluation. The staff confirmed that the correct valves were locked in their proper position with a chain and padlock.
Further, the internals of the single valve in the suction line to the AFW pumps from the existing condensate storage tank have been removed to eliminate this as a single point of vulnerability that could cause a loss of suction supply. The staff also noted that the four AFW flow control valves were not provided with a hand wheel for local operation, (Figure 3). These valves, EFV-55, -56, -57 and -58 (Target Rock, electrically positioned control valves) are spring loaded, solenoid-operated valves; they are designed to fail open upon loss of electrical power. Position indication for these valves is provided in the control room and on the remote shutdown panel. No position indication or control capability is provided at the valve locationr.
These valves are modulated by the EFIC system to control the flow to each OTSG; they use a 4- to 20-milliamp signal. This signal controls a 125V DC motive power, which effects the valve movement. No single failure will stop the flow to the OTSGs by closing all four valves. If a common mode failure causes the electrical
'ignals to close the valves, the operator may interrupt the power to the valves l
and thus cause them to fail in the open position.
From the walkdown, the staff also confirmed that no additional source of common cause failure appeared to be present in the area containing the AFWS components.
l l
The staff verified that electrical components including the AFW pump motor, motor-operated discharge block valves, and flow control valves, and instrumenta-tion including flow indication and the EFIC system were qualified for the steam 41 t
4- environment resulting from a postulated break in the normally pressurized tur-bine-driven pump steam supply line located in the pump area. This alleviates the concerns raised in Generic Issue GI-68 with respect to the environmental qualifications of the AFWS equipment in a steam environment. The staff noted that the pumps were separated by a wall that provides internal missile protec-tion. Flood protection is provided becuase the essential equipment is located in a large open area of the intermediate building. Also, no strainers were present at the AFW pump suction, which removes the potential for suction strainer blockage.
In addition to the above, the staff confirmed that one train of the AFWS was provided with fire protection in accordance with the criteria of 10 CFR 50, Appendix R. One of the AFWS block discharge valves on each of the two flow trains is entirely enclosed in a box constructed of fire-retardant material.
The staff expressed concern about accessibility to the valves for maintenance purposes or for potential emergency recovery actions. However, the licensee indicated that the fire-retarding box material can easily be torn open; it can also be reconstructed following regular mainter.ance or emergency handling of the valves.
The licensee has initiated a program according to the guidelines of IE Bulletin 85-01 regarding steam binding of AFW pumps. The licensee monitors (by touching) the AFW pump discharge lines once every shif t to verify that back-leakage of steam or hot water from the OTSGs through the discharge line check valves is not Excessive. If the AFW pump discharge line is hot to the touch, the operator is instructed, by procedures, to vent the pump casing. The licensee stated that no incidents of backleakage have been identified at CR-3. This addresses staff concerns raised in Generic Issue GI-93 with respect to steam binding of AFW pumps.
The staff notes that additional protection against loss of suction will be provided after startup from the next refueling outage by the addition of the dedicated AFW tank. This tank, which is currently under construction, is located in a seismic Category I, tornado-wind-and-missile protected enclosure. It will serve as a source of AFW supply and will contain water in excess of the minimum required by the plant's Technical Specifications.
42
Part of the system walkdown included an evaluation of the plant communication and lighting systems in the AFW areas. The communication system for the remote shutdown area and the EFIC control panel areas consists of two independent telephone systems (normal line and a dedicated "red" line), the plant public announcement (PA) system, a telephone jack system (whereby a portable handset can be plugged-in and used), and hand-held radios. The review team found this to be satisfactory for this area. The communication system for the AFW pump cubicle area consists of a telephone in a soundproof booth and hand-held radios.
However, there was no evidence of the plant PA system, the "red" dedicated tele-phone system, or the telephone jack system in the immediate vicinity. The re-view team finds the communication systems available in the AFW pump cubicle area to be minimal but acceptable.
The lighting system for the AFWS areas (pump cubicles, EFIC panel rooms, and remote shutdown area) consists of normal and emergency AC flourescent fixtures and battery pack incandescent lighting. The review team found this to be ade-quate for the EFIC cubicles and the remote shutdown area. However, for the AFW pump cubicle area, the lighting is inadequate, particularly during the postulated station blackout scenario when dependence on proper operation of the turbine-driven AFW pump is imperative. The DC emergency lighting in this area consists of a battery pack located in the overhead; it provides general area lighting for the motor-driven AFW pump cubicle, the turtine-driven AFW pump cubicle, and the access to those areas (Figure 4). Because of the amount and location of piping and cable raceways in the overhead, the aiming of the incandescent lights, the loca-tion of the turbine governor controls, and trip and throttle valve and various AFW valve control / status panels, the review team concluded that DC emergency lighting would not provide adequate illumination to control or monitor the AFW system during accident and transient conditions. The staff was informed that the licensee was in the process of upgrading the emergency lighting in the plant in accordance with 10 CFR 50, Appendix R. This may alleviate the staff's concern in this area. However, adequate lighting for the turbine-driven AFW pump cubicles, as well as the AFW valve and pump control panels is important. The illumination level should be a minimum of 10 foot-candles at the work station (NUREG-0700).
43
The evaluation team has the following additional observations:
(1) During the AFW system walkdown the staff noted that the degree of equip-ment and structural cleanliness was very good 1 (2) The AFW system components are easily accessible for short-term remedial actions (e.g., manually starting the turbine-driven pump by opening the steam admission valves ASV-5 and ASV-204, or resetting an overspeed trip by resetting the overspeed mechanism on the trip and throttle valve ASV-50; see Figures 1, 5, 6, and 7), or for long-term remedial actions (e.g., manually controlling the AFW flow to the OTSGs locally at valve locations EFV-11, 14, 32, and 33, see Figure 8).
(3) The licensee posts simplified instructions at the equipment locations.
This helps speed equipment resetting or adjustment under stressful con-ditions (see Figures 7 and 9).
(4) Labelling of plant equipment and indications of flow directions are good.
This reduces the potential for confusion in emergency situations (see Figures 3, 5 through 8 and 10).
(5) A number of valves were locked in the open position, while others were locked closed. The team also noted that the turbine governor adjustment knob is locked (see Figure 9) and the licensee used chains and padlocks (see Figure 10). This ensures that the valve positions and governor's adjustment knob will not be changed without proper authorization.
- 0. 5. 3 Conclusions On the basis of the walkdown, the staff concludes that the as-built configuration of the AFWS is consistent with the design-basis documentation.
In addition, the staff concludes that identifiable common cause failures have been adequately considered by the system design, configuration, and layout.
If the licensee gives appropriate consideration to the staff concerns identified above, the staff concludes that the AFW system as designed, installed, and instrumented, contributes to safe and reliable operation during accident or transient conditions.
44
D.6 Training 0.6.1 Approach The evaluation team reviewed the CR-3 training program to establish an understanding of the licensee's commitmant to maintain and enhance the proficiency level of its maintenance, operations and engineering staffs. The review consisted mainly of interviews with training instructors and the training coordinator.
The team also inspected some training documentation and training equipment.
D. 6. 9. Evaluation The CR-3 Training Group is located at a licensee-owned off-site training facility and is composed of four groups. The operator training group is charged with operator and non-licensed-operetor training. The technical training group is charged with maintenance training (electrical, mechanical, and instrumentation and control) and health physics trai.1ing. The control group is charged with the administrative control of the training program (e.g., documentation, computer tracking of employee training / qualification),
and the training library. The academic training group is charged with development of lesson plans and instructor training.
All maintenance personnel hired by the plant are already qualified as journey-l men. However, they must take the Florida Power Corporation's (FPC) training i program for CR-3. The program consists of up to 2 years of both schooling and on-the-job training. The training program also includes continuing training and refresher courses.
The journeyman undergoes approximately 2 years of training depending on his/her qualifications. Within the first 6 months he/she takes a systems training course and a procedures course, which deals with adherence to plant procedures. He/she then, depending on his/her speciality, takes between 500 to 700 hours0.0081 days <br />0.194 hours <br />0.00116 weeks <br />2.6635e-4 months <br /> of funda-mental and plant specific training over the balance of the 2 year period.
This portion of the program makes use of the job performance manual, which is a 45
l
\
check-off list for specific tasks. To be quilfied, the journeyman must demorJ; ,ompetency to perform a specific task (e.g., repair a l pump, repack a valve, etc.). The qualification may require some additional classroom training before the job is performed in the plant. Classroom training is required for tasks affe-ting safety-related systems and/or componants. On-the-job training is performed with supervision until the trainee has been qualified.
If someone is hired at the apprentic9 level, that person is encouraged but not required to complete the basic apprentice level courses at a community college or its equivalent. Although the licensee will pay for the apprentice level courses, the employee must do this on his/her own time and at his initiative.
He/she still is required to complete the licensea's training course, which only requires that tha employee pass the task requirement / knowledge to be qualified to perform the task.
In addition to the journeyman training program, the CR-3 Training Department also has a requalification/ continuing-refresher training program. This program consists of approximately 100 hours0.00116 days <br />0.0278 hours <br />1.653439e-4 weeks <br />3.805e-5 months <br /> of training per person per year. It stresses important ano safety-related systems and equipment and is continually updated to incorporate new equipment, data and techniques. It also makes extensive use of vendor training materials and methods. The licensee stated that all new contracts for new equipment will include a requirement that the vendor train plant personnel on such equipment. In addition to the 100 hours0.00116 days <br />0.0278 hours <br />1.653439e-4 weeks <br />3.805e-5 months <br /> of training per year, if an employee has been away from a task or has not per-formed the task for approximately 6 months, or has lost the skills required to perform the tasks as determined by his/her supervisor, he/she is required to take retraining and/or requalification ceurses on the task prior to performing the task.
Through its inspection of training documentation and through interviews, the evaluation team found the maintenance training program to be thorough and detailed. It makes extensive use of manufacturer materials, technical bulletins, sales bro-chures, technical manuals, demonstration models, actual plant equipment (e.g.,
I EFIC cabinets), spare and used plant equipmeat and parts, and on-the-job training.
INPO accredition of the maintenance training program was recently received.
i 46
i During the discussions on the maintenance training program, the staff found that the Engineering and Operations Departments were not fully incorporated into this training program. Personnel were encouraged to take the courses but were not required to do so. Training for the new systems engineer position (discussed in Section D.2) will be the same training as that given to the plant engineers. They would be given the option to audit or sit-in on the maintenance course associated with the systems for which they are responsible.
The review team recommends that the system engineer be required (or, as a mini-mum, strongly encouraged) to take the maintenance courses, qualification courses, and continuing education courses associated with the system for which he/she is responsible. The staff believes that such courses will enhance the engineer's trouble-shooting and root cause analysis capabilities for the auxiliary feed-water system.
Because operator training has been extensively considered by the NRC, the evalua-tion team spent only a modest effort in that area. However, the review team did receive a condensed version of the 8-hour AFW system presentation given to operators at CR-3. The review team found this AFWS presentation informative, thorough and accurate.
D.6.3 Conclusions The evaluation team finds that the licensee's commitment to and implementation of the training programs as stated by the licensee and discussed above promote good understanding of plant operation in general and, in particular, enhance the licensee's ability to minimize system malfunctions and improve the likelihood of recovery once a malfunction takes place. The evaluation team concludes that the CR-3 training program contributes to and enhances the AFUS reliability.
47
D 4 0.7 Operating Experience and Reliability Analysis D.7.1 Approach The staff reviewed the following documents as part of its evaluation of operating experience and reliability evaluation: Licensee Event Reports (LERs) related to the AFWS issued since initial operation, the forced outage / scram re-cords since initial operation, the AFW Reliability Analysis (Reference 15), and date provided by the licensee on April 23, 1987 regarding the operating ex-perience of the main feedwater system, AFW pump failures, the results of the CR-3 AFW Reliability Study using NUREG-0611 data and assumptions, and the human error reference for feed-and-bleed analyses. The staff also reviewed loss
> of offsite power operating experience since initial operation (Reference 16),
emergency diesel cenerator experience for 1983-1985 (Reference 17), and industry-wide experience with loss of offsite and onsite power reported in NUREG-1032 (Reference 18). The staff also discussed with the licensee the latter's statistical analysis relative to equipment failures. The licensee's operating experience and relitbility analysis were then compared with those of the rest of the indus-try and with SFP Section 10.4.9.
D.7.2 Evaluation In recent years the licensee has made improvements to the operational reliability of the AFW system, including the installation of the EFIC system to initiate and control the AFW system, an improved condensate storage tank, and removal of valve internals from the single suction valve to the AFW pumps.
Operating experience with the AFWS was reviewed over the life of the plant.
The licensee has provided the following AFW pump demand / failure data for the period September 18, 1978 - December 31, 1986:
Motor-driven Turbine-driven Demands pump pump Test 79 79 Actual 34 34 Post-maintenance 15 34 T7F TT7 Failures 0 1 48
. . -_ _ = _ - - ._ -
7 Although only one pump failure on demand is noted above, LERs indicate a number of instances when an AFW flow train was found to be inoperable or degraded for various reasons. These included an overheated packing gland, burnup of valve motor operators, incorrect AFW turbine governor setting, voiding of AFW line due to backleakage through check valves, operator error, inadvertent maintenance personnel action, and flow valve stuck on its seat. All of these problems were investigated and actions were taken that were intended to prevent or reduce the likelihood of their recurrence.
Operating experience with the main feedwater (MFW) system is important because loss of MFW represents demands or challenges to the AFWS. A lower-than-average reliability of MFWS requires a higher-than-average reliability of the AFW system in order to retain about the same overall reliability of removing reactor decay heat using the steam generators. According to the licensee (Reference 18), over the 9 year period (1977 through 1985), the plant experienced 44 LOMF transients. Two of those are MFW pump trips (with no MFW flow degradation) caused by AFWS initiation. These two events do not constitute LOMF transients where the AFWS would be required to initiate. The system has since been modified so that an AFWS initiation will not cause MFW pump trips. Discounting the above two LOMF events, the plant has experienced 42 LOMF events, 30 of which required AFWS initiation. A LOMF event is defined as any event where one or more MFW pump is tripped or its flow degraded. The 9 year average of the LOMF transients is, therefore, 4.7 per year with those requiring AFWS actuat. ion 3.3 transients per year. The rate of LOMF events for this plant is more than double the national average of about 2 per year.
The unplanned reactor trip frequency is important because each trip represents a challenge to the MFW system and potentially to the AFW system. The average CR-3 trip rate is 7.6 trips per year (excluding the first 6 months of 1985 when the plant was shut down for repairs). The CR-3 reactor trip rate does not have an identifiable trend with the highest rate of 12 trips per year (1981 and 1982) and the lowest rate of 2 trips per year (1984). The trip rate for 1985 was 9 trips per year as compared to a national average of 4.3 trips per year for that year (Reference 20). The yearly rates of LOMF events /AFWS actuations, and of 49
unanticipated reactor trips are plotted in Figures 11 and 12, respectively.
Also plotted are 3-year running averages of these variables. As can be seen from the ficures, there is an identifiable trend for both LOFF and the reactor scram rate. Both running averages peaked in 198?, but steadily declined since then. This may be indicative of the effectiveness of the maintenance program performed on the MFW system and the root cause determination process.
Offsite power, or as a backup, emergency onsite power is required to operate the motor-driven train of the AFW system. The operating experience of the CR-3 niant with respect to loss of offsite power has been relatively good. Only two events of significance were identified for the period from initial operation through 1985 (Reference 16), and neither of these events was included in the categories of most significant loss-of-offsite power events occurring in the United States. Part of the reason for this is that fossil-powered Units 1 and 2 at Crystal River can also supply power to CR-3 and, in particular, to the motor-driven EFW pump.
Emergency onsite AC power at CR-3 is provided by two emergency diesel generators (EDGs). The operating experience of the:e EDGs for 1983-1985 is reported in Reference 17. The unrtsiability of the CR-3 EDGs averaged over the 3 years is about 0.02 unavailability per demand, which is the same as the national average.
The U.S. average EDG unreliability is reported as 0.02 in NUREG-1032 (Peference 18).
The latest SALP rating for CR-3 covered the period of March 1986 through October 1987, and were 2, 1, 3 and 2 for operation, maintenance, surveillance, and training respectively. The SALP ratings for operation and maintenance have remained as they were for the preceding rating period. However the rating for the surveillance has dropped from 2 to 3, while that for the training improveo from 3 to 2. If the surveillance of equipment in general, and the AFWS in particular, is not improved, this could result in a reduction in the AFWS reliability.
50
The licensee has completed an AFWS reliability study using the methods and data presented in NUREG-0611 and NUREG-0635 (References 3 and 4). An AFWS unavailability per demand of 4.7 x 10 4 was calculated. The licensee has incorporatad plant-specific failure data into the analysis in a separate study, and calculated an unavailability of approximately 2.0 x 10 # per demand. However, in the latter analysis, the licensee's departure from the methodology specified in the SRP makes it difficult to compare with the stated criterion or with other analyses.
The staff has some reservations about the data treatment and modeling in the latter study, but they are not crucial to the results of this evaluation. The unavailability values calculated by the licensee are higher than the high end of the range specified by SRP Section 10.4.9 (1 x 10 #), and without adequate compensating factors, the AFWS reliability is considered unacceptably low.
The licensee proposed reliance on the "feed-and-bleed" mechanism as a com-pensating feature and estimated a very high reliability for it (1 x 10 4 prob-ability of failure on demand, given a loss of all feedwater). It is the staff's position that feed-and-bleed can serve as a backup to the AFWS in emergency procedures should all feedwater be lost, but as such is a last resort for providing decay heat removal. It has been analytically shown (Reference 21) that a feed-and-bleed system arrangement similar to that of CR-3 can provide an adequate means of decay heat removal if the feed-and-bleed mechanism is manually initiated prior to reactor coolant saturation. The CR-3 feed-and-bleed system consists of three HPI pumps with a shutoff head of about 2800 psia, and one PORV and two safety valves. Each HPI pump is capable of providing about 270 gpm at the safety valve setpoint of 2500 psia. Reference ?1 describes RELAP-5 calculations for a total loss of feedwater event, and concludes that the feed-and-bleed mechanism is capable of adequately removing the generated l decay heat with only one HPI pump and the pressurizer safety valves.
However, uncertainties about the operator's decisional, procedural, and performance abilities under stress, do not permit crediting feed-and-bleed as l
! a reliable compensatory decay heat removal feature for resolution of GI-124.
These uncertainties and concerns regarding intentional release of reactor
! coolant into the containment, cannot justify this method of removing decay heat as a suitable compensatory feature. Therefore, additional features to improve the AFWS unavailability and secondary side decay heat removal capability are considered necessary.
51
_ _ _. _ _ _ _ _ . _ _ ___ .~ _______. _ _ _ _ _ _ _ . . _
As indicated previously, the licensee's completion of the connitment to install an additional source of secondary side decay heat removal capability will resolve this concern.
D.7.3 Conclusion Based on the staff evaluation as discussed above, the staff concludes that completion of the licensee's connitment to install an additional means of secondary side decay heat removal capability resolves the staffs concerns for a reliable AFWS. However, the licensee should consider the following additieral recommendations for improved plant performance and AFWS challenge rate reduction.
(1) The licensee should establish goals for decreasing the occurrences of LOPF events and unanticipated reactor scrams. These goals should be consistent with the B&W Owners Group Safety and Performance Improvement Program (SPIP) recommendations as accepted by the staff. The licensee should then strive to achieve these goals in a timely manner.
(2) The licensee should address all the recommendations made in the Final Report of the B&W Owners Group SPIP Auxiliary Feedwater System Review, dated Fay 1987. The licensee should then provide a schedule for implementatier of the relevant recommendations.
52
i APPENDIX A REFERENCES
- 1. Lear, G., NRC letter to D. Musolf, Northern States Power, "Prairie Island, Units 1 and 2 AFWS Reliability Assessment Report," November 25, 1986.
- 2. Beckjord, E., NRC, Director, RES, memorandum to T. Murley, Director, NRR, "ANO-2 AFWS Reliability Assessment Report," July 13, 1987.
- 3. U.S. Nuclear Regulatory Commission, NUREG-0611 "Generic Evaluation of Feedwater Transients and Small Break Loss of Coolant Accide +,s in Westinghouse Designed Operating Plants," 1980.
- 4. U.S. Nuclear Regulatory Commission, NUREG-0635, "Generic Evaluation of Feedwater Transients and Small Break Loss of Coolant Accidents in CE Designed Operating Plants," 1980.
- 5. Thadani, A., NRC, memoranda to 0. Parr, dated October 17, 1983, October 23, 1983, and November 9, 1984.
- 6. Stolz, J., NRC, letter to W. Wilgus, FPC, August 9, 1983.
- 7. Florida Power Corporation, System Description, 15-1121209-06, for Emergency Feedwater System.
4
- 8. Florida Power Corporation, Improved Design Control Documentation, Design Basis for Emergency Feedwater System.
- 9. Crystal River Unit No. 3, Emergency Feedwater/ Emergency Feedwater Initiation and Control Design Documentation.
l 10. U.S. Nuclear Regulatory Commission, Information Notice No. 87-59:
"Potential RHR Pitsp Loss," November 17, 1987.
l 53
- 11. Silver, H., NRC letter to W. Wilgus, Florida Power Corporation, March 3, 1987.
- 12. Florida Power Corporation Maintenance Procedures: MP-111, Valve Packing; MP-121, Pump Packing; MP-531, Trouble Shooting Maintenance Procedures;
- 13. Florida Power Corporation Emergency Procedures:
Engineered Safeguards System Actuation, AP-380, Revision 07.
Emergency Feedwater Actuation, AP-450, Revision 06.
Steam Generator Isolation Actuation, AP-460, Revision 02.
Natural Circulation, AP-530, Revision 05.
Reactor Protection System Actuation, AP-580, Revision 07.
Inadequate Core Cooling, EP-290, Revision 05,
- 14. Florida Power Corporation Logic Diagrams:
Title DWG, No.
MOTOR DRIVEN EMERG. FEED PP 3A (EFP-1) 4160V B-208-026 EF-01 MOTOR DRIVEN EMERG. FEE 0 PP 3A (EFP-1) 4160V B-208-026 EF-01B CST 150 TO MTR DRIVEN EF. PP 3A EFV-3 TURB MCC 3A B-208-026 EF-02 CST ISO TO TURB , DRIVEN EF. PP 3B EFV-4 TURB MCC 3B B-208-026 EF-03 MTR DR EF PP 3A AUX FDWATER STOP CK TO STM GEN EFV-7 B-208-026 EF-04 MTR DR EF PP 3A AUX FDWATER STOP CK TO STM GEN EFV-8 B-208-026 EF-05 HOTWELL 150 TO TURBINE DRIVEN EF PP 4B EFV-1 B-208-026 EF-06 HOTWELL ISO TO TURBINE DRIVEN EF PP 3A EFV-2 B-208-206 EF-07 T.C. EMERG. FEED PUMP 3B AND AUX FW DISCHARGE 150 TO STEAM GEN EFV-11 B-208-026 EF-08 T.D. EMERG. FEED PUMP 3A AND AUX FW DISCHARGE 150 TO STEAM GEN EFV-14 B-208-026 EF-09 T.D. EMERG. FEED PUMP 3B AND AUX FW DISCHARGE 150 TO STEAM GEN EFV-32 B-208-026 EF-10 T.D. EMERG. FEED PUMP 3A AND AUX FW DISCHARGE 150 TO STEAM GEN EFV-33 B-208-026 EF-11 54
)
- 14. Logic Diagrams (Continued):
Title DWG, No.
EFIC MATRIX "A" CONTROL AND EFW ACTUATION "A" B-208-026 EF-15 EFIC MATRIX "B" CONTROL AND EFW ACTUATION "B" B-208-026 EF-16 EMERGENCY FEE 0 WATER VALVE -55 B-208-026 EF-17 EMERGENCY FEE 0 WATER VALVE -56 B-208-026 EF-18 EMERGENCY FEEDWATER VALVE -57 B-208-026 EF-19 EMERGENCY FEEDWATER VALVE -58 B-208-026 EF-20 EFICCONTROL"C";fNDEFWACTUATION"C" 3-208-026 EF-21 EFIC CONTROL "0""AND EFW ACTUATION "D" B-208-026 EF-22 ELECTRICAL ONE LINE COMPOSITE EC-206-011 GENERATION AND RELAYING 4160V BUS EC-206-014 GENERATION AND RELAYING 4160V ENG. SAFEGUARD BUS EC-206-015 GENERATION AND RELAYING 448V ENG. SAFEGUARD BUS EC-206-017 4160V SWITCHGEAR UNIT 3A EC-206-022 4160V SWITCHGEAT UNIT 3B EC-206-023 4160V SWITCHGEAR ENGINEERED SAFEGUARDS BUS 3A EC-206-024 4160V SWITCHGEAR ENGINEERED SAFEGUARfJS BUS 3B EC-206-025 ENGINEERED SAFEGUARDS BUSES 3A AND SB EC-206-033 ELECTRICAL ONE LINE 260/125V D.C. SYSTEM EC-206-051 MCCES-3Al-AUXikig-95'-0" EC-206-054 MCC ES-3A2 - AUX BLOT - 119'-O' EC-206-055 MCC ES-381 - AgBL 119'-0" s > [' .
EC-206-056 MCC ES-3B2 - AUR 5 -
9 5 ' - O'k.+ - 2 -206-057 480V MCC ES-3A3 DG-[ 3--
-- t 5 -206-074 480V MCC ES-3B3 e M .; I -206-075 AUX FW SUPPLY ISO TO STEAM GEN 3A FW-35 ~ B-208-032 FW-28 AUX FW SUPPLY ISO TO STEAM GEN 3B FWV-34 B-208-032 FW-29 AUX FW SUPPLY 150 TO STEAM GEN 3A FW-36 B-208-032 FW-30 AUX FW SUPPLY ISO TO STEA'i GEN 3B FWV-33 B-208-032 FW-31 STM. GEN 3A MAIN STM. 150 MSV-179 TURBIN MCC 3A B-208-039 HS-15 MSIV MSV-411 AND MSV-41? B-208-039 MS-18 55 s
Simplified Diagrams EFW SYSTEM FIGURE 7-26 SHEET 1-6 MAIN AND REHEAT STEAM FD-302-011 (P & ID) SHEETS 1 & 2 AUXILIARY STEAM FD-302-051 (P & 10)
FEEDWATER STEAM FLOW FD-302-081 (P & ID)
E.F. SYSTEM FLOW DIAG FD-302-082 (P & ID)
C.D. SYSTEM FLOW DIAG FD-302-101 (P & ID) SHEETS 1 & 2
- 15. Simpson, E. C. , FPC, letter to J. Stolz, NRC "The Crystal River-3 EFWS Reliability Analysis," December 2, 1986.
- 16. "Losses of Offsite Power at U.S. Nuclear Power Plants," NSAC Report 103, May 1986.
- 17. "TheReliabilityofEmergencyDientlEderatorsatU.S.NuclearPower Plants," NSAC Report 108, September 1986.
.5
- 18. U.S. Nuclear Regulatory Commission, N Q 1032.
- 19. Bright, R. , FPC letter to H Silver, NRCc3pril 23,1987.
g
- 20. Instituteher Noclear Power Operations, INPO 86-012. "Unplanned Automatic ScramsinUiMElkc.G.eneratingUnitsin4985,"April 1986.
y :x,i' ^ ,-- -
A
- 21. U.S. Nuclear eg ,
iohlMt5[tR-4966, "Evaluation of Operational Safety at B&W giants,*'D/ aft Report, Volume II, July 1987.
T L
56
I APPENDIX B NRC AND LICENSEE PERSONNEL PARTICIPATING IN AFW SYSTEM REVIEW NRC Personnel AFWS Review Team i .
Warren Minners, Team Leader, RES Sammy Diab, Task Manager, NRR g Jerry Wermiel, NRR "
Robert Giardina, NRR Gordon Edison, NRR Paul Shemanski, NRR Max Yost, INEL
^
Harley Silver, Licensing Project Manager J. E. Tedrow, NRC Resident Inspector T. F. Stetka, NRC Senior Resident Inspector
_c
~
Florida Power Corporation PersonneT" ,E s . . .
Ronald Bright M. S. Mann C . ,.
W. L. Rossfeld ri" 4- f '
M. W. Averett g ,. ; cf j -
.g E. M. Good b M- @ 'W i
- K. R. Wilson e W W W ...c . ~.@'
.p. ._
gp _
3 m~ . .. c.. Q, _+; .
- =
M. E. Collins w g*-_c --
-o g "' ..
g P. F. McKee k ; <, -
d ~' + -
R. A. Becker Ray Wittman Harold Walker Richard Brown R. Widell l
57
1 Ness-Sa'atdtC, p'e[s]
I anse.masruns '"l
'" g et.s sress Sas k.
j 95878 3 4 3 q p DB 30 hlJe ,,
i
&sT-80 g3v.33 -
Evam svamm I8 l
l DC- B DC-B .
x asy-ss - arv-e6 18 t0 6W x
DC ""* ~"" ~
gu-
- grime 333> [ g w.3, j
W .:.-;,,n,,
, s.v- e.& enty-ta r
=.-tm ~~ ~ ~ ~ w Ag * '**
=
\
'*'~ \
TL.i _ff;_#
- ~ ,B ',B "-*
J
-w m (,. .
~5 v-2. ,
m.
i 6
se x= au-o.
EFID-e 'r Efv-M 4_,, EKv6 i
g i
)u;< a
! ,, .. % g =c-A oc -=
[p c 8, w'
! . y -
-x !
'E" I
'
- w~ '
I Q [Lr
""f u 4- M.,v. 4' s%, e, x-s r** * ~
y' ' A >c.-.3 ~
f _L4 6 o r
'- 1
+ m,
a 3
_ ;gf' 1 a, ,, s em.sm c. 6 w-se
,{,
i q g :PN .
l .
, "f .
, L v arv-.
gi.g ,
o
. g-.1 hh.,..an_ } rw- > >
p..
g i l =
- 4
-EU . ., ,_-
i a>
s q. = 1 1
- == , arv-u a,v .
crP-3 h bt-4 Dc-8 g ID 4,
lL F i- 1l t
arv-se j
De-D C- n = oc.
A : bc_w Wgwqg a- ., . ,, bc-15 gt v-se Dt4 i
i "G1 FLOWPATH FOR EMERGENCY FEEDWATER 4
.- _ _ ~ _ . _ __ _ __ __ _
is eso sted k.Edtn
. . = = . reo <=f 1>
erartv.tede Arfdae46 e
. erg Vf6 ,,, a/ 9 4
e.an To J.##. - -TAT. . e.n e J ftf #88 s.e.=.
, ~ . -
m I
. e ,. r .n i #f thpam a law t for65 Le na6 J8(C 4
k.. ra....,. en l o m. ,. s e
. rw 3.
Vfa 9 .* .. 'M 4 , ,,e
~e<
4,,..,.. . o %_._3.:
yw. ,.. m . ,%eq
,, 4
.' s .. . ,
o% -
~
.. L-
\- .:., , , ==; 4 .. .
- . K M'_s %.
- -L '. : ' --w
~
-g .
-M. n r i r gg- 3*A: . -
, ' ~ . . . - -
hJ a %L 4
(SAFT
...%Mb . ... .
. ~ ,3 J Y"Y I%h IMock )lagrew 9 =9ha v4,5.v ' n M $8de F4 b
. 4 ta.ea n t e v .c .e F.. e
_.a
1 j
1 l
)
l l
\
I i
1 o
f t
s 4
- e j m -
2 S ,
~
i
~ \
2 \
\
. h. t Tig ua. J AFW flow Ce.%\ %)ve;E.VV-Sf w,4 i re n 4 epv W und(%.
DJA. oIA M\OPA m bh d F5 r
l l
i i
l l
.__,__._-m ama,- mm ,_._.4 _-.= ._m zms..--- . ._a a a m a n.w u e -._.4es..,s .m .4a .e.a__m_- - - . -uma....s . 44W.*_- ~e....-se.. _a_., .==-A44 4eA4u4_.
l i
i i
s . 1 T
\
. \
s s
i
.\ -
\
a
\
' .t
\ . .
s o
\
\ '
S\
s
\
c*
tog, h,
\
\ o 1
' s s x
\ d x
\
h %
\ i
\ .
4
\ ,
\
\
\
-; \
\
\
\
\
I l
i
\______ _ ._ . . .
,4 __ #.Ea---.m__Ms4 4s a .amm - de6. 4 e n
- 1 i
1 1
}
8 l ,
i ,1 i
)
l
- f. ! *.l
- s. e g _% (
.t ..
1 :
i9
- u1 ~1
- A L_
I I l l i
f
- 4 -
1
- e t i
(
4 R$ wt 5 Sb AdduieVen i ASV-5 l I
L l
-d-m-- m.- .4 a-sdrM 44S -M- -A5.-.A -
W--.mh4 hM h am -mmhAhm -A--we A- hmm--JA.a m . u at, 2
l I
l
' i g
l r
i n
l i
bfL N b N PM S$i m %I W\w. AsV-so4 l
I l
l
,mhmma-a _ _h,...aus.u.e,,.aa_4.u_.m-h.a h.esar A4 e -n__-4.mmbme5.am amw mme .mg._Ay -m .,m,,~.ma-,_u _,,_m__Aa-h.amkm_jh 2. _a. 3 -,J_,,. _.g m a _ aa_
b a
0 0 0
i i
r i
r
~
I 1
F
(
F73uit 7 AT W 5 T A M h e, ped :
TQ M ar6sm ard4bt TQ a4%H\tWle i (A SV-50) -
t I
1
i l 1
e G 1
I I
1 i
I d
l l
i a T
@ g
- . ! N 1 ' . 42;;)f,[ ,Id/
, . - - ' g 3 , .' ( ,
p ),1 l '
',p . J' . ~,k- '
m :.; - , ,l .
- i ; ;,
, 5, ;,fhf 2
9 ?, l g **
g, ' \
g
. M
,e: -
.. 9 . 9 :.~1 k- !
. ., ~, ' . -.i. '
d s .,,. ' g-h & ;; , - %,. ,;p h .': x - };
I i
p
. p}.:p4z gy 6
t LM f N
l t
l l
i t
I i
I
- J'mSM-Ah.-24.=R b.42 4 g--Am.d4hm.he wha 4W- - ' - --m- 4.mi e mmma -wha 4 m - mm m r m . h.mm.._ .am,_4 ats__Ame,,_aa44 _ __.-an,,,
i
- l- -
4 l
. l5 .A
! m .. .
g .
I ftps 7 W Tea %vernoe j ut% tk Ye4 stWA l bb 4 senig Whh 3 [
l l
- r. 4 ma. A w -JB ah.a .wDaau4 emmam - w e - us.m- am4_- 2 -aa-_m.ag_,a _,h,__m_ae am.m,.m ,mm eetm.a,A.mm,s,__m.usmarme-.eA.hMmm_atamm a _ m m m.ama mi.mmre-4,..
- \
l .
i 1
l I
i i
=
m b 7'
<o f
l 6 i fr>. f t
,gr >
i
$$Lk~
> i
, . rs l u;
P
}{g*t I
r ny '
[Lr rg, y f,
l l
I l
l P
- O Loer <ms + 3 r M,-
- - _. wws .duk u.. '9t jf. -. ,
14
- 4 i:
i 10 t ,
.. _ _ . 4
& kW \
lo .
i \ ,
. - i .
~ '
4 '
) I [14M
%~~ s
/
l l
I I
s
%=.
s
- . 3 o
- n. y,ng u v tam ,s ,1 so u n ts Vi.Il3 CR-3 LOMT ad.AWS W% ,
h Y N 4 (Ws % plad ws4 W etdw n G., ab .t 6 e4*
- 4* Vak w 4 ttgf. ad 49t1 44 oWeeJ veWollj W % \sm o O 3 h e . . i.3 * <ty t.
R.ak po 3.% _-
g _
i4
~
i2 to g
6 . .-
q t
d 000/$1)
Tip l2- CM AwWke ReeAr' taps y nat.. , w m s a a a. q ~ a ;,, a m
- V'eLa 4ka. p e% vsa t th*M 6d e O Sbl*D b y
- Valv tg kv \% O eed 1911 w 6^4 Ob 4 ,at) w O lh 4 ee. $b4 Ws M.a. .
p ,.
Document Name:
. e o CR-3 GI-124, AFWS REPORT Requestor's ID:
FAIRCLOT Author's Name:
- j. wemiel Document Coments:
resol. of GI-124, auxiliary feedwater system reliability, c.
4 g r s_ ( a
, , =%
i 1
l l
i I
i