ML20207Q210

Preliminary Draft Case Study Rept, Air Sys Problems at Us Lwrs
ML20207Q210
Person / Time
Issue date: 12/31/1986
From: Ornstein H
NRC OFFICE FOR ANALYSIS & EVALUATION OF OPERATIONAL DATA (AEOD)
To:
Shared Package
ML20207Q205 List:
References
NUDOCS 8701270017


Text


PRELIMINARY DRAFT CASE STUDY REPORT

AIR SYSTEMS PROBLEMS AT U.S. LIGHT WATER REACTORS

DECEMBER 1986

Prepared by: Dr. Harold Ornstein, Reactor Operations Analysis Branch, Office for Analysis and Evaluation of Operational Data, U.S. Nuclear Regulatory Commission

This report documents the preliminary results of an ongoing study by the Office for Analysis and Evaluation of Operational Data with regard to a number of operating events. This report is issued for review and comment as part of the "peer review" process used for AEOD case studies.

Since the study is ongoing, the content, findings and recommendations are preliminary and may not represent the final position of AEOD, the responsible program office or the Nuclear Regulatory Commission.


TABLE OF CONTENTS

EXECUTIVE SUMMARY
1.0 INTRODUCTION
2.0 AIR SYSTEM DESCRIPTIONS
    2.1 Function and Purpose
    2.2 System Design and Operation
    2.3 Safety-Related Functions
3.0 AIR SYSTEM REQUIREMENTS
    3.1 Air Quality Requirements for Pneumatic Equipment
    3.2 Industry Standards
    3.3 NRC Requirements
4.0 AIR SYSTEMS FAILURE MODES AND EFFECTS
    4.1 Contamination
        4.1.1 Water
        4.1.2 Particulates
        4.1.3 Hydrocarbons
    4.2 Air System Component Failures
        4.2.1 Compressors
        4.2.2 Distribution Systems
        4.2.3 Dryers and Filters
        4.2.4 Accumulator Check Valves
        4.2.5 Design, Installation, and Maintenance Errors
5.0 OPERATIONAL EXPERIENCE
    5.1 Safety Systems Failures
        5.1.1 Shutdown Cooling System - Palisades
        5.1.2 Auxiliary Feedwater Systems
            5.1.2.1 Turkey Point 3 and 4
            5.1.2.2 Indian Point 2
        5.1.3 BWR Scram Systems
            5.1.3.1 Susquehanna
            5.1.3.2 Dresden 3
        5.1.4 Power-Operated Relief Valves and Low Temperature Overpressurization Protection Systems
            5.1.4.1 Ginna Tube Rupture Event
            5.1.4.2 Westinghouse PWR Low Temperature Overpressurizations
        5.1.5 Service Water and Component Cooling Water Systems
            5.1.5.1 Service Water System - Calvert Cliffs 1 and 2
            5.1.5.2 Component Cooling Water System - Calvert Cliffs 1 and 2
            5.1.5.3 Salt Water Cooling System - San Onofre 1
        5.1.6 Main Steam Isolation and Feedwater Isolation Valves
            5.1.6.1 Byron, Callaway, Summer and Vogtle
            5.1.6.2 Turkey Point 3 and 4 and H. B. Robinson 2
            5.1.6.3 Brunswick
        5.1.7 Emergency Diesel Generators
            5.1.7.1 Air Starting System
            5.1.7.2 Pneumatic Controls - Cooper-Bessemer, Nordberg
            5.1.7.3 Emergency Diesel Generator Cooling - Maine Yankee, Haddam Neck
        5.1.8 Safety Injection Systems
            5.1.8.1 Fort Calhoun
            5.1.8.2 Point Beach 1 and 2
        5.1.9 Containment Isolation Valves - Grand Gulf 1 and 2
        5.1.10 Reactor Coolant Pump Seal Injection
            5.1.10.1 B&W Generic
            5.1.10.2 St. Lucie
        5.1.11 Reactor Cavity and Spent Fuel Pool Pneumatic Seal Failures
            5.1.11.1 Haddam Neck
            5.1.11.2 Susquehanna 1 and 2
            5.1.11.3 Rancho Seco
            5.1.11.4 Arkansas Nuclear One Unit-2
            5.1.11.5 San Onofre 2
            5.1.11.6 Sequoyah 1 and 2
    5.2 Foreign Reactor Experience
        5.2.1 Loss of Containment Integrity
        5.2.2 Loss of Fuel Pool Inventory
        5.2.3 Low Reactor Coolant System Level
6.0 ANALYSIS AND EVALUATION OF OPERATIONAL EXPERIENCE
    6.1 Analysis and Evaluation of Safety, Safety-Related, and Important-to-Safety System Failures
    6.2 Analysis and Evaluation of Reactor Transients and Safety System Degradations
        6.2.1 Trends and Patterns Analyses
        6.2.2 Reactor Trip Analyses
        6.2.3 H. B. Robinson Study
    6.3 Patterns Observed Regarding Failures of Air-Operated Components
        6.3.1 Component Contamination
        6.3.2 Accumulator Failures
        6.3.3 Individual Component Failures Resulting in Loss of Air System Events
    6.4 Risk Assessments
        6.4.1 Calvert Cliffs
        6.4.2 Oconee Unit 3
        6.4.3 NRC Pressurized Thermal Shock Program
7.0 FINDINGS
    7.1 Root Causes of Air Systems Problems
    7.2 Consequences of Air Systems Problems
    7.3 Risks, Cost-Benefit
8.0 CONCLUSIONS
9.0 RECOMMENDATIONS
10.0 REFERENCES

APPENDICES

APPENDIX A PARTIAL LISTING OF AIR-OPERATED EQUIPMENT FAILURES SORTED BY FAILURE MODE
APPENDIX B TECHNICAL REVIEW OF EMERGENCY DIESEL GENERATOR COOLING SYSTEM FAILURES DUE TO AIR SYSTEMS INTERACTIONS
APPENDIX C OPERATION OF RALPH A. HILLER COMPANY AIR SPRING ACTUATORS

LIST OF FIGURES

Figure 1 Simplified Diagram of a Typical Air System at a One-Unit Station (PWR)
Figure 2 Scram Valve Arrangement
Figure 3 Layout Drawing of Scram Pilot Solenoid Valve
Figure 4 Low Temperature Overpressure Protection System at Ginna
Figure 5 ANO-2 Spent Fuel Pool

LIST OF TABLES

Table 1 Equipment and Systems Which Utilize Instrument Air
Table 2 Air System Malfunction Which Resulted in Multi-Plant Transients
Table 3 Effects of the Presence of Particulates in the Instrument Air System Upon Safety-Related Equipment at Turkey Point 3 and 4
Table 4 Maximum Acceptable Particle Size for Reliable Operation of Safety-Related Equipment at Turkey Point 3 and 4
Table 5 Turkey Point Unit 3 Auxiliary Feedwater Valve History During July 1985
Table 6 Plants with Air Check Valves/Actuators Similar to Byron 1
Table 7 Benefits of Improving Instrument Air Systems
Table 8 Safety Systems that Interface with the Instrument Air System at H. B. Robinson
Table 9 Core Melt Frequency Attributed to Compressed Air System Failures at Oconee 3

EXECUTIVE SUMMARY

This study provides a comprehensive review and evaluation of the potential safety implications associated with air system problems at U.S. light water reactors (LWRs). The report analyzes operating data focusing upon degraded air systems, and the vulnerability of safety-related equipment to common mode failures associated with air systems. The report analyzes this data from the perspectives of trends and patterns, risk assessments, and cost/benefit studies.

Several recommendations are presented to reduce risk, enhance safety, and improve plant performance.

Air systems are not safety grade systems at most operating plants. As a result, plant accident analyses assume that safety-related equipment dependent upon air systems will either "fail safe" upon loss of air or perform its intended function with the assistance of backup accumulators. This report highlights 29 failures of safety-related systems that resulted from degraded or malfunctioning air systems. These failures contradict the assumption that safety-related equipment dependent upon air systems will either "fail safe" upon loss of air or perform its intended function with the assistance of backup accumulators. Some of the systems which were significantly degraded or failed were decay heat removal, auxiliary feedwater, BWR scram, main steam isolation, salt water cooling, emergency diesel generator, containment isolation, and the fuel pool seal system.

The root causes of most of those failures were traceable to design and/or management deficiencies. The design and operating problems found appear to reflect a lack of sufficient regulatory requirements and review, and the view by many applicants and licensees that air systems are not highly important to assuring plant safety.

We view the events in which safety systems have been adversely affected by degraded or malfunctioning air systems as important precursor events. They indicate that further industry or regulatory actions are necessary to assure that air systems are maintained and operated at levels which will enable plant equipment to function as designed and are not subject to unanalyzed failure modes possibly resulting in serious consequences. Up to now, such failures have not occurred in connection with a limiting transient or accident and, therefore, no serious consequences resulted.

The report addresses specific deficiencies which were found in the following areas: (1) mismatched equipment - the air quality capability of the instrument air system filters and dryers does not always match the design requirements of the equipment using the air; (2) maintenance of instrument air systems is not always performed in accordance with manufacturer's recommendations; (3) air quality is not usually monitored periodically; (4) plant personnel frequently do not understand the potential consequences of degraded air systems; (5) operators are not well trained to respond to losses of instrument air, and the emergency operating procedures for such events are frequently inadequate; (6) at many plants the response of key equipment to a loss of instrument air has not been verified to be consistent with the FSAR; (7) safety-related backup accumulators do not necessarily undergo surveillance testing or monitoring to confirm their readiness; and (8) the size and the seismic capability of safety-related backup accumulators at several plants have been found to be inadequate.

The recommendations from this study address: (1) ensuring that air system quality meets the requirements specified by the manufacturers of the plants' air-operated equipment; (2) ensuring adequate operator response by formulating and implementing anticipated transient and system recovery procedures for loss-of-air events; (3) improving training to ensure that plant operations and maintenance personnel are sensitized to the importance of air systems and the vulnerability of safety-related equipment served by the air systems to common mode failures; (4) confirming the adequacy and reliability of safety-related backup accumulators; and (5) verifying equipment response to gradual losses of air to ensure that such losses do not result in events which fall outside FSAR analyses.

1.0 INTRODUCTION

Many U.S. light water reactors (LWRs) rely upon air systems to actuate or control safety-related equipment during normal operation. However, at most LWRs the air systems themselves are not classified as safety systems. Plant safety analyses typically assume that nonsafety-related air systems become inoperable during transients and accidents, and that the air-operated equipment which is served fails in known, predictable modes (e.g., fails open, fails closed, fails as-is).

In addition, air-operated equipment which must function during transients or accidents is provided with a backup air (or nitrogen) supply in the form of safety grade accumulators to ensure that the equipment can continue to perform its intended functions.

On March 10, 1980, a prolonged loss of all salt water cooling occurred at San Onofre Unit 1 due to air system problems (Ref. 1). A significant cause of the event was desiccant contamination found throughout the air system. An evaluation of the incident revealed that numerous safety-related systems could have been adversely affected by the desiccant (Ref. 2). Because of the seriousness of the cause and potential consequences of the San Onofre event, it was reported to Congress as an Abnormal Occurrence in February 1981.

Many other significant operational events since the San Onofre occurrence have been traced to air system design, operation or maintenance deficiencies. A previous study by ORNL on the operational performance of air systems found that air system problems do not pose a significant challenge to plant safety, and thereby concluded that no changes to the existing NRC regulations were required (Ref. 3). However, potential common cause failures resulting from air system degradations were not considered in this earlier study. In addition, the study did not focus on air system malfunctions or degradations which might initiate, complicate or increase the severity of transients or accidents. However, we find in the reported operational experience examples of air system malfunctions that have initiated or exacerbated significant events, including:

- A feedwater transient caused by water in the instrument air system, which developed into the core melt accident at TMI-2 (Ref. 4).

- A steam generator tube rupture event at Ginna in 1982, exacerbated by dirt in the instrument air lines (Ref. 5).

- A loss of decay heat removal and significant primary system heatup at Palisades, caused by an air system malfunction (Ref. 6).

- The prolonged loss of salt water cooling at San Onofre 1 in 1980, caused by desiccant contamination of the air system (Refs. 1, 2).

- A loss of the auxiliary feedwater systems at Turkey Point Units 3 and 4 in 1985, caused by water and dirt particles in the air system (Refs. 7, 8).

- The inability to scram four control rods at Susquehanna 1 in 1984, caused by oil in the air system (Ref. 9).

The following sections of this study provide a comprehensive review and evaluation of the actual operational experience and the potential safety implications associated with air system problems at U.S. LWRs. The study also is intended to evaluate the various modes of air system performance problems, and to discuss the significant plant responses to air system losses not fully addressed in previous reports. Also, several recommendations are presented to address the major deficiencies and design weaknesses noted in the review.

2.0 AIR SYSTEM DESCRIPTIONS

2.1 Function and Purpose

Most LWR plants have several air systems.* Generally, the highest purity air system, frequently referred to as the "instrument air" (IA) or "control air" (CA) system, is used for vital instrumentation and controls (e.g., safety-related diaphragm or cylinder actuated valves, safety-related current-to-pressure [I/P] or electro-pneumatic [E/P] converters). Instrument or control air systems also are used to provide motive power for nonsafety-related equipment at some plants.

Table 1 lists several important LWR systems which utilize IA (or CA).

Most LWR plants also have lower quality air systems, frequently called the "plant air" (PA), "service air" or "station air" systems. These lower quality air systems are usually allowed to operate with larger size particulates, and with higher moisture and oil content than the IA systems. The PA systems are commonly used for nonsafety-related equipment, routine maintenance activities, pneumatic tools, breathing air,** etc.

2.2 System Design and Operation

A simplified diagram of a typical air system at a single unit station is shown in Figure 1. Nuclear plant air systems generally have two branches--the higher quality IA (or CA) branch and the lower quality service or plant air branch.

Although operating at different qualities, both branches are usually supplied from the same air compressors. Air for the instrumentation or control branch usually is purified and dehumidified at the beginning of the IA branch. Air flowing in the plant or service air branches usually is unfiltered (no filtration downstream of the compressor intake screens), and is not dehumidified.

* Since air systems are generally categorized as nonsafety, balance of plant systems, their designs vary significantly from plant to plant, reflecting utility and architectural engineer preferences. This section has been generalized to indicate common features among widely varying systems.

** Some plants tap into the IA system to use it for breathing air on a temporary basis.

Table 1 Equipment and Systems Which Utilize Instrument Air

1. Scram System
2. Reactor Coolant System (Pump Seals/Relief Valves)
3. Safety Injection System
4. Auxiliary Feedwater System
5. Primary Containment Isolation System
6. Chemical Volume Control System/Charging and Letdown System/Boration System
7. High Pressure Injection/Make-up System
8. Automatic Depressurization System
9. Low Temperature Overpressurization Protection System
10. Component Cooling Water System
11. Decay Heat Removal System
12. Service Water System
13. Emergency Diesel Generators
14. Reactor Cavity/Spent Fuel/Fuel Handling System
15. Torus and Drywell/Vent and Vacuum System
16. Station Batteries
17. Main Steam System/Main Steam Isolation Valves/Auxiliary Boiler
18. Reactor Building/Auxiliary Building-Ventilation and Isolation System
19. Main Feedwater System/Feedwater Isolation Valves
20. Condensate System/Polishers/Demineralizers
21. Moisture Separation/Reheat System
22. Containment Atmosphere System
23. Standby Gas Treatment System
24. Floor/Sump Drain System
25. Sampling Systems
26. Fire System
27. Turbine-Generator System

[Figure 1: Simplified Diagram of a Typical Air System at a One-Unit Station (PWR). Diagram not reproduced. Legible labels: compressors with intake air filters and air receivers; shops and warehouse header; ion exchangers; waste gas vent system; reactor building service header; feedwater valves; atmospheric dump valves; turbine bypass valves; reactor building; component cooling water system; makeup water treatment system; turbine building; diesel generator air start compressor.]

Air dehumidification may be performed by either the desiccant stack drying method, or by the refrigeration condensation method. In some plants refrigeration and desiccant type dryers are used in series. As shown in Figure 1, filtration is performed by filters downstream of the dehumidification equipment and by in-line filters (i.e., satellite filters, or filter regulators) immediately upstream of (or an integral part of) the equipment which uses the air. Some plants do not have in-line filters.

Typical air systems are made up of two or more 100% capacity compressors which deliver air at a pressure of about 100 psig. When the IA system pressure decreases below a predetermined setpoint (typically in the range of 70-80 psig), the redundant air compressor(s) is automatically started and the PA system is shed from the main air header. In addition to the redundant air compressors, many plants have other backup air sources which can be utilized (e.g., portable skid-mounted diesel-driven or gasoline-driven compressors). At some plants, the backup air supply is of relatively low quality and may be fed directly into the IA system header downstream of the dryers and filters. Accordingly, when these backup sources are operating, the potential for contaminating the IA system can be significantly increased.

At most plants, the air lines penetrating containment are equipped with an automatic isolation valve which closes on a containment isolation signal.* Some plants have a different and separate air system to supply air-operated equipment inside containment. One advantage of such a configuration is that the air supply inside containment is not necessarily lost due to a containment isolation. In addition, since the system draws upon the containment atmosphere for its supply, a malfunctioning IA system inside containment does not have the potential for causing a containment pressure increase.

* In such plants when the isolation occurs the air supply (and pressure) to the air headers inside containment is lost.

The IA systems at some multi-plant stations are designed so that they can be interconnected if needed. Cross-connecting plant air systems provides redundancy; however, when the plant is operating with such interconnections, the risk of multiple equipment loss resulting in simultaneous system transients (including a reactor scram) initiated by a loss of the air system is increased.

Single air system malfunctions have been responsible for multi-plant transients and scrams. Some examples of multi-plant transients resulting from air system malfunctions are provided in Table 2.

2.3 Safety-Related Functions

Air systems at most U.S. LWRs are not categorized as safety systems or systems important to safety. Consequently, most safety analyses assume that air systems fail to maintain operating air pressure during postulated transients and accidents. Safety analyses assume that (unless there is a safety-grade source of air or nitrogen) air-operated equipment will "fail" to a known state in accordance with its design. For example, air-operated valves may fail open, fail closed, or fail as-is. Such equipment "failure" assumptions can be avoided if, for example, the air system is qualified as safety-grade, or if backup local accumulators (bottles) are provided near the equipment. The isolation boundary between the safety-grade accumulator and the nonsafety grade air system is usually a check valve. Some plants have qualified safety-grade air systems which are assumed to be available during transients or accidents. Plants in this category include Zion 1 and 2, which have "penetration pressurization air compressors," and Sequoyah 1 and 2 which have "auxiliary control air compressors" installed for this purpose.

Table 2 Air System Malfunctions Which Resulted in Multi-Plant Transients

Plants: Browns Ferry 1, 2, 3
Date: 8/28/78
Description of Event: The cylinder head of 1 air compressor failed, and there was a loss of control air to all three units. Units 1 and 2 were scrammed while Unit 3 was already shut down.
Reference: PNO-78-147

Plants: LaSalle 1, 2
Date: 10/25/83
Description of Event: Loss of cooling water to Unit 2 service air compressor resulted in loss of Unit 1 IA. Unit 1 was manually scrammed.
Reference: 10 CFR 50.72 10/25/83; IE Daily Report 10/26/83

Plants: Grand Gulf 1, 2
Date: 7/2/84
Description of Event: Unit 1 had a reactor scram after the loss of the Unit 2 air compressor. (The scram occurred subsequent to scram pilot valves drifting open, low IA pressure and high scram discharge volume level.)
Reference: LER 84-033

Plants: McGuire 1, 2
Date: 11/2/85
Description of Event: Break in compressor discharge line resulted in loss of IA to both units, and scram of both units on low steam generator level.
Reference: LER 85-034; 10 CFR 50.72 reports 2615, 2618, 3335

3.0 AIR SYSTEM REQUIREMENTS

3.1 Air Quality Requirements for Pneumatic Equipment

Because of the materials and the small clearances of the internal moving parts of pneumatic equipment, clean, dry, and oil free air is required for reliable, trouble-free operation. The level of contamination at which pneumatic equipment performance degrades or fails completely depends upon the equipment's specific design features. For example, particulate contamination has been found to be responsible for many solenoid air pilot valve and system check valve malfunctions. Observed pilot valve failures have included particulates blocking the internal air passageways and air exit ports. Particulate buildup has also been known to prevent air line check valves from seating properly. Leakage of accumulator check valves has resulted in compromising the safety function of backup accumulators and has adversely affected safety-grade equipment. Air system oil contamination has been responsible for gum or varnish buildup which resulted in sticking valves. Oil contamination has also been responsible for degradation and failure of solenoid air pilot valve seals.

A major solenoid valve manufacturer whose solenoid valves are used as pilot operators on thousands of control valves in U.S. LWRs does not specify any quantitative air quality requirements. The statement made by the manufacturer in technical bulletins is that the valves are "for (oil free) instrument air" use. However, "oil free" is not defined in the manufacturer's literature, and the manufacturer does not specify maximum allowable particle size or moisture content. The valve manufacturer's engineering staff recommends the use of strainers upstream of the valves. The minimum size strainer that the valve manufacturer supplies is 250 microns, whereas the air quality standard of the American National Standards Institute (ANSI) specifies a maximum particle size of 3 microns.


3.2 Industry Standards

The ANSI standard MC 11.1-1976 (ISA-S7.3), "Quality Standard for Instrument Air" (Ref. 10) establishes IA quality limits to preclude malfunctions of equipment supplied by the air systems. The standard specifies: a maximum allowable dewpoint (to limit moisture content), a maximum allowable entrained particle size (to prevent plugging, wear and erosion of passages and orifices) and a maximum allowable oil or hydrocarbon content (to avoid malfunction from clogging and wear of components). For outdoor service, the dewpoint must be at least 10°C below the minimum local recorded ambient temperature at the plant site while, for indoor service, the dewpoint must be at least 10°C below the minimum temperature to which any part of the IA system is exposed, but not higher than 2°C. Entrained particles must not exceed 3 microns, while the maximum oil or hydrocarbon content cannot exceed 1 part per million. The standard also addresses permissible levels for corrosives and toxic contaminants.

3.3 NRC Requirements

Over a period of years, the NRC has issued several regulations and guidelines for air systems. However, older plants are not required to meet any of the NRC's regulations or guidelines on air systems. In contrast, "safety-related" compressed air systems at newer plants and plants presently under construction are required to meet ANSI MC 11.1-1976 (ISA-S7.3), Regulatory Guide 1.68.3, "Preoperational Testing of Instrument and Control Air" (Ref. 11), and Standard Review Plan 9.3.1, "Compressed Air System" (Ref. 12).

Regulatory Guide 1.68.3 requires that new plants (licensing actions after May 24, 1982) perform specific preoperational tests on the instrument and control air systems. Those tests must simulate both rapid and gradual pressure losses in the air system. Regulatory Guide 1.68.3 also requires that new plants meet the requirements of ANSI MC 11.1-1976 (ISA-S7.3), and that all plants which undergo major modifications or repairs to the instrument and control air system, or portions thereof, perform similar tests prior to restart. However, once the preoperational (or post-modification) testing has been successfully completed, there are no requirements that plants continue to meet the ANSI MC 11.1-1976 (ISA-S7.3) requirements.

Regulatory Guide 1.68.3 was preceded by Regulatory Guide 1.80, "Preoperational Testing of Instrument Air Systems" (Ref. 13). Regulatory Guide 1.80 addressed IA, but not control air. It required plants to verify that IA met "cleanliness requirements" with respect to oil, water, and particulate matter entrained in the product air. It did not provide the required cleanliness specifications, however, and it did not require the plants to continue to meet the "cleanliness requirements" after successfully completing the preoperational (or post-modification) tests.

Standard Review Plan 9.3.1, "Compressed Air System," provides NRC's review plan for safety-related compressed air systems (SRCAS). The review evaluates the conformance of the SRCAS design, testing and operating characteristics with General Design Criteria (GDC) 1, 2 and 5. The review identifies safety-related air-operated equipment that is supplied by the compressed air systems, reviews equipment failure modes, and determines the effects of the postulated failures upon plant response during transients and accidents. The review also addresses the design of the SRCAS with respect to the capability of the system to supply high quality IA which meets ANSI Standard MC 11.1-1976 (ISA-S7.3). However, once a plant is licensed, there is no clear requirement that the air systems continue to meet the ANSI/ISA air quality standard. Although Standard Review Plan 9.3.1, paragraph III.2.b.l.4 states that, "A regular periodic check should be made to assure high quality instrument air," this requirement is contained in a section of the standard review plan that addresses system design relating to corrosive contaminants, hazardous gases, etc., in the IA. The requirement does not address actual air system operation subsequent to startup.

4.0 AIR SYSTEMS FAILURE MODES AND EFFECTS

4.1 Contamination

4.1.1 Water

Moisture in the air is one of the most frequently observed contaminants in air systems. Water contamination results from inadequate dryer and/or moisture separator operation. Water droplets entrained in the air can initiate the formation of rust or other oxide particles (rust and particulate contamination are discussed in Section 4.1.2).

Water droplets can cause the malfunction of E/P or I/P converters by blocking internal passageways, or by forming corrosion products which block internal passageways or cause sticking or binding of moving parts. In addition, water droplets can obstruct the discharge ports on solenoid air pilot valves, degrading their ability to function properly. Furthermore, moisture can cause corrosion of air system internal surfaces as well as the internal surfaces of equipment connected to the air system (e.g., valve bodies). Rust and other oxides have been observed to cause the exit orifices of air pilot valves and other (air-operated) equipment to be partially or totally blocked, resulting in degraded equipment operation or complete loss of function. Additionally, rust particles on the inside of the piping or connected equipment have the potential to be dislodged during severe vibrations (e.g., earthquake or water hammer), which could lead to common mode equipment failures.

4.1.2 Particulates

Particulate matter has been found to have degraded or prevented air from venting through discharge orifices of solenoid air pilot valves and valve air operators. A clogged orifice changes the bleeddown rate, which affects the valve opening or closing times and can result in stuck valves. Additionally, small particles have been found to have prevented E/P or I/P converters from functioning properly (i.e., open or close upon demand). Abrasive or gritty particulate matter (e.g., air dryer desiccant) has been found to damage solenoid air pilot valve seals (O-rings), preventing air-operated valves from functioning properly.

4.1.3 Hydrocarbons

Hydrocarbon contamination of air systems can cause sluggish valve operations as well as a complete loss of valve motion. Hydrocarbons (e.g., compressor oil) have been observed to leave gummy-like residues on valve internal components. This causes the valves to operate sluggishly, erratically, or even stick completely. Hydrocarbons have also been found to have caused valve seals to become brittle and to stick to mating surfaces, thereby preventing valve motion. In some cases, the seals were found to have torn apart or to have flaked off, resulting in loose particles which blocked air discharge orifices.

4.2 Air System Component Failures

4.2.1 Compressors

In most plants, instrument and service air systems include redundant compressors, but generally are not designed as safety-grade or safety-related systems. As a result, a single failure in the electric power system or the compressor cooling water supply system can result in a complete loss of the station air system compressors. Because the plants have redundant air compressors and automatic switching features, single random compressor failures usually do not result in total loss of air systems. Most air system compressors are of the oilless type. However, some plants have used non-oilless compressors, and have experienced oil contamination of their air systems. Similarly, the temporary use of non-oilless backup or emergency compressors (e.g., skid-mounted, diesel-operated) without adequate filtration and drying can result in significant air system degradation.

4.2.2 Distribution Systems

Since most instrument and service air systems are not designated as safety-grade, or safety-related, they are vulnerable to a single distribution system failure. For example, a single branch line, or distribution header break can cause depressurization in part, and possibly all, of an air system.

4.2.3 Dryers and Filters

Single failures in the IA filtration or drying equipment can cause widespread air system contamination, resulting in common mode failures of safety-related equipment. For example, a single failure such as a plugged or broken air filter, a malfunctioning desiccant tower heater timer, or a plugged refrigerant dryer drain can cause desiccant, dirt or water to enter the air lines. As discussed in Section 4.1, such contaminants can result in significant degradation, or even failure, of important air system components.

4.2.4 Accumulator Check Valves

Undetected accumulator check valve leaks could prevent safety-related equipment from performing its safety function upon loss of IA. Contaminants in the IA system can also cause multiple undetected accumulator check valve failures, which could prevent redundant safety-related equipment from performing its intended function.

4.2.5 Design, Installation, and Maintenance Errors

Plant safety analyses assume that safety-related, pneumatically-operated equipment responds to the loss of IA in a mode which is in accordance with the equipment design. For example, valves may be designed to fail open, fail closed, fail as-is, or to continue to operate with the assistance of safety-grade accumulators. However, design, installation, or maintenance errors can invalidate such assumptions, resulting in equipment operating in a manner different from that assumed in safety analyses. Such reported errors include: inadequate accumulator sizing, inadequate seismic supports for lines connected to the accumulators, valves with incorrect loss-of-air failure modes, and incorrectly installed inlet and exit air supply lines from testable check valve air operators.

5.0 OPERATIONAL EXPERIENCE

This section presents 29 operational events at U.S. LWRs in which a safety-related system* failed because of degradation or failures of air systems or air-operated equipment. Eleven different safety-related systems were involved.

These events were chosen to show the wide variety of safety-related systems that would be impaired by faulty air systems or failures of air-operated equipment; this section is not intended to present a complete listing of all such events.

Many of these events illustrate the common mode failure potential that air systems can have to cause multiple independent trains of safety-related systems to fail. In addition, this section provides brief descriptions of similar events that have occurred at foreign LWRs.

Additional operational experience is presented in Appendix A, which contains a tabulation of about 150 equipment failures sorted by cause. It presents a representative cross-section of such events, and is not intended to be a complete tabulation of all such failures. Most of the safety-related failures presented in this section are not repeated in Appendix A. Appendix A does not include the many MSIV failure events which are identified by NRC's Office of Inspection and Enforcement in Reference 14.

5.1 Safety Systems Failures

5.1.1 Shutdown Cooling System - Palisades

In 1978 and 1981, two separate events occurred at the Palisades plant in which shutdown cooling system flow was lost (Refs. 6 and 15). On both occasions, water in the IA system filled a valve positioner, causing the control valve to fail closed. The 1978 event lasted for 45 minutes, allowing the primary coolant system to heat up from 130°F to 215°F. The 1981 event lasted over li-hours, allowing the primary coolant system to heat up from 123°F to 197°F.

* In this report the term "safety-related systems" will be used interchangeably with safety systems, safety-related systems, and systems important-to-safety.

The licensee reported that water entered the IA line due to improper air dryer operation. The dryer purge valve had apparently been throttled excessively, causing insufficient air flow during the dryer's regeneration cycle (Ref. 6).

The licensee also discovered a construction error in the air receiver tanks' discharge lines. Contrary to the design drawing, the lines were located at the bottom of the tanks instead of at the top. This arrangement increased the potential for water accumulation and entrainment in the downstream air system piping. The Palisades events clearly illustrate that moisture buildup in air lines can cause failure of air-operated valves, particularly during periods of high demand (Ref. 16).

5.1.2 Auxiliary Feedwater Systems

5.1.2.1 Turkey Point 3 and 4

During surveillance testing from July 21-26, 1985, Turkey Point Units 3 and 4 experienced recurrent failures of the auxiliary feedwater (AFW) system due to IA system contamination (Refs. 7, 17, 18, 19, 20). The recurrent problems involved simultaneous failures of the AFW flow control and steam generator bypass valves. During the events, E/P converters and pneumatic valve positioners experienced common mode failures. The three turbine-driven AFW pumps (which serve both Turkey Point units) experienced overspeed trips which were complicated by the sticking of multiple flow control valves and sluggish steam generator bypass valves.

The plant operations staff had been aware of an IA system water accumulation problem for some period of time. However, the operations staff was unaware of the potential problems which might be caused by the water. Accordingly, the operations and maintenance staff initially attempted to correct the AFW control valve problem, as they had previously, by blowing down the air regulators (i.e., fix the symptoms). The procedure was not successful in restoring the functional reliability of the valves. When they became aware of the problem, the licensee's engineering staff hypothesized that corrosion products formed inside the IA system may have been a source of the gross degradation. With the subsequent realization that contaminated IA might be the root cause of many of the recurrent AFW system problems, the licensee requested the architect engineer to evaluate the effect of contaminants in the IA supply on the safety and non-safety-related equipment. The architect engineer also was requested to determine the maximum particulate size that the safety-related instrument air system equipment could accommodate without adverse effects, and the effects of particulates on the IA system. The architect engineer's analysis determined that many safety-related devices could be adversely affected by particulates in the IA system. The safety-related systems which could be affected are:

- Secondary system (steam dump to atmosphere)
- Salt water system (flow from the essential heat exchanger)
- Charging system
- Residual heat removal (RHR) system
- AFW system

As shown in Table 3, at Turkey Point the AFW system for both units could be lost as a result of IA system contamination (Ref. 21). It is important to note that in July 1985, several of the AFW system flow control valves failed simultaneously as a result of IA contamination. In addition, the nonsafety-related main feedwater bypass valves have experienced simultaneous common mode failure (closed) as a result of water in the IA. This failure is potentially significant because the bypass valves are used to control the diverse nonsafety-related backup AFW flow provided by the two motor-driven startup pumps. Failure of the main feedwater (MFW) bypass valves could result in the loss of AFW diversity.

At the licensee's request, the architect engineer canvassed manufacturers of the safety-related equipment that had been determined to be susceptible to IA contamination, and to failure in an "unsafe manner." The vendors were requested to provide information on the susceptibility of the equipment to particulates in the IA system. Some vendors indicated that if their equipment was supplied with IA which met the ISA standard, no failures should be expected. However, since the ISA standards, which allow a maximum particulate size of 3 microns, were not met at Turkey Point, the vendors were subsequently requested to provide information on the maximum particulate size that would not impair the operation of their safety-related equipment. Table 4 presents the results of that survey (Ref. 22).

Table 3 Potential Effects of the Presence of Particulates in the Instrument Air System Upon Safety-Related Equipment at Turkey Point 3 and 4 (Ref. 21)

| Components Affected | Result of Each Failure |
|---|---|
| All flow control valves for AFW to steam generators for both units: CV-3-2816, 2817, 2818; CV-4-2816, 2817, 2818; CV-3-2831, 2832, 2833; CV-4-2831, 2832, 2833 | "Control of valve is lost. AFW to S/G cannot be established, or may not be controllable" |
| All AFW pump turbine differential pressure transmitters and speed controllers for both units: CPT 2401, 2402, 2403; DPC 2401, 2402, 2403 | "Trip and throttle valve control will be unavailable. Trip and throttle valve position is indeterminate for component failure" |
| All AFW flow avg I/P converters for both units: Y-3-1401, 1457, 1458; Y-4-1401, 1457, 1458 | "Automatic or Manual control of the AFW pump to Steam Generator supply valves may be unavailable." |

A review conducted by the licensee found that most of the safety-related equipment installed in the plant was not equipped with the filter sizes recommended by the manufacturers. For some equipment, no filters were installed. The licensee subsequently purchased and installed the correct size filters upstream of the safety-related equipment.

In addition to the engineering support from the architect engineer, the licensee obtained the services of a consultant with extensive knowledge of IA systems. Based on the consultant's evaluation, the licensee initiated the following modification, repair, maintenance, testing and surveillance activities on the IA system and components that had previously been affected by contaminated air:

- The air dryer desiccant columns and post dryer air filters were changed out;
- Individual filters were either installed or replaced upstream of critical components in the AFW and MFW systems (e.g., valve positioners, I/P converters);
- The selector switches, cycle timer, and three-way valve limit switch on the No. 4 instrument air dryer were replaced;
- Periodic dew point checks were initiated at critical locations (e.g., air dryer outlet, AFW and MFW regulators);
- Control valves and regulators associated with the AFW and MFW systems were blown down and cleaned out; and
- Provisions were made to periodically blow down the IA system including the moisture separator and low points of the system which tend to collect moisture.

Table 4 Maximum Acceptable Particle Size for Reliable Operation of Safety-Related Equipment at Turkey Point 3 and 4 (Ref. 22)

| Function | Component No. | Manufacturer | Maximum Acceptable Filter Size (Microns) |
|---|---|---|---|
| Steam dump to atmosphere | CV *-1606, -1607, -1608 | Fisher-Governor | 40 |
| Salt water from essential heat exchanger | CV *-2201, -2202 | Fisher-Governor | 40 |
| Charging flow to reactor coolant system | HCV *-121 | Fisher-Governor | 40 |
| RHR outlet flow control | I/P *-758 | Fisher-Governor | 40 |
| | HCV *-758 | Continental | 25 |
| AFW to steam generator | CV *-2816, -2817, -2818, -2819, -2831, -2832, -2833 | Valtek | 25 |
| AFW flow I/P converter | F/Y *-1401A-6&B-6, -1457A-6&B-6, -1457A-6&B-6 | Masoneilan | 5 |

* Indicates two components: replace * by 3 for Unit 3 and by 4 for Unit 4 (e.g., CV*-1606 = CV-3-1606 and CV-4-1606).

Table 5 provides a history of AFW valve problems that were experienced on Unit 3 during July 1985. It should be noted that the AFW system lineup is such that failures of steam generator flow control valves CV2831, 2832, and 2833 constitute a loss of train No. 2, which serves the B AFW pump, and failures of CV2816, 2817, and 2818 would constitute a loss of train No. 1, which serves the A and C AFW pumps. As noted in Table 5, air system contamination had the potential to render both AFW trains inoperable. On July 25, 1985, by 5:40 a.m. all 12 regulators had been cleaned; however, less than 4 hours later one of the valve positioners again failed. By 12:37 a.m. on July 22, 1985, AFW control valve CV-2833 was cleaned and released for operations. Three minutes later, the level in steam generator B dropped, resulting in an AFW actuation. Subsequently, the A and C turbines tripped on mechanical overspeed and the B pump operated erratically and tripped on electrical overspeed. At that point, all three AFW turbines were inoperable. The operator reset the mechanical overspeed trip and restarted one of the AFW turbines.

Subsequent to the TMI accident, the NRC and the licensees have been focusing attention on the potential that a loss of IA would have upon the operation of the AFW system. Like many other PWRs, Turkey Point 3 and 4 installed backup nitrogen accumulators to assure that the AFW controls would be available upon the loss of IA. In 1985, the NRC resident inspectors found, however, that:

(1) The Turkey Point plant staff did not have adequate procedures to enable operators to operate the AFW system upon loss of the IA system.

(2) The backup accumulators were not being tested to confirm that the AFW system would operate properly upon a loss of the IA system.

(3) The accumulators would provide only 6 minutes of control air to the AFW system vs. the licensee's design value of 30 minutes. A test confirmed the inspector's calculations.

(4) The supports for the tubing connecting the nitrogen accumulator to the AFW system were not spaced in accordance with the architect engineer's recommendations. As a result, the possibility existed that the "safety-related" nitrogen accumulator backup system would not be capable of performing its intended function subsequent to a design basis accident (Refs. 19 and 20).

Table 5. Turkey Point Unit 3 AFW Valve History During July 1985 (Ref. 18)

| Day | Date | Time | Event / Corrective Action |
|---|---|---|---|
| Sunday | 7/14 | 2003 | CV-2833 sticks open. Cleaning positioner booster solves symptom. |
| Monday | 7/22 | 0000 | CV-2833 fails to reclose. Actuation of blow out plug on positioner allows valve to close. While attempting to check calibration of CV-2833 found I/P would drift up slowly. Trouble shooting finds I/P exhaust port clogged. I/P cleaned, calibrated and reinstalled. Cleaned positioner, verified loop cal. Released to operations @ 12:37. |
| Wednesday | 7/24 | 0640 | CV-2832 & CV-2833 fails to reclose. |
| | | 0730 | All six I/P's and positioners are cleaned. Cleaned and calibration checked "B" train. Found CV-2831 I/P non-linear due to fouled booster port on I/P. Stroked all valves satisfactorily. Released to operations at 12:20. |
| | | 1244 | CV-2833 failed to close on AFW test. Actuated blow out plug on positioner, restroked 5 times satisfactorily. |
| | | 1400 | CV-2833 positioner's regulator inspected. Found moisture and a thin undefined film in regulator. Blew down instrument air lines to both trains and found moisture, and an undefined black substance in lines. |
| Thursday | 7/25 | 0540 | Cleaned all (12) regulators and swapped AFW control valve positioners for CV-2833 & CV-2817. |
| | | 0913 | CV-2817 fails to reclose. Decision made to replace positioner on CV-2817 with a QC positioner from the chiller system. |
| | | 1705 | CV-2817 stroke checked and released to operations. |
| Friday | 7/26 | 0950 | CV-2817 did not fully close. Found positioner was inadequately set for valve travel. Adjusted stroke on positioner and released to operations. |

As a result of the aforementioned deficiencies, the licensee improved the subject procedures, modified the backup nitrogen accumulator system, and committed to implementing appropriate operator training. However, backup accumulators were not provided for the MFW bypass valves which control the diverse AFW flow (motor-driven standby startup pumps).

The licensee recognized the severity of the IA degradation problem and took appropriate corrective actions in July 1985. However, two months later, on September 20, 1985, plant operators allowed the IA to completely bypass the dryers. The Unit 4 IA dryer was removed from service due to a purge valve failure (Ref. 23) and rather than routing the air through the Unit 3 air dryer (in accordance with approved operating procedures), the plant operators allowed the air to completely bypass all dryers. In approximately 6 hours, the Unit 4 air dryer purge valve was repaired and the system was returned to normal operation. However, during the 6-hour period that the air dryers were bypassed, much safety-related air-operated equipment was put at risk of common mode failure as a result of moist IA. Although there were no immediate component failures, the moisture which entered the IA system during that 6-hour period had the potential to cause longer term effects such as pitting, corrosion, and oxide formation on the IA system surfaces which could result in future equipment malfunctions.

5.1.2.2 Indian Point 2

Indian Point 2 has also experienced AFW regulating valve problems as a result of moisture in the IA system (Refs. 24 and 25). These problems were manifested in sluggishly operating AFW flow regulating valves. The valves had to be manually controlled to prevent overfeeding the steam generators. Similar to Turkey Point 3 and 4, moisture in the instrument air system caused the I/P converters to malfunction. The licensee's short term corrective action was to blow down the IA lines and clean and recalibrate the I/P converters. Over a 5-year period, poor quality IA has caused many I/P converter failures at Indian Point 2. Some of the components affected have been the AFW flow regulating valves, the charging pump flow control valves, and the MFW flow regulating valves.

The Indian Point 2 IA system uses refrigeration-type dryers in series with desiccant-type dryers. The Indian Point 2 IA system has been cited, however, for having many recurring maintenance work orders on this system (Ref. 26). Because of faulty dryer operation, the licensee is presently considering modifying the IA drying system. The licensee has indicated that IA system maintenance has been a major source of recurring maintenance operations, with most of the problems emanating from the refrigeration dryers. The Indian Point 2 IA system lines are all copper, to minimize rust potential. However, the IA system does not have any "satellite" filters upstream of the air-operated equipment, to minimize contamination from small particulates.

5.1.3 BWR Scram Systems

5.1.3.1 Susquehanna

On October 6, 1984, while Susquehanna 1 was operating at 60% power, two control rods failed to insert during individual rod scram testing. Further scram testing revealed that a total of four rods would not insert while nine additional rods hesitated before inserting. A similar event had occurred previously at Susquehanna on June 13, 1984, when several control rods hesitated momentarily before inserting (Ref. 9). Two of the control rods that failed to insert on October 6 had not met the technical specification scram time requirements on June 13. The licensee did not become aware of the June 13 malfunctions until the October 6 failures were investigated.

The October 6 failures were attributed to common mode contamination of the IA system. The combination of contaminants (oil and/or water) and high temperatures (140°F) caused the scram pilot solenoid valve (SPSV)* internals to degrade and become stuck. The SPSV polyurethane disc holder subassembly seats were found to be stuck to the SPSV exhaust port orifice. This prevented air from the scram inlet and outlet valve air operators from bleeding off through the SPSV exhaust ports, which prevented the scram inlet and outlet valves from opening. Figure 2 illustrates the scram valve arrangement; Figure 3 shows the internal components of the SPSV.

* Susquehanna 1 and 2 and some of the new BWRs use ASCO "T" solenoid valves. Most BWRs use the valves discussed in Section 5.1.3.2.

Independent laboratory examinations of the failed solenoid pilot valves concluded that the polyurethane parts degraded because of a combination of contamination in the IA and elevated temperature (Ref. 27). The first laboratory (Franklin Institute) cited the failure mechanism as hydrolytic decomposition of the polyurethane seats due to a combination of water and elevated temperatures. The second laboratory (General Electric) indicated that polyurethane seat failure was caused by contamination of the IA with a synthetic diester oil (SDO, which is a plasticizer). Both Franklin Institute and General Electric recommended replacing the polyurethane seats with a seat material capable of operating at high temperatures and having an improved contaminant resistance. The recommended material was Viton-A. The licensee changed out all of the SPSV polyurethane seats on Units 1 and 2 (i.e., about 290 seats) for all Unit 1 control rods, half of the Unit 2 control rods, and all the backup scram valves. (Half of the SPSV discs for the Unit 2 control rods had already been replaced in 1983 with Viton-A discs.)

It is important to note that due to the common air supply, the common mode failure potential (i.e., water/oil and high temperature*) which existed for the Unit 1 and 2 control rods, also existed for the SPSVs that actuate the backup scram valves. The backup valves are intended to provide a diverse scram capability to protect against common mode failures.

The licensee's investigation found also that the pilot solenoid valve for the scram discharge volume vent and drain valves on Unit 1 had a polyurethane disc which was also susceptible to the same type of failure. The solenoid pilot valves for the vent and drain valves were also replaced with other pilot valves having Viton-A discs.**

* The SPSVs for the backup scram valves are not normally subjected to temperatures as high as the scram inlet and outlet valve SPSVs. However, they are tested less frequently than the scram inlet and outlet valve SPSVs.

** The valve chosen was a larger size, made by another manufacturer. The original Unit 1 valve was undersized and the replacement made was the same as the one on Unit 2.

[Figure 2. Scram Valve Arrangement. Note on figure: scram inlet and outlet valves are air to close, while scram discharge volume vent and drain valves are air to open.]

[Figure 3. Layout Drawing of Scram Pilot Solenoid Valve (front view).]

The October 6, 1984, scram system degradation at Susquehanna was later to be reported to Congress as an abnormal occurrence (Ref. 28). The NRC staff concluded that the event involved a "major degradation of essential safety-related equipment," and demonstrated the plant's susceptibility to common mode failure. The failure cause reduced the "required high probability of shutting down the reactor in the event of an anticipated operational occurrence" (Ref. 28).

Another scram discharge volume (SDV) system component failure attributed to contaminated air occurred at Susquehanna 1 on December 21, 1984 (Ref. 29). During surveillance testing a solenoid air pilot valve which controls the SDV vent and drain line isolation valves malfunctioned as a result of particulate matter that was lodged between the pilot valve disc and the valve seat. As a result the SDV vent and drain valves were stuck open. Since the reactor was at power, if the pilot valve had failed to fully seat after a scram, the potential for an unisolated primary leak outside containment would have significantly increased.

5.1.3.2 Dresden 3

During recovery from a reactor scram from 81% power on September 19, 1985, Dresden 3 experienced a leak of reactor coolant outside primary containment. The leakage path was through the scram outlet valves and the SDV vent and drain valves (Refs. 30, 31, 32).

After the reactor scrammed, the control room operators attempted to reset the reactor protection system (RPS). RPS channel A was successfully reset but channel B could not be reset.* This channel configuration allowed SPSVs to vent air, resulting in reduced air header pressure. The reduced air header pressure (38 psig) was sufficient to allow the SDV vent and drain valves to open (opening pressure ~8 to 15 psig), but it was not sufficient to enable the scram inlet and outlet valves to reclose (~42 psig required to close). For approximately 23 minutes reactor coolant leaked outside primary containment into the reactor building. The high temperature reactor coolant flashed to steam, resulting in elevated radiation levels on the first three floors of the reactor building.

* Channel B remained tripped because of stuck contacts on the reactor mode switch. However, a similar event could be initiated by a similar half scram caused by errors in maintenance or surveillance preceded by a full scram.

Subsequent scram system tests indicated that many of the SPSVs had degraded internal parts (e.g., o-rings, diaphragms). Several SPSVs which had been recently refurbished, however, also leaked as a result of the half scram configuration.

A similar event had also occurred in 1972 at Dresden 2. An IE information notice (Ref. 33) was issued after the event to alert licensees of the potential for reactor coolant leakage at BWRs having two separate ASCO scram pilot air solenoid valves. This potential was not associated with plants having the ASCO "T" solenoid valves.

5.1.4 Power-Operated Relief Valves and Low Temperature Overpressurization Protection Systems

5.1.4.1 Ginna Tube Rupture Event

On January 25, 1982, the Ginna nuclear power plant experienced a steam generator tube rupture and reactor trip from 100% power. Shortly after the reactor tripped, IA inside containment was automatically isolated due to an actuation of the engineered safety features actuation system (ESFAS). As a result, control of numerous valves inside containment was lost (e.g., the chemical and volume control system (CVCS), charging and letdown line valves, the pressurizer spray valve and the auxiliary pressurizer spray valve). The IA supply to the pressurizer PORVs was also isolated, although nitrogen (stored in backup accumulators) could be used to actuate the PORVs. Recovery from the rupture was thereby significantly hampered by malfunctioning and inoperable air-operated valves (Ref. 5).

To facilitate recovery, the operators reset safety injection. When the ESFAS was reset, IA and control of many of the air-operated valves inside containment was restored. The operators attempted to reduce primary system pressure by cycling one of the pressurizer PORVs after IA was restored. (The backup nitrogen system could have been used earlier while the IA system was isolated, but, as noted in Ref. 5, the IA system was the "preferred system for controlling the pressurizer PORV...") The PORV was successfully cycled three times within 2 minutes, but failed to reclose after the fourth time it was opened.

To terminate the RCS blowdown (concurrent with the steam generator tube rupture), the operators closed its associated block valve. The operators eventually successfully shut the plant down. However, if the operators had failed to recognize that the PORV was stuck open, or if the block valve had malfunctioned, the operators' ability to bring the plant to a safe shutdown would have been seriously impacted.

Following the event, the licensee performed several tests on the PORV that had stuck open. The tests concluded the following:

• Failure of the PORV to reseat was most likely caused by dirt in the instrument air.

• Dirt in the instrument air was believed to have plugged the air discharge lines downstream of the PORV actuators (solenoid valves; see Figure 4).

• The plugged discharge line had blocked bleedoff, thereby preventing closure of the PORV.

• Prior to the event, the licensee had intentionally crimped the air discharge line in order to increase the PORV closure time for operation in the low temperature overpressurization (LTOP) mode. However, a review of vendor installation and maintenance instructions conducted after the event found that restricting the exhaust lines was specifically prohibited. The vendor's instructions also indicated a need for a filtered air supply. However, no "satellite filters" had been installed in the IA system.

Prior to returning to power, the licensee replaced the discharge line to remove the crimps. However, the licensee did not install "satellite filters" upstream of the valves.

[Figure 4: Low Temperature Overpressure ... (figure not reproduced)]

5.1.4.2 Westinghouse PWR Low Temperature Overpressurizations

This section discusses several LTOP events which occurred at selected Westinghouse PWRs. A comprehensive study and listing of LTOP events is provided in Reference 34. There have been many events at Westinghouse plants in which the loss of IA resulted in an LTOP of the reactor coolant system (Refs. 35, 36 and 37).

Typically, in these events, the loss of IA resulted in closure of the letdown line isolation valves, the opening of valves in the charging line, and an increase in the charging pump speed (i.e., flow). One such event occurred at Farley 2 on October 15, 1983.

The plant was "solid" (in preparation for startup). An operator inadvertently isolated the IA system. As a result, while the charging pump was on, the letdown line isolated (per design) and the throttle valve in the charging line opened to its full open position (per design). The RCS pressure increased and relieved through one RHR pump suction relief valve. The other RHR train's relief valve was unavailable. The RCS pressure rose to 700 psi which was in excess of the FSAR's calculated value for an LTOP event (Ref. 37).

Other IA failures have caused events at many plants in which the PORV or LTOP protection system were degraded or made inoperable (Refs. 38, 39, 40). A review of these operating experiences has shown that human error, technical specification deficiencies and equipment failures can increase the likelihood of an air system-induced LTOP event, which can result in the 10 CFR 50 Appendix G limits being exceeded. A discussion of the causes of some of these events is presented below:

Maintenance, surveillance, or testing errors made during shutdown could negate LTOP protection features. As a result, features which are relied upon to limit primary system pressure may be rendered inoperable, thereby resulting in primary system pressurization in excess of Appendix G limits.

For example, an event occurred at Point Beach Unit 2 in which a human error associated with the IA and backup nitrogen control for PORVs prevented a PORV from operating to mitigate the pressurization event. The PORV was blocked for 4 months because an IA valve had been left closed. The event was attributed to a procedural inadequacy in which the maintenance personnel were not specifically instructed to reopen the valve after the maintenance was completed (Ref. 40).

As noted in an earlier study (Ref. 34), the technical specifications for many PWRs allow redundant PORVs which are relied upon for LTOP mitigation to be inoperable for up to 7 days. Between 1980 and 1983, 37 LTOP events were reported in which one or both trains of the overpressure mitigation system were disabled. In 12 of the events, both trains were inoperable. Essentially, the LTOP protection system was prone to single failures.

Another AEOD study (Ref. 41) indicated additional technical specification inadequacies of LTOP protection systems.

Two LTOP events which occurred at Callaway (Ref. 42) were induced by air system problems. On a loss of air, the positive displacement charging pump went to full speed, accompanied by closure of the letdown line and full opening of the valves in the charging/makeup line. The LTOP mitigation system functioned properly (the PORV opened manually during one event, and operated automatically during the other event - both events taking place on the same day). However, if one PORV had been out of service (as allowed by plant technical specifications for 7 days), and the other valve malfunctioned, a potentially serious event could have occurred, since the primary system was "solid."

5.1.5 Service Water and Component Cooling Water Systems

5.1.5.1 Service Water System - Calvert Cliffs 1 and 2

On May 20, 1980, with the reactor operating at 100% power, an air compressor intercooler at Calvert Cliffs Unit 1 developed a leak which resulted in loss of the Unit 1 service water system (Refs. 43 and 44). Leakage of air into the service water system caused pump cavitation, which subsequently shut down both service water pumps. The loss of service water flow caused the feed pump turbine bearing and the main turbine bearing temperatures to increase. The operators responded by manually scramming the reactor.


The Unit 1 instrument and plant air compressors also tripped on the loss of service water. The Unit 2 PA system then automatically supplied air to the Unit 1 IA and PA systems via the cross-connection line. With the Unit 2 compressors supplying air to both the Unit 1 and Unit 2 air systems, a reduction in the Unit 2 air system pressure occurred. An attempt was made to prevent loss of the Unit 2 IA system by diverting a limited amount of Unit 2 service water to the Unit 1 air compressors. However, the operators received alarms indicating cavitation of the Unit 2 service water system pumps. The indicators included low service water header pressure and high head tank level. Those signals were similar to those previously received for the Unit 1 service water pumps when they cavitated. In order to avoid losing the Unit 2 service water system, the operators reclosed the valves in the cross-connect line. Following this action, the Unit 2 service water system returned to normal.* If the operators had allowed the Unit 1 air compressors to be cooled by Unit 2 service water, this event might have resulted in the simultaneous loss of service water at both Units 1 and 2, in addition to a simultaneous loss of IA at Units 1 and 2.

Although the actual safety consequences of the May 20, 1980 event were limited, the event demonstrates the vulnerability of redundant safety-related systems in adjacent units to a single failure in the nonsafety-related air system. At Calvert Cliffs the service water system provides cooling to the emergency diesel generators, the containment air coolers, and the spent fuel pool heat exchangers.

A similar event occurred at Calvert Cliffs about 3 months later (Ref. 45).

During the latter event, a different tube leaked in the air compressor aftercooler, causing a flow of air into the service water system. The air which accumulated was vented and the service water system continued to operate satisfactorily. The licensee's planned corrective action was to change out the aftercooler tubing.

* Subsequent to shutdown of the Unit 1 air compressor IA continued to leak through the intercooler into the Unit 2 service water system.

5.1.5.2 Component Cooling Water System - Calvert Cliffs 1 and 2

On October 22, 1981, plant personnel at Calvert Cliffs Unit 1 discovered that air-operated isolation valves on the component cooling water system would fail open on a loss of air or electrical power, even though the fail safe position (plant safety analysis assumption) is to have them fail closed upon loss of air or electrical power (Refs. 46 and 47). Safety-related equipment served by the component cooling water system includes the shutdown cooling heat exchangers, the letdown heat exchanger, the reactor coolant pump seals, the HPSI pump seals, and the LPSI pump seals. Five years earlier, the licensee had issued facility change requests to modify the valves, but implementation of the requests had been delayed.

After the deficiency was rediscovered on Unit 1, instrumentation and control (I&C) personnel were requested to evaluate the corresponding Unit 2 valves and determine their failure positions. The I&C personnel examined the valves and reported that they would fail closed on a loss of air or electrical power. The next day, the NRC resident inspector requested that the licensee reverify the Unit 2 valves' failure positions. It was then discovered that the Unit 2 valves would also fail open (unconservatively) on a loss of air or electrical power.

5.1.5.3 Salt Water Cooling System - San Onofre 1

On March 10, 1980, with the plant operating at 100% power, San Onofre Unit 1 sustained a total loss of salt water cooling for 58 minutes. Subsequent investigations performed by the licensee concluded that desiccant contamination of the IA system was one of the principal causes of the event. Desiccant particles in the IA had acted as abrasives and degraded an O-ring seal of an air-operated valve, thereby disabling one of the salt water cooling system's redundant trains. Later analyses (Ref. 2) indicated that under certain conditions (e.g., in the early stages of RHR operation), a total loss of the salt water cooling system could lead to damage to safety-related equipment in only a few minutes. Some of the safety-related equipment which could be so affected are RHR heat exchangers, charging pump oil coolers, RHR pumps, spent fuel heat exchangers, and recirculation heat exchangers.

Fortunately, the March 10, 1980 loss of salt water cooling event (and four subsequent similar events at that plant) did not occur during the early stages of RHR operation. To improve the reliability of the salt water cooling system, the licensee removed its inter-dependency on the air system by replacing the air-operated valves with check valves and administratively controlled motor-operated valves in series.

5.1.6 Main Steam Isolation and Feedwater Isolation Valves

5.1.6.1 Byron, Callaway, Summer and Vogtle

During startup testing on March 14, 1985, the Byron 1 plant was intentionally tripped from 12% power as part of a loss of offsite power test (Ref. 48). With the loss of ac power, the station air compressor tripped, resulting in a gradual depressurization of the IA system. During the transient, a low steam line pressure signal occurred and two of the four main steam isolation valves (MSIVs) closed. One MSIV remained fully open, and the other closed only partially.

Attempts to manually close the two valves were unsuccessful. Operators eventually were able to close the valves with the assistance of air-powered hydraulic pumps after IA pressure was restored.

Each MSIV is provided with an accumulator bottle isolated from the MSIV by two check valves. The purpose of the check valve is to allow accumulator air to provide motive power to the MSIV in the event of a loss of the IA system.

Subsequent bench testing of spare valves and in-situ testing of valves which were installed in the plant revealed that 11 out of 19 air check valves associated with the MSIV accumulator bottles would not close tightly on a gradual loss of IA pressure (there are two air check valves per MSIV). However, testing showed that the valves would close properly for a rapid loss of IA pressure.

NRC issued an information notice on this event to all U.S. nuclear power reactor facilities (Ref. 49). The information notice reported that many U.S. plants are known to depend upon the same type of air check valve/actuators to close MSIVs and feedwater isolation valves (FWIVs) upon loss of IA. The list of known applications appears in Table 6.

Table 6  Plants with Air Check Valves/Actuators Similar to Byron 1

Plant                  Application
Byron 2                MSIV
Braidwood 1, 2         MSIV
Callaway               MSIV, FWIV
Wolf Creek             MSIV, FWIV
WNP 1                  MSIV, FWIV
WNP 3                  MSIV
Palo Verde 1, 2, 3     MSIV, FWIV
Millstone 3            FWIV
Summer                 FWIV
Waterford 3            FWIV
Vogtle 1, 2            FWIV

Each MSIV at Byron and Braidwood has two check valves in the air supply line to the valve actuators (Ref. 50). The failure of either check valve to seat properly would result in the MSIV partially closing. The failure of both check valves would result in the MSIV remaining fully open.

Subsequent to determining the cause of the MSIV failures at Byron, and before finding a permanent solution, the licensee installed the eight check valves that had passed the in-situ and bench leakage tests (slow depressurization tests) in the plant. Following this temporary corrective action, the licensee proceeded with startup testing. The NRC agreed to this interim corrective action on the condition that the MSIVs' ability to close during a gradual air system depressurization be tested monthly. When the licensee performed the first monthly tests of the MSIVs, two of the eight check valves failed. Subsequently, the check valves were modified to assure closure upon a gradual loss of IA pressure.

Based upon information provided by the supplier, similar check valves have been replaced at other plants. Some of the affected plants had been operating with the check valve design deficiency for a considerable period of time prior to becoming aware of the problem. For example, the Callaway plant had operated for several years prior to being notified of the problem. The Callaway plant FWIVs were also found to be subject to the same kind of check valve design deficiency. Until the deficiencies were corrected, the Callaway plant had an elevated probability for having both multiple MSIVs and FWIVs remain open during an operational transient or accident.

Byron 1 operated with the faulty air accumulator check valves at low power for about 1 month. Callaway operated with faulty accumulator check valves on the MSIVs and the FWIVs at full power for about half a year. During these periods, the plants were operating outside the bounds of the plant FSAR accident analysis assumptions (i.e., a main steamline break with multiple isolation valve failures could have resulted in offsite doses in excess of those presented in the FSAR).

The Summer and Vogtle plants have MSIVs of a different design which was not vulnerable to the aforementioned check valve failures. However, the FWIVs at these plants were provided with similar check valve/actuators that were subject to the aforementioned check valve failures. Although the main feedwater system is not a safety system, plant safety analyses take credit for FWIV closure. For example, the Summer FSAR assumes that the FWIVs perform their safety function during the following events:

(1) Excess heat removal due to a feedwater system malfunction, (2) Major rupture of a main steam line, and/or (3) Major rupture of a main feedwater line.

The Summer plant received notification of the air accumulator check valve problem in May 1985 (Ref. 49). In September 1985, a feedwater transient and IA system isolation occurred at 93% power at Summer. The event was accompanied by an improperly seating check valve that prevented the FWIV from closing on demand (Ref. 51). After the September event, new positive closing check valves were installed in the air supply line to the FWIVs.

5.1.6.2 Turkey Point 3 and 4 and H. B. Robinson 2

In February 1985, NRC inspectors found that MSIV surveillance testing at Turkey Point 3 and 4 had been performed in a manner that did not verify operability during accident conditions. Similar findings had been made earlier at H. B. Robinson 2 in November 1984 (Ref. 52). The nonsafety-related (unqualified) air systems at all three plants were being relied upon to assist MSIV closure. This was contrary to the FSAR, which assumed that unqualified air systems were unavailable during the postulated accidents.

Subsequent analysis and testing was performed which showed that the MSIVs would not close under certain accident conditions. The air accumulators alone did not have adequate capacity to assure MSIV closure for low steam flow conditions (i.e., a small steam line break). The Turkey Point 3 and 4 MSIVs are spring loaded and closure force is provided by air stored in accumulators mounted on the valve assemblies, assisted by IA, and the steam flow (Ref. 53). The assisting force from the steam flow during a small steam line break would not be adequate to assure MSIV closure. Failure of the MSIVs to close could result in an uncontrolled steam blowdown which could result in the loss of the steam generators as the secondary heat sink. In addition, the only "qualified" AFW pumps at Turkey Point 3 and 4 in February 1985 were steam driven. The occurrence of a loss of IA followed by a small steam line break could have jeopardized the ability of the AFW system to remove reactor decay heat to bring the plant to a safe shutdown. The licensee for Turkey Point determined that MSIV closure would be assured for a large steam line break, even without IA.

The licensee for Turkey Point issued a Part 21 notification and took several corrective actions. The actions included increasing the air accumulator volumes, developing procedures to require a plant shutdown on loss of the IA system, and installing a temporary backup diesel-driven air compressor until the accumulator modifications were made.

H. B. Robinson Unit 2 was also found to have a similar MSIV accumulator sizing deficiency. An interim corrective action proposed for H. B. Robinson Unit 2 was to provide redundant nitrogen bottles to back up the air accumulators.

Several additional plants were also suspected of having similar MSIV accumulator deficiencies. Those plants found to require corrective actions were Haddam Neck and St. Lucie 1 and 2 (Ref. 54).

5.1.6.3 Brunswick

On September 21, 1985, during surveillance testing at Brunswick 2 three pneumatically operated MSIVs failed to fast close (Refs. 55, 56). Two of the valves that failed to fast close were on the same steam line. An investigation of the failures found that the MSIVs failed to close due to disc-to-seat sticking of the air actuator solenoid air pilot valves. The internal O-rings on the solenoid valves were also found to be degraded. They were brittle, and several O-rings were stuck to the valve body. Several solenoid valve discs came apart after becoming brittle. Pieces of one solenoid valve disc became wedged in the valve's exhaust port. One valve disc stuck to the exhaust port while another valve lost a piece of its disc.

A laboratory analysis of the three failed solenoid valves determined that a significant amount of hydrocarbon was present in the valves. The combination of hydrocarbons and elevated temperature caused the ethylene propylene discs to swell and fill the solenoid valves' exhaust ports. The swelling blocked the discharge of air in the air actuator and increased the frictional force opposing solenoid valve core movement. The IA system was believed to have been the source of the hydrocarbon contamination. (The valve manufacturer discounted the possibility that the hydrocarbons were introduced during the valve manufacturing process.)

From a safety standpoint, a steam line break with two failed open MSIVs on the same main steam line is an unanalyzed event. The plant's FSAR analysis of a main steam line break accident takes credit for fast closure of at least one of the two MSIVs on each steam line. Closure of the MSIV limits the loss of reactor coolant and the release of radioactive materials outside containment. Failure of both MSIVs on the same steam line would result in a more severe accident than that analyzed in the FSAR.

Because of the susceptibility of the ethylene propylene solenoid valve parts to hydrocarbon contamination, the licensee replaced all of the solenoid valves with a type having Viton discs and seals. Viton has a higher tolerance to hydrocarbon contamination, but a lower threshold to radiation damage. Accordingly, the Viton parts must be changed out more frequently.

The September 27, 1985, MSIV failures at Brunswick 2 demonstrated that contamination of a "nonsafety-related" air system has the potential to cause multiple failures of safety-related components. The results of such failures could, in the event of an accident, result in conditions having consequences which exceed the plant's design basis. Specifically, the failure of three MSIVs to fast close during the event was a major degradation of essential safety-related equipment. Accordingly, the event was also reported to Congress as an abnormal occurrence. The abnormal occurrence report categorized the event as one which resulted in the "loss of plant capability to perform essential safety functions such that a potential release of radioactivity in excess of 10 CFR Part 100 guidelines could result from a postulated transient or accident" (Ref. 57).

5.1.7 Emergency Diesel Generators

5.1.7.1 Air Starting System

Nuclear plant emergency diesel generators (EDGs) typically have dedicated air start systems, consisting of high pressure compressors (~200-300 psig) and air receiver tanks. Some diesels are crank started by injecting high pressure starting air directly into the engines while others are started by motors which are driven by the starting air. Although the starting air compressors are not safety grade in many plants, the air receiver tanks and the piping downstream of the receivers are safety grade at all plants.

Many events have been reported which involved a failure of an EDG to start as a result of poor starting system air quality (e.g., dirt, moisture, corrosion, sticking of system components due to contaminants). Inadequate EDG starting system air quality is not a new problem. In the late 1970s, the NRC had a contractor conduct a study of EDG operating experience (Ref. 58). The study presented many recommendations for improving EDG reliability. One of the recommendations was to upgrade the EDG starting air system to improve the quality of the starting air. Standard Review Plan 9.5.6 (Ref. 59) was formulated as a result of the aforementioned study. It requires new plants to meet many of the study's recommendations by installing dryers in the EDG starting air system. However, the EDG starting air systems of older plants are not required to meet those air quality standards.

5.1.7.2 Pneumatic Controls - Cooper-Bessemer, Nordberg

The analysis and evaluation of operating data for this study revealed that several plants (e.g., Zion 1 and 2, Cooper and Susquehanna 1) have experienced unanticipated shutdowns of operating EDGs as a result of failures in the EDG pneumatic control system. All of the EDGs designed and built by Cooper-Bessemer have pneumatic control systems which operate off the air starting system.*

* These EDGs are located at: Zion 1 and 2; Cooper; Susquehanna 1 and 2; Palo Verde 1, 2, and 3; Byron 1 and 2; Braidwood 1 and 2; Waterford 3; South Texas; and Nine Mile Pt. 2.

Cooper-Bessemer technical personnel have stated that during operation, Cooper-Bessemer EDGs require a continuous source of control air, consuming about 5 standard cubic feet per minute (scfm) (Ref. 60). Since the EDG air start system is the source of the control air, and since the air start system compressors may not be seismically qualified, these EDGs may not be available following an earthquake. The control air for the Cooper-Bessemer diesels may therefore be limited to what remains in the receiver tanks subsequent to starting.

Assuming an air start receiver volume of about 60 ft³ (Ref. 60), and a receiver pressure of about 15 atmospheres, neglecting the air consumed during starting, it is estimated that the receivers would have enough air to control the EDG for about 2 hours. Upon receipt of a low receiver pressure signal, the EDG would shut down. Discussions with NRC and utility personnel familiar with Cooper-Bessemer EDGs revealed that they were not aware of this design arrangement and the potential for depleting the control air supply during continuous EDG operation.

A limited review conducted for this study indicates that this control air dependency may also exist at other plants having pneumatically controlled EDGs (i.e., Nordberg* and possibly DeLaval). In order to assure continuous EDG operation** at plants having the aforementioned pneumatic control systems, it may be necessary to assure that the EDGs have long term sources of qualified (safety grade) control air.

5.1.7.3 Emergency Diesel Generator Cooling - Maine Yankee, Haddam Neck

A recent study (see Appendix B) has identified design deficiencies at Maine Yankee and Haddam Neck. At each plant the failure of a single air-operated control valve could result in the simultaneous failure of both of each plant's EDGs. The study concluded that the design deficiencies were not generic and appeared to be confined to those two plants (Ref. 61).

In the case of Haddam Neck (1985), air-operated control valves for the EDG cooling system (service water) were found to fail open in the event of a postulated loss of air. Similarly, a loss of ac power to the solenoid-operated air-supply valve could also prevent proper operation of the EDG cooling system. For Maine Yankee, it was found that the cooling water temperature control valves to both EDGs (component cooling water system) had a common air supply. A single failure (loss of air) would cause the temperature control valves for each EDG to close, resulting in a loss of cooling for both EDGs. The licensees took prompt corrective action to prevent the loss of multiple EDGs from the aforementioned single failures (air supply valves, loss of air, etc).

* Nordberg EDGs are used at Brunswick 1 and 2, and McGuire 1 and 2. Nordberg's EDG division is now a division of Cooper-Bessemer.

** Minimum EDG fuel requirements are typically 7 days of continuous full load operation.

5.1.8 Safety Injection Systems

5.1.8.1 Fort Calhoun

On September 17, 1982, the Fort Calhoun licensee informed NRC of the results of its review of environmental qualification of electro-pneumatic (E/P) valve positioners (Ref. 62). The review found that failure of the "nonqualified" E/P valve positioners would result in an IA system leak. As a result, air-operated valves in the safety injection system would open and allow part of the safety injection flow to be diverted from the reactor coolant system during a postulated LOCA. The plant safety analyses had assumed that the safety injection flow would not be diverted.

The licensee's short term corrective action was to modify the plant's emergency procedures to require operators to monitor the positions of the air-operated valves, and take manual action to assure that the valves were closed during a postulated design basis LOCA. For the long term, the licensee committed to redesign the valve actuation circuitry to assure that no safety injection flow would be diverted from the reactor following a postulated LOCA.

5.1.8.2 Point Beach 1 and 2

On July 24, 1985, the Point Beach licensee informed the NRC of a design deficiency which could result in the failure of the safety injection system at Point Beach 1 and 2 (Ref. 63). It was found that a loss of IA would result in closure of two air-operated valves in the recirculation (and test) line for the safety injection system. The valves were designed to fail closed on a loss of electrical power or IA to assure isolation of the RWST from the containment sump during the recirculation phase of a postulated LOCA. Initiation of a safety injection signal during a small break LOCA would cause the safety injection pumps to start. As long as reactor pressure was above the safety injection pump shutoff head, injection would not take place, and the valve alignment would allow the safety injection pump discharge to return to the refueling water storage tank (RWST). A loss of IA, however, would cause the air-operated valves in the recirculation lines to close. Continued pump operation with the air-operated valves in the closed position could result in the pumps overheating and could possibly cause the failure of both pumps. Valve closure would also occur from a failure of the air-operated valve control circuitry.

The licensee's immediate corrective action included modifying the manual handwheel operators on the air-operated valves to prevent the valves from closing following a loss of electrical power or IA, administratively controlling the position of the air-operated valves, and revising the plant emergency procedures. These actions reduced the potential for having an air system failure degrading the safety injection system. Administrative controls were also added to assure that the containment sump isolation valves would be kept closed until the RWST recirculation line was closed following a postulated LOCA.

The NRC issued Information Notice 85-94 to address the loss of safety injection pump minimum flow protection during a LOCA (Ref. 64). The information notice included details of the Point Beach design deficiency. In response to the recommendations of Information Notice 85-94, the H. B. Robinson 2 licensee found a similar design deficiency. The H. B. Robinson plant's deficiency was discovered on January 7, 1986 (Ref. 65). In order to prevent damage or failure to all three ECCS safety injection pumps, the H. B. Robinson licensee planned to install mechanical blocks to keep the recirculation line air-operated valves open in the event of a loss of IA.

5.1.9 Containment Isolation Valves - Grand Gulf 1 and 2

In May 1982, the NRC was informed by the Grand Gulf licensee that fail safe closure of the plant's air-operated containment isolation valves could not be assured under certain accident conditions. During preoperational testing, which was conducted in accordance with Regulatory Guide 1.80, the plant operating staff discovered that about 48 air-operated containment isolation valves did not close when the IA system was slowly depressurizing. Although the air-operated valves would not close during a slow bleeddown of the IA system, it was believed that the valves would close properly during a rapid air system depressurization. However, subsequent testing which simulated a rapid loss of IA also resulted in failure of the air-operated valves to go to their fail-safe positions. The plant safety analysis had taken credit for closure of the valves during plant transients and accidents. Accordingly, the licensee filed a 10 CFR 21 report (Ref. 66). The Part 21 report stated that the "Instrument Air System" was not seismic Category 1; and that a line break causing a rapid loss of IA was a realistic concern. Had an IA line break occurred coincident with a postulated LOCA, then failure of the pneumatic valves to fail closed could have resulted in a loss of drywell, containment or secondary containment integrity.

The Part 21 report concluded that potential site accident doses could have exceeded the limits specified in 10 CFR Part 100. In response to the Part 21 report, the NRC issued Information Notice 82-25 (Ref. 67) to alert all nuclear facilities of the problem.

The actuators were designed to close the valves properly for a rapid loss of air. Originally, the valve actuators were to use spring-loaded closure mechanisms. However, due to space limitations, the architect engineer (Bechtel) modified the design to use pneumatic actuators for valve closure. The valve procurement specifications required the valves to go to specified positions in the event of a loss of IA. The valve assembly (valve and actuator) procurement documents were in place the year before Regulatory Guide 1.80 was issued. Consequently, the procurement specifications did not require that the valve assemblies meet the testing requirements of the guide.

The pneumatic actuators for the containment isolation valves at Grand Gulf have air accumulators which supply air to the valve actuator cylinders. In the event of a gradual loss of air, the accumulators bleed down to the atmosphere rather than to the actuator cylinder (see Appendix C for the manufacturer's drawings and a description of pneumatic actuator operation). To correct the deficiency, the licensee added safety-related pressure switches to sense supply air pressure. Upon sensing low pressure, the switches de-energize the solenoid air pilot valves, causing the valves to close before air pressure drops below a level which is insufficient to fully close the valve.

More recently, the valve actuator manufacturer has indicated that several utilities have expressed a concern about this deficiency (Ref. 68). However, as of April 10, 1986, the manufacturer was not aware of any plants other than Grand Gulf and Turkey Point that had completed actuator modifications to assure valve closure on a gradual loss of IA. Information Notice 82-25 provides the NRC's generic response for this issue. The information notice is also based on the understanding that the actuator manufacturer had developed a modification which would correct the problem. However, a review of closeout information suggests that no confirmatory action correspondence was developed for this issue for any plants other than Grand Gulf 1 and 2.

5.1.10 Reactor Coolant Pump Seal Injection

5.1.10.1 B&W Generic

In 1983, a B&W plant had an event in which there was inadequate seal injection flow to all four reactor coolant pumps (RCPs). The event was initiated by dirt which blocked and obstructed a pneumatically operated flow control valve (FCV).

Although information about that event is limited, our review of B&W plants found that all B&W 177 design plants have the same single failure vulnerability. The Oconee 3 PRA (Ref. 69) analyzed a similar event. It found that failure of one air-operated FCV (3 HP-31) will cause a loss of seal injection to all four RCPs. Furthermore, a loss of RCP seal injection for as little as half an hour could result in common mode damage to the pump seals and simultaneous seal leakage from all four RCPs (Ref. 69). At Oconee 3 (and other B&W plants), a loss of the IA system would also cause a containment isolation, a loss of component cooling water, and a loss of cooling of all four RCP seals.

Prior to the TMI-2 accident, the NRC did not view a loss of RCP seal injection or RCP seal cooling to be a potentially serious event. More recently, the NRC has designated RCP seal integrity a high priority generic safety issue since the loss of seal cooling or injection could result in multiple small break LOCAs.

It is important to note that in many plants RCP seal leakage and/or failure is highly dependent upon the IA system and components which interact with the IA system. For example, at Oconee 3 it is necessary to restore RCP seal injection within half an hour after closure of air-operated FCV 3 HP-31, in order to prevent RCP seal damage (Ref. 69).*

There is a bypass line around FCV 3 HP-31, but it requires entry into containment to manually open a valve in the bypass line. More importantly, it is not certain that a failure of the air-operated flow control valve FCV 3 HP-31 would be detected and corrective action taken within 30 minutes to prevent RCP seal damage and subsequent seal leakage.

5.1.10.2 St. Lucie

In April 1977, with the plant operating at full power, St. Lucie 1 experienced a failure of the containment IA compressor (Ref. 71). The backup compressor was successfully started, but discharged back through the failed compressor. As a result of the loss of containment IA, air pressure dropped in the system, causing a loss of control of all air-operated valves inside containment. Many of the air-operated containment isolation valves drifted closed, resulting in a loss of RCP seal cooling water. The plant was tripped and the RCPs were secured. Subsequent seal damage resulted.

After the event, the licensee installed a compressed gas cylinder (outside containment). On a loss of containment IA, the gas cylinder can be connected to supply the appropriate air-operated containment isolation valves to assure that RCP seal cooling is maintained.

* Contrary to this reference, the plant emergency operating procedures (Ref. 70) indicate that a loss of RCP seal cooling and seal injection will not result in seal failure if the RCP is shut off.

5.1.11 Reactor Cavity and Spent Fuel Pool Pneumatic Seal Failures

5.1.11.1 Haddam Neck

On August 21, 1984, a gross failure of the refueling cavity seal occurred at the Haddam Neck Nuclear Power Plant, resulting in a rapid draindown of the refueling pool to the top of the open reactor vessel. Approximately 200,000 gallons of water drained from the refueling cavity to the reactor building floor in about 22 minutes. The water filled the reactor building sump and flooded the reactor building to a level of 18 inches.

The Haddam Neck event was caused by a design deficiency of a pneumatic seal, rather than air system malfunction. Nonetheless, other draindown events have occurred at other plants as a result of air system failures (e.g., ANO-2 in 1981, San Onofre 2 in 1984, Sequoyah 1 and 2 in 1985; those events are discussed below).

Following the Haddam Neck event, the NRC issued IE Bulletin 84-03 (Ref. 72), requesting all owners of U.S. LWRs to perform evaluations to determine the susceptibility of their plants to failures similar to that which occurred at Haddam Neck. Licensees were to report their findings to the NRC, and to take action to assure that fuel uncovery during refueling remains an unlikely event at each plant.

At the time of the Haddam Neck event, no fuel was being moved in the refueling cavity. If a fuel assembly was being moved it could have been uncovered, resulting in very high radiation levels, and possibly elevated release of radioactivity outside secondary containment. If the fuel transfer canal had been open, the spent fuel pool could also have drained, possibly uncovering the top of the fuel stored in the spent fuel pool.

5.1.11.2 Susquehanna 1 and 2

In response to IE Bulletin 84-03, the licensee for Susquehanna evaluated the susceptibility of the Susquehanna plant to the type of event which occurred at Haddam Neck. The Susquehanna pneumatically-inflated seal design was very similar to that used at Haddam Neck. However, the Susquehanna plant used two seals in series while Haddam Neck used only one. Nonetheless, it was noted that due to a lack of testing, a failure of one of Susquehanna's redundant seals could go undetected, thereby increasing the likelihood that Susquehanna would be susceptible to a major draining event like Haddam Neck's as a result of a single additional seal failure (Ref. 73).

The review of Susquehanna also found that the redundant seals at Susquehanna are pressurized by a common IA line. A loss of air would therefore result in a common mode deflation failure of both seals which would defeat the dual seal redundancy. In addition, the licensee found that the air supplies to the reactor cavity seals and the air control valves were not adequately labeled. Inadequate labeling of the air supplies could increase the likelihood of an operator error that would cause the loss of both seals. Three air header isolation valves were also found inadequately marked. Inadvertent closure of the valves would isolate the reactor cavity seals from the air supply, thereby affecting seal integrity.

The licensee calculated that reactor cavity seal failures could result in draining the spent fuel pool down to a level 5 inches above the fuel. The calculation showed that with 5 inches of water above the fuel bundles, the radiation level caused by one irradiated fuel bundle would be 100,000 rem/hr at the water's surface. Furthermore, any irradiated fuel raised in the fuel handling equipment would be completely uncovered in the event of a draindown event.

The licensee determined that the instrumentation available to monitor spent fuel pool radiation was incapable of monitoring the high radiation levels which would result from the postulated fuel pool draindown event. In addition, the operators would not have any indication of pool water level or temperature. Adequate knowledge of water level was considered essential for protecting the fuel from overheating and failing. The licensee also noted that there were no operating or emergency procedures for a reactor cavity seal failure, and that the lack of maintenance and testing procedures increased the likelihood of a seal failure (Ref. 73).

The licensee concluded that in the unlikely event of a reactor cavity seal failure, a rapid drop in the spent fuel pool level was a credible outcome and the consequences would be severe. Water could quickly drain to a level at which unacceptably high radiation fields would result. The FSAR did not consider the consequences of such an event. The licensee concluded that, "a pneumatic seal design (single or double) used without a leak limiting device is highly susceptible to failure and may pose significant consequences for the operator and possible health and safety concerns for the general public." In response to the deficiencies found, the licensee implemented several changes to minimize the likelihood of a seal failure, and to improve the operator's ability to mitigate the consequences of such an event.

5.1.11.3 Rancho Seco

Following their review in connection with IE Bulletin 84-03, the Rancho Seco licensee informed the NRC that during certain conditions a single pneumatic seal (spent fuel "stop log") is the only barrier between the drained fuel transfer canal and the spent fuel pool. To minimize the vulnerability, the licensee modified the air supply to the stop log by replacing a flexible hose IA supply line with a permanent pipe. Nitrogen bottles were also provided as a backup source to prevent seal bladder depressurization (Ref. 74).

5.1.11.4 Arkansas Nuclear One Unit-2

On May 15, 1981, while the ANO-2 reactor was in Mode 6 and core alterations were in progress, the IA system was temporarily isolated so that modifications could be made to the system (see Figure 5). When the air system was isolated, the spent fuel pool "tilt pit" gate seal air pressure began to drop. The drop in the pressure resulted in a loss of seal integrity, and a leak path was established between the fuel pool and the containment building (Ref. 75). The spent fuel pool water level dropped approximately 5 feet in a period of 40 minutes (Ref. 76). The minimum level was 21 feet, which is about 2 feet less than the minimum level allowed by the plant technical specifications. To terminate the event the IA system was unisolated, restoring pneumatic seal integrity. Borated water was also added to the spent fuel pool to restore level.

Figure 5 ANO-2 Spent Fuel Pool (plan view and elevation view showing the gate, gate seal, loading/tilt pit, spent fuel racks and new fuel; drawing not reproduced)

One week after the draindown event, while the reactor was shut down (in Mode 5), the licensee completed an analysis of a postulated loss of IA to the spent fuel pool gate seal. The analysis concluded that a longer duration loss of IA similar to the one which had occurred on May 15 could have resulted in the fuel pool draindown to a level near the top of the upper end fittings of the spent fuel assemblies (Ref. 77). As a result of the May 15 event and the subsequent analysis, the licensee implemented administrative controls to prevent a significant reduction in spent fuel pool water level in the event of a loss of IA.

5.1.11.5 San Onofre 2

On October 2, 1984, San Onofre 2 was operating at full power when a grid disturbance caused a trip of the service air compressor. The backup compressor failed to start, causing the service air pressure to decrease. With air pressure reduced, the pneumatic seals between the spent fuel pool and the spent fuel shipping container pit collapsed, and water drained from the spent fuel pool through the seals into the pit. The pneumatic seals were reinflated upon restoration of the service air compressor 37 minutes later. As a result seal integrity was restored, and the leakage was stopped. During the time that the service air system was lost, 20,000 gallons of water were drained from the spent fuel pool.

The water level in the spent fuel pool fell about 1-2/3 ft, but it remained above the minimum level required by the plant technical specifications. During this event no irradiated fuel was in the spent fuel pool. Nonetheless, a failure to restore service air would have resulted in a continued draindown of water to a level below the top of the fuel normally stored in the pool.

The licensee's followup review determined that failure of the service air system was not considered in the seal system design. As a result, a design change was implemented to provide redundant compressed gas cylinders and low seal pressure alarms to assure seal integrity upon loss of the service air system (Ref. 78).

5.1.11.6 Sequoyah 1 and 2

On December 18, 1985, with Sequoyah 1 and 2 in cold shutdown, the station air supply was lost (Ref. 79). Air pressure dropped, causing the pneumatic gaskets on the door connecting the spent fuel pool to the transfer canal to begin to leak. The operators restored the air supply within 36 minutes. During that time, the water level in the spent fuel pool decreased to approximately 21 feet above the top of the irradiated fuel, which is 2 feet below the minimum allowable technical specification water level.

5.2 Foreign Reactor Experience

Numerous events at foreign reactors which were caused by air system degradation and failures have been reported. The following is a brief summary of a few of those events.

5.2.1 Loss of Containment Integrity

A pressure regulator failure cut off the air supply to seals on the personnel airlock in the reactor building at a foreign PWR. The loss of air resulted in a common mode failure of redundant latch seals. The loss of compressed air caused a 45-minute loss of containment integrity. Since radioactivity levels were low, the release of about 35,000 ft³ of containment air resulted in negligible radiological consequences. Had the event occurred subsequent to a LOCA, the radiological consequences would have been significantly increased. Analysis of the event showed that even though the containment air lock door seals were intended to be single failure proof, certain single failures of the air supply could cause a simultaneous loss of integrity to the redundant door seals.

5.2.2 Loss of Fuel Pool Inventory

During a refueling outage at a foreign PWR, an operator inadvertently isolated the air supply for the pneumatic seals of the hatch between the fuel pool and the fuel transfer canal. The pneumatic seal deflated, causing a draindown of water from the fuel pool. An analysis of the event showed that, had rapid air system recovery not occurred, high radiation levels would have prevented access to the fuel pool area. One of the contributors to the event was that portions of the air system serving the fuel pool pneumatic seals had been modified, but had not undergone post-modification testing.

5.2.3 Low Reactor Coolant System Level

A break in a 1/2-inch air line occurred at a foreign two-unit BWR station and resulted in low control rod air header pressure at both units. A low rod drive pressure alarm sounded in the control room. The main feedwater control valves closed and reactor vessel level could not be controlled. Manual actions were taken to control reactor level. The reactor was automatically scrammed when the reactor low level relays were deenergized. To prevent recurrence of this event, the licensee installed isolation valves in the air systems.

6.0 ANALYSIS AND EVALUATION OF OPERATIONAL EXPERIENCE

6.1 Analysis and Evaluation of Safety, Safety-Related, and Important-to-Safety System Failures

In this section of the report, we present the results of our analysis of 29 failures of safety systems which were presented in Chapter 5. Those 29 events were chosen to show the wide variety of safety systems that could be impaired by faulty air systems or failure of air-operated equipment. Those events illustrate the potential seriousness of air system failures and failures of air-operated equipment.

Many of those 29 events had multiple causes. For example, the loss of primary system pressure control during the Ginna steam generator tube rupture event had three causes:

(1) Design deficiency - the licensee did not install satellite filters in the air supply immediately upstream of the PORV actuators.

(2) Human error - contrary to the manufacturer's recommendations, plant personnel crimped the air discharge lines downstream of the PORV actuators.

(3) Air system contamination - dirt in the air system plugged the crimped air discharge line.

Our analysis of the 29 safety system failures which were presented in Chapter 5 revealed the following:

• Twenty-four (83%) of those failures are attributed to design deficiencies, such as: inadequately sized air dryers, improperly located air receiver tank outlets, improperly selected materials (O-rings, seals, gaskets not compatible with IA system contaminants), inability of equipment to function properly or fail safely during partial or gradual loss of air events, inadequately sized filters, lack of satellite filters contrary to equipment manufacturer's recommendations, failure to recognize single failure vulnerability to loss of air.

• Seven (24%) of these events involved operator errors, or operations and maintenance deficiencies, such as: inadvertent isolation of air lines, bypassing air dryers, failing to conduct periodic maintenance on air dryers and filters, crimping of air lines.

• Fifteen (52%) of those events involved gross loss of air, or gradual air system depressurization caused by component or line failures.

• Ten (34%) of those events involved contaminated air, the contaminants being water, corrosion products resulting from water, dirt, desiccant or oil.

For older plants, built prior to invoking the standard review plan (SRP), the NRC has categorized air systems as nonsafety systems that are assumed to fail in a safe manner during plant transients and accidents. As reported in Chapter 5 of this report, the assumptions that air systems will fail in a safe manner and will not have adverse effects on plant safety are not always correct. For non-SRP plants, the only NRC requirements for air system quality and operability involve startup testing as outlined in Regulatory Guides 1.80, and in a few cases, 1.68.3. Subsequent to initial startup, or subsequent to major modifications to the IA system, the older plants do not appear to be required to maintain or verify the quality of their IA systems. It should be noted that ANSI/ISA S7.3-1975 is mentioned in Regulatory Guide 1.68.3; however, there are no specific requirements for plants to meet the ANSI/ISA or similar air quality standards requirements once preoperational testing is completed. Furthermore, many plants are not bound by Regulatory Guide 1.68.3 (which was implemented in 1982). As noted in Section 5.1.2.1, Turkey Point 3 and 4 operated many years with filters which would allow particles in excess of the maximum particle size which could plug up the seismically qualified, safety-related, I/P converters that regulate AFW flow to both units.

At many plants the priority given for repairing air system components is low, and as a result, component or system redundancy is frequently lost. For example, the licensee for H. B. Robinson 2 has concluded that significant gains in air system availability (and overall plant availability) could be achieved by assigning a high priority to air system maintenance and repair operations (Refs. 80 and 81).

Many plants operate with high moisture content in the air system, and routinely drain out water from the air lines. There have been many cases where malfunctioning air dryers were bypassed for long periods of time. For example, shortly after Turkey Point 3 and 4 sustained significant problems from degraded air systems in 1985, Turkey Point management committed to improve the plant air quality. Nonetheless, shortly after making that commitment Turkey Point 4 operated the IA system completely bypassing the air dryers (Ref. 23).

Plant personnel are generally unaware of the potential for simultaneous or common mode failures of redundant safety-related equipment which can result from contaminated air systems. There have been many events in which safety equipment was impaired by air system degradation. Credible common mode failures could result from contaminants in the air system and could lead to more severe events than those that had been experienced.

Plant emergency procedures frequently are not complete, and do not alert operators to anticipated equipment failure modes subsequent to a loss of air.

6.2 Analysis and Evaluation of Reactor Transients and Safety System Degradations

6.2.1 Trends and Patterns Analyses

The NRC's Office for Analysis and Evaluation of Operational Data (AEOD) has analyzed the trends and patterns of unplanned trips at U.S. LWRs in 1984 (Ref. 82). The study utilized Licensee Event Reports (LERs) for the source of information about the reactor trips. The level of technical detail contained in the LERs, and accordingly in the study, was such that many events which were caused by degraded air systems were not categorized as such. For example, reactor trips which were initiated by sluggish feedwater regulator valves were categorized as "valve" initiated feedwater transients. However, if the valve was sluggish because of contaminants in the IA system, but was not identified as such in the LER, air system contamination would not be listed in the study as the cause of the trip.

The AEOD study cites only four reactor trips in 1984 as having been caused by air system problems. The four events involved major air system failures (e.g., air line ruptures or separation of air line fittings). A more recent AEOD analysis of 1985 reactor trip data focuses on the underlying or root causes, such as transients which are induced by degraded air systems (Ref. 83). The 1985 data indicate that, similar to 1984 data, gross air systems failures (compressor failures, air line breaks, etc.) account for only about 1% of the reported reactor trips. However, an estimate based on the 1985 data suggests that degraded air systems were responsible for approximately 5% of 1985's reactor trips.

6.2.2 Reactor Trip Analyses

The NRC's Office of Inspection and Enforcement (IE) has studied forced shutdowns induced by IA system failures. In two of these studies, it was concluded that between 1977 and 1985, gross air system failures (air line rupture, compressor failure, etc.) accounted for approximately 1% of all plant forced shutdowns (Refs. 84 and 85). The data presented in these reports, however, do not include trips which were caused by degraded air systems, but do include information from 10 CFR 50.72 reports, 10 CFR 50.73 reports (LERs), regional daily reports, NRC "gray books," regional inspection reports and PNs.

These studies evaluated the risks associated with IA system failures and the likely costs and benefits associated with specific corrective actions. Based upon review of the Browns Ferry and Calvert Cliffs Integrated Reliability Evaluation Program (IREP) studies (Refs. 86 and 87), it was concluded that the risk due to gross IA system failures constitutes about one half of one percent of all core melt risk. For PWRs, the analysis assumed that transients which were caused by gross IA system failures constituted 10% of the PWR power conversion system (PCS) failures. Therefore, it was assumed that the PWR risk from air systems was limited to 10% of the risk attributed to PCS failures at Calvert Cliffs. Similarly, for BWRs, References 84 and 85 assumed that gross IA systems failures caused 5% of all BWR PCS failures. Therefore, these studies assumed that the BWR risk from air systems was limited to 5% of the risk attributed to PCS failures at Browns Ferry. Those analyses did not take into account safety system failures due to degraded air systems and design deficiencies such as those described in Section 5.1 of this report.

The IE reactor trip studies show that, based on downtime alone, there appears to be a significant financial incentive to improve air system reliability. This conclusion was based only on gross air system failures, and did not consider failures induced by degraded air systems. The quantitative results from IE's first forced shutdown report (Ref. 84) are presented in Table 7. As noted in the IE reactor trip studies, the aforementioned benefits did not take credit for risk avoidance from other accident sequences induced by degraded air systems.

Table 7 Benefits of Improving Instrument Air Systems

Plant   Estimate        Avoidable public dose*        Total industry benefit
Type    Category        (person-rem/reactor-year)     (millions of dollars)**

PWRs    high            71                            88
        best estimate   14.2                          18
        low             3.55                          4.4
BWRs    high            50                            40
        best estimate   10                            7.5
        low             2.5                           2.0

* Based upon halving the frequency of air system losses by strengthening administrative procedures for maintenance and operation of air systems at a cost of $50,000/plant-year - cost per shutdown = $500,000; frequency = 0.2 shutdowns per reactor-year.
** Based on $1,000/person-rem.

6.2.3 H. B. Robinson Study

In 1983, the licensee for H. B. Robinson 2 assessed the reliability of the plant's IA system (Refs. 80 and 81). The licensee concluded that, although the plant had a better reliability record than industry averages, it would be cost-effective and beneficial to plant safety to upgrade the IA system. The main benefit would be a reduction in the number of plant trips and a higher unit availability.

The licensee's analysis found that implementation of several relatively inexpensive improvements involving air system hardware, procedures, and maintenance practices would increase system reliability and reduce risk. In addition:

A major finding of this study is the degree to which the IA system has safety ramifications even though it is classified as a nonsafety system in the HBR Final Safety Analysis Report. The system supplies air to eleven safety systems and eleven nonsafety systems. Loss of instrument air pressure and flow would make unavailable many air-operated valves and other plant instrumentation. Although not specifically required to allow safety shutdown as defined in the FSAR and federal regulations, recovery from the ensuing transient without air-operated components would be an extremely difficult challenge to the operators. Most safety related components will fail in the 'safe' position; however, these components are nevertheless unavailable if the operator needs or wishes to operate them. It should be noted that poor instrument air quality (i.e., excessive moisture, oil, or particulates) can cause components to fail in an unsafe position as documented in several of the LERs... Nonsafety-related equipment, which may be needed for backups, may be lost entirely. Due to the extent of plant equipment failures, the loss of instrumentation, and the transients induced by loss of instrument air, operator response to such situations would be severely impaired and the probability of damage and off-site releases would increase significantly. (Ref. 81.)

The safety systems that interface with the IA system at H. B. Robinson are listed in Table 8. The most significant hardware modification implemented was that of powering the "primary" air system off the emergency bus. In addition, it was believed that a very significant gain in system reliability would be achieved by assigning a higher priority to maintenance and repairs of the IA system.

Table 8 Safety Systems that Interface with the Instrument Air System at H. B. Robinson (Ref. 80)

Auxiliary Feedwater
Safety Injection
Residual Heat Removal
Emergency Diesel Generator
Main Steam
Reactor Coolant
Chemical Volume Control
Component Cooling
Service Water
Penetration Pressurization
Fire and Makeup Water

6.3 Patterns Observed Regarding Failures of Air-Operated Components

6.3.1 Component Contamination

Water and particulate contamination appear to be the most frequently observed IA system problems, even though water and particulate contamination are easily corrected with simple hardware modifications and periodic maintenance. A pattern of progressively degrading IA systems that has been observed at many plants follows:

• Initial licensee responses to the component malfunctions were limited.

• Usually the licensee would clean, repair, or replace the malfunctioning component without recognizing the root cause.

• The licensees would frequently drain or blow down air lines near the components which had the water or particles which caused the malfunction.

They also performed maintenance on the IA dryers and filters. However, on many occasions, they did not recognize the root causes of the failures (root causes being undersized air drying equipment, improperly sized filters, inadequately maintained desiccant stacks, filters, etc.). At many plants, the maintenance and operations staffs accept major water accumulations in the IA system as normal occurrences. At those plants, blowdown and draining accumulated water in the IA system are performed routinely on a daily or even per shift basis, and IA system dewpoint monitoring is virtually nonexistent. After cleaning, fixing, or repairing the malfunctioning component, continued operation with poor quality IA eventually led to additional failures of air-operated equipment. At many plants, the root cause of the IA system contamination was not fixed until they experienced excessive numbers of component failures, excessive amounts of downtime, or failure of safety-related equipment. Some plants that experienced repetitive failures of air-operated equipment which resulted from widespread IA system contamination as described above are:

Indian Point 1 (oil)

Rancho Seco (water)

San Onofre 1 (desiccant)*

ANO-2 (desiccant)

Indian Point 2 (water)

Turkey Point 3, 4 (water and rust)*

Duane Arnold (desiccant)

Zion 1, 2 (oil)

Maine Yankee (desiccant)

Operating for long periods of time with degraded IA systems increases the likelihood of common mode failures which would cause failures of multiple trains of safety systems (as described in Section 5.1 of this report).

It appears that virtually all failures of air-operated equipment which were caused by contaminants in the IA system (Appendix A and Section 5.1) could have been prevented if the IA systems were designed and maintained to meet industry standards (ANSI/ISA-S7.3). However, most plants do not have aggressive (or any) programs to monitor and maintain air quality to meet industry standards.

* The extensive cleanup that was necessary after operating many years with degraded air systems at San Onofre 1 and Turkey Point is described in References 2 and 18.

6.3.2 Accumulator Failures

Safety-related air-operated equipment which are required to function during transients or accidents are usually supplied with air or nitrogen backup accumulators. The designs of such accumulators have frequently been found to be deficient. For example, accumulator sizing and procedures for the use of accumulators have been found to be inadequate for the required applications. Also, accumulator check valves have not been tested frequently (or at all), and accumulator pressures are not necessarily monitored or alarmed. Many plants have experienced undetected accumulator bleed off which resulted from excessive check valve leakage. There have been many instances in which the piping or tubing connecting seismically qualified accumulators to seismically qualified safety-related equipment was not supported adequately to assure that it could survive the seismic events for which the accumulators were installed.

IE inspectors have found instances in which accumulators have been installed in accordance with NRC requirements (TMI Lessons Learned) and have never been tested to verify their adequacy (e.g., Turkey Point discussed in Section 5.1.2.1 of this report, Ft. Calhoun - Ref. 88 and Oconee 1, 2, 3 - Ref. 89).

6.3.3 Individual Component Failures Resulting in Loss of Air System Events

In view of the fact that IA systems are generally not designated as safety systems, it is not surprising that failures of single air system components (e.g., IA distribution system piping, air dryers, air filters, interconnected air compressors) frequently cause a total loss of the IA system.* In addition, loss of ac power or compressor cooling water have resulted in loss of the IA system at many plants. The data analyses of Section 6.2 and the failure data of Appendix A highlight the fact that the loss of IA is a commonly occurring event, similar to events such as loss of offsite power, that the operating staff at each nuclear power plant should be able to cope with.

* Operation and maintenance staff errors have also resulted in many loss of IA system events.

Reviews of plant procedures indicated that many plants do not provide adequate training for loss of air system events--both rapid and slow bleeddown events. In addition, it is important to recognize that recovery from a loss of IA can become complex since a loss of IA can initiate several simultaneous transients. For example, review of Rancho Seco's emergency operating procedures (Ref. 90) shows that a loss of IA at Rancho Seco would simultaneously cause the following transients:

. Loss of Control Rod Drive Cooling

. Loss of Reactor Coolant Makeup / Letdown

. Reactor Coolant Pump / Motor Emergency

. Loss of Steam Generator Feed Control

The Rancho Seco emergency procedures do indicate the response of many important components to a loss of IA. However, the emergency procedures for many plants do not provide the operators with such information. In fact, the emergency procedures at some plants simply tell operators to restore the air system without providing information on anticipated equipment failures and failure modes.

6.4 Risk Assessments

This section contains information which was obtained from three selected risk assessments to highlight the importance of air systems.

6.4.1 Calvert Cliffs

As part of NRC's resolution program for Unresolved Safety Issue (USI A-45), "Shutdown Decay Heat Removal Requirements," Sandia Laboratories assessed the potential benefits of requiring safety-grade cold shutdown systems (Ref. 91). The Sandia study included assessments of the core melt potential associated with losing decay heat removal capability at the Calvert Cliffs nuclear power plant.

The study found that loss of IA is a major contributor to core melt at Calvert Cliffs because of the inability to open an air-operated injection valve on the auxiliary pressurizer spray system (APSS) on a loss of air. Other air-operated equipment at Calvert Cliffs was also found to contribute to risk, but the air-operated APSS injection valve failure was determined to be one of the most significant contributors. The failure of the unqualified IA supply subsequent to loss of offsite power or an earthquake is a major contributor to a core melt with a frequency of between 4 x 10^-5/yr and 9 x 10^-5/yr. Following an earthquake or a loss of offsite power, the APSS is required to operate to depressurize the primary system to the point where the shutdown cooling system (RHR) can be operated to bring the plant to cold shutdown. If the APSS fails and cannot be restored, core melt will result. Because the APSS was found to be an important contributor to the core melt risk, the Los Alamos National Laboratory was requested to perform independent calculations of the plant response. The Los Alamos calculations confirmed the importance of the APSS (Ref. 92).

6.4.2 Oconee Unit 3

A probabilistic risk assessment (PRA) for Oconee 3 is presented in NSAC-60 (Ref. 69). The PRA found that even though the compressed air system (i.e., IA and SA) was not designated a safety system, its failure had a significant effect on many accident sequences that could lead to core melt. At Oconee 3, the compressed air system interfaces with the main feedwater and emergency feedwater systems, the RCP seal cooling flow control, the high pressure injection pumps, the service water control system, the decay heat coolers and many control room instruments.

To support the NRC's review of the Oconee 3 PRA, the Brookhaven National Laboratory (BNL) performed a detailed review of the Oconee 3 PRA core damage sequence analyses. BNL's review (Ref. 93) found that the values chosen in the Oconee PRA were non-conservative with regard to the IA system. Based on interviews with plant personnel, and operating experience reviews, the Brookhaven study concluded that the loss of IA was the dominant contributor to core damage frequency. The effects of the compressed air system upon core melt frequency are shown in Table 9.

Table 9 Core Melt Frequency Attributed to Compressed Air System Failures at Oconee 3

Source                  Frequency (1/yr)   Percent of transients with scram   Percent of all transients
Original Oconee 3 PRA   3.2x10"l           11                                 6
Brookhaven Review       3.1x10'            49                                 33

6.4.3 NRC Pressurized Thermal Shock Program

To assist in the resolution of the pressurized thermal shock (PTS) issue (Unresolved Safety Issue A-49), ORNL evaluated the potential for PTS events at several PWRs. Their evaluations of PTS at Calvert Cliffs 1 (Ref. 94) and H. B. Robinson 2 (Ref. 95) indicate that air system failures could initiate severe PTS events. For example, for Calvert Cliffs 1 the ORNL study noted that:

A passive failure of the main instrument air header results in the freezing of the MFW control valves in position (open) and in the isolation of the cooling water flow to the RCP seals. Failure of the operator to trip the RCPs could result in a coupled MFW overfeed of both SGs and an eventual small LOCA.

Similarly, for H. B. Robinson 2, ORNL identified the loss of IA as a potential concern with respect to PTS. The loss of IA would present a PTS concern because of the resultant loss of control of AFW flow and charging flow.

7.0 FINDINGS

7.1 Root Causes of Air Systems Problems

The root causes of most air systems problems are traceable to design and management deficiencies. The design deficiencies appear to reflect a lack of sufficient regulatory requirements and review, and the view by many applicants and licensees that air systems are not highly important to plant safety. The specific deficiencies we found are:

(1) Mismatched equipment - the air quality capability of the IA system filters and dryers does not always match the design requirements of the equipment using the air (particulate size, moisture content, oil content, etc.).

(2) Maintenance of IA systems is not always performed in accordance with the air dryer and air filter manufacturer's recommendations (e.g., inadequate frequency of filter and desiccant stack changeout).

(3) Air quality is not usually monitored periodically to assure that the IA system dryers and filters are working properly.

(4) Plant operations and maintenance personnel frequently do not understand the potential consequences of degraded air systems. They are often unaware of the potential for simultaneous or common mode failures of redundant safety-related equipment which rely upon air systems.

(5) In many plants, operators are not well trained to respond to losses of IA, and the emergency operating procedures for such events are frequently inadequate.

(6) At many plants, the response of key equipment to a loss of IA (slow and rapid losses of IA) has not been verified as consistent with the FSARs.

(7) Inspections of several plants found that safety-related backup accumulators do not undergo surveillance testing or monitoring to confirm their readiness to perform their function when needed.

(8) The size and the seismic capability of safety-related backup accumulators (including connecting piping) at several plants have been found to be inadequate.

7.2 Consequences of Air Systems Problems

(1) Failures of significant safety systems have resulted from plant operations with degraded IA systems. Transients and accidents which can be caused by or exacerbated by such failures, including common-cause failures, are not always analyzed in plant licensing analyses. The consequences of such events could be more severe than those predicted by present FSAR analyses.

(2) Operational events have shown that a loss of the IA system by itself or the loss of the IA system accompanying another transient can be difficult to mitigate if emergency procedures and operator training do not include adequate information on equipment failure modes and equipment availability.

(3) Losses of shared IA systems at multi-plant stations have resulted in simultaneous transients. The recovery from some of those events has been complex.

7.3 Risks, Cost-Benefit

(1) Degraded IA systems can account for a very significant portion of overall risk (accounting for as much as 33% of the core melt frequency of all transients at one plant). Many existing analyses have not accounted for the effect of common mode IA system failures caused by degraded air.

(2) Traditional PRAs, which do not account for the effects of air system degradation and/or common mode failure of air operated safety-related equipment, may greatly underestimate the risks from the failure and degradation of IA systems.

8.0 CONCLUSIONS

We view the multitude of events in which safety systems have been adversely affected by degraded or malfunctioning air systems as important precursor events. They indicate that further attention and actions are necessary to assure that air systems are maintained and operated at levels which will enable plant equipment to function as designed, and to identify and eliminate unanalyzed failure modes possibly resulting in serious consequences.

Operational data has shown that simply addressing symptoms of air degradation without correcting the root causes is ineffective. Our primary concern with air system degradation is the potential for common mode failures that could result in the simultaneous loss of safety systems required to mitigate transients and to bring the plant to safe and stable conditions. Some safety systems that have been disabled or degraded by air system problems are:

. Auxiliary feedwater system

. BWR scram system

. Main steam isolation systems

. Emergency AC power systems

. Safety injection systems

. Containment isolation systems

Failures of such equipment during postulated transients or accidents are not predicted in plant safety analyses (FSARs) as a result of disabled or degraded air systems. Consequently, some plants with significant IA system degradation may be operating or may have operated with much higher risk than previously estimated (for examples, see Section 6.3.1).

Because many plants do not have specific license requirements prohibiting operation with degraded IA systems, high confidence does not exist that all plants will voluntarily take corrective action to avoid plant operation with degraded air systems in the absence of a serious event.

9.0 RECOMMENDATIONS

As noted previously, we believe that further attention and actions are necessary to assure that the plant air systems receive the emphasis warranted by their contribution to predictable and safe operation. Thus, we recommend the following actions be initiated either by the industry or the regulatory process.

(1) Licensees should ensure that air system quality is consistent with equipment specifications and is periodically monitored and tested.

Licensees should verify (and periodically monitor) that their plants' air system quality is within the specifications of the manufacturers of all pneumatic equipment that is either safety-related or relied upon to perform a safety function (such as the equipment discussed in Section 5.1 of this report) or analysis should be performed to assure that no unacceptable effects will result from the most unfavorable credible failure of the pneumatic equipment. If the air system quality does not meet the pneumatic equipment manufacturer's requirements, either the air system should be modified to assure that those requirements are met, or the pneumatic equipment should be replaced with equipment that can perform the required function with the existing air system.

(2) Anticipated transient and system recovery procedures and related training for loss of air systems should be reviewed for adequacy and revised as necessary.

(a) Operating experience has shown that the loss of air systems can cause equipment response that is not necessarily favorable or "safe" for all transients. Because of the strong interdependence and interactions between safety-related equipment and air systems, it is recommended that licensees verify the availability and adequacy of anticipated transient and recovery procedures for loss of air systems events.

(b) The plant staff should be trained in the aforementioned procedures to respond to loss of air systems events.

(3) Plant staff should be trained regarding the importance of air systems.

Plant operations and maintenance personnel should be sensitized to the importance of air systems and the vulnerability of safety-related equipment to common mode failures that could result from air system degradation. This should be accomplished by implementing training sessions applicable to air system operation and maintenance.

(4) The adequacy of safety-grade backup air accumulators for safety-related equipment should be verified.

Operating experience has raised doubts about the adequacy of backup air accumulators required for plant responses to postulated transients and accidents. In several instances, safety-grade backup air accumulators have been sized inadequately, have had discharge lines inadequately restrained, or have not been verified to operate under appropriate test conditions. In addition, there have been cases in which the operational transient procedures for using the accumulators were either wrong or nonexistent. In order to assure that plants are capable of responding to postulated transients and accidents in the manner described in plant FSAR analyses, it is recommended that safety-grade backup accumulators be reviewed relative to the aforementioned design, installation, testing and operational deficiencies at all operating plants.

Specifically, this recommendation includes (a) periodic testing of safety-grade backup accumulator check valves for leakage; (b) monitoring and/or alarming accumulator pressure; and (c) verifying the adequacy of safety-related accumulators (including air receiver tanks for emergency diesel generators that require compressed air to sustain continuous operation).

(5) All operating plants should be required to perform gradual loss of instrument air system pressure tests.

Gradual instrument air system pressure loss tests (preoperational testing) have revealed deficiencies in safety system equipment including common mode failure potential. A number of such failures have not been within the envelope of FSAR accident analyses. Accordingly, it is recommended that all plants verify that credible gradual IA system bleeddown events will not result in unanalyzed and/or unacceptable conditions. If plants have performed the Regulatory Guide 1.68.3 bleeddown tests previously, no additional bleeddown testing should be required unless significant system modifications have been made subsequent to such testing.

10.0 REFERENCES

1. Southern California Edison, Licensee Event Report (LER) 50-206/80-006, San Onofre - Unit 1, dated March 24, 1980.*
2. U.S. Nuclear Regulatory Commission, Office for Analysis and Evaluation of Operational Data, Case Study No. AEOD/C204, "San Onofre Unit 1 Loss of Salt Water Cooling Event on March 10, 1980," July 1982.*
3. E.W. Hagen, "Compressed Air and Backup Nitrogen Systems in Nuclear Power Plants," USNRC Report NUREG/CR-2796, ORNL/NSIC-206, July 1982.**
4. General Public Utilities, "GPU Accident Review Task Force Final Summary Report," December 15, 1980.
5. U.S. Nuclear Regulatory Commission, "NRC Report on the January 25, 1982 Steam Generator Tube Rupture at R.E. Ginna Nuclear Power Plant," (NUREG-0909), April 1982.**
6. Consumers Power Company, Licensee Event Report (LER) 50-255/78-003, Palisades, dated January 31, 1978.*
7. Florida Power & Light Company, Licensee Event Report (LER) 50-250/85-021 Rev. 1, Turkey Point Unit 3, dated August 21, 1985.*
8. U.S. Nuclear Regulatory Commission, Inspection Report No. 50-250/85-26; 50-251/85-26, Turkey Point Units 3 and 4, October 9, 1985.*
9. U.S. Nuclear Regulatory Commission, Inspection Report No. 50-387/84-35; 50-388/84-44, Susquehanna Steam Electric Station, November 15, 1984.*

See footnotes on last page.


10. American National Standards Institute (ANSI) Standard MC 11.1-1976/Instrument Society of America Standard ISA-S7.3, 1975, "Quality Standard for Instrument Air."
11. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.68.3, "Preoperational Testing of Instrument and Control Air Systems," April 1982.*
12. U.S. Nuclear Regulatory Commission Standard Review Plan 9.3.1, Rev. 1, "Compressed Air System," (NUREG-0800), July 1981.**
13. U.S. Atomic Energy Commission Regulatory Guide 1.80, "Preoperational Testing of Instrument Air Systems," June 1974.*
14. U.S. Nuclear Regulatory Commission, Office of Inspection and Enforcement, Circular No. 81-14, "Main Steam Isolation Valve Failures to Close," November 5, 1981.*
15. Consumers Power Company, Licensee Event Report (LER) 50-255/81-030, Palisades, dated August 18, 1981.*
16. U.S. Nuclear Regulatory Commission, "Power Reactor Events," (NUREG/BR-0051) May-June 1981 issue Vol. 3, No. 4, January 1982.**
17. U.S. Nuclear Regulatory Commission, Inspection Report 50-250/85-26, 50-251/85-26, Turkey Point Unit 3 and Turkey Point Unit 4, September 5, 1985.*
18. Florida Power & Light Company, F. Southworth, et al., "July 21-26, 1985 Short Outage Critique," Turkey Point Unit 3, August 6, 1985.
19. U.S. Nuclear Regulatory Commission, Inspection Report 50-250/85-40, 50-251/85-40, Turkey Point Unit 3 and Turkey Point Unit 4, January 2, 1986.*


20. U.S. Nuclear Regulatory Commission, Safety System Functional Inspection Report 50-250/85-32, 50-251/85-32, Turkey Point Unit 3 and Turkey Point Unit 4, October 7, 1985.*
21. Letter from A. W. Wilk, Bechtel Power Corporation, to S. G. Brain, Florida Power & Light Company, Subject: Turkey Point Units 3 and 4, Bechtel Job 5177-458, Effect of Particulates in the Instrument Air System, July 29, 1985.
22. Florida Power & Light Company Interoffice correspondence from S. G. Brain to K. L. Jones, Subject: Turkey Point Units 3 and 4, "Effects of Particulates in Instrument Air on Safety Related Equipment," File: PTP100-16, August 5, 1985.
23. U.S. Nuclear Regulatory Commission, Inspection Report 50-250/85-30, 50-251/85-30, Turkey Point Unit 3 and Turkey Point Unit 4, November 12, 1985.*
24. U.S. Nuclear Regulatory Commission, Inspection Report 50-247/85-10, Indian Point Nuclear Generating Station, Unit 2, June 11, 1985.*
25. Consolidated Edison Company of N.Y., Inc., Licensee Event Report (LER) 50-247/85-006, Indian Point 2, dated May 16, 1985.*
26. Telephone discussion between J. Curry, Consolidated Edison Co. and H. L. Ornstein, NRC, August 27, 1985.
27. U.S. Nuclear Regulatory Commission, Inspection Report No. 50-387/85-09, 50-388/85-09, Susquehanna Steam Electric Station, April 15, 1985.*
28. U.S. Nuclear Regulatory Commission, "Report to Congress on Abnormal Occurrences, October-December 1984," NRC-(NUREG-0090, Vol. 7, No. 4), May 1985.**


29. U.S. Nuclear Regulatory Commission, Inspection Report No. 50-387/84-38, 50-388/84-37, Susquehanna Steam Electric Station, February 27, 1985.*
30. U.S. Nuclear Regulatory Commission, Preliminary Notification, PNO-III-85-84, September 20, 1985.*
31. U.S. Nuclear Regulatory Commission, Daily Report Region III, September 24, 1985.*
32. Commonwealth Edison Company, Licensee Event Report (LER) 50-249/85-018, Dresden Nuclear Power Station - Unit 3, dated October 1, 1985.*
33. U.S. Nuclear Regulatory Commission, Office of Inspection and Enforcement, Information Notice No. IN 85-95, "Leak of Reactor Water to Reactor Building Caused by Scram Solenoid Valve Problem," December 23, 1985.*
34. U.S. Nuclear Regulatory Commission, Office for Analysis and Evaluation of Operational Data, Case Study Report AEOD/C401, "Low Temperature Overpressurization Events at Turkey Point Unit 4," March 1984.*
35. Union Electric Company, Licensee Event Report (LER) 50-483/84-015, Callaway Unit 1, August 10, 1984.*
36. Consolidated Edison Company of N.Y., Inc., Licensee Event Report (LER) 50-247/76-2-15, Indian Point 2, September 24, 1976.*
37. Letter from F. L. Clayton, Jr., Alabama Power Company to J. P. O'Reilly, NRC, Subject: J. M. Farley Nuclear Plant Special Report - Unit 2, November 14, 1983.
38. Connecticut Yankee Atomic Power Company, Licensee Event Report (LER) 50-213/83-020, Haddam Neck Plant, November 30, 1983.*


39. Connecticut Yankee Atomic Power Company, Licensee Event Report (LER) 50-213/83-021, Haddam Neck Plant, November 30, 1983.*
40. Wisconsin Electric Power Company, Licensee Event Report (LER) 50-301/82-007, Point Beach Nuclear Plant, Unit 2, October 25, 1982.*
41. U.S. Nuclear Regulatory Commission, Office for Analysis and Evaluation of Operational Data, Engineering Evaluation Report AEOD/E426, "Single Failure Vulnerability of Power Operated Relief Valve (PORV) Actuation Circuitry for Low Temperature Overpressure Protection (LTOP)," October 24, 1984.*
42. U.S. Nuclear Regulatory Commission, Office for Analysis and Evaluation of Operational Data, Technical Review Report AEOD/T504, "Loss of Instrument Air and Subsequent Transient," May 17, 1985.*
43. Baltimore Gas & Electric Co., Licensee Event Report (LER) 50-317/80-027, Calvert Cliffs 1, June 3, 1980.*
44. U.S. Nuclear Regulatory Commission, Office for Analysis and Evaluation of Operational Data, Case Study Report AEOD/C105, "Report on the Calvert Cliffs Unit 1 Loss of Service Water May 20, 1980," December 1981.*
45. Baltimore Gas & Electric Co., Licensee Event Report (LER) 50-317/80-041, Calvert Cliffs 1, August 26, 1980.*
46. Baltimore Gas & Electric Co., Licensee Event Report (LER) 50-317/81-074, Calvert Cliffs 1, November 4, 1981.*
47. Baltimore Gas & Electric Co., Licensee Event Report (LER) 50-318/81-045, Calvert Cliffs 2, November 4, 1981.*
48. Commonwealth Edison Co., Licensee Event Report (LER) 50-454/85-027, Byron Station, Unit 1, July 25, 1985.*


49. U.S. Nuclear Regulatory Commission, Office of Inspection and Enforcement, Information Notice No. 85-35, "Failure of Air Check Valves to Seat," April 30, 1985.*
50. Letter from R. E. Querio, Commonwealth Edison Co. to J. G. Keppler, USNRC, Subject: "Notification of Possibly Defective Airline Check Valves in Byron Unit 1 (Docket Number 50-454) Main Steam Isolation Valve Actuators," dated March 21, 1985.*
51. South Carolina Electric and Gas Co., Licensee Event Report (LER) 50-395/85-027, Summer Nuclear Station, dated October 18, 1985.*
52. U.S. Nuclear Regulatory Commission, Office of Inspection and Enforcement, Information Notice No. 85-84, "Inadequate Inservice Testing of Main Steam Isolation Valves," October 30, 1985.*
53. Florida Power & Light Co., Licensee Event Report (LER) 50-250/85-020, Turkey Point 3, dated July 29, 1985.*
54. U.S. Nuclear Regulatory Commission, Minutes of Operating Reactor Briefing No. 85-13, August 13, 1985.*
55. Letter from P. W. Howe, Carolina Power & Light Co. to J. N. Grace, NRC, Subject: Docket Nos. 50-325 and 50-324 Brunswick Steam Electric Plant, Units 1 and 2, "Failure of ASCO Model 8323A36E Double Solenoid Valves," October 15, 1985.*
56. Carolina Power & Light Company, Licensee Event Report (LER) 50-324/85-008, Brunswick Unit 2, October 25, 1985.*
57. U.S. Nuclear Regulatory Commission, "Report to Congress on Abnormal Occurrences, October-December 1985," NRC-(NUREG-0090, Vol. 8, No. 4) May 1986.**


58. G. L. Boner and H. W. Hanners, "Enhancement of On-Site Emergency Diesel Generator Reliability," USNRC Report NUREG/CR-0660, UDR-TR-79-07, February 1979.**
59. U.S. Nuclear Regulatory Commission Standard Review Plan 9.5.6, Rev. 2, "Emergency Diesel Engine Starting System" (NUREG-0800), July 1981.**
60. Telephone discussion between C. C. Bemiller, Cooper-Bessemer Reciprocating Division of Cooper Industries and H. L. Ornstein, NRC, June 4, 1986.
61. U.S. Nuclear Regulatory Commission, Office for Analysis and Evaluation of Operational Data, Technical Review No. AEOD/T602, "Emergency Diesel Generator Cooling Water System Design Deficiencies at Maine Yankee and Haddam Neck," April 1986.*
62. Omaha Power District, Licensee Event Report (LER) 50-285/82-018, Ft. Calhoun Station, dated September 17, 1982.*
63. Letter from S. Burstein, Wisconsin Electric Power Company, to J. G. Keppler, NRC, Subject: Docket Nos. 50-266 and 50-301, "Single Failure Potential for Safety Injection Recirculation Path, Point Beach Nuclear Plant, Units 1 and 2," dated July 24, 1985.*
64. U.S. Nuclear Regulatory Commission, Office of Inspection and Enforcement, Information Notice No. 85-94, "Potential for Loss of Minimum Flow Paths Leading to ECCS Pump Damage During a LOCA," December 13, 1985.*
65. Carolina Power & Light Company, Licensee Event Report (LER) 50-261/86-001, H. B. Robinson-2, dated February 5, 1986.*
66. Letter from J. P. McGaughy, Jr., Mississippi Power & Light Company, to J. P. O'Reilly, NRC, Subject: "Grand Gulf Nuclear Station Units 1 and 2 Docket Nos. 50-416/417, Final Report Unit 1, Interim Report Unit 2, Hiller Actuators," dated June 11, 1982.*


67. U.S. Nuclear Regulatory Commission, Office of Inspection and Enforcement, Information Notice No. 82-25, "Failures of Hiller Actuators Upon Gradual Loss of Air Pressure," July 20, 1982.*
68. Letter from J. R. Nanci, Ralph A. Hiller Company, to H. L. Ornstein, NRC, Subject: Telecon Request Regarding IE Information Notice 82-25, dated April 10, 1986.
69. Nuclear Safety Analysis Center/Electric Power Research Institute/Duke Power Company, "Oconee PRA A Probabilistic Risk Assessment of Oconee 3," NSAC-60, June 1984. Available from Research Reports Center (RRC), Box 50490, Palo Alto, CA 94303.
70. Duke Power Company, Oconee Nuclear Station, Procedure No. OP/2/A/1103/06, Rev. 22, Reactor Coolant Pump Operation, March 19, 1985.
71. Florida Power & Light Company, Licensee Event Report (LER) 50-335/77-023, St. Lucie Unit 1, dated May 13, 1977.*
72. U.S. Nuclear Regulatory Commission, Office of Inspection and Enforcement, Bulletin No. 84-03, "Refueling Cavity Water Seal," August 21, 1984.*
73. Pennsylvania Power and Light Company, Susquehanna Steam Electric Station, Nuclear Safety Assessment Group Project Report No. 13-84, "Implications of Loss of Water from the Spent Fuel Pool Due to Reactor Cavity Seal Failure or Other Causes," December 18, 1984.
74. U.S. Nuclear Regulatory Commission, Inspection Report 50-312/85-27, Rancho Seco Nuclear Generating Station Unit No. 1, November 5, 1985.*
75. Arkansas Power & Light Company, Licensee Event Report (LER) 50-368/81-019, Arkansas Nuclear One - Unit 2, dated June 11, 1981.*
76. Telephone Discussion between D. B. Lomax, Arkansas Power and Light Company, and H. L. Ornstein, NRC, July 28, 1986.


77. U.S. Nuclear Regulatory Commission, Region IV Daily Report, May 27, 1981.*
78. Southern California Edison Company, Licensee Event Report (LER) 50-361/84-060, San Onofre Nuclear Generating Station, Unit 2, dated November 2, 1984.*
79. U.S. Nuclear Regulatory Commission, Region II Daily Report, December 19, 1985.*
80. EDS Nuclear Inc., "H. B. Robinson Unit 2 Instrument Air System Reliability Study," Report No. 03-1320-1035 Revision 0, December 17, 1982.
81. Memorandum from J. D. E. Jeffries, Carolina Power and Light, to B. J. Furr, Subject: "H. B. Robinson 2 Instrument Air System Reliability Study - CNS and EDS Nuclear, Inc., Recommendations," dated February 16, 1983.
82. U.S. Nuclear Regulatory Commission, Office for Analysis and Evaluation of Operational Data, Case Study No. AEOD/P504, "Trends and Patterns Report of Unplanned Reactor Trips at U.S. Light Water Reactors in 1984," August 1985.*
83. U.S. Nuclear Regulatory Commission, Office for Analysis and Evaluation of Operational Data, Case Study No. AEOD/P602, "Trends and Patterns Report of Unplanned Reactor Trips at U.S. Light Water Reactors in 1985," August 1986.*
84. Memorandum from R. Singh, NRC to E. L. Jordan, "Forced Shutdowns Induced by Instrument Air Failures," April 2, 1985.*
85. Memorandum from R. Keppler, S. Krill and P. Koutaniemi, NRC, to D. Allison, "Forced Shutdowns Induced by Instrument Air Failures in 1985," March 14, 1986.*


86. A. C. Payne, Sandia National Laboratories, "Interim Reliability Program: Analysis of the Calvert Cliffs Unit 1 Nuclear Power Plant," USNRC Report NUREG/CR-3511, March 1984.**
87. S. E. Mays et al., EG&G, "Interim Reliability Program: Analysis of the Browns Ferry Unit 1 Nuclear Plant," USNRC Report NUREG/CR-2802, July 1982.**
88. Letter from J. M. Taylor, NRC, to B. W. Reznicek, Omaha Public Power District, Subject: Safety Systems Outage Modification Inspection (Design) 50-285/85-22, dated January 21, 1986.*
89. Letter from J. M. Taylor, NRC, to H. B. Tucker, Duke Power Company, Subject: Safety System Functional Inspection Report Numbers 50-269/86-16, 50-270/86-16, and 50-289/86-16, dated August 1, 1986.*
90. Rancho Seco Nuclear Generating Station, Plant Operations Manual Emergency Procedures, May 1984.
91. D. P. Gallup, D. M. Kunsman, M. P. Bohn, Sandia National Laboratories, "Potential Benefits Obtained by Requiring Safety-Grade Cold Shutdown Systems," USNRC Report NUREG/CR-4335, November 1985.**

92. Memorandum from L. B. Marsh, NRC, to H. B. Holz, "Calvert Cliffs LOSP Calculations (LANL)," February 21, 1985.*
93. N. A. Hannan, D. Ilberg, D. Xue, R. G. Fitzpatrick, T-L. Chu, Brookhaven National Laboratory, "A Review of the Oconee-3 Probabilistic Risk Assessment, Internal Events, Core Damage Frequency," USNRC Report NUREG/CR-4374, Vol. 1, March 1986.**
94. D. L. Selby et al., Oak Ridge National Laboratory, "Pressurized Thermal Shock Evaluation of the Calvert Cliffs Unit 1 Nuclear Power Plant," USNRC Report NUREG/CR-4022, September 1985.**


95. D. L. Selby et al., Oak Ridge National Laboratory, "Pressurized Thermal Shock Evaluation of the H. B. Robinson Unit 2 Nuclear Power Plant," USNRC Report NUREG/CR-4183, Vol. 1, September 1985.**

* Available in the NRC Public Document Room at 1717 H Street, N.W., Washington, D.C. 20555 for inspection and copying for a fee.

** Available for purchase from National Technical Information Service, Springfield, VA 22161.

APPENDIX A

Partial Listing of Air-Operated Equipment Failures Sorted by Failure Mode

NOTE: This listing does not include most events presented in Chapter 5, or the events listed in Reference 14.

WATER / CORROSION PRODUCTS

Haddam Neck (50-213), 12/14/85. Licensee review of maintenance history for MSIV failures concluded root cause "to be solenoid valve failures caused by impure control air" (water vapor freeze up in air lines, carbon steel corrosion products). Reference: IE Inspection Report 50-213/84-28.

Oyster Creek (50-219), 6/11/82. During spent resin transfer operations a check valve failed and water backed up into the service air system. The SAS became contaminated and a radioactive release resulted. Reference: LER 82-016.

Nine Mile Pt. 1 (50-220), 7/15/80. Moisture and corrosion products prevented scram solenoid from operating properly - air could not be exhausted from the scram valves thereby preventing rod insertion. Reference: LER 80-013.

Indian Pt. 2 (50-247), 2/13/85. A hydrogen recombiner was inoperable because rust plugged up filters in the IA lines leading from the hydrogen flow transmitter. Reference: LER 85-003.

Indian Pt. 2 (50-247), 4/16/85. I/P converters malfunctioned - sluggish response of AFW control valves. Reference: LER 85-006.

Palisades (50-255), 1/31/78. Water in the air line to a valve operator caused closure of the shutdown cooling system heat exchanger resulting in a 45-minute loss of DHR system - primary coolant heated up from 130°F to 215°F (see Section 5.1.1 of this report). Reference: LER 78-003.

Palisades (50-255), 7/18/81. Air-operated valve on the shutdown cooling system heat exchanger failed closed. Removal of water from the air line to the valve operator restored the valve to operation. The RCS heated up from 123°F to 197°F (see Section 5.1.1 of this report). Reference: LER 81-030.

Oconee 1 (50-269), 12/25/83, LER 83-021; Oconee 2 (50-270), 1/11/77, LER 77-001; Oconee 3 (50-287), 3/3/75, LER 75-005. Moisture in the IA line to the BWST level transmitter froze and BWST level indication was lost.

Crystal River 3 (50-302), 9/29/82. Fan damper operator failed causing overheating of Reactor Building. (Water was introduced into the IA system from the fire service water system.) Reference: LER 82-061.

Crystal River 3 (50-302), 3/23/83. Check valves failed due to the presence of water in the IA system. Resulted in loss of 2 accumulators for 2 AFW valves. These failures were discovered during testing. The licensee reported that water in the IA system had caused both air accumulators to be inoperable previously. Reference: LER 83-016.

Rancho Seco (50-312), 1/19/75. Air-operated containment isolation valve was prevented from closing by water in the IA lines. Reference: LER 75-001.

Rancho Seco (50-312), 2/2/81. Containment isolation valve failed. Water in the IA system prevented the valve actuator from operating. Reference: LER 81-004.

Rancho Seco (50-312), 9/30/81. Containment isolation valve failed to close due to the presence of water and rust from IA system in the solenoid valve. Reference: LER 81-050.

Brunswick 2 (50-324), 2/3/76. A drywell penetration isolation valve was stuck due to moisture in the IA lines. Reference: LER 76-032.

Duane Arnold (50-331), 1/10/84. Moisture or foreign matter in the IA system contributed to failure of air-operated solenoid valves which resulted in failure of both trains of the safety related control room intake treatment system standby filter units (the function of the standby filter units is to minimize operator radiation exposure during an accident). Reference: LER 84-004.

North Anna 2 (50-339), 7/1/81 and 7/3/81. Air-operated valves on the TDAFW pump steam supply failed to operate because of contaminants and corrosion products in the IA system (two parallel valves failed from the same cause within a 3-day period). Reference: LER 81-053.

Grand Gulf 1, 2 (50-416, 50-417), 11/16/83. ADS/MSIV/SRV accumulators corroded due to the presence of moisture and faulty accumulator coating. The coating material flaked off the accumulators and contaminated the IA system. Reference: IE Daily Report 11/16/83.

PARTICULATES / FOREIGN MATTER

Big Rock Point (50-155), 11/73. Backup N2 supply was depleted (enough for eight operations vs. the design value of 50 operations) due to particulates under the seat of one solenoid valve, and a loose fitting on the other. Reference: Nov. 27, 1973 Letter to AEC.

Big Rock Pt. (50-155), 2/1/84. Foreign particles were found in the IA system leading to possible equipment failure. The licensee committed to install air filters at the discharge of the IA dryer. Reference: Feb. 2, 1984 Letter - R. Krich, Consumers Power Co., D. Crutchfield, NRC - Big Rock Pt. - Plant Integrated Assessment of Open Issues.

Oyster Creek (50-219), 12/12/78, 12/19/78 and 12/26/78. An air-operated valve on the stand-by gas treatment system failed to operate due to buildup of dirt and corrosion in the valve operator. Reference: LER 78-036.

Dresden 2 (50-237), 11/8/78. Accumulation of dirt in a solenoid valve's air-operator prevented a containment vent valve from closing. Reference: LER 78-061.

Dresden 2 (50-237), 10/4/79. Accumulation of dirt and corrosion products in a solenoid valve air-operator prevented a containment vent from closing. Reference: LER 79-055.

Millstone 1 (50-245), 12/5/77. A drywell vent valve failed to close. Failure was caused by dirt in the air line leading to the valve's operator. Reference: LER 77-004.

Ginna (50-244), 2/19/84. Dirt in an I/P converter caused a N2 leak and loss of a safety injection accumulator. Reference: LER 84-001.

Millstone 1 (50-245), 9/14/78. Drywell vent valve failed to close. Dirt in the IA caused a malfunction of the valve operator. Reference: LER 78-022.

Monticello (50-263), 3/24/80. Containment isolation valve leaked because dirt deposits from the IA system were on the valve seat. Reference: LER 80-010.

Point Beach 1 (50-266), 4/30/77. A control room ventilation system damper could not close because of dirt in the IA system. A similar event occurred on 5/28/77 (LER 77-004). Reference: LER 77-003.

Peach Bottom 2 (50-277), 9/4/78 and 9/21/78. Radioactive liquid from the radwaste system demineralizer backed up to the service air system. Dirt in the air system lodged on the seats of check valves and prevented their closure, resulting in the back flow. As a result the service air system became contaminated. Service air is occasionally used to supply breathing air to maintenance workers in areas with high airborne contamination. Reference: LER 78-039.

Peach Bottom 3 (50-278), 11/17/83. Particulates in the IA system caused two scram solenoid valves to fail, thereby preventing their normal scram insertion. The rods were scrammed using backup scram solenoid valves. Reference: LER 83-018.

Surry 1 (50-280), 1/7/80. Contrary to design, a feedwater bypass valve did not fail closed upon loss of IA. Failure of the valve to close upon safety injection could cause an excessive cooldown. The pilot valve was dirty and sticking. The failure was discovered during pre-startup testing. Reference: LER 80-003.

ANO-1 (50-313), 10/21/76. Dirt from the IA system prevented positive actuation of a solenoid valve actuator. As a result, a containment isolation valve would not close upon demand. Reference: LER 76-032.

Hatch 2 (50-366), 2/20/80. A small foreign object in the air supply line to an air-operated valve prevented a torus-drywell vacuum breaker valve from opening. Reference: LER 80-018.

McGuire 1 (50-369), 1/28/86. Dirt in the IA system caused drift of pneumatic pressure transmitters, resulting in spurious main steam PORV actuation. This event resulted in low steam generator level and a reactor trip. Reference: LER 85-004.

Grand Gulf 1 (50-416), 9/83. Inoperability of SDV solenoid valves. Foreign material in the air header collected in internal parts of the scram discharge solenoid valves blocking air discharge through the valve ports. Reference: IE Inspection Report 50-416/83-39.

Palo Verde 1 (50-528), 4/25/85. Control room air handling unit dampers failed to close on demand because of "foreign matter" in the air supply lines. Reference: LER 85-027.

HYDROCARBON CONTAMINATION

Indian Point 1 (50-003), 1/71. Sixty three of 191 containment isolation valves failed as a result of oil contamination in the air system. (Sticking valve operators and malfunctioning valve solenoids.) Reference: Letter from Consolidated Edison Company (T. A. Griffin) to USAEC DRL (P. A. Morris), January 20, 1971.

Browns Ferry 1 (50-259), 3/10/83. Containment isolation valve closure time exceeded tech spec values. "Oily, gummy film" covered solenoid valve internals preventing air from exhausting. Reference: LER 83-014.

Browns Ferry 3 (50-296), 3/21/83. Primary containment isolation valve failed open. Oil accumulation on solenoid valve shaft prevented air leak off. Reference: LER 83-022.

Susquehanna 1 (50-249), 1984, several events. Oil or water contamination / loose particulates caused degradation of the scram system pilot valves - failure of control rods to insert. Reference: Numerous references. See Section 5.1.3.

Zion 1 (50-295), 12/15/75. Containment isolation valve failed to close during testing. The solenoid pilot valve was stuck due to oil residue which was baked onto the valve. The oil entered the IA system from the PA system, when the PA system was used to supplement the IA system's capacity. Reference: LER 75-032.

Zion 1 (50-295). Oil in the IA system caused sticking of solenoid pilot valves resulting in failures of air-operated valves. (Numerous containment isolation valve failures.)
Dates: 8/11/76, 8/11/76, 9/30/76, 1/23/77, 7/23/77, 1/25/78, 4/8/78, 7/7/78, 8/30/78, 9/14/78, 11/20/78, 3/2/79.
References (in the same order): LER 76-044, 76-046, 76-061, 77-004, 77-043, 78-017, 78-030, 78-059, 78-086, 78-094, 78-124, 79-011.

Zion 2 (50-304). Oil in the IA system caused sticking of solenoid pilot valves resulting in failures of air-operated valves. (Numerous containment isolation valve failures.)
Dates: 3/11/75, 5/2/77, 6/15/77, 5/9/78, 6/3/78, 7/3/78, 3/ /79, 5/9/80.
References (in the same order): LER 75-010*, 77-030, 77-036, 78-037, 78-045, 78-051, 79-020, 80-018.

ANO-1 (50-313), 3/29/82. Containment isolation valve would not remain closed upon demand. Oil in the IA system impregnated O-rings in a pneumatic relay, causing failure of a reactor building isolation valve. Reference: LER 82-008.

* This LER reported 10 such failures.

DESICCANT CONTAMINATION

San Onofre 1 (50-206), 1/9/80. Containment isolation valve failed to close upon demand. Desiccant particles in IA system prevented solenoid air control valve from operating. Reference: LER 80-003.

San Onofre 1 (50-206), 7/17/80. Recurrence of 1/9/80 event (which had been reported in LER 80-003). Event was probably caused by residual desiccant which had not been cleaned out after the first malfunction. Reference: LER 80-032.

Millstone 1 (50-245), 12/24/85. Several control rods failed to scram. The HCU pilot valves failed to actuate because of the presence of small amounts of desiccant. Reference: IE Daily Report 12/24/85.

Point Beach (50-266), 5/12/74. Dirt / desiccant / rust (from a burst filter) prevented complete closing of containment isolation valves. Reference: Letter from Wisconsin Electric (S. Burstein) to USAEC DRL (J. O'Leary), 6/25/74.

Maine Yankee (50-309), 4/4/85. Widespread desiccant contamination existed at the plant - components reported as being affected include main feedwater regulating valves and heater drain tank level control. Thirty of 480 in-line filters had been changed out. Overheating and burning of the desiccant had caused its breakdown and carryover into the IA system. Reference: IE Inspection Report 85-06.

ANO-1 (50-313), 10/21/76, 2/18/77 and 3/29/82. Reactor building chilled water isolation valve failed due to "foreign matter" (desiccant) in the IA system which lodged in the solenoid valve actuator. Between 1976 and 1984 this valve, and a similar valve, have failed on at least six occasions. References: LER 76-032, LER 77-003, LER 82-008.

ANO-2 (50-368), 6/18/84. IA system contamination (desiccant) caused I/P converter on the main feedwater bypass valve to malfunction, causing a high steam generator level and a reactor trip. Reference: LER 84-014.

ANO-2 (50-368), 10/8/85. Main feedwater regulating valve's I/P converter malfunctioned due to desiccant carryover in the air lines. Caused a high steam generator level and a reactor trip. Subsequently the licensee replaced 40 micron in-line filters (upstream of the I/P converters) with 1 micron in-line filters. Reference: LER 85-022.

CHECK VALVE FAILURES

San Onofre 1 (50-206), 7/20/81. The check valve which was designed to isolate the IA from the backup N2 supply leaked. As a result, IA leaked into the backup N2 system. Oxygen was then introduced into the waste gas decay tank cover gas. Subsequently a hydrogen-oxygen ignition damaged the tank and resulted in a radioactive release. Reference: LER 81-018.

Palisades (50-255), 9/15/81. Check valve failures resulted in the inoperability of containment isolation valves. Reference: LER 81-38.

Cooper (50-298), 4/18/80. Check valves on three of six ADS accumulators had excessive leakage. Buna-N O-ring seals were replaced with ethylene propylene ones. Reference: LER 80-011.

Hatch 2 (50-366), 4/4/80. ADS safety relief valve accumulator check valves leaked. All accumulator check valves were repaired or replaced prior to unit startup. Reference: LER 80-045.

LaSalle 2 (50-374), 1/14/85. Two ADS valves were inoperable as a result of accumulator check valve failures. Reference: IE Daily Report 1/14/85.

DESIGN DEFICIENCIES

Big Rock Pt. (50-155), 8/13/81. Reactor containment was pressurized due to IA system and SA system leaks. The conditions experienced were not addressed in the plant accident analyses. The licensee determined that containment pressurization and radiological releases could exceed FSAR values. The FSAR analysis had omitted the contribution from gross failure of air system components. Reference: LER 81-016.

Big Rock Pt. (50-155), 2/22/84. The reactor depressurization system failed (three of four isolation valves failed to open). Plant modifications which increased air supply pressure contributed to binding of the valves while closed at hot conditions. References: LER 84-001; Abnormal Occurrence Report to Congress # 84-3, NUREG-0900, Vol. 1, No. 1, July 1984.

Haddam Neck (50-213), 11/2/84. Loss of control air may cause AFW turbine to overspeed, resulting in a turbine trip and a loss of AFW. The plant design was found to be contrary to the NRC's SER; i.e., a single credible failure such as stuck air-operated valve could prevent the automatic feeding of all SGs. References: Licensee letter 11/6/85; IE Inspection Report 50-213/85-20; LER 85-005.

Oyster Creek (50-219), 10/23/84. Containment isolation valves for the main drywell ventilation and purge system would not isolate on loss of IA - there was no backup accumulator system. Since the plant's initial criticality in 1969, the potential existed for releases of fission products in excess of FSAR calculations. Reference: LER 84-023.

Nine Mile Point 1 (50-220), 7/11/83. The containment spray system had four test valves that relied upon air operators that were not seismically qualified. Reference: LER 83-020.

Turkey Point 4 (50-251), 8/3/83. Steam generator blowdown isolation valve failed to close upon demand. The isolation valve required IA to close - however IA had been isolated. Subsequently a modification was made to enable the blowdown isolation valve to close upon a slow loss of IA. Reference: LER 83-009.

Palisades (50-255), 9/16/77. Loss of the air supply to containment isolation valves would cause a loss of containment integrity - no redundant air source was provided. Reference: LER 77-045.

Browns Ferry 1, 2, 3, and other BWRs (50-259, 260, 296), 8/80. A loss of control air pressure could result in an ATWS. References: AEOD memo, C. Michelson to H. Denton, 8/18/80, "Potential for Unacceptable Interaction Between the Control Rod Drive System and Non-essential Control Air System at the Browns Ferry Nuclear Plants"; PNO-78-147.

Peach Bottom 2 (50-277), 1/10/80. Accumulator check valves for the ADS safety-relief valves leaked. An incorrect seat material had been used. Its deterioration caused the leakage. Subsequently all such valve seats were changed on all Unit 2 and Unit 3 ADS accumulators. Reference: LER 80-002.

Peach Bottom 2 (50-277), 3/27/81. Air supply piping to pneumatic damper operators for the emergency switchgear and battery rooms was not seismically qualified. Reference: LER 81-029.

Surry 2 (50-281), 8/7/75. Vibration caused a partial loss of IA. The decreased IA supply resulted in closure of three BIT recirculation valves. Reference: LER 75-015.

Oconee 3 (50-287), 10/9/76. Loss of an inverter caused loss of ac to a vital instrument panel. As a result, an air-operated valve opened allowing Lake Keowee to flow into the CCW discharge, thereby flooding the turbine building basement. The emergency feedwater pump "was affected." The emergency feedwater pump, lube oil pump, and the circulating water pumps were submerged. (Note: external flooding has been found to be Oconee 3's largest risk contributor.) Reference: LER 76-018.

Pilgrim 1 (50-293), 2/25/81. IA lines to SDV isolation valves were incorrectly located, thereby blocking the vent path. The inability of SDV vent and drain valves to close following a scram would result in a primary leak outside containment. Reference: LER 81-004.

Calvert Cliffs 1, 2 (50-317, 50-318), 1983. Pressurizer spray valves drift open upon loss of IA. They were supposed to be capable of being operated from outside containment. (Local accumulators were added to provide remote operation of the valve.) Reference: IE Inspection Report 50-317/85-28, 50-318/85-28.

Brunswick 2 (50-324), 2/10/83. Inadequate seismic support of tubing associated with ADS valve accumulators could result in the inoperability of SRV/ADS valves. Reference: LER 83-019.

Sequoyah 2 (50-328), 4/19/83. An incorrectly sized metering orifice in a pneumatic relay prevented automatic operation of the AFW system - the same error existed on Unit 1 as well. Reference: LER 83-060.

LaSalle 1 (50-373), 12/30/82. Drywell accumulator check valves were not designed to close upon slow depressurization. Reference: LER 82-178.

Callaway 1 (50-483), 11/5/84 and 11/6/84. Fatigue cracking of air lines supplying feedwater regulator valves caused two reactor trips on successive days. Reference: LER 84-059.

OPERATOR ERRORS

Nine Mile Point 1 (50-220), 2/4/82. An operator secured air to a level indicator on the cleanup filter sludge tank. An erroneous reading enabled filling operations to continue. The tank overflowed, and radioactive contaminants were released in the reactor building. Ninety people were exposed after the event during reactor building decontamination. Reference: LER 82-003.

Browns Ferry 1 (50-259), 8/14/84. A solenoid valve for a testable check valve had reversed air ports. As a result the valve remained open instead of closed. The low pressure core spray system was pressurized by primary coolant. The potential existed for a primary leak outside containment (Event V). References: IE Daily Reports 8/15, 22, 24, 27/84; IE PNO-II 84-49; IE Information Notice 84-74.

Browns Ferry 1, 2, 3 (50-259, 260, 296), 12/13/85. MSIV testing was not conducted properly. IA compressors are operable during tests whereas testing should have been conducted with only accumulator air available. As a result the testing did not verify MSIV closure capability in the absence of IA. Reference: IE Daily Report #3054, 12/13/85.

Peach Bottom 2 (50-277), 9/10/82. Service air leaked into primary containment. Two containment isolation valves had been left open, enabling air to enter the drywell through leaking service air connection valves. The leaks introduced oxygen into the inerted containment. Reference: LER 82-027.

Prairie Island 1, 2 (50-282, 50-306), 1/23/76. Air supply lines for the post LOCA hydrogen control system for both units were found to be capped. (Both plants had operated at least one fuel cycle in this condition.) Reference: LER 76-04.

Point Beach 2 (50-301), 9/25/82. An operator erroneously isolated the air line to a PORV rendering the PORV inoperable. Reference: LER 82-007.

Hatch 1 (50-321), 7/24/80. A seismic support for a seismically qualified air supply was omitted. Therefore, contrary to plant design, a seismic event could cause a piping failure which could render eight valves on the post LOCA hydrogen venting system inoperable. A similar omission was discovered on 8/23/79. Reference: LER 80-086.

Hatch 1 (50-321), 12/21/85. An operator isolated service air. Air-operated torus isolation valves failed open upon loss of service air, causing flooding of several reactor building rooms. Two RHR pumps, a core spray pump, a room fan cooler, an RHR jockey pump and the HPCI barometric condenser were submerged. References: 10 CFR 50.72 Report #3126; IE Daily Report 12/23/85, PNO-II-85-121.

Farley 2 (50-364), 10/15/83. An operator isolated the IA system. With the charging pump on, the loss of IA isolated the letdown line and brought the throttle valve in the charging line fully open. At the time of the transient, the plant was solid (in preparation for startup). RCS relieved through a RHR pump suction relief valve. However, RCS pressure rose to 700 psi (which was in excess of the FSAR's calculated value). The second RHR train's relief valve was unavailable. (See Section 5.1.4.2.) Reference: Licensee letter to NRC 11/14/83.

Hatch 2 (50-366), 6/7/83. Air supply lines were installed backwards to a testable check valve. This resulted in a stuck open isolation check valve. Low pressure piping was overpressurized by primary coolant. The potential existed for a primary leak outside containment (Event V). References: LER 83-112; IE Information Notice 84-74; AEOD Engineering Evaluation E414.

AIR LEAKS

Big Rock Pt. (50-155), 8/13/81. Reactor containment was pressurized due to IA system and SA system leaks. The conditions experienced were not addressed in the plant accident analyses. (This event is also listed in the design deficiency section of this table.) Reference: LER 81-016.

Dresden 2 (50-237), 8/29/82. As a result of an IA line leak, a drywell isolation valve could not close upon demand. Reference: LER 82-039.

Monticello (50-263), 5/18/76. IA leaked into the nitrogen supply line. As a result primary containment oxygen levels increased beyond technical specification limits. Reference: LER 76-003.

Monticello (50-263), 1/21/85. IA system leaks caused excessive drywell oxygen concentration. References: 10 CFR 50.72 Report 1/21/85 and IE Daily Report 1/22/85.

Brunswick 1 (50-325), 5/16/78. Air system leaks caused the drywell and torus oxygen concentrations to exceed allowables. Loose stainless steel tube fittings on the vacuum breaker IA lines were the source of inleakage. Reference: LER 78-055.

Oconee 3 (50-287), 5/17/81. A broken air line caused a loss of cooling of a motor driven emergency feedwater pump. Reference: LER 81-010.

Crystal River-3 (50-302), 6/15/84. A broken IA supply line (3/8") caused all auxiliary building exhaust fans to fail closed. Reactor building exhaust fan dampers were also inoperable, thereby disabling the hydrogen purge system. Reference: LER 84-012.

D.C. Cook 1 (50-315), 11/25/85. An air line break caused a reactor trip. Recovery operations were complicated by the loss of the TDAFW control system which was dependent on IA. References: 10 CFR 50.72 Report 2871, 11/25/85, and IE Daily Report 11/26/85.

Calvert Cliffs 2 (50-318), 1/12/83. It was found that the loss of IA to the AFW regulating valves' I/P converters could cause an overcooling transient. Reference: LER 83-003.

Sequoyah 2 (50-328), 2/25/83. Reactor containment was pressurized due to a leak in a 1/2" "essential air line." Reference: LER 83-027.

LaSalle (50-373), 7/26/82. A ruptured air hose caused the inoperability of ADS valves. Reference: LER 82-075.

Catawba 1 (50-413), 1/15/84. During excavation activities an IA line was broken. Loss of IA to the containment chilled water system resulted in a loss of cooling to RCP motors and chiller loads. The RCP seals heated up. The reactor was manually scrammed, and the RCPs were tripped. Pressurizer control was lost and there was insufficient boron mixing as a result of the RCP trip. References: IE Daily Report 1/15/84; 10 CFR 50.72 Report 1/15/84.

MISCELLANEOUS COMPONENT FAILURES

Haddam Neck (50-213), 11/02/84. Failures of solenoids controlling air pressure to air-operated valves caused a loss of automatic initiation of two trains of AFW. Reference: LER 85-005.

Indian Point 2, 9/12/76. A desiccant dryer inlet valve malfunction caused a loss of IA. This resulted in the closure of letdown valves and the opening of charging lines with one charging pump running. The RCS was solid, preparing to start the RCPs. The RHR relief valve opened to limit RCS pressure. A similar event occurred on 5/18/73 (prior to power operation). Reference: LER 76-2-15(A).

Indian Point 2 (50-247), 2/13/85. A failed air regulator resulted in the inoperability of the hydrogen recombiner. Reference: IE Daily Report 2/14/85.

Turkey Point 3 (50-250), 1/13/85. A solenoid pilot failed to bleed off air from a valve operator. This resulted in the failure of a containment isolation valve to close upon demand. Reference: IE Daily Report 1/14/85.

Browns Ferry 1, 2, 3 (50-259, 260, 296), 8/28/78. The cylinder head of one air compressor failed, and there was a loss of control air to all three units. Units 1 and 2 were scrammed while Unit 3 was already shut down. Reference: PNO-78-147.

Browns Ferry 1 (50-259), 9/19/84. The SA system compressor tripped causing depressurization of the SA system. As a result an offgas discharge from the hydrogen analyzer entered the service air system. Reference: IE Daily Report 9/24/84.

Haddam Neck (50-213), 11/1/83. Containment control air was lost due to an incorrectly installed air filter. As a result control of the pressurizer spray valves and the pressurizer PORVs was lost for about 45 minutes. Reference: LER 83-020.

Haddam Neck (50-213), 11/28/83. Failed air filter - identical event to LER 83-020 (11/1/83). Containment control air was lost, and the control of the pressurizer spray valves and the pressurizer PORV was lost for less than an hour. Reference: LER 83-021.

Pilgrim 1 (50-293), 9/29/83. An air-operated testable check valve failed open. The failure resulted in overpressurization of the HPCI suction piping. Primary coolant pressurized a low pressure portion of the HPCI system. The potential existed for a primary system leak outside containment (Event V). Reference: IE Information Notice 84-74.

Hatch 1 & 2 (50-321, 366), 12/31/85. An air compressor failure resulted in a loss of IA. Upon loss of IA, the air-operated deluge valves on a cooling tower opened (per design). Fire pumps started and sprayed down the cooling tower, thereby draining down both units' fire protection water storage tanks to below the technical specification minimums. Reference: 10 CFR 50.72 Report #3205, 12/31/85.

St. Lucie 1 (50-335), 4/15/77. A containment IA compressor failed. Control of all air-operated valves in containment was lost. RCP seal cooling was lost, and the RCP seals were damaged. Reference: LER 77-23 (See Section 5.1.10).

Limerick 1 (50-352), 9/4/84. It was determined that malfunctioning air-operated pilot valves could result in the loss of the emergency services water system. The malfunctioning pilot valves were replaced. Reference: IE Daily Report 9/4/84.

McGuire 1, 2 (50-369), 11/2/85. A break in an IA compressor discharge line resulted in the loss of IA to both units. As a result both units scrammed on low SG level. References: LER 85-034; 10 CFR 50.72 Reports 2615, 2618, 3335.

LaSalle 1, 2 (50-373, 50-374), 10/25/83. Loss of cooling water to the Unit 2 service air compressor resulted in loss of Unit 1 IA. Unit 1 was manually scrammed. References: 10 CFR 50.72 10/25/83; IE Daily Report 10/26/83.

Summer 1 (50-395), 6/29/84. Failure of an air-operated isolation valve on the steam admission line to the TDAFW pump caused the TDAFW pump to turn. If the TDAFW pump had then been called upon to operate it would have tripped on overspeed. References: IE Daily Report 7/3/84 and 10 CFR 50.72 Report 7/2/84.

Summer 1 (50-395), 9/8/85. An air compressor trip resulted in a drop in IA pressure. The drop in IA pressure caused the steam admission valve to the TDAFW pump to open partially and turn the turbine. If the TDAFW pump had then been called upon to operate it would have tripped on overspeed. References: NRR/IE briefing 9/16/85; LER 85-026.

Grand Gulf 1, 2 (50-416), 7/2/84. Unit 1 had a reactor scram after the loss of the Unit 2 air compressor. (The scram occurred subsequent to the scram pilot valves drifting open, low IA header pressure, and high SDV level.) Reference: LER 84-33.

APPENDIX B Technical Review of Emergency Diesel Generator Cooling System Failures Due to Air Systems Interactions


APR 2 S 1986

AEOD/T602

MEMORANDUM FOR: Stuart D. Rubin, Acting Chief
Reactor Operations Analysis Branch
Office for Analysis and Evaluation of Operational Data

FROM: Eric J. Leeds, Reactor Systems Engineer
Reactor Systems Section 1
Reactor Operations Analysis Branch
Office for Analysis and Evaluation of Operational Data

SUBJECT: EMERGENCY DIESEL GENERATOR COOLING WATER SYSTEM DESIGN DEFICIENCIES AT MAINE YANKEE AND HADDAM NECK

The enclosed technical review report is forwarded for your information and consideration. The study evaluated two recently identified system design deficiencies involving air-operated control valves. The deficiencies, found at two different operating pressurized water reactors, could have resulted in a common mode failure of both the onsite emergency diesel generators at the involved plants. The study found that the use of air-operated valves to control the emergency diesel generator cooling water supply was unique to the Maine Yankee and Haddam Neck plants. The study also found that the use of an automatic bus transfer device at Haddam Neck (to ensure the availability of redundant power supplies to a vital motor control center for emergency core cooling equipment) was also apparently plant unique. The interaction and potential adverse impacts of degraded or failed nonsafety-grade air systems on safety-related nuclear plant systems is currently being evaluated on a generic basis in an ongoing AEOD case study on plant air systems. It is suggested, therefore, that the design deficiencies identified at the Maine Yankee and Haddam Neck plants be considered for inclusion in the plant air systems case study. The study also suggests that the details of the design deficiencies identified at the Maine Yankee and Haddam Neck plants be included in a forthcoming issue of Power Reactor Events.

/s/
Eric J. Leeds, Reactor Systems Engineer
Reactor Systems Section 1
Reactor Operations Analysis Branch
Office for Analysis and Evaluation of Operational Data

Enclosure: As Stated

cc: Hal Ornstein, AEOD
Paul Swetland, RI
Cornelius Holden, RI
Alan Rubin, NRR


AEOD TECHNICAL REVIEW REPORT*

UNITS: Maine Yankee, Haddam Neck

TR REPORT NO: AEOD/T602

DATE: April 29, 1986

DOCKET NOS: 50-309 and 50-213

EVALUATOR/CONTACT: E. Leeds

LICENSEES: Maine Yankee Atomic Power, Northeast Utilities

NSSS/AE: Combustion Engineering / Stone & Webster; Westinghouse / Stone & Webster

SUBJECT: EMERGENCY DIESEL GENERATOR COOLING WATER SYSTEM DESIGN DEFICIENCIES AT MAINE YANKEE AND HADDAM NECK

SUMMARY

On June 25, 1985, during a review of systems required for safe shutdown, personnel at Maine Yankee identified a design deficiency that could result in a common mode failure of the cooling water supply for the onsite emergency diesel generators (EDGs). At Maine Yankee, the cooling water supply to the EDGs depended on the proper operation of air-operated temperature control valves and plant personnel determined that a credible single failure could cause a loss of the air supply to these valves, resulting in a loss of cooling water flow to the EDGs. On November 1, 1985, a probabilistic safety study for the Haddam Neck plant identified a previously unrecognized failure sequence that could result in a loss of all cooling water flow to the onsite EDGs due to a single component failure. At Haddam Neck, EDG cooling water flow also depended on proper operation of air-operated supply valves. The probabilistic study found that a single component failure could result in a loss of power to the solenoid air pilot valves that control the position of the cooling water supply valves. A loss of power also resulted in the cooling water valves to both EDGs failing closed.

The design deficiencies at Maine Yankee and Haddam Neck were investigated and evaluated to assess their potential applicability to other nuclear plants. The study found the use of air-operated valves to control the EDG cooling water supply to be unique to the Maine Yankee and Haddam Neck plants. The study also found that the use of an automatic bus transfer (ABT) device at Haddam Neck (to ensure the availability of redundant power supplies to a vital motor control center for emergency core cooling equipment) was also apparently plant unique.

However, the interaction and potential adverse impacts of degraded or failed nonsafety-grade air systems on safety-related nuclear plant systems is currently being evaluated on a generic basis in an ongoing AEOD case study on plant air systems. It is suggested, therefore, that the design deficiencies identified at Maine Yankee and Haddam Neck be considered for inclusion in the plant air systems case study.

*This document supports ongoing AEOD and NRC activities and does not represent the position or requirements of the responsible NRC program office.

DISCUSSION

Recently, independent design reviews at Maine Yankee and Haddam Neck identified deficiencies at each plant that could result in common mode failure of the cooling water supply to the onsite EDGs. A sustained interruption or complete loss of cooling water without prompt operator actions would cause the EDGs to overheat and subsequently fail. In view of the significant adverse safety implications associated with the identified design deficiencies, a study was initiated to review the EDG cooling water system configurations at Maine Yankee, Haddam Neck and other early-generation light water reactor plants to determine if the design deficiencies had potential applicability to other nuclear power facilities.

Design Review Experience

1. Maine Yankee

On June 25, 1985, during a design review of the systems required for safe shutdown and accident mitigation, personnel at Yankee Atomic Electric Company identified a deficiency in the cooling water control system for the onsite EDGs (Ref. 1). The design deficiency was such that a single component failure could potentially disable the cooling water supply to both EDGs. At Maine Yankee, two diesel generators provide emergency onsite ac power, with each cooled by a separate component cooling water system. The 'A' EDG heat exchanger is cooled by the "primary" component cooling water (PCCW) system and the 'B' EDG heat exchanger is cooled by the "secondary" component cooling water (SCCW) system. Each EDG cooling water supply is regulated by a separate air-operated temperature control valve. However, both control valves share a common air supply (Figure 1). Because the temperature control valves are designed to fail closed on a loss of air, a single failure in the air supply could have resulted in a loss of cooling water to both EDG heat exchangers.

The licensee's immediate corrective action was to align the back-up fire water cooling supply to the EDG heat exchangers to allow automatic transfer to fire water cooling in the event of a loss of the air supply. However, leakage past the supply valves allowed untreated fire water to contaminate the PCCW and SCCW systems. The contamination of the PCCW and SCCW systems was determined to be unacceptable by the licensee since both systems utilize demineralized water treated with corrosion inhibitors. Therefore, on June 26, 1985, following a determination that full cooling water flow through the EDG heat exchangers would be acceptable with respect to lube oil and jacket water temperatures, heat exchanger tube erosion, and component cooling flow demand, the temperature control valves were blocked open to provide continuous full flow to the heat exchangers. The fire water temperature control valves were then reisolated to prevent fire water leakage into the PCCW and SCCW systems.

[Figure 1 Cooling Water Control Schematic for "A" EDG at Maine Yankee. Components shown: fire water supply valves TCV-1724A and TCV-1725A (fail open), CCW temperature control valve TCV-1730A (fails closed on loss of air), solenoid valves SOV-1724A and SOV-1730A, temperature controller, DG-1A heat exchanger E-82A, back-up air regulating valve PCV-2701 from the diesel starting air tanks, instrument air system supply, and bypass for DG-1B cooling. Legend: A = signal from associated jacket water temperature switch will change SOV position at 190°F; this will open fire valves 1724A and 1725A and close CCW valve TCV-1730A.]

2. Haddam Neck

On November 1, 1985, a probabilistic safety study for the Haddam Neck plant identified a scenario that could result in a loss of cooling water flow to both EDGs by the failure of a single component (Ref. 2). At Haddam Neck, two diesel generators provide onsite emergency ac power. Each EDG has a cooling water supply with an air-operated control valve which opens to allow cooling water to flow from the service water system to the EDG heat exchanger when the EDG starts. The cooling water supply valves fail open on a loss of air pressure. However, each air-operated cooling water supply valve is positioned by a solenoid air pilot valve. With the solenoid valve energized, air is vented from the air-operator, allowing the cooling water supply valve to open. Both solenoid valves receive control power from a common motor control center (MCC). This MCC (MCC-5) can be supplied emergency ac power from either EDG via an ABT (Figure 2). As seen from the figure, the ABT interlocks the output breakers from Bus 5 and Bus 6 so that only one of the two breakers can be shut at any time. If the bus supplying power to MCC-5 is deenergized, the ABT automatically opens the deenergized output breaker and closes the alternate bus output breaker (if the alternate bus is energized). The ABT ensures a continuous power supply to MCC-5. Since ac power is required for the solenoid valves to energize (and thereby open the cooling water supply valves), a loss of offsite power coincident with an interruption of emergency power to MCC-5 could cause a simultaneous loss of cooling water flow to both EDG heat exchangers.

The licensee's immediate corrective action was to evaluate the consequences of maintaining the cooling water supply valves in the full open position to ensure the cooling water flow to the EDG heat exchangers. Based on this review, the licensee modified the cooling system by blocking open the cooling water supply valves. The licensee is also monitoring the EDG lube oil temperatures daily to ensure the lube oil temperature remains above 85°F in accordance with the EDG manufacturer's specifications.

Analysis and Evaluation

1. Maine Yankee

At Maine Yankee, the 'A' EDG heat exchanger is cooled by the PCCW system and the 'B' EDG heat exchanger is cooled by the SCCW system. When the plant was originally constructed, both EDG heat exchangers relied on the site fire water system for a backup source of cooling water. Fire water cooling to either EDG heat exchanger was designed to be automatically initiated if: (1) EDG jacket water temperature reached 190°F, then fire water cooling supply valves (TCV-1724A and TCV-1725A) would open and the temperature control valve (TCV-1730A) would close (see Figure 1); or (2) a complete loss of the air supply occurred, then the temperature control valve would fail closed and the fire water cooling supply valves would fail open. The licensee isolated the backup fire water cooling supply in late 1981, however, because the fire water leakage past the supply valves was causing contamination of the PCCW and SCCW systems. The licensee believed that isolating the fire water cooling supply was not a safety concern because the temperature control valves that regulate the normal cooling water supply to the EDG heat exchangers are equipped with a seismically qualified, safety-grade backup air supply.

Normally, each EDG temperature control valve receives its air supply from the instrument air system, which is a nonsafety-grade system. The instrument air system consists of three motor-driven air compressors powered from vital buses. Additionally, the temperature control valves and the fire water cooling supply valves must remain operable during all postulated accidents. Therefore, the instrument air system has a back-up tie-in from the diesel air starting system which is a seismically qualified, safety-grade system. The instrument air system supplies air at 95 psi to both the temperature control valves and the fire water cooling supply valves through a common piping header. The diesel air starting system is a 200 psi system which supplies a back-up source of air to the valves through a single regulating valve, PCV-2701, which is connected to a common piping header (see Figure 1). If instrument air system pressure drops below 40 psi, the regulating valve will open and regulate the back-up air system pressure to maintain 95 psi air pressure in the header.

[Figure 2: schematic of the power supply to MCC-5 through the ABT at Haddam Neck; the figure is not legible.]

During a review of the systems required for safe shutdown and accident mitigation, personnel at the Yankee Atomic Electric Company found that the single failure of the back-up air supply regulating valve (PCV-2701) coincident with a loss of offsite power could result in the loss of cooling water to both EDG heat exchangers. Following a loss of offsite power, the instrument air system compressors would lose power, resulting in a loss of the normal (instrument) air supply to the temperature control valves. A failure of the backup air supply regulating valve would then result in a complete loss of air to the temperature control valves. With a loss of air pressure the temperature control valves would fail closed and the fire water control valves would fail open to allow backup fire water cooling to the heat exchangers. However, because the fire water cooling supply system had been isolated, a loss of the normal and backup air supplies to the temperature control valves would result in a complete loss of cooling water to both EDG heat exchangers.

The licensee's corrective action consisted of blocking open the temperature control valves to provide continuous full cooling flow to both EDG heat exchangers. The temperature control valves were originally designed to be positioned by a temperature controller to maintain a 25°F delta-temperature across each EDG heat exchanger (see Figure 1). This arrangement was used to balance the component cooling water flow demand. However, the licensee determined that full cooling flow through the heat exchangers was acceptable in regard to the cooling loads of the PCCW and SCCW systems. Additionally, full cooling flow to the heat exchangers did not impact on the EDG lube oil and jacket water temperatures because each EDG has an internal "thermostat" to specifically regulate the lube oil and jacket water temperatures. Finally, the licensee determined that full cooling flow would not adversely increase the rate of heat exchanger tube erosion. Therefore, blocking the temperature control valves open was acceptable and would eliminate the possibility of a loss of air supply causing a loss of cooling water to both EDG heat exchangers.
2. Haddam Neck

At Haddam Neck, control air pressure overcomes an internal spring force to shut the cooling water supply valves for the EDG heat exchangers. When control air pressure is lost, the cooling water supply valves will "fail safe," i.e., the spring force will open the valves to ensure a cooling water supply to the EDG heat exchangers. The air supply to each cooling water supply valve is controlled by a three-way solenoid air pilot valve. When an EDG is not running, its associated solenoid valve is deenergized, allowing control air pressure to be supplied to the air actuator of the cooling water supply valve keeping the supply valve closed. When an EDG starts, the solenoid valve is energized and repositions, venting air from the air actuator. The spring force will then open the cooling water supply valve allowing cooling water flow to the EDG heat exchanger. The control air system at Haddam Neck uses large accumulators which maintain air pressure in the event that the compressors are lost. However, if electrical power to the solenoid valves is lost, the solenoid valves will not reposition. In such an event, with air pressure available, the cooling water supply valves will remain closed. Therefore, a loss of electrical power to the solenoid valves would result in a loss of cooling water flow to the EDG heat exchangers.

The solenoid air pilot valves for both EDGs are supplied electrical power from MCC-5. This MCC normally is supplied by offsite power through emergency Buses 8 and 9. The MCC is supplied with emergency ac power from either EDG via an ABT (Figure 2) in the event that offsite power is unavailable. The scenario identified by the licensee, which could lead to a loss of cooling water to both EDGs, involves a postulated loss of offsite power and the coincident failure of the ABT for MCC-5. The ABT failure sequence is as follows: Initially, offsite power is assumed to be supplying Buses 5 and 6 and the preferred source selector switch for the ABT is assumed to be set for Bus 5. In this alignment, Bus 5 is supplying power to MCC-5 (the Bus 5 output breaker is shut).

The scenario begins with a loss of offsite power which results in a loss of power to emergency Buses 8 and 9 and consequently to Buses 5 and 6. As soon as the electrical frequency associated with Bus 5 decreases by a predetermined amount, the ABT, as designed, would open the Bus 5 output breaker. However, since the electrical frequency associated with Bus 6 would also decrease by the same amount, the ABT will not shut the Bus 6 output breaker. Thus, MCC-5 would be deenergized with both Bus 5 and Bus 6 output breakers open. However, the EDGs start following a loss of offsite power and begin to load 10 to 13 seconds later. When the EDGs reenergize Buses 5 and 6, the ABT would sense that the selected source (Bus 5) had electrical power and would attempt to shut the Bus 5 output breaker. It is postulated that the Bus 5 output breaker fails to close (single failure). By design, the ABT would continue to attempt to shut the selected source (Bus 5) output breaker as long as the bus had electrical power. The ABT will not transfer and shut the alternate source (Bus 6) output breaker unless electrical power to Bus 5 is interrupted or an operator selects Bus 6 with the ABT's preferred source selector switch. Thus, MCC-5 would be deenergized with neither Bus 5 nor Bus 6 supplying power. In this situation, the EDG cooling water supply valves would remain closed since the solenoid valves would have no power to reposition to vent air from the cooling water supply valve air actuators.
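The ABT sequence and valve behavior described above, worked through as an added Python model that is not part of the AEOD report or the licensee's study. The class and function names, the scan-by-scan timing, and the pairing of one EDG with each of Buses 5 and 6 are assumptions made for illustration.

```python
"""Added example: Haddam Neck ABT / MCC-5 logic as the report describes it."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

BUSES = ("Bus5", "Bus6")  # one EDG feeding each bus is an assumption


@dataclass
class ABT:
    """Automatic bus transfer feeding MCC-5 (hypothetical model).

    At most one output breaker is shut. A breaker opens when its bus loses
    power. With no breaker shut, the ABT demands the selected source while
    that bus is live, and the alternate only if the selected bus is dead.
    """
    selected: str = "Bus5"                  # preferred source selector switch
    closed: Optional[str] = "Bus5"          # output breaker currently shut
    stuck_open: Set[str] = field(default_factory=set)  # breakers failing to close

    def step(self, live: Dict[str, bool]) -> bool:
        """Run one scan of the logic; return True if MCC-5 is energized."""
        alternate = BUSES[1] if self.selected == BUSES[0] else BUSES[0]
        if self.closed is not None and not live[self.closed]:
            self.closed = None              # open the deenergized source breaker
        if self.closed is None:
            if live[self.selected]:
                target = self.selected      # retried on every scan, never abandoned
            elif live[alternate]:
                target = alternate
            else:
                target = None               # both buses dead: nothing to shut
            if target is not None and target not in self.stuck_open:
                self.closed = target
        return self.closed is not None


def cooling_valve_open(edg_running, mcc5_energized, control_air_connected=True):
    """EDG cooling water supply valve position.

    Control air holds the valve shut against its spring until the solenoid
    pilot valve is energized and vents the actuator. Accumulators are assumed
    to keep air pressure available, as the report states.
    """
    if not control_air_connected:           # licensee's fix: air lines removed
        return True
    return edg_running and mcc5_energized   # solenoid needs MCC-5 power to vent


def loss_of_offsite_power(stuck_open=(), failed_edg_bus=None,
                          operator_selects=None, control_air_connected=True):
    """Replay the loss-of-offsite-power sequence and report the end state."""
    abt = ABT(stuck_open=set(stuck_open))
    on_edgs = {bus: bus != failed_edg_bus for bus in BUSES}
    abt.step({bus: True for bus in BUSES})    # offsite power available
    abt.step({bus: False for bus in BUSES})   # both bus frequencies decay together
    abt.step(on_edgs)                         # EDGs load 10 to 13 s later
    mcc5 = abt.step(on_edgs)                  # ABT keeps retrying
    if operator_selects is not None:          # manual selector switch action
        abt.selected = operator_selects
        mcc5 = abt.step(on_edgs)
    valves = {bus: cooling_valve_open(on_edgs[bus], mcc5, control_air_connected)
              for bus in BUSES}
    return {"mcc5_energized": mcc5, "breaker_closed": abt.closed,
            "valve_open": valves}


if __name__ == "__main__":
    cases = {
        "no failure": {},
        "EDG on Bus 5 fails": {"failed_edg_bus": "Bus5"},
        "Bus 5 breaker fails to close": {"stuck_open": ["Bus5"]},
        "same, operator selects Bus 6": {"stuck_open": ["Bus5"],
                                         "operator_selects": "Bus6"},
        "same, control air lines removed": {"stuck_open": ["Bus5"],
                                            "control_air_connected": False},
    }
    for name, kwargs in cases.items():
        print(f"{name}: {loss_of_offsite_power(**kwargs)}")
```

The model shows the asymmetry the study found: loss of the preferred source is handled by a transfer, but a preferred-source breaker that will not close leaves MCC-5 dead while both buses are energized.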

To fully evaluate the significance of this failure mode, background information regarding MCC-5 is presented. MCC-5 is a single 480 volt distribution bus which powers many vital loads (such as the motor-operated injection valves) for both safeguards trains. However, MCC-5 is not a single failure proof power distribution center. Furthermore, MCC-5 was not originally required to meet the single failure criterion. This fact had been identified and determined to be acceptable by the then Atomic Energy Commission in the safety evaluation for the plant's operating license. Subsequently, the use of an ABT (to provide redundant power supplies to MCC-5) was discussed at an Advisory Committee on Reactor Safeguards (ACRS) subcommittee meeting held in Washington, D.C. on April 7, 1983 (Ref. 3). The meeting was held to review the results of Phase II of the Systematic Evaluation Program as applied to the Haddam Neck plant. Questions raised by the subcommittee prompted an analysis to evaluate the availability of power for vital equipment powered from MCC-5. The analysis, performed in 1983 and utilizing probabilistic risk assessment (PRA) techniques, determined that the frequency of a loss of power to MCC-5 is .-4/yr (Ref. 4). This frequency was based on the yearly testing interval at Haddam Neck for the ABT and associated breakers. If a monthly test interval is assumed for these components, the frequency drops to 7.3E-4/yr. The analysis also determined that the frequency of a total station blackout, [...] coincident with the failure of both EDGs, is 7.2E-4/yr. Therefore, it appeared that the probability of losing power to MCC-5 was of the same order of magnitude as a total station blackout.

The failure scenario for the ABT identified in the new probabilistic safety study completed by Northeast Utilities (the licensee) significantly affects the probabilistic frequency for a loss of power to MCC-5 (Ref. 5). The scenario presented in the new study (previously discussed in this report) was not identified in the 1983 PRA.

Based on the new scenario, the frequency of a loss of power to MCC-5 is calculated as follows:

F(MCC-5) = F(LOSP) * P(BKR)

where:

F(MCC-5) = frequency of a loss of power to MCC-5

F(LOSP) = loss of offsite power frequency

P(BKR) = probability of a breaker failing to close

For Haddam Neck, F(LOSP) is assumed to be 0.2/yr and P(BKR), based on its yearly testing interval, is approximately 1.0E-2. Therefore, F(MCC-5), the frequency of a loss of power to MCC-5, becomes 2.0E-3 (Ref. 5). The current PRA indicates that the frequency of a loss of power to MCC-5 is an order of magnitude greater than the probability of a loss of offsite power coincident with a failure of both EDGs for other causes. Thus, a loss of power to the solenoid valves controlling the EDG cooling water supply valves was determined to be a significant safety concern.

The licensee blocked the EDG cooling water supply valves open by removing the control air lines which provide the air pressure necessary to hold the valves closed. This eliminates the potential for a loss of electrical power to MCC-5 to cause a loss of cooling water to the EDG heat exchangers. However, redundant and nonredundant equipment necessary for safety injection is still powered from MCC-5. A coincident loss of MCC-5 during a postulated loss of coolant accident (LOCA) would prevent initiation of safety injection and could lead to core damage. The resident inspector at Haddam Neck has raised this concern with the licensee (Ref. 6). The licensee stated that the probability of a LOCA with a loss of offsite power and coincident loss of MCC-5 is sufficiently low that immediate corrective action is not required. Region I has requested the Office of Nuclear Reactor Regulation (NRR) to review the potential concerns resulting from the new higher probability scenario for a loss of MCC-5 (Ref. 7). The region has also requested NRR to take the lead responsibility for reviewing the recently completed probabilistic safety study and for determining whether the licensee's plan of action regarding potential MCC-5 failure consequences during a postulated LOCA or main steam line break is acceptable.

* The frequency of a loss of a single ac bus is small enough so that the loss of offsite power will dominate the frequency for a loss of power to the buses.

Generic Applicability

To generically assess the extent to which air-operated valves are used in EDG cooling water systems, the EDG cooling systems at eight operating plants were reviewed. Because Stone and Webster (S&W) was the architect engineer (A/E) for both Maine Yankee and Haddam Neck, the review included four S&W plants: North Anna, Surry, Beaver Valley and Fitzpatrick. The other plants included in the review were licensed some time before or after Maine Yankee and Haddam Neck. These were: Ginna, Oyster Creek, Quad Cities and Fort Calhoun. None of the plants examined used air-operated valves in their EDG cooling water systems (Ref. 8). Six of the plants used manually operated valves which were locked open to permit full cooling water flow through the EDG heat exchangers. One plant used a motor-operated valve for cooling water control and one plant uses air-cooled EDGs. For additional independent verification, Reference 9 was reviewed to assess whether significant EDG failure operating experiences were reported to have been caused by air-operated valve problems associated with the EDG cooling supply. The review of Reference 9 revealed no evidence of other plants utilizing air-operated valves in their EDG cooling water control systems. Due to the absence of data involving the loss of EDG cooling water (Ref. 9) caused by air-operated valve problems, it was concluded that the deficiencies associated with the design of the EDG cooling water systems at Maine Yankee and Haddam Neck were unique to those plants. Therefore, this issue does not appear to be a generic concern.

Similarly, the issue of using an ABT to provide redundant power supplies for ECCS equipment was examined to assess its generic applicability. Historically, the Nuclear Regulatory Commission has required that ECCS equipment be supplied by separate and redundant power sources. Exceptions to these requirements (e.g., MCC-5 at Haddam Neck) appear to have been accepted by the AEC on a case-by-case basis for some of the earlier licensed plants. To determine if any other operating plants have vital motor control centers or load centers which receive normal and alternate power supplies through an ABT device, the design of six plants licensed in the 1960s and early 1970s were reviewed. They were: Quad Cities, Ginna, Zion, Oconee, Oyster Creek and Fitzpatrick. None of these plants were found to have an ABT arrangement similar to the design for MCC-5 at Haddam Neck (Ref. 10). Therefore, it appears that this arrangement is also unique to Haddam Neck and is, therefore, not a generic concern.

FINDINGS AND CONCLUSIONS

Both of the design deficiencies evaluated in this study identified the potential for a failure in a nonsafety-related system to adversely affect the onsite safety-related EDG systems. Specifically, at Maine Yankee, the loss of the nonsafety-related air supply to the temperature control valves could have resulted in a loss of cooling water flow to the EDG heat exchangers. At Haddam Neck, an interruption of power to the solenoid air pilot valves (which control the position of the EDG cooling water supply valves) could have resulted in a loss of cooling water flow to the EDG heat exchangers. A sustained interruption or complete loss of cooling water would cause the EDGs to overheat and subsequently fail without prompt operator actions. The corrective action taken at both plants was virtually identical, uncomplicated and adequate - the air-operated valves controlling the cooling water supply to the EDG heat exchangers were blocked open. Blocking the valves open, in effect, eliminated the potential adverse interaction between the safety-related system (i.e., the EDG cooling water system) and the nonsafety-related system (i.e., the air supply system). However, a review of the EDG cooling water system designs at eight nuclear plants has led to the conclusion that the use of air-operated valves in EDG cooling water systems is unique to the Maine Yankee and Haddam Neck plants and that this issue is, therefore, not a generic concern.

At Haddam Neck, the use of an ABT to provide redundant power supplies to MCC-5 was initially reviewed in the licensing process for the original plant design and was again accepted during the Systematic Evaluation Program review of existing plant system configurations. However, a recently completed probabilistic safety study identified a previously unrecognized failure mechanism for the ABT which significantly affects the probabilistic frequency for a loss of power to MCC-5. The licensee found that a loss of MCC-5 would cause the loss of cooling water to both EDGs and took appropriate corrective actions. However, significant redundant and nonredundant equipment necessary for safety injection is also powered from MCC-5. A coincident loss of MCC-5 during a postulated LOCA would prevent initiation of safety injection and could lead to core damage. Region I has requested that NRR take lead responsibility to review the recently completed probabilistic safety study and determine whether the licensee's plan of action regarding potential MCC-5 failure consequences during a postulated LOCA or main steam line break is acceptable. A review to generically assess the use of ABTs to provide redundant sources of power to ECCS equipment concluded that this type of arrangement is unique to Haddam Neck and is, therefore, also not a generic concern.

SUGGESTIONS

At both Maine Yankee and Haddam Neck, the cooling water supply to the EDG heat exchangers is dependent on the proper operation of air-operated control valves. The interaction and impact of nonsafety-grade air systems on other nuclear plant systems is currently being evaluated on a generic basis by an AEOD case study on plant air systems. Therefore, it is suggested that the design deficiencies identified at Maine Yankee and Haddam Neck be included in the plant air systems case study.

The use of an ABT to provide redundant power supplies to emergency core cooling system equipment appears to be unique to the Haddam Neck plant. Since Region I has requested that NRR review the ABT issue at Haddam Neck, it is suggested that no further AEOD review on this subject be taken at this time.

REFERENCES

1. Licensee Event Report 85-006, Maine Yankee Atomic Power Plant, Docket No. 50-309, June 25, 1985.
2. Licensee Event Report 85-029, Haddam Neck Plant, Docket No. 50-213, November 1, 1985.
3. Letter from J. C. Ebersole, ACRS, to N. J. Palladino, Chairman, NRC, Subject: ACRS Report on the Systematic Evaluation Program Review of the Haddam Neck Plant, May 17, 1985.
4. D. Gallagher and others, "Review and Assessment of Various Automatic Bus Transfer Designs for Haddam Neck," performed for USNRC by Science Applications, Inc., May 1983.
5. Telecommunications between E. Leeds and F. Akstulewicz, NRC, and M. Bain, J. Bickle and D. Dube, Northeast Utilities, February 13, 1986.
6. NRC Inspection Report No. 50-213/85-21, January 5, 1986.
7. Memorandum from R. W. Starostecki, NRC, to F. Miraglia, NRC, Subject: Increased Potential for Loss of Offsite AC Power Leading to Loss of Emergency Core Cooling, February 18, 1986.
8. Telecommunications between E. Leeds (AEOD) and the resident inspectors at North Anna, Surry, Beaver Valley, Fort Calhoun, Ginna, Oyster Creek, Quad Cities and Fitzpatrick, April 10, 1986.
9. NUREG/CR-2989, "Reliability of Emergency AC Power Systems at Nuclear Power Plants," by R. E. Battle and D. J. Campbell, July 1983.
10. Telecommunications between E. Leeds (AEOD) and the resident inspectors at Quad Cities, Ginna, Zion, Oconee, Oyster Creek and Fitzpatrick, April 10, 1986.

APPENDIX C

Operation of Ralph A. Hiller Company Air Spring Actuators

I roh RalphA.HilletCompany April 24, 1986 t

United States Nuclear Regulatory Commission Of fice for Analysis and Evaluation And Ooerational Data Mail Stop EWS205A Washington, D.C. 20555 ,

Attention: Mr. A1 Ornstein

Dear Mr. Ornstein,

Per your request, enclosed are drawings of ai.r spring act-uators and a description of their ooerating orincioles.

OPERATION

  • Plant air enters the filter / regulator (l tem 7) and is regulated to operating pressure. The air is then pioed to the accumulator (I tem 1), which is an ai r storage tank, the 3-way solenoid valve (l tem 6), and the 4-way directional control valve (Item 2). The 3-way solenoid valve (item 6) controls the ooera-tion of the circuit.

To coerate the circuit, an electrical signal is sent to the solenoid valve (l tem 6), which shi f ts from its failure mode and allows oilot air to be sent to the 4-way valve (item 2). The 4-way valve (I tem 2) shif ts from its failure mode and allows operating air to flow to the actuator. Piping is arranged to allow air to enter under the actuator piston for a fait close actuator or over the actuator piston for a fail open actuator.

As air oressure moves the actuator to the desired position, the air on the opposite side of the piston is simultaneously vented to the atmosphere throught the second port of the 4-way valve (i tem 2) and the exhaust muf fler (I tem 5). The rate of opening and closing of the actuator is controlled by adjusting the flow control valves ( I tem 8) .

For the actuator to move to its failure mode, the electrical signal to the solenoid valve (Item 5) is stopped and the solenoid valve moves to its failure mode. The pilot air supplied to the 4-way valves (Item 2) is then blocked and the air in the pilot line is vented to the atmosphere. This venting allows the 4-way valve (Item 2) to move to its failure mode, and the operating air being supplied to the actuator is shut off. The air in the actuator is vented to the atmosphere through the 4-way valve (Item 2) and the exhaust muffler (Item 5), while simultaneously the air stored in the accumulator is allowed to flow through the second port of the 4-way valve and either (1) over the actuator piston for a fail close actuator or (2) under the actuator piston for a fail open actuator. Air tight joints and a check valve (Item 4) will allow air from the accumulator to hold the actuator in the failed position until the solenoid is re-energized.

951 Killarney Drive, Pittsburgh, Pa. 15234 412-882-5300 Telex 81-2360

I hope that the drawings and explanation answer all your questions. If you require additional information, please contact me.

Sincerely yours,

RALPH A. HILLER COMPANY

Michael Meketa
Engineering / Quality Assurance Manager

MM:es

ITEM  DESCRIPTION
1     Basic actuator w/ accum.
2     4-way valve
3     Limit switch
4     Check valve
5     Exhaust muffler
6     3-way sol. operated valve
7     Filter/regulator
8     Flow control valve

[Drawing: Ralph A. Hiller Company, Pittsburgh, PA 15234. Air spring N.O.-F.O. (valves). Labels: air inlet, limit switch (A), limit switch (B), valve closed.]

[Drawing: Ralph A. Hiller Company, Pittsburgh, PA 15234. Type: air actuator. Family: pneumatic actuator, long stroke. Air operated; stored energy, intensified stored air; normally open - fail open. Labels: extend, retract, control, accumulator, C.G., rod dia., dia. bolts (4 req'd).]