ML20235S042

Forwards Draft "Problems W/HPSI Sys in Westinghouse PWRs," Technical Review Rept. Study Categorized Many Different Ways HPSI Function Could Be Lost. Suggests That Evaluation Be Conducted to Determine If Occurrence Rate Is High
ML20235S042
Person / Time
Issue date: 08/05/1987
From: Salah S
NRC OFFICE FOR ANALYSIS & EVALUATION OF OPERATIONAL DATA (AEOD)
To: Lam P
NRC OFFICE FOR ANALYSIS & EVALUATION OF OPERATIONAL DATA (AEOD)
References
NUDOCS 8710080287


Text

AUG 05 1987

DISTRIBUTION: PDR, ROAB RF, AEOD RF, SSalah, SIsrael, PLam, JRosenthal, MWilliams, KBlack, VBenaroya, TNovak, CHeltemes, EJordan

MEMORANDUM FOR: Peter S. Lam, Chief, Reactor Systems Section W and B&W, Reactor Operations Analysis Branch, Division of Safety Programs, AEOD

FROM: Sagid Salah, Reactor Systems Engineer, and Sanford Israel, Senior Reactor Systems Engineer, Reactor Systems Section W and B&W, Reactor Operations Analysis Branch, Division of Safety Programs, AEOD

SUBJECT: TECHNICAL REVIEW REPORT: PROBLEMS WITH HIGH PRESSURE SAFETY INJECTION SYSTEM IN WESTINGHOUSE PWRs

The subject technical review report is enclosed for your consideration. The study was initiated to evaluate the causes and impact of a total loss of the high pressure safety injection (HPSI) function at Westinghouse pressurized water reactors (PWRs). Loss of HPSI following a small break LOCA will lead to core uncovery and subsequent severe damage if makeup water is not added to the primary system by some other means. Our evaluation found that most of the failures that lead to loss of HPSI have been addressed by previous staff or licensee actions. These include valve problems, loss of pump cooling problems, boron solidification problems, debris in the pump, and deficiencies in the HPSI design.

This study has collected and categorized the many different ways the HPSI function could be lost. These results can be used to support the ongoing RES effort on dependent failures and operational safety reliability within the research program on Plant and System Risk and Reliability. System unavailability because of equipment out of service, coupled with another random component failure, appears to have a high likelihood. It is suggested that AEOD conduct an evaluation of these type of system unavailabilities to determine if the occurrence rate is indeed high. This study should include safety systems other than HPSI.

Original signed by
Sagid Salah, Reactor Systems Engineer

Original signed by
Sanford Israel, Senior Reactor Systems Engineer

cc: See next page

SEE PREVIOUS CONCURRENCE

OFC  : ROAB:DSP  : ROAB:DSP : ROAB:DSP
NAME : SSalah:as : SIsrael  : PLam
DATE : 7/ /87    : 7/ /87   : 7/ /87

OFFICIAL RECORD COPY


cc: C. Johnson, RES
    F. Coffman, RES
    R. Barrett, NRR
    J. Murphy, RES
    T. Gwynn, OCM
    M. Beaumont, W
    C. Brinkman, CE
    R. Borsum, B&W
    L. Gifford, GE


AEOD TECHNICAL REVIEW REPORT

UNIT: N/A
TR REPORT NO.: AEOD/T
DOCKET NO.: N/A
DATE:
LICENSEE: N/A
EVALUATOR/CONTACT: S. Salah, S. Israel
NSSS: Westinghouse

SUBJECT: PROBLEMS WITH HIGH PRESSURE SAFETY INJECTION SYSTEMS IN WESTINGHOUSE PWRS

SUMMARY

There have been several severe operating and design problems with the high pressure safety injection (HPSI) systems in Westinghouse-designed PWRs in the last six years. Westinghouse-designed PWRs use three types of HPSI systems: only safety grade centrifugal charging pumps, only intermediate pressure safety injection pumps, and a combination of both types of pumps. HPSI systems using only centrifugal charging pumps or intermediate pressure safety injection pumps are the most vulnerable because of the limited redundancy in the safety injection function.

Approximately 500 operating event reports were reviewed. Out of all the reports reviewed, there were two operating and one design problem which could result in complete HPSI system failure. Other observed major operational problems which have a potential to defeat HPSI were valve failures, pump cooling failures, out-of-service components, and misaligned systems. The results of the study suggest that the frequency of system unavailability (for HPSI and other systems) with respect to out-of-service equipment coupled with random failures in the redundant train may be higher than previously considered and, therefore, a candidate for further examination by AEOD.

1.0 INTRODUCTION

The purpose of this investigation is to evaluate the causes and the impact of a total loss of the high pressure safety injection (HPSI) function at Westinghouse pressurized water reactors (PWRs). Loss of HPSI following a small break LOCA will lead to core uncovery and subsequent severe damage if makeup water is not added to the primary system by some other means. Westinghouse designs use three types of HPSI systems:

(1) Centrifugal charging pumps (CCP)

(2) Intermediate pressure safety injection (IPSI) pumps (1500 to 1700 psi)

(3) A combination of charging pumps and intermediate pressure pumps

This study addresses plants utilizing only a single type of pump for HPSI. Plants utilizing both types of pumps have more redundancy and therefore are less susceptible to loss of function.

Using the Sequence Coding and Search System (SCSS), abstracts of approximately 500 events were reviewed for the years 1981 through 1985. Additional Licensee Event Reports (LERs), obtained for 1986, were included in the review process. Data for plants with both types of HPSI pumps were also included in the assessment if one of the subsystems (CCP or IPSI) lost two or more pumps or had a high potential for losing two or more pumps.

2.0 HIGH PRESSURE SAFETY INJECTION SYSTEM DESCRIPTION

Westinghouse-designed plants have one of three different high pressure safety injection systems: charging pumps only, intermediate pressure (about 1500 psi) pumps only, or a combination of the two. If the centrifugal charging pumps at a plant are safety grade and have adequate capacity for mitigating small break LOCAs, they will be used in the high pressure safety injection system; otherwise, intermediate pressure pumps are used for the HPSI function. The number of HPSI pumps available varies considerably. Those plants with only a single pump type may have two or three pumps. Plants with a combination of pump types will generally have four HPSI pumps available (not taking credit for any sharing of the HPSI function between sister plants).

A typical HPSI system using only CCP is shown in Figure 1. During normal operation, the charging pump draws water from the volume control tank and discharges through the regenerative heat exchangers to the reactor coolant system (RCS) and to the reactor coolant pump seals. Hydrogen is used as the cover gas in the volume control tank (VCT). Upon receiving a safety injection signal, the pump discharge is aligned to the HPSI lines and the pump suction is realigned to the refueling water storage tank. In the arrangement shown in Figure 1, a boron injection tank (BIT) is located in the HPSI discharge piping. Some installations use boric acid tanks and pumps on the suction side of the HPSI pumps. Some plants have removed the high concentration boric acid supply completely.

There are two motor-operated valves in series in the VCT outlet line. These valves, actuated by the safety injection signal, provide redundant isolation of the charging pump suction path from the VCT to preclude ingesting hydrogen into the pumps. There are two normally closed parallel isolation valves in the supply line from the RWST to the HPSI. These valves are opened automatically on a low-low VCT level or a safety injection signal. There are parallel isolation valves on the suction and discharge side of the BIT; three valves in the BIT recirculation bypass line; two valves in the minimum flow recirculation line; and two valves in the normal charging lines. All these valves are actuated by a safety injection signal.

The BIT contains 12 weight percent boric acid solution. To prevent stratification and cold spots within the BIT during normal plant operation, the contents of the tank are continuously circulated with the boric acid transfer pump. Redundant tank heaters and line heat tracing are used to maintain solution temperatures above the boron solubility limit.

Plants with only IPSI pumps have a similar lineup to that shown in Figure 1 except the pumps are not connected to the volume control tank and do not provide reactor coolant pump seal injection. Since the injection pressure for the IPSI pumps is between 1500 and 1700 psi, the reactor coolant system must be depressurized for the IPSI to inject into the RCS.

[Figure 1: typical HPSI system using only centrifugal charging pumps; drawing not reproduced]

More than 60 percent of the Westinghouse-designed plants use a combination of CCPs and IPSI pumps for HPSI. The extra redundancy and diversity in those plants provides a more reliable HPSI function.

3.0 OPERATIONAL EXPERIENCE

There were two events which resulted in total failure of the HPSI system and one reported design deficiency which could result in a complete failure of the HPSI system for plants using either CCP or IPSI pumps only.

The events which caused complete failure of the HPSI system were:

1. On September 3, 1981, at San Onofre 1, after a manual reactor trip, the safety injection valves failed to open on a safety injection signal (SIS) (Ref. 1). The failure of two valves resulted in both SIS trains being inoperable. Engineering tests confirmed that these valves would not open with the design pressure differential across the disc. Both trains would have been inoperable following a small break LOCA.

2. On December 19, 1984, at Indian Point 2, a fire occurred in the generator exciter and seal due to seal failure and hydrogen leakage (Ref. 2). During the operator-initiated shutdown, the reactor tripped on low steam generator level and safety injection occurred on high steam flow signal (coincident with a low-low average RCS temperature) due to actuation of steam dump valves. The safety injection system failed to inject any borated water due to boron solidification (complete failure of SI system).

The design problem which could defeat the HPSI system is:

In the course of performing a probabilistic safety study of Haddam Neck on March 25, 1986 (Ref. 3), the licensee identified a small range of break sizes in one loop of the reactor coolant system for which safety injection flow in the high pressure recirculation mode may be insufficient to prevent core uncovery if the facility operating procedures and system (valve) were not modified.

Over five hundred events with a partial failure of the HPSI system were reviewed for the time period of 1981 to 1986. In addition to the three events noted above, events which caused at least two CCPs or IPSI pump failures are reviewed in this report. A tabulation of problems as a function of year of their occurrence is shown in Table 1. These problem areas basically identify potential common failure modes that can defeat the HPSI function except for the first item (out of service) which reflects a train out of service coupled with a random failure in the other train. Brief descriptions of the events that went into Table 1 are presented in Appendix A.

The seven events categorized as out of service generally arise from one train being down for maintenance or testing and the second train failing. This is an important category because it represents potential total system failure from random causes.

Table 1  Functional problems that defeated at least two trains of HPSI

                             81   82   83   84   85   86   Total
Out-of-service equipment      2    2    -    1    -    2      7
Valve failures                1    -    -    1    1    -      4
Loss of pump cooling          2    2    -    -    -    2      6
Misaligned system             1    2    -    1    1    1      6
Gas binding of pumps          1    1    -    -    -    -      2
Boron solidification          -    -    -    1    -    -      1
Debris in pumps               -    -    -    1    -    -      1
Crack in suction line         -    -    -    1    -    -      1
Inadequate ECCS design        -    -    -    -    -    2      2
Total                         7    7    -    6    2    8     30

Pump cooling events (6) were dominated by problems at Surry associated with failures of the separate service water pumps dedicated to cooling the charging pumps. It is of interest to note that the charging pumps did not fail even though they lost cooling for significant amounts of time.

There were a wide variety of valve problems (4 events) that could fail the HPSI system. These included basic design flaws (valve would not operate under design conditions), maintenance flaws (limit torque switch set incorrectly), and valve failure (disks falling off stems). This is a significant common mode failure category.

The misaligned system category (6 events) captures a number of unrelated events such as switches in the wrong position, tests on different components in different trains, blocked safety injection signals, and valve misalignments.

The remaining events (8) represent a variety of problems that have failed at least two HPSI pumps and could be important considerations for two train HPSI systems. This category includes the Indian Point boric acid precipitation event noted above and the Haddam Neck small break LOCA recirculation problem.

The functional problems are varied and the yearly totals do not indicate improvement in HPSI reliability over the time period examined.

4.0 ANALYSIS AND EVALUATION

4.1 Pump Cooling Problems

At Surry, charging pump service water pumps supply cooling water to the charging pump intermediate seal oil coolers and the charging pump lubricating oil coolers. Failures of the charging pump service water pumps were primarily caused by loss of net positive suction head (NPSH) due to inadequate design.

At Surry Station No. 1, four charging pump service water pumps and three air conditioner chiller units are located in one room. The aforementioned components are supplied with service water, via rotating strainers, from two 6-inch supply lines. Each supply line is gravity fed from the intake canal. Two-inch branch lines supply service water to the charging pump service water pumps, while the service water lines to chiller units are four-inch lines. The NPSH available to the charging pump service water pumps is affected by the number of chiller units in operation. The remedy for this problem was to throttle the service water flow through chillers. In addition, charging pump service water pumps are vented in order to flood the suction.

A second cause of failure of the service water charging pump was flow blockage either due to marine growth or excessive amount of trash in the upstream rotating strainer. The remedy for these problems was to clean out the marine growth and trash from the rotating strainer. A design change was made by the licensee to relocate two of the charging pump service water pumps at a lower level and to increase the size of the suction piping to the pump.

An engineering evaluation of HPSI pump operability without service water was made by ROAB (Ref. 4) for the ANO-2 plant. ANO-2 is a Combustion Engineering (CE) plant; however, results of the evaluation should be applicable to Westinghouse plants as well. ANO-2 performed a test on the operability of HPSI pumps without service water. The pumps operated satisfactorily for pumped fluid temperatures in the range of those expected during safety injection. This is consistent with Surry experience that the pumps operated satisfactorily for at least 20 minutes without outside cooling water. From the test results, AEOD concluded that the operability of the HPSI pumps without service water was not assured for recirculation conditions following a LOCA because of anticipated high fluid temperatures at that time.

Lubricating oil cooling was lost to two charging pumps at Farley (Ref. 5) because of dislodged mud/sludge and/or clams in the service water system. The pumps continued to run even without oil cooling. This issue has been the subject of previous AEOD studies and IE notices. A more definitive study on service water problems, which would also address this subject, is in progress.

4.2 Boron Precipitation

Serious boron solidification problems occurred at Indian Point, Unit 2 because of lack of heat tracing. This problem was addressed by an AEOD Engineering Evaluation Report (Ref. 6), and an Information Notice was issued (Ref. 7). Presently, NRR is permitting licensees to remove the BIT tank and rely on the 2000 ppm boron solution in the RWST for adequate shutdown as discussed in Generic Letter 85-16 (Ref. 8). It is expected that until the BITs are removed from the HPSI system, additional boron solidification events will occur.

4.3 Gas Binding of the Pumps

Two LERs, related to gas binding of the pumps, stemmed from inadequate design consideration of single failures of components connected to the charging pumps. In one instance, the concern was loss of level indication (high) in the volume control tank (VCT) which is normally connected to the charging pumps. This would result in loss of inventory in the VCT and subsequent ingestion of hydrogen into the pumps. Another event was the failure of a surge damper on the suction side of the charging pumps which released sufficient pressurized hydrogen to gas bind the pumps. Although these common mode failures could defeat a HPSI system dependent solely on the centrifugal charging pumps, the coincident occurrence of these failures with a severe accident (requiring HPSI) is not likely. This general topic was discussed in a previous AEOD Engineering Evaluation Study Report (Ref. 9).

4.4 Motor Operated Valve (MOV) Failures

On May 7, 1986, during review of McGuire, conducted in accordance with NRC bulletin IEB-85-03, it was determined by the licensee that the electric motor operators (EMO) for Unit 1 valve 1NI-10 and Unit 2 valves 2NI-9 and 2NI-10 (reactor coolant cold leg injection from the charging pumps) were insufficiently sized to guarantee opening of the valves under the worst case design conditions (Ref. 10). The torque switch setting for Unit 2 valve NV-7 (reactor coolant letdown outside containment isolation) was also found to be set incorrectly.

In another incident on November 2, 1985, McGuire Station Unit 1 tripped on low-low steam generator (SG) level signal resulting from a ruptured instrument air line (Ref. 11). During this transient, the motor operator for two valves which allow the charging pumps to take suction from the RWST by isolating the VCT burned up in the closed position and had to be manually opened. These failures may also be attributable to design/maintenance deficiencies.

In May 1984, Salem 1 reported SI throttle valve stem/disc separation (i.e., disk becoming detached from the stem) (Ref. 12). The licensee subsequently replaced all twelve valves in each unit.

On September 3, 1981, at San Onofre 1, after a manual reactor trip, safety injection valves HV 851 A and B failed to open following a safety injection signal (Ref. 1). The failure of two valves resulted in both SIS trains being inoperable. Engineering tests confirmed that these valves would not open against the design pressure difference across the disk. Design changes were made to correct the problem.

On June 6, 1981, during a normal plant tour of Beaver Valley 1 (Ref. 13), the primary auxiliary building operator found the emergency cooling water supply valve to the HPSI pumps unlocked and closed. Safety implications due to the closure of the valve would have been a loss of HPSI capability through that flow path.

Most of these valve failure events involved deficiencies in design and/or maintenance of the valves. These types of failures have been discussed in several AEOD study reports and IE notices and bulletins. The most recent AEOD report, "A Review of Motor-Operated Valve Performance" (AEOD/C603), summarizes the relevant operational experience and NRC actions. Subsequent to issuing this report, NUMARC (Ref. 14) has taken the responsibility for improving the reliability of motor-operated valves and will conduct a program of assessment and implementation that should address most of the issues related to valve failure, particularly potential common mode failures.

4.5 Debris in the Coolant

Failure of SI pumps due to debris in the coolant has been addressed in an Engineering Evaluation reported by AEOD (Ref. 15). This report was initiated as a result of CCP seizure at Salem 1 on July 13, 1984. Seizure of the CCP was attributed to metal filings which lodged between impeller and wearing rings. The Engineering Evaluation found that SI pumps were susceptible to mechanical problems from debris in the pumped fluids. Since the SI pump problems due to debris in the coolant water can occur during the recirculation mode of ECCS, care must be taken by the plants to make sure the debris does not fall into the sump through the sump screen.

4.6 Out of Service Unavailability

Seven events involved the unavailability of two trains of a system because of administrative outages in one train (test, maintenance), coupled with a failure in the second train. These circumstances are within acceptable plant operation, although the technical specifications severely limit the operating time with two trains out of service. Three Mile Island Action Plan Item II.K.3.17 examined the ECCS outage time for the previous five years at all operating plants. The results of that review indicated that most of the plants were experiencing train-wise outages less than one percent of the plant operating time. However, data were not accumulated to examine the frequency of one train out of service and the other train failing for some other reason.

The HPSI unavailability caused by random events is the best that one can expect from the system. However, the observed system unavailability related to out-of-service components is on the order of 2 x 10 8 per demand, which is about an order of magnitude higher than expected for a truly random combination of such events. In terms of total system reliability, the out-of-service component is within the range of total HPSI unavailabilities estimated in previous PRAs and the first accident sequence precursor study (Ref. 16).

4.7 Misaligned System

Another six events were concerned with other causes of two trains being out of service such as simultaneous testing of different components in different trains, switches "pulled" to lock for both pumps, and wrong train isolation. These latter events are more troublesome because they go unnoticed; however, they are recoverable since no equipment is actually failed or out of service and the emergency procedures require the operators to check that the ECCS is actually operating if demanded.

4.8 Other HPSI Issues

One LER responded to IE Notice 85-94 which is concerned with the potential loss of minimum flow paths for the HPSI pumps. The report identified deficiencies in the minimum flow path and promised plant modifications to correct the situation.

Another LER identified a crack in the suction line to the charging pumps which could have degraded the operability of the charging pumps. There is little likelihood that this situation would coincide with a demand on the HPSI system. In any event, the suction would switch to the RWST from the VCT if there was an actual demand on the HPSI.

4.9 Root Causes

An examination of the events indicates that approximately half of them could be attributed to deficiencies in design and/or maintenance. High sensitivity of valve operability and charging pump cooling system operability to maintenance and operational conditions account for most of the events having this root cause. Since the pump cooling events are dominated by a single plant site, there are no generic implications regarding this design issue. On the other hand, valve problems are pervasive and are being addressed generically in several forums. Isolation valves need careful maintenance to maintain their operability.

About 20 percent of the events involved human errors that resulted in misaligned HPSI systems. Because the components are still operable and there is time available for remedial action (at least for small break LOCAs), the HPSI system is recoverable. Part of the automatic initial operator response to a reactor trip is to check that the ECCS is operating if a safety injection signal has been generated.

4.10 Safety Significance

The high pressure injection system provides high pressure injection for design basis accidents, such as small break LOCAs and steam generator tube ruptures, and also reactivity control for steamline breaks. The safety analyses of these accident types effectively define the functional performance of the HPSI with respect to redundancy, flow rates, and pressure capability.

A small break LOCA and loss of HPSI is a dominant core-melt sequence in the Reactor Safety Study (WASH-1400), and the Three Mile Island accident was essentially a small break LOCA with ineffective high pressure injection. An estimate of the frequency of a small break LOCA is 0.02/Ry which reflects reactor coolant pump seal failures (Ref. 17). Estimates for the conditional failure probability for high pressure injection system range from 9 x 10^-4 to 5 x 10^-2 per demand on NRC and utility-based PRAs (Ref. 18). The operational events that are discussed herein can be used to estimate HPSI pumps that are tested at least four times a year. Thus, there were about 1000 demands on HPSI pumps in Westinghouse plants having a single type of HPSI pump. Assuming two HPSI system failures that were discussed above, an estimate of the HPSI unavailability due to these common cause failures is 0.002. This estimate could be lower because of underestimating the demands and modeling the failures as demand dependent rather than time dependent. On the other hand, the HPSI unavailability could be higher because of the "almost" events also noted in the preceding discussions.

Combining the above numbers, an estimate of core melt likelihood for small break LOCA sequences coupled with common mode loss of HPSI is 1.4 x 10^-5 without any recovery factor. This estimate, even allowing for uncertainties, indicates that these accident sequences are major contributors to potential severe core damage at Westinghouse plants. Uncertainty in HPSI failure aside, this estimate may be high because of the potential to depressurize the primary system and utilize low pressure pumps for core cooling. This alternate approach has not been sufficiently explored to confirm its viability.

5.0 FINDINGS AND CONCLUSIONS

1. High pressure safety injection is a very important system in PWRs because it is used to mitigate small break LOCAs which have a relatively high frequency of occurrence.
2. Most Westinghouse plants have two different pumping systems (with different shutoff heads) for HPSI or they have three pumps with the same shutoff head.
3. Most of the failures that lead to loss of HPSI have been addressed by previous staff or licensee actions. These include valve problems, loss of pump cooling problems, boron solidification problems, debris in the pumps, and deficiencies in the HPSI design.
4. Other issues associated with system misalignment and gas binding of the pumps are either recoverable after a postulated accident or not likely to occur just prior or coincident with an accident.
5. This study has collected and categorized the many different ways the HPSI function could be lost. These results can be used to support the ongoing RES effort on dependent failures and operational safety reliability within the research program on Plant and System Risk and Reliability.
6. System unavailability because of equipment out of service, coupled with another random component failure, appears to have a high likelihood. It is suggested that AEOD conduct an evaluation of these type of system failures to determine if the occurrence rate is indeed high. This study should include safety systems other than HPSI.

' 11 REFERENCES

1. Licensee Event Report 81-20, Southern California Edison Company, San Onofre Unit 1, Docket No. 50-206, dated September 14, 1981.
2. Licensee Event Report 84-25, Consolidated Edison Company of New York, Indian Point Unit No. 2, Docket No. 50-247, dated January 18, 1984.
3. Licensee Event Report 86-13, Connecticut Yankee Atomic Power Company, Haddam Neck Plant, Docket No. 50-213, dated April 1, 1986.
4. Memorandum for File from Eugene Imbro, NRC, "Evaluation of HPSI Pump Operability Without Service Water," AEOD/E111, dated May 22, 1981.
5. Licensee Event Report 86-014, Alabama Power Company, J. M. Farley Unit 1, Docket No. 50-348, dated September 2, 1986.
6. Memorandum for K. V. Seyfrit from Raji Tripathi, NRC, "Loss of Safety Injection Capability at Indian Point Unit 2," AEOD/E606, dated May 30, 1986.
7. IE Information Notice No. 86-63, Subject: Loss of Safety Injection Capability, dated August 6, 1986.
8. NRC Generic Letter 85-16, "High Boron Concentrations," dated August 23, 1985.
9. Memorandum for K. V. Seyfrit from T. C. Cintula, NRC, "Loss of All Three Charging Pumps to Empty Common Reference Leg in the Liquid Level Transducers for the Volume Control Tank," AEOD/E314, dated June 28, 1983.
10. Licensee Event Report 86-09, Duke Power Company, McGuire Nuclear Station Unit No. 1, Docket No. 50-369, dated October 10, 1986.
11. Licensee Event Report 86-03, Duke Power Company, McGuire Nuclear Station Unit No. 1, Docket No. 50-369, dated February 10, 1986.
12. Licensee Event Report 84-12, Public Service Electric and Gas Company, Salem Unit No. 1, Docket No. 50-272, dated May 27, 1984.
13. Licensee Event Report 81-47, Duquesne Light Company, Beaver Valley Unit No. 1, Docket No. 50-334, dated June 19, 1981.
14. Letter from W. H. Owen (NUMARC) to V. Stello (NRC), dated February 19, 1987.
15. Memorandum for K. V. Seyfrit from R. G. Freeman, NRC, "Failures of Safety-Related Pumps Due to Debris," AEOD/E512, dated September 4, 1985.
16. G. Kolb et al., "Review and Evaluation of the Indian Point Probabilistic Safety Study," NUREG/CR-2934, December 1982.
17. R. Bertucio et al., "Analysis of Core Damage Frequency From Internal Events: Surry, Unit 1," NUREG/CR-4550, Vol. 3, November 1986.
18. A. El-Bassioni et al., "PRA Review Manual," NUREG/CR-3485, September 1985.


APPENDIX A

Summary of Events Which Caused HPSI System to Fail

Plant Name (Docket No.) | LER No. (Date of Event) | Description

Out of Service Events

Surry 2 (50-281) | 81-50 (8/4/81) | At full power operation with the C charging pump out of service for maintenance, oil was being slung from outboard bearing of the A charging pump. Operation with two inoperable charging pumps is contrary to Tech Spec. C charging pump repaired and returned to service within 24 hours.

Turkey Point 3 (50-250) | 86-35 (9/25/86) | Operative circumstances led to all three charging pumps being inoperable. One was out of service for venting, one was out for maintenance, and third one had a leaky relief valve and was required to be isolated.

Turkey Point 3 (50-250) | 86-25 (6/12/86) | Unit 3 was operating at power when 3C charging pump was declared out of service. At that time the 3A charging pump was out of service for maintenance. Technical Specifications allow one of two operable charging pumps to be out of service for 24 hours. Effort was made to return a charging pump back in service in 24 hours limiting condition for operation. However, this could not be done, therefore shutdown was commenced.

McGuire 2 (50-370) | 84-04 (1/15/84) | Charging pump 2A was declared inoperable after the pump was started and run for approximately 19 minutes without suction. The Volume Control Tank Outlet Isolation Valve inadvertently closed prior to starting the pump, causing destruction of the pump. During this time, charging pump 2B was inoperable for maintenance. Unit 2 was in Mode 5 at the time of this incident.

Surry 1 (50-280) | 82-35 (3/7/82) | Unit at 100% power revealed higher vibration from charging pump, 1-CH-P-1B; pump declared inoperable. Pump 1-CH-P-1C was already out of service. Two pumps simultaneously inoperable contrary to Tech Spec. Charging pump 1-CH-P-1C was returned to service within the time allowed.

Salem 1 (50-272) | 82-15 (3/16/82) | Due to de-energizing of vital bus, power was lost to No. 11 component cooling pump and Nos. 15 and 16 service water pumps. This resulted in a loss of component cooling water (CCW) and service water (SW) flows; the redundant CCW and SW pumps were tagged out for maintenance. This resulted in all charging pumps and both residual heat removal loops declared inoperable due to loss of CCW.

Salem 1 (50-272) | 81-85 (9/2/81) | An operator noticed service water emanating from a leak in the oil cooler of No. 12 charging pump. No. 12 charging pump was declared inoperable. No. 13 charging pump was also inoperable. The cause of the service water leak was leaks in two couplings in the service water piping. The service water leaks were repaired by replacing the two leaky service water couplings. No. 12 charging pump was tested satisfactorily.

Pump Cooling Problems

Surry 2 (50-281) | 82-28 (5/13/82) | With the unit at 96% power, both charging pump service water pumps 2-SW-10A and 10B lost suction. The charging pump service water pumps supply cooling water to the charging pump intermediate seal oil coolers and charging pump lubricating oil coolers. The immediate corrective action was to throttle the service water flow through the chillers and vent pump SW-P-10B so that pump suction line was flooded. In addition, an inspection revealed marine growth fouling.

Surry 1 (50-280) | 81-37 (8/6/81) | With the unit at 100% power, charging pump service water pumps 1-SW-P-10A and B were found to have zero discharge pressure as a result of a loss of suction to the pumps. During summer months, the increased use of service water by chillers can cause a loss of suction pressure to the charging pump service water pumps. The suction strainers were checked and cleaned and service water to the chillers was throttled to increase flow to the charging pump service water pumps. Sufficient NPSH for charging pump service water pump.

Surry 1 (50-280) | 82-87 (9/1/82) | With the unit at full power, 1-SW-P-10A (charging water service water pump) experienced a loss of suction pressure which resulted in loss of discharge pressure. The charging pump service water pump supplies cooling water to the charging pump intermediate seal oil coolers and charging pump lubrication oil coolers. The service water flow through the air conditioning chillers was reduced, thereby increasing the available NPSH to the service water pumps.

Surry 1 (50-280) | 86-31 (10/30/86) | With Unit 1 at 100% power and Unit 2 at refueling shutdown, service water flow to the Unit 1 Charging Pump Service Water Subsystem was lost due to the pump becoming air bound when a service water strainer was placed in service without being vented.

Farley 1 (50-348) | 86-14 (8/1/86) | Unit was operating at 99% power and the 1A charging pump had been removed from service for maintenance. At 12:30 an alarm was received which indicated that charging pump lubricating oil temperature had increased to the alarm set point of 140 F. During investigation, location indication showed the gear oil temperature had reached 145 F. The 1C charging pump was started. The 1B pump was declared inoperable. At 13:35 the 1C charging pump was also declared inoperable due to high gear oil temperature but remained in service.

Surry 2 (50-281) | 81-55 (8/20/81) | With the unit at 100% power, both charging pump service water pumps failed. A high carbon steel cap screw for the impeller on pump 2-SW-P-10B failed, allowing the impeller to bind on the casing. Pump 2-SW-P-10A motor stator windings were burned out as a result of water falling onto the pump from leaks from other pump. The cap screw was replaced. Pump 2-SW-P-10A stator and bearings were replaced.

ECCS Deficiency

Turkey Point 3 (50-250) | Ins. Rep. (11/14/86) | Design problem. Possible HPSI pump failure due to slow depressurization with loss of instrument air following small break LOCA. The isolation valves in the minimum recirculation flow to RWST may fail closed on loss of electric power or instrument air.

Haddam Neck (50-213) | 86-13 (3/25/86) | In the course of performing a probabilistic safety study, the licensee has identified a small range of break sizes in one loop of the reactor coolant system for which safety injection flow in the high pressure recirculation mode may be insufficient to prevent core uncovery in the absence of modification of facility operating procedure and/or system (i.e., valve) re-alignments.

Debris

Salem 1 (50-272) | 84-17 (7/16/84) | During refueling outage, while performing surveillance testing of No. 12 charging pump, the pump seized after running for approximately thirty seconds. Upon disassembly of the pump, a small amount of resin particles and metal filings were discovered in the pump casing. Similar material was found in the common suction line of all charging pumps.

Gas Binding

McGuire 1 (50-369) | 82-15 (2/12/82) | While in Mode 1, during an attempt to fill and vent the reciprocating charging pump (PD) suction piping in preparation for returning the pump to service, both centrifugal charging pumps (CCP) were declared inoperable when hydrogen from the PD suction dampers entered the suction of the CCPs causing contamination. This incident resulted from the failure of the Hydrogen Control System on the PD pump suction damper.

Surry 1 (50-280) | 81-09 (5/22/81) | Westinghouse has identified a potential system interaction involving the VCT level control system and charging pumps. A postulated failure (fail high) of the VCT level control system, without operator intervention, could lead to a possible loss of suction fluid for the charging pumps.

Valve Problems

McGuire 1 (50-369) | 86-09 (5/7/86) | During a review conducted in accordance with NRC bulletin (IE-85-03), it was determined by Duke Power personnel that the electric motor operator (EMO) for Unit 1 valve 1NI-10, and Unit 2 valves 2NI-9, and 2NI-10 (reactor coolant cold leg injection from the charging pumps) were insufficiently sized to guarantee opening of valves under worst case design conditions.

McGuire 1 (50-369) | 86-03 (1/3/86) | On November 2, 1985, Units 1 and 2 tripped on low-low steam generator (SG) level signal resulting from ruptured instrument air line. During this transient, the motor operators for two valves which allow the Chemical and Volume Control pump to take suction from the Refueling Water Storage Tank (RWST) when in closed position or from the VCT when in open position burned up and had to be manually opened.

San Onofre 1 (50-206) | 81-20 (9/3/81) | After a manual reactor trip, safety injection valves HV 851 A and B failed to open upon a safety injection signal. The failure of two valves resulted in both SIS trains inoperable. Engineering tests have confirmed that these valves will not open with the design delta P. Design change made by licensee.

Salem 1 (50-272) | 84-12 (5/27/84) | SI throttle valve stem/disk separation problem. Disk becoming detached from the stem. Plans are to replace all twelve throttle valves in each unit.

System Misalignment

Catawba 1 (50-413) | 85-11 (2/7/85) | On February 7, from 9:20 to 10:30 hours, and from 12:55 to 13:25 hours, Safety Injection Trains A and B were inoperable. This was due to the concurrent inoperability of Safety Injection Pump B and failure of Solid State Protection System Train A. Following discovery of this incident, the Shift Supervisor began the necessary corrective action to return Safety Injection Pump B to service and at 13:75 hours, Safety Injection Pump B was declared operable.

V. C. Summer (50-395) | 86-10 (6/12/86) | The licensee identified a condition for which the breaker alignment of the "B" train charging/safety injection (SI) pumps resulted in disabling the pumps from an automatic start under conditions of loss of offsite power followed by SI.

D.C. Cook 1 (50-315) | 84-14 (7/16/84) | At 100% power, a valving error was committed in the process of performing a scheduled surveillance test on the ECCS. A non-licensed operator inadvertently isolated the north low head SI pump. The licensed control room operator had previously locked out the south pump in preparation for the quarterly valve tests. When error was discovered the valves were immediately opened. The total time both pumps were inoperable was 3 to 5 minutes.

Beaver Valley 1 (50-334) | 81-47 (6/6/81) | During normal plant tour, the primary auxiliary building operator found the emergency cooling water supply valve to the high head safety injection (HHSI) pumps unlocked and closed. Safety implications due to the closure of this valve would have been a loss of HHSI capability through that flow path.

Trojan (50-344) | IRS 328 (8/18/82) | While preparations were being made to restart the Trojan plant after a refueling outage, both trains of automatic SI were unblocked prior to entering hot shutdown, in accordance with general operating instructions. They were subsequently reblocked, however, without the use of a required safety-related equipment outage worksheet, to prevent a spurious SI while still in cold shutdown. Both trains remained blocked upon entry into hot shutdown and subsequent entry into hot standby for a total duration of about 44 hours.

North Anna 1 (50-338) | IRS 328 (12/6/82) | While North Anna Unit 1 was in hot standby following an inadvertent SI on December 5, it was discovered that both trains of automatic SI had been blocked for a period of 22 hours and 30 minutes. Following the inadvertent SI, an operator had "set" the automatic SI block per the applicable emergency procedure.

Cracking Suction Line

Salem 2 (50-311) | 84-16 (7/5/84) | During routine power operation, a leak was discovered on the common line to charging pumps, in the vicinity of vent valve 2CV372. A crack was physically located in schedule 10, eight inch charging pump suction line, and originated in the toe of the weld where the vent valve piping is attached to the main suction header. The affected charging system piping was replaced utilizing schedule 40 piping, in place of the original schedule 10 piping.

Boron Precipitation

Indian Point 2 (50-247) | 84-25 (12/19/84) | With the unit at full power, a fire occurred at the generator exciter and seal due to seal failure and hydrogen leakage. During operator-initiated shutdown the reactor tripped on low steam generator level and safety injection occurred on a high steam flow signal (coincident with a low-low average temperature of a RCS) due to actuation of the steam dump valve. The boron injection tank injected its contents into the safety injection system. There was no injection of borated water into the RCS since the RCS was at pressure greater than the safety injection.