ML20195J792: Difference between revisions
StriderTol (talk | contribs) (StriderTol Bot insert) |
StriderTol (talk | contribs) (StriderTol Bot change) |
||
Line 17: | Line 17: | ||
=Text= | =Text= | ||
{{#Wiki_filter:}} | {{#Wiki_filter:-- - | ||
AEOD/E708 ENGINEERING EVALUATION REPORT | |||
DEPRESSURIZATION OF REACTOR COOLANT SYSTEMS IN PWRs | |||
August 1987 | |||
Prepared by: Sanford Israel | |||
Office for Analysis and Evaluation of Operational Data, U. S. Nuclear Regulatory Commission | |||
TABLE OF CONTENTS | |||
SUMMARY | |||
1.0 INTRODUCTION | |||
2.0 DESCRIPTION OF SALEM EVENT | |||
3.0 ANALYSIS AND EVALUATION | |||
4.0 FINDINGS AND CONCLUSIONS | |||
5.0 REFERENCES | |||
==SUMMARY== | |||
An inadvertent reactor trip at Salem Unit 2 on August 26, 1986 resulted in a loss of normal pressurizer spray, loss of auxiliary spray, and loss of one of the power operated relief valves (PORVs). Repeated PORV actuations caused by continued operation of high pressure safety injection occurred. Quick, impromptu operator action restored normal pressurizer spray, secured high pressure safety injection, and returned the plant to a stable condition. | |||
Extrapolation of this sequence of events to a steam generator tube rupture accident or a forced natural circulation cooldown highlights areas of safety analyses, plant operation, and emergency procedures that could be improved. | |||
Operational experience shows that one or a combination of depressurization equipment may be out of service for extended times because technical specifications do not contain limiting conditions of operation for these systems. | |||
Similarly, the Salem event illustrates electrical dependencies that may reduce the availability of the depressurization function. Generally, these problems stem from a lack of specificity in the acceptance criteria for mitigation systems used in plant safety analyses of steam generator tube rupture accidents. | |||
Inconsistencies in the order in which the depressurization systems are used appear in the emergency procedures for Westinghouse plants. Although emergency procedures were intended to be symptom oriented, special procedures do exist for steam generator tube rupture events. The preferred order of equipment use is different. This adds an element of potential uncertainty to the operator's response and is especially important considering potential improvisation in control room operations when events evolve. Our study also noted that potential void formation in the upper head, because saturation pressures associated with the fluid temperatures in the upper head can be quite high (on the order of 1500 to 1600 psi) compared to steam generator pressures (around 1000 psi) and can be instrumental in inhibiting depressurization. | |||
The likelihood of severe core damage from steam generator tube rupture accidents was previously estimated to be small. Still, actions to facilitate the operator's recovery from this event may be prudent because of the potential for bypassing containment during this accident. | |||
==1.0 INTRODUCTION== | |||
An operating event at Salem Unit 2 on August 26, 1986 highlighted the susceptibility of PWRs to degradation of primary system pressure control. A series of circumstances during the Salem event defeated many of the alternative methods for providing pressure control. Impromptu operator actions facilitated recovery and stabilization of the plant in a short time frame (Ref. 1). | |||
Pressure control also received NRC staff attention in the resolution of Unresolved Safety Issues A-3, A-4, and A-5 (Ref. 2), which recommended further staff evaluation of pressure control following a tube rupture event. After the Ginna tube rupture accident in 1982, the PWR Owner Groups made an extensive effort to develop emergency procedure guidelines for recovering from such an event. These guidelines vary among the three vendor groups based on unique plant design features. In this study we have reexamined some of the facets of primary system pressure control in Westinghouse plants and how they impact plant recovery from a steam generator tube rupture accident. Relevant operating experience is used to illustrate deficiencies in the maintenance and use of pressure control systems. | |||
==2.0 DESCRIPTION OF SALEM EVENT== | |||
On August 26, 1986, while Salem Unit 2 was operating at 100 percent power, a reactor trip occurred because a spurious loss of a reactor coolant pump signal was generated when a technician inadvertently grounded a 120v ac instrument bus. The voltage spike also caused steam generator low pressure signals which, in conjunction with normal high steam flow indication following a reactor trip, generated a safety injection signal. | |||
Following a normal reactor trip at Salem, station loads transfer from the auxiliary transformer (powered by the Unit 2 generator) to the station transformer (SPT 21) which is powered by offsite sources. In addition, the vital safety buses are supplied by SPTs 21 and 22. Following the reactor trip on August 26, 1986, the transfer of house loads to bus SPT 21 was initiated after a 30 second delay. Subsequently, a series of vital bus transfers between SPT 21 and SPT 22 occurred because of protective relaying logic. During these multiple transfers, two of the vital buses were not powered concurrently for about two seconds, which generated a station "blackout" signal. A more detailed description of the vital bus problems that evolved during this event is presented in Ref. 1. | |||
Prior to the station "blackout" signal, all the plant's safeguards equipment responded to the safety injection signal as designed. When a station "blackout" signal occurred concurrently with a safety injection signal, the safeguards signal properly stripped all vital bus loads and then sequenced selected safety injection loads onto the emergency buses powered by the already operating diesel generators. The No. 2B vital bus was deenergized because of the out of service 2B diesel generator. Therefore, equipment powered from the 2B bus, which had previously started or changed position on the initial safety injection signal, did not restart or change position after the loss of the bus. Also loading of the diesel generators did not automatically load the component cooling water pumps. | |||
During a real loss of offsite power, the reactor coolant pumps (RCP) would have stopped. In this event, the reactor coolant pumps continued to operate because they were connected to viable offsite power sources. In this instance, the senior reactor operators decided to turn off the reactor coolant pumps. | |||
They reasoned that the pumps should not be operated more than five minutes without component cooling water to the motor bearings and thermal barrier. The high pressure safety injection pumps were operating and the resulting rise in reactor system pressure caused a PORV to lift numerous times. Pressurizer spray was not available to reduce the pressure rise after the reactor coolant pumps were shutdown. | |||
The charging pumps (high pressure safety injection) injected water into the primary system through the ECCS piping and reactor coolant pump seals as shown in Figure 1. Seal injection provides cooling for the pump seals in the absence of component cooling water flow to the seal thermal barrier. The control room operators could not isolate the ECCS flow because the loss of the 2B vital bus, subsequent to the initial safety injection, resulted in the loss of power to various motor operated valves in the ECCS. These valves had assumed their safeguards positions on the initial safety injection signal but could not be returned to their normal position without local manual operation. The operators chose not to stop the charging pumps because they were supplying injection to the RCP seals. The operators could not initiate the auxiliary pressurizer spray from the charging system because the isolation valve, also powered from the 2B vital bus, was closed as part of the safeguards alignment. | |||
[Figure 1: Simplified diagram of reactor coolant system. Labeled components: refueling water storage tank, PORV (2), alternate spray line (1), normal spray line (2), high pressure safety injection pump, pressurizer, RCP seal injection line (4), ECCS injection, reactor coolant pump.] | |||
About seven minutes into the event, the control room operators manually loaded the component cooling water pumps onto the vital buses. About 21 minutes into the event, the operators terminated safety injection flow. A minute later, a reactor coolant pump was returned to service resulting in restoration of normal pressure control via the pressurizer sprays. The hot and cold leg temperatures subsequently equalized. | |||
Recovery of the startup transformers and stabilization of the reactor continued over the next several hours. Two other coincidental events occurred: a failure of one of the steam generator feedwater pumps to trip on the safety injection signal, and a leak developed in a service water discharge pipe from one of the containment fan coolers. These failures did not impact the recovery of the plant. | |||
Several aspects of the plant's status prior to the event are pertinent to the issue of pressure control. As noted previously, the 2B diesel generator was out of service for preventive maintenance for about three and a half hours prior to the event. One of the pressurizer spray valves had been isolated for almost three months because of excessive leakage. Also, one of the PORVs had been isolated for about two weeks prior to the event because of excessive leakage. Other equipment out of service prior to the event included a service water pump, two chiller units, an atmospheric steam relief valve, and one steam generator level channel. | |||
Subsequent to the event, the licensee initiated actions to correct the failures associated with the vital bus transfer and the service water leak and to review control room operations during the event. The licensee and the NRC met on several occasions following the event to review the progress of the licensee's actions, particularly in the area of ac electrical distribution systems. | |||
==3.0 ANALYSIS AND EVALUATION== | |||
This report focuses on the portion of the Salem event associated with primary system depressurization, not the personnel errors associated with initiating the event nor the ac power distribution problems that arose early in the event. Inadvertent electrical grounding pervades the published operating experience of the nuclear industry of which this event is just another data point. However, the evolution of the Salem event, after the pseudo-loss of offsite power, dramatizes design tradeoffs and operating modes, all within accepted standards, that impact the operator's ability to control primary system pressure. | |||
In the context of this study, pressure control is the ability to hold or reduce primary pressure. Generally, primary pressure is controlled by a single channel controller that actuates the normal pressurizer spray system when the pressure exceeds the design operating pressure by about 25 psi. The proportional spray controller is driven by the pressure deviation above the design point and goes wide open just below the power operated relief valve (PORV) actuation setpoint to minimize challenges to the PORVs. The automatic pressure control system is generally operable following all reactor trips provided control power is still available and the reactor coolant pumps are operating. | |||
As shown in Figure 1, this system draws water from the reactor cold legs using two different lines each having a control valve that can be operated automatically or manually. Thus, the system will be defeated by loss of reactor coolant pumps or closure of the control valve. In the Salem event, only one train of pressurizer spray was potentially operable because the other train had been isolated for about three months prior to the event. There are no limiting conditions for operation requirements in the technical specifications that control the allowable outage time or the operability of the normal pressurizer spray system. | |||
Analyses of design basis accidents generally assume the loss of offsite power. | |||
Therefore, credit is not taken for normal pressurizer spray when reviewing those safety analyses. Emergency procedures require that the reactor coolant pumps be shutdown under a prescribed set of conditions for depressurization events that initiate a safety injection signal. These actions, which would defeat normal pressurizer spray, were prompted by concerns about adequate core cooling for a narrow range of small-break, loss of coolant accidents (LOCAs). | |||
However, the criteria for reactor coolant pump trip may very well be satisfied for other accidents, such as a steamline break or a steam generator tube rupture, which have initial plant response characteristics similar to small-break LOCAs. Thus, it is plausible that the normal pressurizer spray system would not be immediately available to depressurize the primary system for a number of events besides a loss of offsite power. | |||
Normal pressurizer sprays have failed at several plants with the valves open (Ref. 3, 4, and 5). The resulting cooldown of the pressurizer caused a reactor trip on low primary system pressure. In all the events cited, operators secured one or more reactor coolant pumps to stop the pressurizer spray. They subsequently entered containment to isolate the spray line locally. If cooldown of the pressurizer continued during these events, the pressurizer may have filled when a steam bubble formed in the upper head (after the fluid temperature in the upper head exceeded the fluid temperature in the pressurizer). Upper head temperature is a function of the inlet/outlet bypass flow across the core barrel and jetting along the control rods and guides into the upper head region during normal plant operation. A discussion of upper head temperatures in Westinghouse plants (Ref. 6) indicated that the upper head temperature was close to the hot leg temperature under normal operating conditions. Discussions with plant personnel confirmed a similar situation at Salem. Upper head temperatures became an issue in the context of ECCS analyses in the late 1970s. Because of the adverse impact on peak clad temperature calculations, many Westinghouse plants increased the bypass flow through the upper head to reduce the temperature in that region to the cold leg temperature range (Ref. 7). The importance of upper head temperatures will be discussed with respect to steam generator tube rupture accidents. | |||
In the absence of normal pressurizer spray, guidelines for emergency operating procedures at Westinghouse plants recommend that auxiliary spray be used as the first backup for pressure control for all events except steam generator tube ruptures (Ref. 8). The auxiliary spray system is a single, manually controlled line between the charging pump discharge header and the pressurizer. | |||
There are no limiting conditions of operation in the technical specifications regarding the availability of the auxiliary spray system. Normal operation of the system uses the regenerative heat exchanger in the primary system letdown line to heat the spray water. Operation of the auxiliary spray with temperature differences (between spray and pressurizer) outside of prescribed limits is prohibited by the technical specifications for extended times. Thus, operation of the auxiliary spray entails additional operator concerns that must be factored into his activities during recovery from an event. Auxiliary spray systems have had some negative operating experience. For example, at Catawba Unit 1, an auxiliary spray valve stuck open causing a primary system depressurization during a loss of control room test (Ref. 9). In that instance, the normal pressurizer spray system could not be controlled from the auxiliary shutdown panel, so auxiliary spray was used. | |||
* This is generally true for other plants also. | |||
PORVs can be used to control or reduce primary system pressure. As part of the TMI-2 action plan, the power supplies for PORVs and their block valves were upgraded to be operable from emergency power sources. Those plants that received operating licenses after the TMI-2 accident incorporated an automatic PORV isolation system to close the block valves when primary system pressure fell below the operating pressure by some finite amount. These modifications reflect the enhanced importance of the PORVs following the TMI-2 accident and the concern for loss of coolant accidents caused by a stuck open PORV. A PORV stuck open during the steam generator tube rupture accident at Ginna (Ref. 10) and during an overpressure event at Davis Besse (Ref. 11). In both instances, the operator manually closed a block valve to terminate the blowdown. | |||
Operation of PORVs varies among the plants. At Salem, a PORV control switch is located on the control board; while at other plants, operation of the PORV may require activities inside the cabinets behind the control board. Thus, manual operation of the PORVs may be hindered at some plants. There are no requirements in the technical specifications governing the availability of PORVs. References 12 and 13 identify situations where all the PORVs were blocked during normal plant operation so their availability to mitigate an accident is not assured. | |||
Several accident scenarios that involve the loss of RCPs also result in the concurrent loss of the normal pressurizer spray system. Of these, a steam generator tube rupture accident potentially poses the most serious consequences because of loss of the primary system pressure boundary and the potential for containment bypass via the steam generator safety valves. A steam generator tube rupture challenges the reactor operators more than any other design basis accident. There are no automatic plant systems to identify and isolate the faulted steam generator(s), so the operators must perform these functions. | |||
Similarly, the operators must control depressurization of the primary system to minimize discharging reactor coolant into the faulted steam generator and overfilling it. This latter task requires continuous hands-on control, rather than just turning equipment on and off, a more usual response. | |||
The steam generator tube rupture at Ginna (January 25, 1982) illustrates an adverse sequence of events that had a potential for significant offsite doses (Ref. 10). The operators delayed in terminating safety injection (although the termination criteria were satisfied) and consequently, continued discharge of coolant into the faulted steam generator lifted a safety valve which eventually stuck open. An uncontrollable pathway existed between the reactor and outside the containment because the safety valves are not isolable. | |||
Continued loss of reactor coolant outside the containment would have ultimately depleted the refueling water storage tank and resulted in core uncovery. In this instance, the operators successfully depressurized the primary system using PORVs (normal pressurizer spray was lost when the reactor coolant pumps were secured according to emergency operating procedures). However, a PORV stuck open which temporarily resulted in a loss of coolant inside the containment until an operator closed the associated block valve. Rapid depressurization from the PORV actuations resulted in steam bubbles being formed in the upper head of the pressure vessel and the top of the tube bundle in the faulted steam generator. Eventually, the operators successfully stabilized the plant and recovery proceeded without significant consequences. | |||
Two actions stemming from the Ginna event are relevant to this study. First, all PWR licensees reexamined the criteria for tripping the reactor coolant pumps following a primary system depressurization and developed a new set of criteria that should preclude tripping the reactor coolant pumps for most single tube rupture accidents. These new pump trip criteria should make the normal pressurizer spray system available (barring other failures) for many steam generator tube rupture events. Secondly, emergency procedure guidelines were developed by the PWR Owners Groups to cope with these accidents. | |||
Guidelines for Westinghouse plants direct the operator to use the PORVs to depressurize the primary system if the normal pressurizer spray system is not available (Ref. 8). | |||
Standard Review Plan 15.6.3, Radiological Consequences of Steam Generator Tube Rupture (PWR), indicates that review of this design basis accident should consider loss of offsite power, but is silent on the consideration of an additional single failure in mitigation systems when evaluating plant response to this event. This approach differs from the treatment of other accidents, such as steamline breaks and LOCAs, that consider single failures in mitigating systems. A recent NRC staff evaluation (Ref. 14) of a Westinghouse Owners Group topical report, "SGTR Analysis Methodology to Determine the Margin to Steam Generator Overfill," stated that "Early operator actions to identify and isolate the ruptured steam generator and subsequent corrective actions to equalize RCS and secondary pressures are required." Because of plant differences, the staff required individual plant specific information to be submitted for review and evaluation prior to publication of a plant-specific SER. Included in this information requirement is: | |||
"A list of systems, components and instrumentation which are credited for accident mitigation in the plant-specific SGTR EOP(s). Specify whether each system and component is safety grade. For primary and secondary PORVs and control valves specify the valve motive power and state whether the motive power and valve controls are safety grade. For non-safety grade systems and components state whether safety grade back ups are available which can be expected to function or provide the desired information within a time period compatible with prevention of SGTR overfill or justify that non-safety grade components can be utilized for the design basis event." | |||
"The worst single failure should be identified if different from the WCAP-10698 analysis and the effect of the difference on the margin of overfill should be provided." | |||
This staff evaluation of this SGTR topical report reflects a treatment of single failure and equipment availability consistent with other accident analyses in Chapter 15 of the FSAR, but not yet reflected in the Standard Review Plan for SGTRs. | |||
Similarly, primary system depressurization equipment is generally not covered by the limiting conditions for operation in the technical specifications. The lack of specificity for these systems is probably attributable to the prior review and evaluation of SGTR accidents discussed above. However, in the recently published "Commission Policy Statement on Technical Specification Improvements for Nuclear Power Reactors" (Ref. 15), Criterion 3 indicates that systems that are the primary success path for mitigating a design basis accident that fails or presents a challenge to a fission product barrier should be captured by the technical specifications. Primary system depressurization systems fulfill this criterion for SGTR accidents especially considering the staff evaluation of the owners group topical report noted above. | |||
Consideration of loss of offsite power and an additional single failure (component related, not a personnel error) in evaluating a steam generator tube rupture accident highlights the operator's diminished ability to cope with the accident. In the Salem event, loss of an ac bus made the auxiliary spray system inoperable and precluded isolation of the high pressure safety injection. Thus, only one PORV was initially available to depressurize the plant. A loss of an inverter event at Turkey Point Unit 4 (Ref. 16) made normal pressurizer spray system inoperable and defeated the automatic operation of one of the PORVs (the other one was previously isolated). In this instance, auxiliary spray would have been available to depressurize the plant. | |||
These two events illustrate the vulnerability of the various depressurization methods to failures in the electrical systems. Generally, independence in depressurization system/trains potentially exists only in the PORVs which are controlled by separate channels that can be powered from separate emergency buses. Consideration of single failures in evaluating these accidents may not completely defeat the depressurization function because of the redundancy in the mitigation systems, but may limit response capability to the PORVs. As cited above, PORVs have been isolated at several plants for extended periods of time and therefore may not be available when needed. Consequently, effective depressurization control following a steam generator tube rupture may be significantly hampered by concurrent and/or prior degradation in mitigation equipment. Reliance on PORVs also poses a risk of a stuck open valve and consequential loss of coolant inside the containment while trying to recover from the initial tube rupture. This occurred during the Ginna accident cited above. This secondary LOCA can be terminated by closing the associated block valve, but it still complicates recovery from an accident that is challenging the operators. | |||
Other coincidental degradations in plant equipment were noted during the Salem event and discussed in the licensee's evaluation of the event (Ref. 17). These included: | |||
: 1. failure of a feedwater pump to trip automatically on the safety injection signal, | |||
: 2. loss of some valve indications, | |||
: 3. loss of flow indication for high pressure safety injection, | |||
: 4. a reactor coolant pump fire protection deluge alarm, | |||
: 5. cycling of containment sump pumps because of a leak in a fan cooler unit, | |||
: 6. loss of events recorder, | |||
: 7. loss of component cooling water, | |||
: 8. loss of the auxiliary alarm typewriter. | |||
Although none of these ancillary degradations in plant equipment had a direct impact on plant response, except for the loss of component cooling water, they were distractions that diverted the operator's attention. | |||
Loss of component cooling water resulted from the concurrent safety injection and loss of offsite power signals which stripped the safety buses and reloaded them with selected equipment. Salem appears to be unique in not loading the component cooling water pumps on emergency power buses under these conditions. | |||
The senior shift supervisor directed the operators to secure the reactor coolant pumps after five minutes without component cooling water. This action appears to be based on training rather than emanating from procedures used. | |||
During the event debriefing, the reactor operators indicated that they were aware that the reactor coolant pumps should be secured after five minutes without component cooling water, but they would not have taken the initiative to secure the pumps without the shift supervisor's direction because it was not in the procedures they followed. Tripping of the reactor coolant pumps defeated the normal pressurizer spray system and thus affected plant response and control room activity. | |||
Impromptu operator actions occurred at McGuire Unit 1 during a primary system depressurization caused by a faulty safety valve that lifted prematurely at 2370 psi and didn't reseat until approximately 1800 psi (Ref. 18). An operator blocked the low pressurizer pressure safety injection signal to preclude its actuation at 1845 psi. Discussions with the licensee management indicated that the general policy, made known to the operators during training, was not to block any safety function from automatically initiating. However, under emergency conditions, the shift supervisor is authorized to deviate from an established procedure if deemed necessary to protect health and safety (Ref. 18). At McGuire, the operators were concerned about increasing blowdown to the pressurizer relief tank by high pressure injection because personnel were performing a leak check inside containment. | |||
At Salem, the shift supervisor subsequently directed that the component cooling water pumps be loaded on emergency power buses about seven minutes after they had been lost and that the reactor coolant pumps be restarted about 15 minutes later. These actions evolved during the event and did not emanate from the emergency operating procedures. The intermediate head safety injection pumps and the residual heat removal pumps were deenergized after the component cooling water pumps were loaded on the emergency buses. A potential electrical overload on the emergency buses lasted only a few minutes. | |||
Normal pressurizer spray was lost during the Salem event because of a design peculiarity (component cooling water not loaded on the emergency buses). In the interim the operators attempted to use the auxiliary spray but were thwarted by a closed valve whose power came from the emergency bus connected to the diesel generator which was down for maintenance. Several closed valves in the charging and letdown system had to be realigned by local manual actions because of the loss of the same electrical bus. These valve manipulations were needed to stop high pressure safety injection which was causing repeated PORV actuations. Similar continued operation of high pressure safety injection during the Ginna accident (Ref. 10) resulted in a stuck open steam generator safety valve and loss of primary coolant outside the containment. These two events highlight timely termination of high pressure safety injection which is addressed in the emergency operating procedures. | |||
If the Salem event had been a steam generator tube rupture accident, the PORVs would have been used to depressurize the primary system in the absence of normal pressurizer spray. Only one PORV was available at Salem. Use of PORVs for steam generator tube rupture accidents and use of auxiliary spray for all other events introduces a potential inconsistency in operator training. Although operators are supposed to follow emergency operating procedures in responding to an event, they may improvise actions as the event evolves, especially when there are multiple problems. Thus, inconsistencies in pressure control procedures and operator training may produce undesirable improvisations during an event. | |||
Resolution of Unresolved Safety Issues A-3, A-4, and A-5 regarding steam generator tube integrity (Ref. 2) recommended further NRC staff evaluation of the use of the auxiliary spray system in lieu of the PORVs. Utilization of the auxiliary spray system for steam generator tube rupture accidents as a first backup to normal pressurizer spray would eliminate this inconsistency in operator training and reduce the potential for exacerbating the event with a potential LOCA inside containment due to a stuck open PORV. | |||
Another area important to pressure control, following a steam generator tube rupture, is the upper head temperature. According to discussions with Salem operating personnel, the upper head temperature is close to the normal hot leg temperature (606F) which corresponds to a saturation pressure of about 1600 psi. This saturation pressure is considerably above the steam generator safety valve setpoint of 1070 psi. Consequently, the upper head could act as a pressurizer and hold the primary system pressure above the steam generator safety valve setpoint resulting in a potential discharge of reactor coolant outside the containment. In Ref. 7, Westinghouse noted that many plants had decreased their upper head temperatures to the cold leg temperature (about 545F for Salem) by increasing the bypass flow through the upper head. A temperature of 545F corresponds to a saturation pressure of about 1000 psi which is below the steam generator safety valve setpoint (1070 psi). This modification would improve the plant response characteristics to a steam generator tube rupture accident and reduce the potential for discharging coolant outside the containment. | |||
From a safety standpoint, loss of pressure control in a PWR is of most concern for a steam generator tube rupture accident because of the potential for bypassing containment should a secondary side relief valve stick open. An extensive probabilistic assessment of steam generator tube ruptures was performed for Unresolved Safety Issues A-3, A-4, and A-5 (Ref. 2). That study estimated core melt likelihood for steam generator tube ruptures to be 4E-6 per reactor year and the corresponding risk to the public was estimated to be 2.5E-3 latent fatalities and 1.1E-5 early fatalities per reactor year. These risk estimates are directly proportional to human error probabilities associated with failing to depressurize and sharply reduce the flow from the primary system into the failed steam generator before the refueling water storage tank is exhausted.
Time available before depletion of the refueling water storage tank varies with the number of concurrent tube ruptures in the accident, high head pressure injection capability, and discharge flow area (safety valve) off of the steamlines. Estimates of expected depletion times in Ref. 2 range upwards from one hour to five hours for total accident recovery. Prolonged high primary system pressures, early in an accident, that could cause damage in the secondary system (e.g., stuck open safety valve) could then require significant time and operator improvisation to mitigate. Thus, deficiencies in plant design and operation, operator training, and emergency procedures related to pressure control, like those discussed above, have a direct effect on the probability of inappropriate operator actions and impact the likelihood of severe core damage and offsite exposures from steam generator tube rupture accidents.
The methodology to make accurate estimates of the impact of performance related factors, such as training, flexibility in operator response to an event, and plant characteristics, on human error probabilities does not exist. Good practices should be emphasized in situations heavily dependent on operator actions such as steam generator tube rupture accidents. This means carefully examining the total man-machine picture for those events to identify and provide direct operator support for coping with events while removing or minimizing characteristics that impede optimum responses.
4.0 FINDINGS AND CONCLUSIONS
: 1. There are several systems available for primary system pressure control. All plants have a normal pressurizer spray system that automatically controls system pressure if control power is available and the reactor coolant pumps are running. Auxiliary spray is provided by a manually controlled line from the charging pump discharge header. Most plants have PORVs that can be used to depressurize the primary system.
: 2. Generally, none of the systems identified in Item 1 above is controlled by limiting conditions for operation in the technical specifications. Experience has shown that one or portions of all these equipment/systems can be out of service for extended times while the plant is operating.
* 4E-6 represents 4 × 10⁻⁶
: 3. Operating procedures for utilizing the above mentioned equipment/systems are not consistent at Westinghouse plants. For all events, the procedure guidelines use the auxiliary spray as a backup to the normal spray, except for steam generator tube rupture accidents which use the PORVs as a backup to the normal spray. PORVs have a tendency to stick open and cause a small loss of coolant accident which complicates recovery from a tube rupture.
: 4. Of primary concern, from a pressure control standpoint, is a steam generator tube rupture accident because of the potential for bypassing the containment. A steam generator tube rupture which defeats the primary system pressure boundary and with continued discharge of primary coolant into the faulted steam generator could challenge and fail the steam generator safety valves.
: 5. In the past, systems evaluation criteria for mitigating a steam generator tube rupture accident are not as stringent as those used for reviewing other design basis accidents. In particular, single failure criteria was not applied to the mitigating systems in a consistent fashion. However, a recent staff evaluation of a Westinghouse Owners Group topical report on SGTR indicates that single failure and equipment operability will be considered in future evaluations.
: 6. The upper head temperature may adversely influence plant response characteristics in a tube rupture accident. Many plants operate with upper head temperatures close to core exit temperatures that correspond to saturation pressures above the setpoint on the steam generator safety valves. The upper head could act as a pressurizer and maintain primary system pressures above the pressure in the faulted steam generator and potentially challenge the steam generator safety valves.
: 7. The likelihood of severe core damage and offsite doses from steam generator tube rupture accidents is proportional to human error probabilities associated with recovery from the accident. Continuous operator attention is required to stabilize the plant after a tube rupture, in contrast to automatic system actuations and simple on/off manual actions used for mitigating other design basis accidents.
: 8. Several hours may be available to preclude a steam generator tube rupture accident from evolving into a severe core damage event due to depletion of the refueling water storage tank. However, loss of pressure control early in the event may result in prolonged discharge of coolant into the faulted steam generator and subsequent failures in the secondary system (or the pressurizer PORV) that exacerbate the situation and significantly complicate the operator's ability to recover.
: 9. The circumstances of the Salem event, as they relate to a potential tube rupture event, are not unique. Multiple pieces of equipment out of service are within allowable practice. Multiple coincidental failures have been observed during other operational events. Although the Salem operating staff performed well in this particular instance and there are multiple methods for depressurizing the primary system, the Salem event still raises an issue: Do circumstances that prevailed during the event facilitate appropriate operator action or detract from it? On one hand, there appears to be ample time and acceptable emergency procedures for the operator to successfully respond to a steam generator tube rupture accident. On the other, control of the design, operability, and availability of the mitigating systems appears lacking. The evidence clearly indicates that primary pressure control capability could be enhanced.
==5.0 REFERENCES==
: 1. Licensee Event Report 86-007, Docket 50-311, Salem Unit 2, August 26, 1986
: 2. U.S. Nuclear Regulatory Commission, "NRC Integrated Program for the Resolution of Unresolved Safety Issues A-3, A-4, and A-5 Regarding Steam Generator Tube Integrity," DRAFT, NUREG-0844, April 1985
: 3. Licensee Event Report 85-011, Docket 50-336, Millstone Unit 2, July 15, 1982
: 4. Licensee Event Report 85-017, Docket 50-247, Indian Point Unit 2, December 31, 1985
: 5. Licensee Event Report 85-034, Docket 50-395, Virgil C. Summer, December 25, 1985
: 6. Letter from C. Eicheldinger (Westinghouse) to V. Stello (NRC) dated August 13, 1976
: 7. Meeting between Westinghouse and NRC, Bethesda, Maryland, July 21, 1986
: 8. Westinghouse Owners Group, "Emergency Response Guidelines, Rev. 1," Letter from J. Sheppard (WOG) to H. Thompson (NRC) dated November 30, 1983
: 9. Licensee Event Report 85-009, Docket 50-413, Catawba Unit 1, January 31, 1985
: 10. U.S. Nuclear Regulatory Commission, "NRC Report on the January 25, 1982 Steam Generator Tube Rupture at R. E. Ginna Nuclear Power Plant," NUREG-0909, April 1982
: 11. Licensee Event Report 85-013, Docket 50-346, Davis Besse Unit 1, June 9, 1985
: 12. Licensee Event Report 85-002, Docket 50-247, Indian Point Unit 2, February 4, 1985
: 13. Licensee Event Report 84-064, Docket 50-483, Callaway Unit 1, December 17, 1984
: 14. Letter from C. Rossi (NRC) to A. Ladieu (WOG) dated March 30, 1987.
: 15. U.S. Nuclear Regulatory Commission, 10 CFR 50, "Commission Policy Statement on Technical Specification Improvements for Nuclear Power Plants," Federal Register, Vol. 52 No. 3788, February 1987
: 16. Licensee Event Report 85-017, Docket 50-251, Turkey Point Unit 4, June 20, 1985
: 17. J. Gueller et al, "Evaluation to Determine the Adequacy of EOP's to Deal with the Type of Trip/Safety Injection that Occurred on August 26, 1986," Salem Station Report
: 18. U.S. Nuclear Regulatory Commission, Inspection Report No. 50-369/86-28 and 50-370/86-28, McGuire Nuclear Station, November 5, 1986
, ,}} |
Latest revision as of 13:01, 13 November 2020
ML20195J792 | |
Person / Time | |
---|---|
Issue date: | 08/31/1987 |
From: | Israel S NRC OFFICE FOR ANALYSIS & EVALUATION OF OPERATIONAL DATA (AEOD) |
To: | |
References | |
TASK-AE, TASK-E708 AEOD-E708, NUDOCS 8812050054 | |
Download: ML20195J792 (17) | |
Text
AEOD/E708 ENGINEERING EVALUATION REPORT
DEPRESSURIZATION OF REACTOR COOLANT SYSTEMS IN PWRs
August 1987
Prepared by: Sanford Israel
Office for Analysis and Evaluation of Operational Data
U.S. Nuclear Regulatory Commission
TABLE OF CONTENTS
SUMMARY
1.0 INTRODUCTION
2.0 DESCRIPTION OF SALEM EVENT
3.0 ANALYSIS AND EVALUATION
4.0 FINDINGS AND CONCLUSIONS
5.0 REFERENCES
SUMMARY
An inadvertent reactor trip at Salem Unit 2 on August 26, 1986 resulted in a loss of normal pressurizer spray, loss of auxiliary spray, and loss of one of the power operated relief valves (PORVs). Repeated PORV actuations caused by continued operation of high pressure safety injection occurred. Quick, impromptu operator action restored normal pressurizer spray, secured high pressure safety injection, and returned the plant to a stable condition.
Extrapolation of this sequence of events to a steam generator tube rupture accident or a forced natural circulation cooldown highlights areas of safety analyses, plant operation, and emergency procedures that could be improved.
Operational experience shows that one or a combination of depressurization equipment may be out of service for extended times because technical specifications do not contain limiting conditions of operation for these systems.
Similarly, the Salem event illustrates electrical dependencies that may reduce the availability of the depressurization function. Generally, these problems stem from a lack of specificity in the acceptance criteria for mitigation systems used in plant safety analyses of steam generator tube rupture accidents.
Inconsistencies in the order in which the depressurization systems are used appear in the emergency procedures for Westinghouse plants. Although emergency procedures were intended to be symptom oriented, special procedures do exist for steam generator tube rupture events. The preferred order of equipment use is different. This adds an element of potential uncertainty to the operator's response and is especially important considering potential improvisation in control room operations when events evolve. Our study also noted that potential void formation in the upper head can be instrumental in inhibiting depressurization, because saturation pressures associated with the fluid temperatures in the upper head can be quite high (on the order of 1500 to 1600 psi) compared to steam generator pressures (around 1000 psi).
The likelihood of severe core damage from steam generator tube rupture accidents was previously estimated to be small. Still, actions to facilitate the operator's recovery from this event may be prudent because of the potential for bypassing containment during this accident.
1.0 INTRODUCTION
An operating event at Salem Unit 2 on August 26, 1986 highlighted the susceptibility of PWRs to degradation of primary system pressure control. A series of circumstances during the Salem event defeated many of the alternative methods for providing pressure control. Impromptu operator actions facilitated recovery and stabilization of the plant in a short time frame (Ref. 1).
Pressure control also received NRC staff attention in the resolution of Unresolved Safety Issues A-3, A-4, and A-5 (Ref. 2), which recommended further staff evaluation of pressure control following a tube rupture event. After the Ginna tube rupture accident in 1982, the PWR Owner Groups made an extensive effort to develop emergency procedure guidelines for recovering from such an event. These guidelines vary among the three vendor groups based on unique plant design features. In this study we have reexamined some of the facets of primary system pressure control in Westinghouse plants and how they impact plant recovery from a steam generator tube rupture accident. Relevant operating experience is used to illustrate deficiencies in the maintenance and use of pressure control systems.
2.0 DESCRIPTION OF SALEM EVENT
On August 26, 1986, while Salem Unit 2 was operating at 100 percent power, a reactor trip occurred because a spurious loss of a reactor coolant pump signal was generated when a technician inadvertently grounded a 120v ac instrument bus. The voltage spike also caused steam generator low pressure signals which, in conjunction with normal high steam flow indication following a reactor trip, generated a safety injection signal.
Following a normal reactor trip at Salem, station loads transfer from the auxiliary transformer (powered by the Unit 2 generator) to the station transformer (SPT 21) which is powered by offsite sources. In addition, the vital safety buses are supplied by SPTs 21 and 22. Following the reactor trip on August 26, 1986, the transfer of house loads to bus SPT 21 was initiated after a 30 second delay. Subsequently, a series of vital bus transfers between SPT 21 and SPT 22 occurred because of protective relaying logic. During these multiple transfers, two of the vital buses were not powered concurrently for about two seconds, which generated a station "blackout" signal. A more detailed description of the vital bus problems that evolved during this event is presented in Ref. 1.
Prior to the station "blackout" signal, all the plant's safeguards equipment responded to the safety injection signal as designed. When a station "blackout" signal occurred concurrently with a safety injection signal, the safeguards signal properly stripped all vital bus loads and then sequenced selected safety injection loads onto the emergency buses powered by the already operating diesel generators. The No. 2B vital bus was deenergized because of the out of service 2B diesel generator. Therefore, equipment powered from the 2B bus, which had previously started or changed position on the initial safety injection signal, did not restart or change position after the loss of the bus. Also, loading of the diesel generators did not automatically load the component cooling water pumps.
During a real loss of offsite power, the reactor coolant pumps (RCP) would have stopped. In this event, the reactor coolant pumps continued to operate because they were connected to viable offsite power sources. In this instance, the senior reactor operators decided to turn off the reactor coolant pumps. They reasoned that the pumps should not be operated more than five minutes without component cooling water to the motor bearings and thermal barrier. The high pressure safety injection pumps were operating and the resulting rise in reactor system pressure caused a PORV to lift numerous times. Pressurizer spray was not available to reduce the pressure rise after the reactor coolant pumps were shut down.
The charging pumps (high pressure safety injection) injected water into the primary system through the ECCS piping and reactor coolant pump seals as shown in Figure 1. Seal injection provides cooling for the pump seals in the absence of component cooling water flow to the seal thermal barrier. The control room operators could not isolate the ECCS flow because the loss of the 2B vital bus, subsequent to the initial safety injection, resulted in the loss of power to various motor operated valves in the ECCS. These valves had assumed their safeguards positions on the initial safety injection signal but could not be returned to their normal position without local manual operation. The operators chose not to stop the charging pumps because they were supplying injection to the RCP seals. The operators could not initiate the auxiliary pressurizer spray from the charging system because the isolation valve, also powered from the 2B vital bus, was closed as part of the safeguards alignment.
[Figure 1. Simplified diagram of reactor coolant system, showing the refueling water storage tank, high pressure safety injection pump, pressurizer, PORV (2), normal spray line (2), alternate spray line (1), RCP seal injection line (4), ECCS injection, and reactor coolant pump.]
About seven minutes into the event, the control room operators manually loaded the component cooling water pumps onto the vital buses. About 21 minutes into the event, the operators terminated safety injection flow. A minute later, a reactor coolant pump was returned to service resulting in restoration of normal pressure control via the pressurizer sprays. The hot and cold leg temperatures subsequently equalized.
Recovery of the startup transformers and stabilization of the reactor continued over the next several hours. Two other coincidental events occurred: a failure of one of the steam generator feedwater pumps to trip on the safety injection signal, and a leak developed in a service water discharge pipe from one of the containment fan coolers. These failures did not impact the recovery of the plant.
Several aspects of the plant's status prior to the event are pertinent to the issue of pressure control. As noted previously, the 2B diesel generator was out of service for preventive maintenance for about three and a half hours prior to the event. One of the pressurizer spray valves had been isolated for almost three months because of excessive leakage. Also, one of the PORVs had been isolated for about two weeks prior to the event because of excessive leakage. Other equipment out of service prior to the event included a service water pump, two chiller units, an atmospheric steam relief valve, and one steam generator level channel.
Subsequent to the event, the licensee initiated actions to correct the failures associated with the vital bus transfer and the service water leak and to review control room operations during the event. The licensee and the NRC met on several occasions following the event to review the progress of the licensee's actions, particularly in the area of ac electrical distribution systems.
3.0 ANALYSIS AND EVALUATION
This report focuses on the portion of the Salem event associated with primary system depressurization, not the personnel errors associated with initiating the event nor the ac power distribution problems that arose early in the event. Inadvertent electrical grounding pervades the published operating experience of the nuclear industry of which this event is just another data point. However, the evolution of the Salem event, after the pseudo-loss of offsite power, dramatizes design tradeoffs and operating modes, all within accepted standards, that impact the operator's ability to control primary system pressure.
In the context of this study, pressure control is the ability to hold or reduce primary pressure. Generally, primary pressure is controlled by a single channel controller that actuates the normal pressurizer spray system when the pressure exceeds the design operating pressure by about 25 psi. The proportional spray controller is driven by the pressure deviation above the design point and goes wide open just below the power operated relief valve (PORV) actuation setpoint to minimize challenges to the PORVs. The automatic pressure control system is generally operable following all reactor trips provided control power is still available and the reactor coolant pumps are operating. As shown in Figure 1, this system draws water from the reactor cold legs using two different lines each having a control valve that can be operated automatically or manually. Thus, the system will be defeated by loss of reactor coolant pumps or closure of the control valve. In the Salem event, only one train of pressurizer spray was potentially operable because the other train had been isolated for about three months prior to the event. There are no limiting conditions for operation requirements in the technical specifications that control the allowable outage time or the operability of the normal pressurizer spray system.
Analyses of design basis accidents generally assume the loss of offsite power. Therefore, credit is not taken for normal pressurizer spray when reviewing those safety analyses. Emergency procedures require that the reactor coolant pumps be shut down under a prescribed set of conditions for depressurization events that initiate a safety injection signal. These actions, which would defeat normal pressurizer spray, were prompted by concerns about adequate core cooling for a narrow range of small-break, loss of coolant accidents (LOCAs). However, the criteria for reactor coolant pump trip may very well be satisfied for other accidents, such as a steamline break or a steam generator tube rupture, which have initial plant response characteristics similar to small-break LOCAs. Thus, it is plausible that the normal pressurizer spray system would not be immediately available to depressurize the primary system for a number of events besides a loss of offsite power.
Normal pressurizer sprays have failed at several plants with the valves open (Ref. 3, 4, and 5). The resulting cooldown of the pressurizer caused a reactor trip on low primary system pressure. In all the events cited, operators secured one or more reactor coolant pumps to stop the pressurizer spray. They subsequently entered containment to isolate the spray line locally. If cooldown of the pressurizer continued during these events, the pressurizer may have filled when a steam bubble formed in the upper head (after the fluid temperature in the upper head exceeded the fluid temperature in the pressurizer). Upper head temperature is a function of the inlet/outlet bypass flow across the core barrel and jetting along the control rods and guides into the upper head region during normal plant operation. A discussion of upper head temperatures in Westinghouse plants (Ref. 6) indicated that the upper head temperature was close to the hot leg temperature under normal operating conditions. Discussions with plant personnel confirmed a similar situation at Salem. Upper head temperatures became an issue in the context of ECCS analyses in the late 1970s. Because of the adverse impact on peak clad temperature calculations, many Westinghouse plants increased the bypass flow through the upper head to reduce the temperature in that region to the cold leg temperature range (Ref. 7). The importance of upper head temperatures will be discussed with respect to steam generator tube rupture accidents.
In the absence of normal pressurizer spray, guidelines for emergency operating procedures at Westinghouse plants recommend that auxiliary spray be used as the first backup for pressure control for all events except steam generator tube ruptures (Ref. 8). The auxiliary spray system is a single, manually controlled line between the charging pump discharge header and the pressurizer. There are no limiting conditions of operation in the technical specifications regarding the availability of the auxiliary spray system. Normal operation of the system uses the regenerative heat exchanger in the primary system letdown line to heat the spray water. Operation of the auxiliary spray with temperature differences (between spray and pressurizer) outside of prescribed limits is prohibited by the technical specifications for extended times. Thus, operation of the auxiliary spray entails additional operator concerns that must be factored into his activities during recovery from an event. Auxiliary spray systems have had some negative operating experience. For example, at Catawba Unit 1, an auxiliary spray valve stuck open causing a primary system depressurization during a loss of control room test (Ref. 9). In that instance, the normal pressurizer spray system could not be controlled from the auxiliary shutdown panel, so auxiliary spray was used. This is generally true for other plants also.
PORVs can be used to control or reduce primary system pressure. As part of the TMI-2 action plan, the power supplies for PORVs and their block valves were upgraded to be operable from emergency power sources. Those plants that received operating licenses after the TMI-2 accident incorporated an automatic PORV isolation system to close the block valves when primary system pressure fell below the operating pressure by some finite amount. These modifications reflect the enhanced importance of the PORVs following the TMI-2 accident and the concern for loss of coolant accidents caused by a stuck open PORV. A PORV stuck open during the steam generator tube rupture accident at Ginna (Ref. 10) and during an overpressure event at Davis Besse (Ref. 11). In both instances, the operator manually closed a block valve to terminate the blowdown.
Operation of PORVs varies among the plants. At Salem, a PORV control switch is located on the control board; while at other plants, operation of the PORV may require activities inside the cabinets behind the control board. Thus, manual operation of the PORVs may be hindered at some plants. There are no requirements in the technical specifications governing the availability of PORVs. References 12 and 13 identify situations where all the PORVs were blocked during normal plant operation so their availability to mitigate an accident is not assured.
Several accident scenarios that involve the loss of RCPs also result in the concurrent loss of the normal pressurizer spray system. Of these, a steam generator tube rupture accident potentially poses the most serious consequences because of loss of the primary system pressure boundary and the potential for containment bypass via the steam generator safety valves. A steam generator tube rupture challenges the reactor operators more than any other design basis accident. There are no automatic plant systems to identify and isolate the faulted steam generator(s), so the operators must perform these functions. Similarly, the operators must control depressurization of the primary system to minimize discharging reactor coolant into the faulted steam generator and overfilling it. This latter task requires continuous hands-on control, rather than just turning equipment on and off, a more usual response.
The steam generator tube rupture at Ginna (January 25, 1982) illustrates an adverse sequence of events that had a potential for significant offsite doses (Ref. 10). The operators delayed in terminating safety injection (although the termination criteria were satisfied) and consequently, continued discharge of coolant into the faulted steam generator lifted a safety valve which eventually stuck open. An uncontrollable pathway existed between the reactor and outside the containment because the safety valves are not isolable. Continued loss of reactor coolant outside the containment would have ultimately depleted the refueling water storage tank and resulted in core uncovery. In this instance, the operators successfully depressurized the primary system using PORVs (normal pressurizer spray was lost when the reactor coolant pumps were secured according to emergency operating procedures). However, a PORV stuck open which temporarily resulted in a loss of coolant inside the containment until an operator closed the associated block valve. Rapid depressurization from the PORV actuations resulted in steam bubbles being formed in the upper head of the pressure vessel and the top of the tube bundle in the faulted steam generator. Eventually, the operators successfully stabilized the plant and recovery proceeded without significant consequences.
Two actions stemming from the Ginna event are relevant to this study. First, all PWR licensees reexamined the criteria for tripping the reactor coolant pumps following a primary system depressurization and developed a new set of criteria that should preclude tripping the reactor coolant pumps for most single tube rupture accidents. These new pump trip criteria should make the normal pressurizer spray system available (barring other failures) for many steam generator tube rupture events. Secondly, emergency procedure guidelines were developed by the PWR Owners Groups to cope with these accidents. Guidelines for Westinghouse plants direct the operator to use the PORVs to depressurize the primary system if the normal pressurizer spray system is not available (Ref. 8).
Standard Review Plan 15.6.3, Radiological Consequences of Steam Generator Tube Rupture (PWR), indicates that review of this design basis accident should consider loss of offsite power, but is silent on the consideration of an additional single failure in mitigation systems when evaluating plant response to this event. This approach differs from the treatment of other accidents, such as steamline breaks and LOCAs, that consider single failures in mitigating systems. A recent NRC staff evaluation (Ref. 14) of a Westinghouse Owners Group topical report, "SGTR Analysis Methodology to Determine the Margin to Steam Generator Overfill," stated that "Early operator actions to identify and isolate the ruptured steam generator and subsequent corrective actions to equalize RCS and secondary pressures are required." Because of plant differences, the staff required individual plant specific information to be submitted for review and evaluation prior to publication of a plant-specific SER. Included in this information requirement is:
"A list of systems, components and instrumentation which are credited for accident mitigation in the plant-specific SGTR EOP(s). Specify whether each system and component is safety grade. For primary and secondary PORVs and control valves specify the valve motive power and state whether the motive power and valve controls are safety grade. For non-safety grade systems and components state whether safety grade back ups are available which can be expected to function or provide the desired information within a time period compatible with prevention of SGTR overfill or justify that non-safety grade components can be utilized for the design basis event."
"The worst single failure should be identified if different from the WCAP-10698 analysis and the effect of the difference on the margin of overfill should be provided."
This staff evalution of this SGTR topical report reflects a treatment of single Tailure and ecuipment availability consistent with other accident analyses in Chapter 15 of the FSAR, but not yet reflected in the Standard Review Plan for SGTRs.
Similarly, primary system depressurization equipment is generally not covered by the limiting conditions for operation in the technical specifications. The lack of specificity for these systems is probably attributable to the prior review and evalutaion of SGTR accidents discussed above. However, in the recently published "Commission Policy Statement on Technical Specification Improvements for Nuclear Power Reactors" (Ref.15), Criterion 3 indicates that systems that are the primary success path for mitigating a design basis accident that failt or presents a challenge to a fission product barrier should be captured by the technical specifications. Primary system depressurization systems fulfill this criterion for SGTR accidents especially considering the staff evalutaion of the owners group topical report noted above.
Consideration of loss of offsite power and an additional single failure (component related, not a persunnel error) in evaluating a steam generntor tube rupture accident highlights the operctor's diminished ability to cope with the accident. In the Salem event, loss of an ac bus made the auxiliary spray system inoperable and precluded isolation of the high pressure safety injection. Thus, only one PORV was initially available to depressurize the plant. A loss of an inverter event at Turkey Point (Init 4 (Ref.16) made normal pressurizer spray system inoperable and defeated the automatic operation of one of the PORVs (the other one was previously iwlated). In this instance, auxiliary spray would have been available to depressurize the plant.
These two events illustrate the vulnerability of the various depressurization methods to failures in the electrical systems. Generally, independence in depressurization system / trains potentially exists only in the P0PVs which are controlled by separate channels that can be powered from separate emergency buses. Consideration of single failures in evaluating these accidents may not completely defeat the depressurization function because of the redundancy in the mitigation systems, but may limit response capability to the PORVs. As cited above PORVs have been isolated at several plants for extended periods of time and therefore may not be available when needed. Consequently, effective depressuiization control following a steam generator tube rupture may be significantly hampered by concurrent and/or prior degradation in mitigation equipment. Relianca on PORVs also poses a r13k of a stuck open valve and consequential loss of coolant inside the containment while trying to recover from the initial tube rupture. This occurred during the Ginna accident cited above. This secondary LOCA can be tenninated by closing the associated block valve, but it still complicates recovery from an accident that is challenging the operators.
Other coincidental degradations in plant equipment were noted during the Salem event and discussed in the licensee's evaluation of the event (Ref. 17). These included:
- 1. failure of a feedwater pump to trip automatically on the safety injection signal,
- 2. loss of some valve indications,
- 3. loss of flow indication for high pressure safety injection,
- 4. a reactor coolant pump fire protection deluge alarm,
- 5. cycling of containment sump pumps because of a leak in a fan cooler unit,
- 6. loss of events recorder,
- 7. loss of component cooling water,
- 8. loss of the auxiliary alarm typewriter.
Although none of these ancillary degradations in plant equipment had a direct impact on plant response, except for the loss of component cooling water, they were distractions that diverted the operator's attention.
Loss of component cooling water resulted from the concurrent safety injection and loss of offsite power signals which stripped the safety buses and reloaded them with selected equipment. Salem appears to be unique in not loading the component cooling water pumps on emergency power buses under these conditions.
The senior shift supervisor directed the operators to secure the reactor coolant pumps after five minutes without component cooling water. This action appears to be based on training rather than emanating from procedures used.
During the event debriefing, the reactor operators indicated that they were aware that the reactor coolant pumps should be secured after five minutes without component cooling water, but they would not have taken the initiative to secure the pumps without the shift supervisor's direction because it was not in the procedures they followed. Tripping of the reactor coolant pumps defeated the normal pressurizer spray system and thus affected plant response and control room activity.
Impromptu operator actions occurred at McGuire Unit 1 during a primary system depressurization caused by a faulty safety valve that lifted prematurely at 2370 psi and didn't reseat until approximately 1800 psi (Ref. 18). An operator blocked the low pressurizer pressure safety injection signal to preclude its actuation at 1845 psi. Discussions with the licensee management indicated that the general policy, made known to the operators during training, was not to block any safety function from automatically initiating. However, under emergency conditions, the shift supervisor is authorized to deviate from an established procedure if deemed necessary to protect health and safety (Ref. 18). At McGuire, the operators were concerned about increasing blowdown to the pressurizer relief tank by high pressure injection because personnel were performing a leak check inside containment.
At Salem, the shift supervisor subsequently directed that the component cooling water pumps be loaded on emergency power buses about seven minutes after they had been lost and that the reactor coolant pumps be restarted about 15 minutes later. These actions evolved during the event and did not emanate from the emergency operating procedures. The intermediate head safety injection pumps and the residual heat removal pumps were deenergized after the component cooling water pumps were loaded on the emergency buses. A potential electrical overload on the emergency buses lasted only a few minutes.
Normal pressurizer spray was lost during the Salem event because of a design peculiarity (component cooling water not loaded on the emergency buses). In the interim the operators attempted to use the auxiliary spray but were thwarted by a closed valve whose power came from the emergency bus connected to the diesel generator which was down for maintenance. Several closed valves in the charging and letdown system had to be realigned by local manual actions because of the loss of the same electrical bus. These valve manipulations were needed to stop high pressure safety injection which was causing repeated PORV actuations. Similar continued operation of high pressure safety injection during the Ginna accident (Ref. 10) resulted in a stuck open steam generator safety valve and loss of primary coolant outside the containment. These two events highlight timely termination of high pressure safety injection, which is addressed in the emergency operating procedures.
If the Salem event had been a steam generator tube rupture accident, the PORVs would have been used to depressurize the primary system in the absence of normal pressurizer spray. Only one PORV was available at Salem. Use of PORVs for steam generator tube rupture accidents and use of auxiliary spray for all other events introduces a potential inconsistency in operator training. Although operators are supposed to follow emergency operating procedures in responding to an event, they may improvise actions as the event evolves, especially when there are multiple problems. Thus, inconsistencies in pressure control procedures and operator training may produce undesirable improvisations during an event.
Resolution of Unresolved Safety Issues A-3, A-4, and A-5 regarding steam generator tube integrity (Ref. 2) recommended further NRC staff evaluation of the use of the auxiliary spray system in lieu of the PORVs. Utilization of the auxiliary spray system for steam generator tube rupture accidents as a first backup to normal pressurizer spray would eliminate this inconsistency in operator training and reduce the potential for exacerbating the event with a potential LOCA inside containment due to a stuck open PORV.
Another area important to pressure control, following a steam generator tube rupture, is the upper head temperature. According to discussions with Salem operating personnel, the upper head temperature is close to the normal hot leg temperature (606F) which corresponds to a saturation pressure of about 1600 psi. This saturation pressure is considerably above the steam generator safety valve setpoint of 1070 psi. Consequently, the upper head could act as a pressurizer and hold the primary system pressure above the steam generator safety valve setpoint, resulting in a potential discharge of reactor coolant outside the containment. In Ref. 7, Westinghouse noted that many plants had decreased their upper head temperatures to the cold leg temperature (about 545F for Salem) by increasing the bypass flow through the upper head. A temperature of 545F corresponds to a saturation pressure of about 1000 psi, which is below the steam generator safety valve setpoint (1070 psi). This modification would improve the plant response characteristics to a steam generator tube rupture accident and reduce the potential for discharging coolant outside the containment.
From a safety standpoint, loss of pressure control in a PWR is of most concern for a steam generator tube rupture accident because of the potential for bypassing containment should a secondary side relief valve stick open. An extensive probabilistic assessment of steam generator tube ruptures was performed for Unresolved Safety Issues A-3, A-4, and A-5 (Ref. 2). That study estimated core melt likelihood for steam generator tube ruptures to be 4E-6 per reactor year and the corresponding risk to the public was estimated to be 2.5E-3 latent fatalities and 1.1E-5 early fatalities per reactor year. These risk estimates are directly proportional to human error probabilities associated with failing to depressurize and sharply reduce the flow from the primary system into the failed steam generator before the refueling water storage tank is exhausted.
Time available before depletion of the refueling water storage tank varies with the number of concurrent tube ruptures in the accident, high head pressure injection capability, and discharge flow area (safety valve) off of the steamlines. Estimates of expected depletion times in Ref. 2 range upwards from one hour to five hours for total accident recovery. Prolonged high primary system pressures, early in an accident, that could cause damage in the secondary system (e.g., stuck open safety valve) could then require significant time and operator improvisation to mitigate. Thus, deficiencies in plant design and operation, operator training, and emergency procedures related to pressure control, like those discussed above, have a direct effect on the probability of inappropriate operator actions and impact the likelihood of severe core damage and offsite exposures from steam generator tube rupture accidents.
The methodology to make accurate estimates of the impact of performance-related factors, such as training, flexibility in operator response to an event, and plant characteristics, on human error probabilities does not exist. Good practices should be emphasized in situations heavily dependent on operator actions such as steam generator tube rupture accidents. This means carefully examining the total man-machine picture for those events to identify and provide direct operator support for coping with events while removing or minimizing characteristics that impede optimum responses.
4.0 FINDINGS AND CONCLUSIONS
- 1. There are several systems available for primary system pressure control. All plants have a normal pressurizer spray system that automatically controls system pressure if control power is available and the reactor coolant pumps are running. Auxiliary spray is provided by a manually controlled line from the charging pump discharge header. Most plants have PORVs that can be used to depressurize the primary system.
- 2. Generally, none of the systems identified in Item 1 above is controlled by limiting conditions for operation in the technical specifications. Experience has shown that one or portions of all these equipment/systems can be out of service for extended times while the plant is operating.
- 3. Operating procedures for utilizing the above mentioned equipment/systems are not consistent at Westinghouse plants. For all events, the procedure guidelines use the auxiliary spray as a backup to the normal spray, except for steam generator tube rupture accidents which use the PORVs as a backup to the normal spray. PORVs have a tendency to stick open and cause a small loss of coolant accident which complicates recovery from a tube rupture.
- 4. Of primary concern from a pressure control standpoint is a steam generator tube rupture accident because of the potential for bypassing the containment. A steam generator tube rupture which defeats the primary system pressure boundary and with continued discharge of primary coolant into the faulted steam generator could challenge and fail the steam generator safety valves.
- 5. In the past, systems evaluation criteria for mitigating a steam generator tube rupture accident are not as stringent as those used for reviewing other design basis accidents. In particular, single failure criteria was not applied to the mitigating systems in a consistent fashion. However, a recent staff evaluation of a Westinghouse Owners Group topical report on SGTR indicates that single failure and equipment operability will be considered in future evaluations.
- 6. The upper head temperature may adversely influence plant response characteristics in a tube rupture accident. Many plants operate with upper head temperatures close to core exit temperatures that correspond to saturation pressures above the setpoint on the steam generator safety valves. The upper head could act as a pressurizer and maintain primary system pressures above the pressure in the faulted steam generator and potentially challenge the steam generator safety valves.
- 7. The likelihood of severe core damage and offsite doses from steam generator tube rupture accidents is proportional to human error probabilities associated with recovery from the accident. Continuous operator attention is required to stabilize the plant after a tube rupture, in contrast to automatic system actuations and simple on/off manual actions used for mitigating other design basis accidents.
- 8. Several hours may be available to preclude a steam generator tube rupture accident from evolving into a severe core damage event due to depletion of the refueling water storage tank. However, loss of pressure control early in the event may result in prolonged discharge of coolant into the faulted steam generator and subsequent failures in the secondary system (or the pressurizer PORV) that exacerbate the situation and significantly complicate the operator's ability to recover.
- 9. The circumstances of the Salem event, as they relate to a potential tube rupture event, are not unique. Multiple pieces of equipment out of service are within allowable practice. Multiple coincidental failures have been observed during other operational events. Although the Salem operating staff performed well in this particular instance and there are multiple methods for depressurizing the primary system, the Salem event still raises an issue: Do circumstances that prevailed during the event facilitate appropriate operator action or detract from it? On one hand, there appears to be ample time and acceptable emergency procedures for the operator to successfully respond to a steam generator tube rupture accident. On the other, control of the design, operability, and availability of the mitigating systems appears lacking. The evidence clearly indicates that primary pressure control capability could be enhanced.
5.0 REFERENCES
- 1. Licensee Event Report 86-007, Docket 50-311, Salem Unit 2, August 26, 1986
- 2. U.S. Nuclear Regulatory Commission, "NRC Integrated Program for the Resolution of Unresolved Safety Issues A-3, A-4, and A-5 Regarding Steam Generator Tube Integrity," DRAFT, NUREG-0844, April 1985
- 3. Licensee Event Report 85-011, Docket 50-336, Millstone Unit 2, July 15, 1982
- 4. Licensee Event Report 85-017, Docket 50-247, Indian Point Unit 2, December 31, 1985
- 5. Licensee Event Report 85-034, Docket 50-395, Virgil C. Summer, December 25, 1985
- 6. Letter from C. Eicheldinger (Westinghouse) to V. Stello (NRC) dated August 13, 1976
- 7. Meeting between Westinghouse and NRC, Bethesda, Maryland, July 21, 1986
- 8. Westinghouse Owners Group, "Emergency Response Guidelines, Rev. 1," Letter from J. Sheppard (WOG) to H. Thompson (NRC) dated November 30, 1983
- 9. Licensee Event Report 85-009, Docket 50-413, Catawba Unit 1, January 31, 1985
- 10. U.S. Nuclear Regulatory Commission, "NRC Report on the January 25, 1982 Steam Generator Tube Rupture at R. E. Ginna Nuclear Power Plant," NUREG-0909, April 1982
- 11. Licensee Event Report 85-013, Docket 50-346, Davis-Besse Unit 1, June 9, 1985
- 12. Licensee Event Report 85-002, Docket 50-247, Indian Point Unit 2, February 4, 1985
- 13. Licensee Event Report 84-064, Docket 50-483, Callaway Unit 1, December 17, 1984
- 14. Letter from C. Rossi (NRC) to A. Ladieu (WOG) dated March 30, 1987
- 15. U.S. Nuclear Regulatory Commission, 10 CFR 50, "Commission Policy Statement on Technical Specification Improvements for Nuclear Power Plants," Federal Register, Vol. 52, No. 3788, February 1987
- 16. Licensee Event Report 85-017, Docket 50-251, Turkey Point Unit 4, June 20, 1985
- 17. J. Gueller et al, "Evaluation to Determine the Adequacy of EOP's to Deal with the Type of Trip/Safety Injection that Occurred on August 26, 1986," Salem Station Report
- 18. U.S. Nuclear Regulatory Commission, Inspection Report No. 50-369/86-28 and 50-370/86-28, McGuire Nuclear Station, November 5, 1986