ML11221A300: Difference between revisions



=Text=
{{#Wiki_filter:Pressurized Water Reactor B&W Technology Crosstraining Course Manual Chapter 16.0 Davis-Besse Loss of All Feedwater
 
USNRC HRTD 16-i Rev 05/2008

TABLE OF CONTENTS

: 16.0 DAVIS-BESSE LOSS OF ALL FEEDWATER EVENT
: 16.1 Description of Plant Systems
: 16.1.1 General Design
: 16.1.2 Main Steam System
: 16.1.3 Main Feedwater System
: 16.1.4 Auxiliary Feedwater System
: 16.1.5 Makeup/High-Pressure Injection Cooling Systems
: 16.1.6 Steam and Feedwater Rupture Control System (SFRCS)
: 16.1.7 Pressurizer Pilot Operated Relief Valve
: 16.2 Event Narrative
: 16.2.1 Shift Change
: 16.2.2 Reactor Trip - Turbine Trip
: 16.2.3 Loss of Main Feedwater
: 16.2.4 Loss of Emergency Feedwater
: 16.2.5 Reactor Coolant System Heatup
: 16.2.6 Operator Actions
: 16.2.7 PORV Failure
: 16.2.8 Steam Generator Refill
: 16.2.9 PRA Insights
: APPENDIX Sequence of Events

LIST OF FIGURES

: Figure 16-1 Davis-Besse NSSS
: Figure 16-2 Main Steam System
: Figure 16-3 Main Feedwater System
: Figure 16-4 Auxiliary Feedwater System
: Figure 16-5 Emergency Core Cooling Systems
: Figure 16-6 Steam and Feed Rupture Control System Logic
: Figure 16-7 Reactor Coolant System and Pressurizer Response
: Figure 16-8 Number One Steam Generator Parameters
: Figure 16-9 Number Two Steam Generator Parameters
: Figure 16-10 Trip Throttle Valve
: Figure 16-11 Dominant Core Vulnerability Sequence Event Tree
: Figure 16-12 Dominant Core Damage Sequence Event Tree
 
 
16.0 DAVIS-BESSE LOSS OF ALL FEEDWATER EVENT

Learning Objectives:
: 1. List the indications of a "Loss of Heat Transfer" event.
: 2. Explain what operator actions and equipment failures led to the "Loss of Heat Transfer" event at Davis-Besse.
: 3. Explain the protection provided in an event that exceeds the design bases of the unit.
: 4. Describe how the "Feed and Bleed" method of core cooling is used to remove decay heat following a reactor trip.
: 5. State why an operator/supervisor may be reluctant to use this method of decay heat removal.

16.1 Description of Plant Systems

16.1.1 General Design

The Nuclear Steam Supply System (NSSS) for the Davis-Besse plant was supplied by the Babcock & Wilcox Company. The NSSS, shown in Figure 16-1, consists of two heat transport loops with each containing a hot leg, a once-through steam generator (OTSG), and two cold legs. Water from the OTSG is returned to the reactor vessel by the reactor coolant pumps, with one pump located in each cold leg. Reactor coolant system (RCS) pressure is maintained by an electrically heated pressurizer that is connected to one of the hot legs. During normal operations, the pressurizer contains a 700 ft³ steam bubble that exerts a pressure of approximately 2150 psig on the RCS. Protection against over-pressurization is provided by the pilot operated relief valve (PORV) and two code safety valves. The pilot operated relief valve discharges to a quench tank. The two code safety valves discharge directly to the containment building.

The reactor design power level is 2,772 MWt, which is also the design power level for the station and all components. At a power level of 2,772 MWt, the net station electrical output is 906 MWe.

16.1.2 Main Steam System

The main steam system functions to deliver superheated steam from the steam generators (OTSGs) to the main turbine and required plant auxiliaries. As shown in Figure 16-2, the system begins with the outlet piping from the steam generators and passes through the containment building to the main steam isolation valves (MSIVs). Protection against overpressurization for the steam generators is provided by 18 code safety valves (9 per steam generator) located on the system piping upstream of the MSIVs, and two atmospheric vent valves (one per steam generator) which act as relief valves. The atmospheric vent valves are controlled by the integrated control system (ICS) and aid in controlling steam pressure if a large transient occurs when the unit is in service, if condenser vacuum is lost, or if the MSIVs are closed. Connections upstream of each main steam isolation valve supply steam to the redundant turbine-driven auxiliary feedwater pumps. Either system header is capable of supplying either turbine; however, the auxiliary feedwater pump turbine normally receives steam from its associated steam header.
The piping downstream of the MSIVs contains non-return valves that prevent reverse flow when steam generator pressures are not equal. From the non-return valves, steam flows to the high pressure turbine and secondary systems, such as the air ejectors.
During normal operations, the main steam system valves are not required to change position; however, reactor trips and steam and feedwater rupture control system (SFRCS) actuations cause changes in valve position. When the reactor trips, OTSG pressure rises rapidly, resulting in the actuation of the steam line safety valves. The integrated control system (ICS) biases the steam generator pressure control setpoint to a value higher than the normal steam header pressure control value to minimize the cooldown of the reactor coolant system. Once the ICS gains control of the steam pressure, the safety valves should close.
The steam and feedwater rupture control system (SFRCS) also changes the position of the main steam system valves. If an SFRCS actuation signal is received, the following changes can occur in the system:
: 1. The MSIVs close.
: 2. The atmospheric vent valves close.
: 3. The steam supply valves open to supply steam to the auxiliary feedwater pump turbines.
16.1.3 Main Feedwater System

The main feedwater system, Figure 16-3, begins with the cross-connected deaerator storage tanks. Each of these tanks has a capacity of 64,000 gallons and provides the required net positive suction head (NPSH), i.e., pressure, for the booster feedwater pumps. The booster feedwater pumps are driven through a gear reducer by the main feedwater pump turbines and function to increase system pressure to satisfy the suction requirements for the main feedwater pumps. The direct-driven main feedwater pumps increase feedwater pressure to a value greater than steam generator pressure and discharge through the high pressure feedwater heaters to the feedwater regulating valves.
Two parallel valves are used to govern the flow of feedwater to each OTSG. The first of the two valves is called the startup control valve and regulates feedwater flow from 0% power to approximately 15% power. Startup control valve SP-7B supplies the #1 OTSG, and startup control valve SP-7A supplies the #2 OTSG. When the startup control valves reach the 80% open position, the main feedwater regulating block valves open, and flow is also controlled by the main feedwater regulating valves. The main feedwater regulating valves control feedwater flow during the power escalation from 15% to 100%. The pressure drop across the valve network is monitored and used to control main feedwater pump turbine speed. From the outlet of the feedwater regulating valves, the feedwater travels to the OTSGs via a motor-operated main feedwater isolation valve. Main feedwater is added to the OTSG through the external main feedwater ring and the main feedwater nozzles. A separate auxiliary feedwater ring is used for the addition of auxiliary feedwater flow. After entering the steam generator, auxiliary feedwater is sprayed on the tubes to enhance natural circulation when reactor coolant pumps are not running and to minimize thermal shock to the steam generator.
When the plant is in mode 3 (Hot Standby), a motor-driven startup feedwater pump is used to maintain steam generator level. The startup feedwater pump receives its suction from the deaerator storage tanks and discharges to the steam generator main feed rings via the high pressure feedwater heaters, the feedwater regulating valves, and the main feedwater isolation valves. After reactor criticality is achieved, power is escalated to about 1% and a main feedwater pump is placed in service. When the main feedwater pump is in service, the startup feedwater pump is shut down and isolated from the main feedwater system. Startup feedwater pump isolation includes the closing of the suction, discharge, and the cooling water isolation valves. All of these valves are located in the turbine building and must be locally operated. In addition to the manual operation of the pump isolation valves, the breaker control power fuses are removed as a safety precaution. This prevents the operation of the pump with its suction supply isolated.
The startup feedwater pump is designed to deliver feedwater flow at approximately 200 gpm with a steam generator pressure of 1050 psig. Electrical power is supplied to the pump motor from the non-Class 1E distribution; however, the pump power supply may be manually transferred to the diesel generator busses if required. Operation of the startup feedwater pump in off-normal situations requires the manual opening of the suction, discharge, cooling water inlet and outlet valves, and the installation of the breaker control power fuses.
If the reactor trips, the feedwater system is controlled by the rapid feedwater reduction system which closes the main feedwater regulating valves and positions the startup control valves to a position that allows proper OTSG level control. These actions are taken to prevent excessive cooling of the RCS caused by overfeeding the steam generators. This system also increases the speed of the operating main feedpump turbine(s) from a normal value of 4400 rpm to 4600 rpm.
In addition to the control actions described above, the steam and feedwater rupture control system (SFRCS) closes the main feedwater regulating valves, the startup regulating valves, and the main feedwater isolation valves when certain abnormal plant conditions are detected.
16.1.4 Auxiliary Feedwater System

The auxiliary feedwater system (AFW), Figure 16-4, is designed to remove the core's decay heat by the addition of feedwater to the steam generators following a reactor trip, if main feedwater is not available. The system consists of redundant turbine-driven auxiliary feedwater pumps and associated piping. Three suction sources are available to the AFW pumps: the deaerator storage tanks, the condensate storage tank (CST), and the service water system. The CST serves as the normal suction source for the system; however, if a low suction pressure condition is sensed, the AFW suction will automatically transfer to the service water system. Manual action would be required to transfer suction to the deaerator storage tanks.
When the AFW system is actuated by the steam and feedwater rupture control system (SFRCS) on signals other than low steam generator pressure, the steam to drive the AFW pump turbine and the discharge of each pump are aligned with the associated steam generator. Each of the AFW pumps is rated at 1050 gpm when pumping against a steam generator pressure of 1050 psig; 250 gpm of the 1050 gpm is used for recirculation flow.
The #1 pump supplies the #1 OTSG via motor-operated valves AF-360, AF-3870, and AF-608. The feedwater supply for #2 OTSG is from the #2 pump through valves AF-388, AF-3872, and AF-599. However, if the SFRCS is actuated on low OTSG pressure, the flow path of the system is altered to prevent the feeding of a ruptured steam generator. The isolation of feedwater to the faulted steam generator is accomplished by closing the AFW containment isolation valve (AF-599 or AF-608). Feedwater to the intact steam generator is supplied by both pumps through the appropriate cross-connect valve (AF-3869 or AF-3871). The steam supply valves for the turbine-driven pumps are also realigned to provide steam for both pumps from the intact steam generator. The following listing gives the position of the AFW system valves during various SFRCS actuations:
NORMAL SYSTEM ALIGNMENT
: Open valves - AF-360, AF-388, AF-599, AF-608
: Closed valves - AF-3869, AF-3870, AF-3871, AF-3872, MS-106, MS-106A, MS-107, MS-107A

SFRCS LOW LEVEL ACTUATION
: Open valves - AF-360, AF-388, AF-3870, AF-3872, AF-599, AF-608, MS-106, MS-107
: Closed valves - AF-3869, AF-3871, MS-106A, MS-107A

SFRCS ACTUATION #1 OTSG LOW PRESSURE
: Open valves - AF-360, AF-388, AF-3869, AF-3872, AF-599, MS-106A, MS-107
: Closed valves - AF-608, AF-3870, AF-3871, MS-106, MS-107A

SFRCS ACTUATION #2 OTSG LOW PRESSURE
: Open valves - AF-360, AF-388, AF-3870, AF-3871, AF-608, MS-106, MS-107A
: Closed valves - AF-3869, AF-3872, AF-599, MS-106A, MS-107

The SFRCS is described in more detail in section 16.1.6.
16.1.5 Makeup/High-Pressure Injection Cooling Systems

Makeup/High-Pressure Injection (MU/HPI) core cooling (also called PORV cooling or feed-and-bleed core cooling) involves the use of the makeup and purification system, the high pressure injection system and, at the operator's discretion, the low pressure injection system. These three systems are shown in Figure 16-5. The system contains two multistage centrifugal makeup pumps rated at 150 gpm each, with a discharge pressure of approximately 2500 psig. Two suction sources are available to the pumps: the makeup tank and the borated water storage tank (BWST). During normal operations, the makeup pumps supply seal injection and control pressurizer level by discharging into the RCS via the makeup flow control valve (MU-32). The discharge of the makeup pumps enters the RCS through one of the high-pressure injection penetrations. When feed-and-bleed operations are required, plant procedures require the positioning of the three-way suction valve (MU-3971) to the BWST suction source, fully opening the makeup flow control valve, and the starting of both makeup pumps.
The high-pressure injection pumps (HPI) are a part of the emergency core cooling system and are not in service during normal operations. The system consists of redundant pumps and four injection paths into the cold legs of the RCS. The pumps receive their suction from the BWST and have a shutoff head of 1630 psig. When these pumps are used in the feed and bleed mode of core cooling, both pumps are started, and the discharge of the low-pressure injection pumps can be aligned to the  HPI pump suctions as described below.
The low-pressure injection (LPI) pumps are also a part of the emergency core cooling systems. The LPI pumps receive a suction from the BWST and discharge via the decay heat removal coolers (not shown in Figure 16-5) into the reactor vessel. The pumps are rated at 3000 gpm with a discharge pressure of approximately 150 psig. The shutoff head of the pumps is about 200 psig. Plant procedures allow the discharge of the LPI pumps to be aligned to the suction of the HPI pumps by opening valves DH-62 and DH-63. This alignment increases the discharge pressure of the HPI pumps from 1630 psig to approximately 1830 psig and allows HPI flow at a higher RCS pressure.
 
When the feed and bleed mode of core cooling is required, plant procedures call for starting the makeup pumps and the high-pressure injection pumps. After the pumps are in service, the pressurizer pilot-operated relief valve, the pressurizer vent, and the hot leg vents are opened. The HPI/LPI piggy-back mode of operation is not specifically addressed in the loss of subcooling margin or the overheating sections of plant procedures but may be aligned at the discretion of the operator. All the required feed-and-bleed alignments are performed in the control room.
16.1.6 Steam and Feedwater Rupture Control System (SFRCS)
The steam and feedwater rupture control system (SFRCS) is provided in the plant design as an engineered safety features system for postulated transient or accident conditions arising generally from the secondary (steam generation) side of the plant, because the OTSGs serve as the heat sinks for the reactor power. The SFRCS senses loss of main feedwater (MFW) flow, rupture of an MFW line, and rupture of a main steamline. It also senses loss of all forced coolant flow in the primary system.
The safety function of the SFRCS is to provide safety actuation signals to equipment that will:  isolate the steam flow from the OTSGs, isolate the MFW flow, and start and align the AFW system. The SFRCS also provides output signals to the turbine trip system and to the Anticipatory Reactor Trip System (ARTS).
In the event of loss of MFW pumps or a main feedwater line rupture, the OTSGs would start to boil dry, and, if action is not initiated promptly, there would be no motive steam available for the turbine-driven AFW system and the OTSGs would be lost as heat sinks. As soon as the MFW pump discharge pressure falls below the pressure in the OTSG (i.e., reverse differential pressure across a check valve) by a predetermined value, the SFRCS provides safety actuation signals to close the main steam isolation valves (MSIVs), close the MFW stop and control valves, and start AFW. The SFRCS also receives OTSG low level signals which are diverse from the reverse differential pressure signals.
In the event of steamline pipe ruptures, when the main steam pressure drops, the SFRCS will close both MSIVs and the MFW stop and control valves. The description of the SFRCS in the Updated Safety Analysis Report (USAR) Section 7.4.1.3 does not mention the SFRCS closure (or re-opening) of the AFW containment isolation valves (AF-608 and AF-599), although the design does include such features. The AFW is also initiated and both AFW trains are aligned to draw steam only from, and to provide feed only to, the unaffected "intact" OTSG.
In the event of loss of all four reactor coolant pumps (RCPs), forced cooling flow of the reactor coolant system would be lost and AFW flow is needed to enhance natural circulation flow. Therefore, the SFRCS senses the loss of four RCPs and automatically initiates AFW.
Figure 16-6 depicts the channelization of the SFRCS. There are two Actuation Channels, each of which contains two identical logic channels. Within each Actuation Channel, one logic channel is ac powered and the other logic channel is dc powered. The field wiring at the actuated equipment is such that generally both logic channels must "trip" (i.e., a two-out-of-two AND logical arrangement) to actuate most equipment, which is referred to as a "full trip." However, some equipment is actuated by a "half trip" (i.e., only one logic channel of an actuation channel has tripped). For example, the atmospheric steam vent valves are closed by "half trips."
16.1.7 Pressurizer Pilot Operated Relief Valve

At the top of the pressurizer as shown in Figure 16-1, there are two code safety valves which vent directly to the containment atmosphere, a high-point vent line, and the pilot operated relief valve (PORV) with its associated upstream block valve.
The PORV block valve is a manually-controlled motor-operated valve, equipped with position instrumentation including a position alarm.
The PORV is a style HPV-SN solenoid-controlled pilot-operated pressure relief valve manufactured by the Crosby Valve and Gage Company. It was the Incident Investigation Team's (IIT) understanding that Davis-Besse is the only B&W-designed PWR that has a Crosby PORV. The Crosby PORV is operated by the reactor coolant system pressure via a solenoid-operated pilot valve and therefore does not involve any pneumatic power (instrument air or nitrogen). Electric power is used for the solenoid control device. To actuate the PORV, the solenoid is energized. This action allows the use of reactor coolant system pressure to open the main disc of the valve.
The controls for the PORV include features for automatic operation, manual open, manual close, and lock open. In automatic, the pressure channel's bistable would close one set of contacts above the high pressure setpoint (2425 psig) and would close another set of contacts below the low pressure setpoint (2375 psig). When the high pressure setpoint is reached, the control relay is energized and an electrical seal-in circuit is energized. When the low setpoint is reached, an auxiliary relay is operated which in turn interrupts the valve-open seal-in circuit.
In manual control, the circuit is designed for momentary-only operation of the switch to the valve-open position. The seal-in circuit will hold the valve open if the pressure is above the low pressure setpoint. To lock open the PORV (as would be done for MU/HPI cooling), the manual control switch would be rotated to the "lock open" position. The control circuitry would maintain the PORV solenoid energized regardless of RCS pressure. To manually close the PORV, the control switch must be rotated to the "auto" position and the control switch pushed inward. This action causes both control relays to be deenergized and the seal-in circuit to be deenergized, which in turn causes the PORV solenoid to be deenergized.
The indicators for the PORV include: control power available (blue), automatic (white), PORV open (red), PORV close (green), and lock open (amber). The PORV open/close lights are operated by a limit switch operated by the PORV solenoid plunger (i.e., the output of the electric solenoid; the mechanical input to the PORV). All of these position lights are PORV command indicators, in that they indicate only the position that the electric controls have commanded for the PORV. Only the acoustic monitor is a direct indicator of the flow condition through the PORV/block valve path.
The acoustic monitor for the PORV was installed as one of the post-TMI safety improvements. Two redundant accelerometer sensors are mounted on the discharge piping. Each sensor channel provides a signal to drive the remote 0-100% (open) PORV position meter on the post-accident monitoring (PAM) panel, and an adjustable position signal switch to drive the remote PORV open/closed lights on the PAM panel. The IIT was told that the adjustable switch was set such that the red (open) light would be energized if the flow signal is greater than 22% of the full flow value.
If PORV/block valve flow is less than 22%, the red (open) light would be turned off and the green (closed) light would be energized. The meter could be used to obtain more precise position/flow information. The Post-Accident Monitoring (PAM) panel is a separate panel mounted about 7 ft to the left of where the reactor operator assigned to the primary system would be standing. Both redundant red/green PORV indicating lights are easily visible to the operator if he turns his head. However, the 0-100% meters are relatively small, i.e., vertical edge-mounted meters about 3 inches tall. To read this meter, the operator would have to step a pace or two toward the PAM panel.
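The difference between the PORV command lights and the acoustic monitor described above can be worked through in a short model. This is an added example, not part of the NRC manual or of any plant software: the class and function names and the sample trace are constructed, the 2425/2375 psig setpoints and the 22% light threshold are the values quoted in the text, and treating "reached" as >= / <= is an assumption.

```python
from dataclasses import dataclass

# Values stated in the text above.
HIGH_SETPOINT_PSIG = 2425.0  # control relay and seal-in circuit energize
LOW_SETPOINT_PSIG = 2375.0   # auxiliary relay interrupts the seal-in circuit
ACOUSTIC_OPEN_PCT = 22.0     # PAM red light when the flow signal exceeds this


@dataclass
class PorvControl:
    """Electrical controls only: the state they command for the solenoid."""
    seal_in: bool = False
    locked_open: bool = False

    @property
    def solenoid_energized(self) -> bool:
        return self.locked_open or self.seal_in

    def update(self, rcs_psig: float) -> bool:
        """Automatic action for one pressure sample (>= / <= is an assumption)."""
        if rcs_psig >= HIGH_SETPOINT_PSIG:
            self.seal_in = True
        elif rcs_psig <= LOW_SETPOINT_PSIG:
            self.seal_in = False
        # Between the setpoints the seal-in keeps its previous state.
        return self.solenoid_energized

    def manual_open(self, rcs_psig: float) -> bool:
        """Momentary switch: the seal-in holds only above the low setpoint."""
        self.seal_in = rcs_psig > LOW_SETPOINT_PSIG
        return self.solenoid_energized

    def lock_open(self) -> None:
        """Lock open: solenoid stays energized regardless of RCS pressure."""
        self.locked_open = True

    def manual_close(self) -> None:
        """Switch to auto and pushed in: relays and seal-in de-energize."""
        self.locked_open = False
        self.seal_in = False


def command_light(solenoid_energized: bool) -> str:
    """Limit switch on the solenoid plunger: shows the commanded position."""
    return "red" if solenoid_energized else "green"


def acoustic_light(flow_pct: float) -> str:
    """PAM panel light driven by measured flow through the PORV/block path."""
    return "red" if flow_pct > ACOUSTIC_OPEN_PCT else "green"


def mismatch(command: str, acoustic: str):
    """Cross-check of the two indications; None when they agree."""
    if command == "green" and acoustic == "red":
        return "flow detected while commanded closed"
    if command == "red" and acoustic == "green":
        return "no flow while commanded open"
    return None


def run_trace(trace):
    """Feed (rcs_psig, flow_pct) samples through the controls and both lights."""
    ctl = PorvControl()
    rows = []
    for rcs_psig, flow_pct in trace:
        cmd = command_light(ctl.update(rcs_psig))
        aco = acoustic_light(flow_pct)
        rows.append((rcs_psig, cmd, aco, mismatch(cmd, aco)))
    return rows


# Constructed samples (RCS pressure in psig, acoustic flow signal in percent).
# The main disc is assumed to stay open after the solenoid de-energizes,
# until flow is stopped in the last sample.
SAMPLE_TRACE = [
    (2300.0, 0.0),
    (2430.0, 100.0),
    (2400.0, 100.0),   # between setpoints: seal-in holds the command open
    (2370.0, 95.0),    # command goes closed, flow continues
    (2200.0, 90.0),
    (2150.0, 0.0),
]

if __name__ == "__main__":
    for row in run_trace(SAMPLE_TRACE):
        print(row)
```

In the constructed trace the command light turns green as soon as pressure falls to the low setpoint, so only the acoustic channel shows that flow is continuing.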
16.2 Event Narrative

This detailed description of the Davis-Besse loss-of-feedwater event focuses attention on the operator actions which prevented a potentially serious event, both in terms of safety and economics, from occurring. From their normal operating routine, the operators were plunged abruptly into a high stress situation requiring complicated responses outside the control room. Furthermore, these activities unfolded early on a Sunday morning when additional technical expertise from either onsite or offsite was at a minimum.
In view of the importance of the operator actions, the narrative of the event which follows is based upon a composite of the operator interviews performed by the IIT. The narrative is written to reflect the operators' descriptions of their actions, observations, and thoughts during the event. The IIT decided that this would best convey the effects of stress, training, experience, teamwork, and impediments on operator performance. There are undoubtedly lessons to be learned about what operators are likely to do during a serious event which are not easily summarized, but which perhaps can be inferred from the descriptions of what occurred during this particular event.
16.2.1 Shift Change

On June 9, 1985, the midnight shift of operators assumed control of the Davis-Besse nuclear power plant. The oncoming shift included four licensed operators, four equipment operators, an auxiliary operator, and an administrative assistant. The shift supervisor and assistant shift supervisor were the most experienced members of the operating crew. Both were at the plant before it was issued an operating license in April 1977. The two reactor operators, who were responsible for the control room, had decided between themselves who would be responsible for the primary-side and who would take the secondary-side work station. The secondary-side operator had been a licensed reactor operator for about two years; the primary-side operator was licensed in January 1985.
The shift turnover on June 9 was easy - there were no ongoing tests or planned changes to the plant status. The plant was operating at 90 percent of the full power authorized in the license granted by the NRC in April 1977, to minimize the potential for an inadvertent reactor trip (i.e., shutdown) due to noise on primary coolant flow instrumentation.
All the major equipment control stations were in automatic except the No. 2 main feedwater pump. As a result, the integrated control system instruments were monitoring and controlling the balance between the plant's reactor coolant system and the secondary coolant system.
Since April 1985, there had been control problems with both main feedwater pumps. Troubleshooting had neither identified nor resolved the problems. In fact, a week earlier, on June 2, 1985, both feedwater pumps tripped unexpectedly after a reactor trip. After some additional troubleshooting, the decision was made to not delay startup any longer, but to put instrumentation on the pumps to help diagnose the cause of a pump trip, if it occurred again. As a precaution, the number two main feedwater pump was operating in manual control to prevent it from tripping and to ensure that all main feedwater would not be lost should the reactor trip.
During the first hour of the shift, the operators' attention and thoughts were directed to examining the control panels and alarm panels, and performing instrument checks and routine surveillances associated with shift turnover. Thus, at 1:35 in the morning, the plant generator was providing electricity to the Ohio countryside. The secondary-side operator had gone to the kitchen where he joined an equipment operator for a snack. The other reactor operator was at the operator's desk studying procedures for requalification examinations. The assistant shift supervisor had just left the kitchen on his way back to the control room after a break. The shift supervisor was in his office outside the control room performing administrative duties.
16.2.2 Reactor Trip - Turbine Trip

The assistant shift supervisor entered the control room and was examining one of the consoles when he noticed that main feedwater flow was decreasing and that the No. 1 main feedwater pump had tripped (Figures 16-7 through 16-9 trace the major primary and secondary parameters and will be referred to for the remainder of this discussion). Since the No. 2 feedwater pump was in manual control, it could not respond to the integrated control system demand automatically to increase feedwater flow.
 
The "winding down" sound of the feedwater pump turbine was heard by the reactor operator in the kitchen, and by the administrative assistant and the shift supervisor, both of whom were in their respective offices immediately outside the control room. They headed immediately for the control room - the event had begun.
The secondary-side reactor operator ran to his station and immediately increased the speed of the No. 2 main feedwater pump to compensate for the decrease of feedwater flow from the No. 1 pump. The primary-side operator had already opened the pressurizer spray valve in an attempt to reduce the pressure surge resulting from the heatup of the reactor coolant system due to a decrease in feedwater flow.
The plant's integrated control system attempted automatically to reduce reactor/turbine power in accordance with the reduced feedwater flow. The control rods were being inserted into the core and reactor power had been reduced to about 80 percent. At the same time the primary-side reactor operator held open the pressurizer spray valve in an attempt to keep the reactor coolant pressure below the high pressure reactor trip setpoint of 2300 psig (normal pressure is 2150 psig). However, the reduction of feedwater and subsequent degradation of heat removal from the primary coolant system caused the reactor to trip on high reactor coolant pressure. The operators had done all they could do to prevent the trip, but the safety systems had acted automatically to shut down the nuclear reaction.
The primary-side operator acted in accordance with the immediate post-trip actions specified in the emergency procedure that he had memorized. Among other things, he checked that all control rod bottom lights were on, hit the reactor trip (shutdown) button, isolated letdown from the reactor coolant system, and started a second makeup pump in anticipation of a reduced pressurizer inventory after a normal reactor trip. Then he waited, and watched the reactor coolant pressure to see how it behaved.
The secondary-side operator heard the turbine stop valves slamming shut and knew the reactor had tripped. This "thud" was heard by most of the equipment operators who also recognized its meaning, and two of them headed for the control room. Almost simultaneously, the secondary-side operator heard the loud roar of main steam safety valves opening, a sound providing further proof that the reactor had tripped. The lifting of safety valves after a high-power reactor trip was normal. Everything was going as expected as he waited and watched the steam generator water levels boil down - each should have reached the normal post-trip low-level limit of 35 inches on the startup level instrumentation and held steady.
The shift supervisor joined the operator at the secondary-side control console and watched the rapid decrease of the steam generator levels. The rapid feedwater reduction system (a subsystem of the integrated control system) had closed the startup feedwater valves, but as the level approached the low level limits, the startup valves opened to hold the level steady. The main steam safety valves closed as expected. The system response was looking "real good" to the shift supervisor.
The assistant shift supervisor in the meantime opened the plant's loose leaf emergency procedure book. (It is about two inches thick, with tabs for quick reference. The operators refer to it as emergency procedure 1202:01; the NRC refers to it as the ATOG procedure - Abnormal Transient Operating Guidelines.) As he read aloud the immediate actions specified, the reactor operators were responding in the affirmative. After phoning the shift technical advisor (STA) to come to the control room, the administrative assistant began writing down what the operators were saying, although they were speaking faster than she could write.
16.2.3 Loss of Main Feedwater
Although the assistant shift supervisor was loudly reading the supplementary actions from the emergency procedure book, the shift supervisor heard the main steam safety valves open again. He knew from experience that something was unusual and instinctively surveyed the control console and panels for a clue. He discovered that both main steam isolation valves (MSIVs) had closed - the first and second of a list of unexpected equipment performances and failures that occurred during the event.
The secondary-side operator was also aware that something was wrong because he noticed that the speed of the only operating main feedwater pump was decreasing. After verifying that the status of the main feedwater pump turbine was normal, he concluded that the turbine was losing steam pressure at about the same time that the shift supervisor shouted that the MSIVs were closed. All eyes then turned up to the annunciators at the top of the back panel. They saw nothing abnormal in the kind or number of annunciators lit after the reactor trip. The operators expected to find an alarm indicating that the Steam Feedwater Rupture Control System (SFRCS, pronounced S-FARSE) had activated. Based on their knowledge of previous events at the plant, they believed that either a partial or full actuation of the SFRCS had closed the MSIVs. However, the SFRCS annunciator lights were dark. The MSIVs had closed at 1:36 a.m. and they were going to stay closed. It normally takes at least one-half hour to prepare the steam system for reopening the valves.
The No. 2 main feedwater pump turbine, deprived of steam, was slowly winding down. Since the MSIVs were closed and there was limited steam inventory in the moisture separator reheaters, there was inadequate motive power to pump feedwater to the steam generators. At about 1:40 a.m. the discharge pressure of the pump had dropped below the steam pressure, which terminated main feedwater flow.
16.2.4 Loss of Emergency Feedwater
The secondary-side operator watched the levels in both steam generators boil down; he had also heard the main steam safety valves lifting. Without feedwater, he knew that an SFRCS actuation on low steam generator level was imminent. The SFRCS would actuate the auxiliary feedwater system (AFWS), which in turn would provide emergency feedwater to the steam generators. He was trained to trip manually any system that he felt was going to trip automatically. He requested and received permission from the shift supervisor to trip the SFRCS on low level to conserve steam generator inventory; i.e., the AFWS would be initiated before the steam generator low-level setpoint was reached.
He went to the manual initiation switches at the back panel and pushed two buttons to trip the SFRCS. He inadvertently pushed the wrong two buttons, and, as a result, both steam generators were isolated from the emergency feedwater supply. He had activated the SFRCS on low pressure for each steam generator instead of on low level. By manually actuating the SFRCS on low pressure, the SFRCS was signaled that both generators had experienced a steamline break or leak, and the system responded, as designed, to isolate both steam generators. The operator's anticipatory action defeated the safety function of the auxiliary feedwater system - a common-mode failure and the third abnormality to occur within 6 minutes after the reactor trip.
The operator returned to the auxiliary feedwater station expecting the AFWS to actuate and to provide the much-needed feedwater to the steam generators that were boiling dry. Instead, he first saw the No. 1 AFW pump, followed by the No. 2 AFW pump, trip on overspeed - a second common-mode failure of the auxiliary feedwater system and abnormalities four and five. He returned to the SFRCS panel to find that he had pushed the wrong two buttons.
The operator knew what he was supposed to do. In fact, most knowledgeable people in the nuclear power industry, even control room designers, know that the once-through steam generators in Babcock & Wilcox-designed plants can boil dry in as little as 5 minutes; consequently, it is vital for an operator to be able to quickly start the AFWS. There could have been a button labeled simply "AFWS-Push to Start."  But instead, the operator had to do a mental exercise to first identify a signal in the SFRCS that would indirectly start the AFW system, find the correct set of buttons from a selection of five identical sets located knee-high from the floor on the back panel, and then push them without being distracted by the numerous alarms and loud exchanges of information between operators.
The shift supervisor quickly determined that the valves in the AFWS were improperly aligned. He reset the SFRCS, tripped it on low level, and corrected the operator's error about one minute after it occurred. This action commanded the SFRCS to realign itself such that each AFW pump delivered flow to its associated steam generator. Thus, had both systems (the AFWS and SFRCS) operated properly, the operator's mistake would have had no significant consequences on plant safety.
The assistant shift supervisor, meanwhile, continued reading aloud from the emergency procedure. He had reached the point in the supplementary actions that requires verification that feedwater flow was available. However, there was no feedwater, not even from the AFWS, a safety system designed to provide feedwater in the situation that existed. (The Davis-Besse emergency plan identifies such a situation as a Site Area Emergency.) Given this condition, the procedure directs the operator to the section entitled, "Lack of Heat Transfer." He opened the procedure at the tab corresponding to this condition, but left the desk and the procedure at this point, to diagnose why the AFWS had failed. He performed a valve alignment verification and found that the isolation valve in each AFW train had closed. Both valves (AF-599 and AF-608) had failed to reopen automatically after the shift supervisor had reset the SFRCS. He tried unsuccessfully to open the valves with the pushbuttons on the back panel. He went to the SFRCS cabinets in the back of the back panel to clear any trips in the system and block them so that the isolation valves could open. However, there were no signals keeping the valves closed. He concluded that the torque switches in the valve operators must have tripped. The AFW system had now suffered its third common-mode failure, thus increasing the number of malfunctions to seven within 7 minutes after the reactor trip (1:42 a.m.).
16.2.5 Reactor Coolant System Heatup
Meanwhile, about 1:40 a.m., the levels in both steam generators began to decrease below the normal post-reactor-trip limit (about 35 inches on the startup range). The feedwater flow provided by the No. 1 main feedwater pump had terminated. The flow from the No. 2 main feedwater pump was decreasing because the MSIVs were closed, which isolated the main steam supply to the pump. With decreasing feedwater flow, the effectiveness of the steam generators as a heat sink for removing decay (i.e., residual) heat from the reactor coolant system rapidly decreased. As the levels boiled down through the low-level setpoint (the auxiliary feedwater should automatically initiate at about 27 inches), the average temperature of the reactor coolant system began to increase, indicating a lack of heat transfer from the primary to the secondary coolant system. When the operator incorrectly initiated SFRCS on low pressure, all feedwater was isolated to both steam generators. The reactor coolant system began to heat up because heat transfer to the steam generators was essentially lost due to loss of steam generator water level.
The average reactor coolant temperature increased at the rate of about 4 degrees Fahrenheit per minute for about 12 minutes. The system pressure also increased steadily until the operator fully opened the pressurizer spray valve (at about 1:42 a.m.). The spray reduced the steam volume in the pressurizer and temporarily interrupted the pressure increase. The pressurizer level increased rapidly, but the pressurizer did not completely fill with water. As the indicated level exceeded the normal value of 200 inches, the control valve for makeup flow automatically closed.
At this point, things in the control room were hectic. The plant had lost all feedwater; reactor pressure and temperature were increasing; and a number of unexpected equipment problems had occurred. The seriousness of the situation was fully appreciated.
16.2.6 Operator Actions
By 1:44 a.m., the licensed operators had exhausted every option available in the control room to restore feedwater to the steam generators. The main feedwater pumps no longer had a steam supply. Even if the MSIVs could be opened, the steam generators had essentially boiled dry, and sufficient steam for the main feedwater pump turbines would likely not have been available. The turbines for the AFW pumps had tripped on overspeed, and the trip throttle valves could not be reset from the control room. Even if the AFW pumps had been operable, the isolation valves between the pumps and steam generators could not be opened from the control room, which also inhibited the AFWS from performing its safety function. The likelihood of providing emergency feedwater was not certain, even if the AFW pump overspeed trips could be reset and the flow paths established; for example, there was a question as to whether there was enough steam remaining in the steam generators to start the steam-driven pumps. Unknown to the operators, the steam inventory was further decreased because of problems controlling main steam pressure. The number of malfunctions had now reached eight.
Three equipment operators had been in the control room since shortly after the reactor tripped. They had come to the control room to receive directions and to assist the licensed operators as necessary. They were on the sidelines watching their fellow operators trying to gain control of the situation.
The safety-related AFW equipment needed to restore water to the steam generators had failed in a manner that could only be remedied at the equipment locations and not from the control room. The affected pumps and valves are located in locked compartments deep in the plant.
The primary-side reactor operator directed two of the equipment operators to go to the auxiliary feedwater pump room to determine what was wrong - and hurry.
The pump room, located three levels below the control room, has only one entrance:  a sliding grate hatch that is locked with a safety padlock. One of the operators carried the key ring with the padlock key in his hand as they left the control room. They violated the company's "no running" policy as they raced down the stairs. The first operator was about 10 feet ahead of the other operator, who tossed him the keys so as not to delay unlocking the auxiliary feedwater pump room. The operator ran as fast as he could and had unlocked the padlock by the time the other operator arrived to help slide the hatch open.
The operators descended the steep stairs resembling a ladder into the No. 2 AFW pump room. They recognized immediately that the trip throttle valve had tripped (Figure 6-10). One operator started to remove the lock wire on the handwheel while the other operator opened the water-tight door to the No. 1 AFW pump. He also found the trip throttle valve tripped and began to remove the lock wire from the handwheel.
The shift supervisor had just dispatched a third equipment operator to open AFW isolation valves AF-599 and AF-608. These are chained and locked valves, and the shift supervisor gave the locked-valve key to the operator before he left the control room. He paged a fourth equipment operator over the plant communications systems and directed him also to open valves AF-599 and AF-608. Although the operators had to go to a different room for each valve, they opened both valves in about 3-1/2 minutes. They were then directed to the AFW pump room.
As the operators ran to the equipment, a variety of troubling thoughts ran through their minds. One operator was uncertain if he would be able to carry out the task that he had been directed to do. He knew that the valves he had to open were locked valves, and that they could not be operated manually without a key. He did not have a key and that concerned him. As he moved through the turbine building, he knew there were numerous locked doors that he would have to go through to reach the valves. He had a plastic card to get through the card readers, but they had been known to break and fail. He did not have a set of door keys, and he would not gain access if his key card broke, and that concerned him too.
The assistant shift supervisor came back into the control console area after having cleared the logic for the SFRCS and he tried again, unsuccessfully, to open the AFWS isolation valves. At this point, the assistant shift supervisor made the important decision to attempt to place the startup feedwater pump (SUFP) in service to supply feedwater to the steam generators. He went to the key locker for the key required to perform one of the five operations required to get the pump running.
The SUFP is a motor-driven pump, usually more reliable than a turbine-driven pump, and more importantly, it does not require steam from the steam generators to operate. The SUFP is located in the same compartment as the No. 2 AFW pump. But since the refueling outage in January 1985, the SUFP had been isolated by closing four manual valves, and its fuses were removed from the motor control circuit. This isolation was believed necessary because of the consequences of a high-energy break of the non-seismic grade piping which passes through the two seismic-qualified AFW pump rooms. Prior to January 1985, the SUFP could be initiated from the control room by the operation of a single switch.
The assistant shift supervisor headed for the turbine building, where he opened the four valves and placed the fuses in the pump electrical switchgear. This equipment is located at four different places; in fact, other operators had walked through the procedure of placing the SUFP in operation and required 15 to 20 minutes to do it. The assistant shift supervisor took about 4 minutes to perform these activities. He then paged the control room from the AFW pump room and instructed the secondary-side operator to start the pump and align it with the No. 1 steam generator.
The two equipment operators in the AFW pump rooms had been working about 5 minutes to reset the trip throttle valves when the assistant shift supervisor entered the room to check the SUFP. The equipment operators thought that they had latched and opened the valves. However, neither operator was initially successful in getting the pumps operational. Finally, after one equipment operator had tried everything that he knew to get the No. 1 AFW pump operating, he left it and went to the No. 2 AFW pump, where the other operator was having the same problem of getting steam to the turbine. Neither operator had previously performed the task that he was attempting.
The assistant shift supervisor went over to assist the equipment operators and noticed immediately that the trip throttle valves were still closed. Apparently, the equipment operators had only removed the slack in attempting to open the valve. The valve was still closed, and the differential pressure on the wedge disk made it difficult to turn the handwheel after the slack was removed, thus necessitating the use of a valve wrench. A third, more experienced operator had entered the pump room and used a valve wrench to open the trip throttle valve on AFW pump No. 2. Without the benefit of such assistance, the equipment operators may well have failed to open the trip throttle valves to admit steam to the pump turbines.
The third equipment operator then proceeded to the No. 1 AFW pump trip throttle valve. The valve had not been reset properly, and he experienced great difficulty in relatching and opening it because he had to hold the trip mechanism in the latched position and open the valve with the valve wrench. Because the trip mechanism was not reset properly, the valve shut twice before he finally opened the valve and got the pump operating.
16.2.7 PORV Failure
Prior to being informed by the assistant shift supervisor that the SUFP was available, the secondary-side operator requested the primary-side operator to reset the isolation signal to the startup feedwater valves in preparation for starting the SUFP. In order to perform this task, the operator left the control console and went to the SFRCS cabinets in back of the control room. As he re-entered the control panel area, he was requested to reset the atmospheric vent valves. As a result of these activities, the primary-side operator estimated that he was away from his station for 20 to 30 seconds. (In fact, he was away for about two minutes.)
While the operator was away from the primary-side control station, the pressurizer PORV opened and closed twice without his knowledge. The pressure had increased because of the continued heatup of the reactor coolant system that resulted when both steam generators had essentially boiled dry.
According to the emergency procedure, a steam generator is considered "dry" when its pressure falls below 960 psig and is decreasing, or when its level is below 8 inches on the startup range (normal post-trip pressure is 1010 psig and post-trip level is 35 inches). The instrumentation in the control room is inadequate for the operator to determine with certainty if these conditions exist in a steam generator. The lack of a trend recorder for steam generator pressure makes it difficult to determine if the steam pressure is 960 psig and decreasing. The range of the steam generator level indicator in the control room is 0-250 inches, a scale which makes determining the 8-inch level difficult. The safety parameter display system (SPDS) is intended to provide the operators with these critical data, but both channels of the SPDS were inoperable prior to and during this event. Thus, the operators did not know that the conditions in the steam generators beginning at about 1:47 a.m. were indicative of a "dry" steam generator, or subsequently, that both steam generators were essentially dry.
When both steam generators are dry, the procedure requires the initiation of makeup/high-pressure injection (MU/HPI) cooling, or what is called the "feed-and-bleed" method for decay heat removal. Even before conditions in the steam generators met these criteria, the shift supervisor was fully aware that MU/HPI cooling might have been necessary. When the hot-leg temperature reached 591°F (normal post-trip temperature is about 550°F), the secondary-side operator recommended to the shift supervisor that MU/HPI cooling be initiated. At about the same time, the operations superintendent told the shift supervisor in a telephone discussion that if an auxiliary feedwater pump was not providing cooling to one steam generator within one minute, to prepare for MU/HPI cooling. However, the shift supervisor did not initiate MU/HPI cooling. He waited for the equipment operators to recover the auxiliary feedwater system.
The shift supervisor appreciated the economic consequences of initiating MU/HPI cooling. One operator described it as a drastic action. During MU/HPI, the PORV and the high point vents on the reactor coolant system are locked open, which breaches one of the plant's radiological barriers. Consequently, radioactive reactor coolant is released inside the containment building. The plant would have to be shut down for days for cleanup even if MU/HPI cooling was successful. In addition, achieving cold shutdown could be delayed. Despite his delay, the shift supervisor acknowledged having confidence in this mode of core cooling based on his simulator training; he would have initiated MU/HPI cooling if "it comes to that."
The primary-side operator returned to his station and began monitoring the pressure in the pressurizer, which was near the PORV setpoint (2425 psig). The PORV then opened, and he watched the pressure decrease. The indicator in front of him signaled that there was a closed signal to the PORV and that it should be closed. The acoustic monitor installed after the TMI accident was available to him to verify that the PORV was closed, but he did not look at it. Instead, he looked at the indicated pressurizer level, which appeared steady, and based on simulator training, he concluded that the PORV was closed. In fact, the PORV had not completely closed and, as a result, the pressure decreased at a rapid rate for about 30 seconds.
The operator did not know that the PORV had failed. He believed that the RCS depressurization was due either to the fully open pressurizer spray valve or to the feedwater flow to the steam generators. He closed the spray valve and the PORV block valve as precautionary measures. But subsequent analyses showed that the failed PORV was responsible for the rapid RCS depressurization. Two minutes later, the reactor operator opened the PORV block valve to ensure that the PORV was available. Fortunately, the PORV had closed during the time the block valve was closed. The failed PORV was the ninth abnormality that had occurred within 15 minutes after reactor trip.
16.2.8 Steam Generator Refill
At about 1:50 a.m. the No. 1 atmospheric vent valve opened and depressurized the No. 1 steam generator to about 750 psig when the SFRCS signal was reset by the primary-side operator. The atmospheric vent valve for the No. 2 steam generator had been closed by the secondary-side operator before the SFRCS signal was reset. The indicated No. 1 steam generator level was less than 8 inches. The corresponding pressure and indicated level in the No. 2 steam generator were about 928 psig and 10 inches, respectively. The indicated levels continued to decrease until the secondary-side operator started the SUFP after being informed by the assistant shift supervisor that it was available and after the other operator had reset the isolation signal to the startup feedwater valves.
Although the flow capacity of the SUFP is somewhat greater, approximately 150 gallons per minute (gpm) were fed to the steam generators because the startup valves were not fully opened. Essentially all the feedwater from the SUFP was directed to the No. 1 steam generator. At about 1:52 a.m., the pressure in the No. 1 steam generator increased sharply, while the indicated water level stopped decreasing and began slowly to increase. Since there was little feedwater sent to the No. 2 steam generator, its condition did not change significantly.
The trip throttle valve for the No. 2 AFW pump was opened by the equipment operators at about 1:53 a.m. After the SFRCS was reset and tripped on low level by the shift supervisor, the AFWS aligned itself so that each AFW pump would feed only its associated steam generator; i.e., the No. 2 AFW pump would feed the No. 2 steam generator. Thus, the No. 2 AFW pump refilled the No. 2 steam generator, and its pressure increased abruptly to the atmospheric vent valve relief set point. The turbine governor valve was fully open when the trip throttle valve was opened, and the pump delivered full flow for about 30 seconds until the operator throttled the flow down.
The No. 1 trip throttle valve was opened by the equipment operator about 1:55 a.m., and feedwater from the AFWS flowed to the No. 1 steam generator. However, the No. 1 AFW pump was not controlled from the control room but controlled locally by the equipment operators.
The equipment operators controlled the pump locally using the trip throttle valve. One operator manipulated the valve based on hand signals from the operator who was outside the No. 1 AFW pump room communicating with the control room operator. For two hours the AFW pump was controlled in this manner by the operators. Their task was made more difficult from the time they first entered the AFW pump room by the intermittent failures of the plant communication station in the room.
With feedwater flow to the steam generators, the heatup of the reactor coolant system ended. At about 1:53 a.m. the average reactor coolant temperature peaked at about 592°F and then decreased sharply to 540°F in approximately 6 minutes (normal post-trip average temperature is 550°F). Thus, the reactor coolant system experienced an overcooling transient caused by an excessive AFW flow from the condensate storage tank. The overfill of the steam generators caused the reactor coolant system pressure to decrease towards the safety features actuation system (SFAS) setpoint of 650 psig. To compensate for the pressure decrease, and to avoid an automatic SFAS actuation, at approximately 1:58 a.m., the primary-side operator aligned one train of the emergency core cooling system (ECCS) in the piggyback configuration. In this configuration the discharge of the low-pressure injection pump is aligned to the suction of the high-pressure injection pump to increase its shutoff head pressure to about 1830 psig. At about the time the train was actuated, the combination of pressurizer heaters, makeup flow, and reduction of the AFW flow increased the reactor coolant pressure above 1830 psig. As a result, only a limited amount (an estimated 50 gallons) of borated water was injected into the primary system from the ECCS.
At 1:59 a.m., the No. 1 AFW pump suction transferred spuriously from the condensate storage tank to the service water system (malfunction number 10). This action was not significant, but it had occurred before and had not been corrected. Similarly, a source range nuclear instrument became inoperable after the reactor trip (malfunction number 11) and the operators initiated emergency boration pursuant to procedures. (Note: One channel had been inoperable prior to the event.) The source range instrumentation had malfunctioned previously and apparently had not been properly repaired. Also, the control room ventilation system tripped into its emergency recirculation mode (malfunction number 12), which had also occurred prior to this event.
The steam generator water levels soon exceeded the normal post-trip level, and the operator terminated AFW flow to the steam generators. The subcooling margin remained adequate throughout this event. The event ended at about 2 o'clock in the morning, twelve malfunctions and approximately 30 minutes after it began.
16.2.9 PRA Insights
Two major points concerning risk are evident from this event. The first is the probability of multiple equipment failures, and the second is a human reliability issue.
One of the major insights gained from a PRA is the risk associated with multiple failures of plant systems. However, the assumption of multiple failures is usually criticized by the plant staff as a series of incredible failures. This event provides a very dramatic example of the possibility of multiple failures. First, the loss of one main feedwater pump resulted in a transient that challenged plant systems. Next, multiple failures of safety-related systems did occur. As discussed in this chapter, both AFW pump turbines, both AFW isolation valves, and the PORV failed to respond properly during the event. This list does not include the actions of the SFRCS system, the failure of a turbine bypass valve, and the loss of source range instrumentation.
 
One of the most difficult probabilities to include in a PRA is the failure of the operators to take proper action or human failure that results in an improper action. In this event, an operator error occurred when the SFRCS was manually initiated. Failure to recover after a system failure has occurred is demonstrated by the failure of the auxiliary operators to correctly reset the overspeed trips on the auxiliary feedwater pump turbines. In contrast to these two errors are the almost heroic actions that were performed by the assistant shift supervisor. This individual attempted to reset the SFRCS so that auxiliary feedwater could be added to the steam generators, and aligned the startup feedwater pump for service.
A calculation of conditional core vulnerability and core damage probabilities for this event was performed and appears in NUREG/CR-4674, "Precursors to Potential Severe Core Damage Accidents: 1985 A Status Report."  The dominant sequence for core vulnerability has a probability of 9.085E-03, and the event tree for this sequence is shown in Figure 16-11. The dominant sequence for core damage has a conditional probability of 4.680E-03, and the event tree for this sequence is shown in Figure 16-12. Note that this sequence contains a failure of the HPI feed and bleed. The hesitancy of the shift supervisor to initiate this system could have led to this failure.
 
USNRC HRTD 16-21 Rev 05/2008 APPENDIX - SEQUENCE OF EVENTS Initial Conditions
* Unit operating at 90% power * #1 MFP operating in automatic (ICS) control * #2 MFP operating in manual control
* One source range NI inoperable
* Both channels of the SPDS inoperable Transient Initiator 01:35:00 #1 MFP trips. Control system causes MFP flow increase; MFP turbine trips on overspeed.
Partial Loss of Main Feedwater 01:35:01 Unit runback at 50%/min toward 55%. 01:35:21 Manual increase of #2 MFP speed. PZR spray valve opened to 100% in manual. 01:35:30 Reactor/turbine trip from 80% caused by high RCS pressure (2300 psig). 01:35:31 SFRCS low level trip - channel 2. 01:35:31 Both MSIVs start to close. 01:35:34 SFRCS actuation signal clears automatically. 01:35:36 MSIV #2 close. 01:35:37 MSIV #1 closed. The main steam supply to #2 MFP is isolated. Steam from the MSR and MS piping will drive the turbine for about 4-1/2 minutes. 01:35:45 PZR spray valve closed. 01:35:56 OTSGs on low level limits (35 in.). 01:40:00 OTSG levels begin to drop below low level limits.
Complete Loss of Main Feedwater 01:41:04 SFRCS OTSG #1 low level (26.5 in.) actuation.  #1 AFW turbine being supplied with steam from and supplying feedwater to #1 OTSG. 01:41:08 Operator manually actuates SFRCS on low OTSG pressure. The low pressure actuation is in both SFRCS channels, and the system senses ~steam ruptures" in both OTSGs. The following equipment changes due to the manual actuation: 1. #1 AFW turbine is aligned to be supplied from #2 OTSG. 2. #2 AFW turbine is aligned to be supplied from #1 OTSG. 3. #1 OTSG AFW containment isolation valve is automatically closed. 4. #2 OTSG AFW containment isolation valve is automatically closed. 5. The AFW cross-connect valves open.
* 01:41:13 SFRCS channel 2 low level trip. Pressure trip has priority.
* 01:41:31 #1 AFW turbine trips on overspeed.
* 01:41:44 #2 AFW turbine trips on overspeed.
* 01:42:00 Manual reset of SFRCS. The AFW containment isolation valves should have re-opened automatically, but did not. An attempt was made to re-open the valves from the main control panel, but the valves did not respond.
* 01:42:00 PZR spray valve opened.
* 01:43:55 "Initiate reset and block" of SFRCS attempted in an effort to re-open AFW containment isolation valves. Valves did not open.
* 01:44: + Equipment operators dispatched to the plant to operate the following equipment:
  1. Two operators to the AFW turbines to restore AFW pumps to service.
  2. The assistant shift supervisor left the control room to place the startup feed pump in service.
  3. Two operators were sent to open the AFW containment isolation valves.
* 01:44:50 Makeup flow decreases as pressurizer level increases above the normal setpoint of 200 in.
* 01:45:50 #2 AFW turbine overspeed trip reset locally.
* 01:45:29 OTSG #1 atmospheric vent valve opened.
* 01:46:30 #1 AFW turbine throttle valve relatched and valve opened (overspeed trip not cleared). Speed controlled locally throughout event.
* 01:47:33 OTSG #1 below 960 psig and decreasing.
* 01:47:48 OTSG #2 AFW containment isolation valve opened locally.
* 01:48:08 OTSG #1 atmospheric vent valve closed.
* 01:48:49 PZR PORV opens at 2433 psig (2425 psig setpoint).
* 01:48:51 OTSG #2 pressure <960 psig and decreasing. Both OTSGs now "dried out." Procedures require MU/HPI core cooling. MU/HPI core cooling is also called "feed and bleed" core cooling.
* 01:48:52 PORV closed at 2377 psig. (2375 setpoint)
* 01:49:28 OTSG #1 AFW containment isolation valve opened manually.
* 01:50:09 PORV opens at 2434 psig.
* 01:50:12 PORV closes at 2369 psig.
* 01:50:13 OTSG #1 atmospheric vent valve opened; OTSG pressure drops rapidly to 750 psig.
* 01:51:17 OTSG #1 level drops below 8 in. (MU/HPI cooling criterion)
* 01:51:18 PORV opens at 2435 psig and does not close.
* 01:51:23 Startup feedwater pump motor started.
* 01:51:30 Obtained flow from startup feedpump to OTSG #1.
 
* 01:51:42 Operator started to close the PORV block valve as pressure fell through 2140 psig.
* 01:51:42 RCS loop #1 reaches a minimum pressure of 2081 psig. Loop #1 T hot=588.6°F, T ave=587.5°F.
* 01:51:43 PZR spray valve closed.
* 01:51:49 Acoustic monitor indicates <20% flow through the PORV and PORV block valve.
* 01:53:00 T hot reaches maximum value of 593.5°F.
* 01:53:22 AFW train #2 has significant flow, with control locally via the trip-throttle valve.
* 01:53:25 RCS Tave reaches maximum of 592.3°F.
* 01:53:35 OTSG #2 returns to above 960 psig.
* 01:53:56 PORV block valve re-opened.
* 01:54:45 OTSG #1 returns to above 960 psig.
* 01:54:46 AFW train #1 has significant flow.
* 01:56:58 OTSG #2 atmospheric vent valve open. Pressure <960 psig.
* 01:57:05 OTSG #1 <960 psig.
* 01:57:53 Low suction pressure developed on #1 AFW pump.
* 01:58: + Tave passed through the normal post-trip value. The cooldown (due to feedwater) has lowered RCS pressure to about 1720 psig. The operators have manually started #1 HPI pump in the piggy back mode of operation to maintain pressurizer level. About 50 gallons of water is injected.
* 01:58:08 RCS pressure reaches a minimum of 176 psig. T hot=546°F, T ave=546.2°F.
* 01:58:27 AFW pump suction pressure returns to normal.
* 01:58:28 OTSG #1 atmospheric vent valve closed.
* 01:58:33 AFW flow to #1 OTSG reduced to control level.
* 01:58:40 AFW #1 suction transfers to service water. Manual realignment to CST.
* 01:58:57 AFW pump turbine overspeed trip reset.
* 02:01: + When AFW turbine #2 was returned to service, the control room operator controlled the pump in manual rather than returning it to auto.
* 02:01:13 AFW train #2 flow reduced.
* 02:02:27 OTSG #1 pressure >960 psig.
* 02:02:30 OTSG #2 pressure >960 psig.
* 02:04: Plant conditions essentially stable.
 
Additional Complications
* Control room HVAC spuriously tripped to the emergency mode.
* Upon energization, the remaining source range NI failed off-scale low. All control rods were verified to be fully inserted, and emergency boration was initiated.
* The main turbine did not go on turning gear.
* The operator attempted to override the automatic close signal for one of the SU reg valves, but a burned out light bulb prevented reset indication.
* When vacuum was restored and the MSIVs opened, a water slug damaged one of the turbine bypass valves.
 
Figure 16-1 Davis-Besse NSSS
Figure 16-2 Main Steam System
Figure 16-3 Main Feedwater System
Figure 16-4 Auxiliary Feedwater System
Figure 16-5 Emergency Core Cooling Systems
Figure 16-6 Steam and Feed Rupture Control System Logic
Figure 16-7 Reactor Coolant System and Pressurizer Response
Figure 16-8 Number One Steam Generator Parameters
Figure 16-9 Number Two Steam Generator Parameters
Figure 16-10 Trip Throttle Valve
Figure 16-11 Dominant core Vulnerability Sequence Event Tree
Figure 16-12 Dominant core Damage Sequence Event Tree}}

Revision as of 13:49, 18 September 2018

521- R326C B&W Tech Cross Training - Chapter 16 Davis-Besse Loss of All Feedwater
ML11221A300
Person / Time
Site: Davis Besse
Issue date: 05/01/2008
From:
NRC/HR/ADHRTD/RTTB-PWR
To:
References
Download: ML11221A300 (52)


Text

Pressurized Water Reactor B&W Technology Crosstraining Course Manual Chapter 16.0 Davis-Besse Loss of All Feedwater

USNRC HRTD 16-i Rev 05/2008

TABLE OF CONTENTS

16.0 DAVIS-BESSE LOSS OF ALL FEEDWATER EVENT
16.1 Description of Plant Systems
16.1.1 General Design
16.1.2 Main Steam System
16.1.3 Main Feedwater System
16.1.4 Auxiliary Feedwater System
16.1.5 Makeup/High-Pressure Injection Cooling Systems
16.1.6 Steam and Feedwater Rupture Control System (SFRCS)
16.1.7 Pressurizer Pilot Operated Relief Valve
16.2 Event Narrative
16.2.1 Shift Change
16.2.2 Reactor Trip - Turbine Trip
16.2.3 Loss of Main Feedwater
16.2.4 Loss of Emergency Feedwater
16.2.5 Reactor Coolant System Heatup
16.2.6 Operator Actions
16.2.7 PORV Failure
16.2.8 Steam Generator Refill
16.2.9 PRA Insights
APPENDIX Sequence of Events

LIST OF FIGURES

Figure 16-1 Davis-Besse NSSS
Figure 16-2 Main Steam System
Figure 16-3 Main Feedwater System
Figure 16-4 Auxiliary Feedwater System
Figure 16-5 Emergency Core Cooling Systems
Figure 16-6 Steam and Feed Rupture Control System Logic
Figure 16-7 Reactor Coolant System and Pressurizer Response
Figure 16-8 Number One Steam Generator Parameters
Figure 16-9 Number Two Steam Generator Parameters
Figure 16-10 Trip Throttle Valve
Figure 16-11 Dominant core Vulnerability Sequence Event Tree
Figure 16-12 Dominant core Damage Sequence Event Tree


16.0 DAVIS-BESSE LOSS OF ALL FEEDWATER EVENT

Learning Objectives:

1. List the indications of a "Loss of Heat Transfer" event.
2. Explain what operator actions and equipment failures led to the "Loss of Heat Transfer" event at Davis-Besse.
3. Explain the protection provided in an event that exceeds the design bases of the unit.
4. Describe how the "Feed and Bleed" method of core cooling is used to remove decay heat following a reactor trip.
5. State why an operator/supervisor may be reluctant to use this method of decay heat removal.

16.1 Description of Plant Systems

16.1.1 General Design

The Nuclear Steam Supply System (NSSS) for the Davis-Besse plant was supplied by the Babcock & Wilcox Company. The NSSS, shown in Figure 16-1, consists of two heat transport loops with each containing a hot leg, a once-through steam generator (OTSG), and two cold legs. Water from the OTSG is returned to the reactor vessel by the reactor coolant pumps, with one pump located in each cold leg. Reactor coolant system (RCS) pressure is maintained by an electrically heated pressurizer that is connected to one of the hot legs. During normal operations, the pressurizer contains a 700 ft³ steam bubble that exerts a pressure of approximately 2150 psig on the RCS. Protection against over-pressurization is provided by the pilot operated relief valve (PORV) and two code safety valves. The pilot operated relief valve discharges to a quench tank. The two code safety valves discharge directly to the containment building.

The reactor design power level is 2,772 MWt, which is also the design power level for the station and all components. At a power level of 2,772 MWt, the net station electrical output is 906 MWe.

16.1.2 Main Steam System

The main steam system functions to deliver superheated steam from the steam generators (OTSGs) to the main turbine and required plant auxiliaries. As shown in Figure 16-2, the system begins with the outlet piping from the steam generators and passes through the containment building to the main steam isolation valves (MSIVs). Protection against overpressurization for the steam generators is provided by 18 code safety valves (9 per steam generator) located on the system piping upstream of the MSIVs, and two atmospheric vent valves (one per steam generator) which act as relief valves. The atmospheric vent valves are controlled by the integrated control system (ICS) and aid in controlling steam pressure if a large transient occurs when the unit is in service, if condenser vacuum is lost, or if the MSIVs are closed. Connections upstream of each main steam isolation valve supply steam to the redundant turbine-driven auxiliary feedwater pumps. Either system header is capable of supplying either turbine; however, the auxiliary feedwater pump turbine normally receives steam from its associated steam header.

The piping downstream of the MSIVs contains non-return valves that prevent reverse flow when steam generator pressures are not equal. From the non-return valves, steam flows to the high pressure turbine and secondary systems, such as the air ejectors.

During normal operations, the main steam system valves are not required to change position; however, reactor trips and steam and feedwater rupture control system (SFRCS) actuations cause changes in valve position. When the reactor trips, OTSG pressure rises rapidly, resulting in the actuation of the steam line safety valves. The integrated control system (ICS) biases the steam generator pressure control setpoint to a value higher than the normal steam header pressure control value to minimize the cooldown of the reactor coolant system. Once the ICS gains control of the steam pressure, the safety valves should close.

The steam and feedwater rupture control system (SFRCS) also changes the position of the main steam system valves. If an SFRCS actuation signal is received, the following changes can occur in the system:

1. The MSIVs close.
2. The atmospheric vent valves close.
3. The steam supply valves open to supply steam to the auxiliary feedwater pump turbines.

16.1.3 Main Feedwater System

The main feedwater system, Figure 16-3, begins with the cross-connected deaerator storage tanks. Each of these tanks has a capacity of 64,000 gallons and provides the required net positive suction head (NPSH), i.e. pressure, for the booster feedwater pumps. The booster feedwater pumps are driven through a gear reducer by the main feedwater pump turbines and function to increase system pressure to satisfy the suction requirements for the main feedwater pumps. The direct-driven main feedwater pumps increase feedwater pressure to a value greater than steam generator pressure and discharge through the high pressure feedwater heaters to the feedwater regulating valves.

Two parallel valves are used to govern the flow of feedwater to each OTSG. The first of the two valves is called the startup control valve and regulates feedwater flow from 0% power to approximately 15% power. Startup control valve SP-7B supplies the #1 OTSG, and startup control valve SP-7A supplies the #2 OTSG. When the startup control valves reach the 80% open position, the main feedwater regulating block valves open, and flow is also controlled by the main feedwater regulating valves. The main feedwater regulating valves control feedwater flow during the power escalation from 15% to 100%. The pressure drop across the valve network is monitored and used to control main feedwater pump turbine speed. From the outlet of the feedwater regulating valves, the feedwater travels to the OTSGs via a motor-operated main feedwater isolation valve. Main feedwater is added to the OTSG through the external main feedwater ring and the main feedwater nozzles. A separate auxiliary feedwater ring is used for the addition of auxiliary feedwater flow. After entering the steam generator, auxiliary feedwater is sprayed on the tubes to enhance natural circulation when reactor coolant pumps are not running and to minimize thermal shock to the steam generator.

When the plant is in mode 3 (Hot Standby), a motor-driven startup feedwater pump is used to maintain steam generator level. The startup feedwater pump receives its suction from the deaerator storage tanks and discharges to the steam generator main feed rings via the high pressure feedwater heaters, the feedwater regulating valves, and the main feedwater isolation valves. After reactor criticality is achieved, power is escalated to about 1% and a main feedwater pump is placed in service. When the main feedwater pump is in service, the startup feedwater pump is shut down and isolated from the main feedwater system. Startup feedwater pump isolation includes the closing of the suction, discharge, and the cooling water isolation valves. All of these valves are located in the turbine building and must be locally operated. In addition to the manual operation of the pump isolation valves, the breaker control power fuses are removed as a safety precaution. This prevents the operation of the pump with its suction supply isolated.

The startup feedwater pump is designed to deliver feedwater flow at approximately 200 gpm with a steam generator pressure of 1050 psig. Electrical power is supplied to the pump motor from the non-Class 1E distribution; however, the pump power supply may be manually transferred to the diesel generator busses if required. Operation of the startup feedwater pump in off-normal situations requires the manual opening of the suction, discharge, cooling water inlet and outlet valves, and the installation of the breaker control power fuses.

If the reactor trips, the feedwater system is controlled by the rapid feedwater reduction system which closes the main feedwater regulating valves and positions the startup control valves to a position that allows proper OTSG level control. These actions are taken to prevent excessive cooling of the RCS caused by overfeeding the steam generators. This system also increases the speed of the operating main feedpump turbine(s) from a normal value of 4400 rpm to 4600 rpm.

In addition to the control actions described above, the steam and feedwater rupture control system (SFRCS) closes the main feedwater regulating valves, the startup regulating valves, and the main feedwater isolation valves when certain abnormal plant conditions are detected.

16.1.4 Auxiliary Feedwater System

The auxiliary feedwater system (AFW), Figure 16-4, is designed to remove the core's decay heat by the addition of feedwater to the steam generators following a reactor trip, if main feedwater is not available. The system consists of redundant turbine-driven auxiliary feedwater pumps and associated piping. Three suction sources are available to the AFW pumps: the deaerator storage tanks, the condensate storage tank (CST), and the service water system. The CST serves as the normal suction source for the system; however, if a low suction pressure condition is sensed, the AFW suction will automatically transfer to the service water system. Manual action would be required to transfer suction to the deaerator storage tanks.

When the AFW system is actuated by the steam and feedwater rupture control system (SFRCS) on signals other than low steam generator pressure, the steam to drive the AFW pump turbine and the discharge of each pump are aligned with the associated steam generator. Each of the AFW pumps is rated at 1050 gpm when pumping against a steam generator pressure of 1050 psig; 250 gpm of the 1050 gpm is used for recirculation flow.

The #1 pump supplies the #1 OTSG via motor-operated valves AF-360, AF-3870, and AF-608. The feedwater supply for #2 OTSG is from the #2 pump through valves AF-388, AF-3872, and AF-599. However, if the SFRCS is actuated on low OTSG pressure, the flow path of the system is altered to prevent the feeding of a ruptured steam generator. The isolation of feedwater to the faulted steam generator is accomplished by closing the AFW containment isolation valve (AF-599 or AF-608). Feedwater to the intact steam generator is supplied by both pumps through the appropriate cross-connect valve (AF-3869 or AF-3871). The steam supply valves for the turbine-driven pumps are also realigned to provide steam for both pumps from the intact steam generator. The following listing gives the position of the AFW system valves during various SFRCS actuations:

NORMAL SYSTEM ALIGNMENT
* Open valves - AF-360, AF-388, AF-599, AF-608
* Closed valves - AF-3869, AF-3870, AF-3871, AF-3872, MS-106, MS-106A, MS-107, MS-107A

SFRCS LOW LEVEL ACTUATION
* Open valves - AF-360, AF-388, AF-3870, AF-3872, AF-599, AF-608, MS-106, MS-107
* Closed valves - AF-3869, AF-3871, MS-106A, MS-107A

SFRCS ACTUATION #1 OTSG LOW PRESSURE
* Open valves - AF-360, AF-388, AF-3869, AF-3872, AF-599, MS-106A, MS-107
* Closed valves - AF-608, AF-3870, AF-3871, MS-106, MS-107A

SFRCS ACTUATION #2 OTSG LOW PRESSURE
* Open valves - AF-360, AF-388, AF-3870, AF-3871, AF-608, MS-106, MS-107A
* Closed valves - AF-3869, AF-3872, AF-599, MS-106A, MS-107

The SFRCS is described in more detail in section 16.1.6.
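The alignment listing above can be checked mechanically for which steam generators still have an AFW feed path. The following is an added example, not part of the course manual: valve names and positions come from the listing, the two cross-connect paths and the steam-supply valve roles are inferred from it (an assumption), and the double low-pressure state follows the Appendix entry at 01:41:08.

```python
# Added illustration; not part of the course manual.
# Valves listed as open in each alignment (from the listing above).
ALIGNMENTS = {
    "normal": {"AF-360", "AF-388", "AF-599", "AF-608"},
    "low_level": {"AF-360", "AF-388", "AF-3870", "AF-3872",
                  "AF-599", "AF-608", "MS-106", "MS-107"},
    "otsg1_low_pressure": {"AF-360", "AF-388", "AF-3869", "AF-3872",
                           "AF-599", "MS-106A", "MS-107"},
    "otsg2_low_pressure": {"AF-360", "AF-388", "AF-3870", "AF-3871",
                           "AF-608", "MS-106", "MS-107A"},
}

# Feed paths. The two straight paths are stated in the text; the two
# cross-connect paths are inferred from the low-pressure alignments (assumption).
FEED_PATHS = {
    ("pump1", "otsg1"): ("AF-360", "AF-3870", "AF-608"),
    ("pump2", "otsg2"): ("AF-388", "AF-3872", "AF-599"),
    ("pump1", "otsg2"): ("AF-360", "AF-3869", "AF-599"),
    ("pump2", "otsg1"): ("AF-388", "AF-3871", "AF-608"),
}

# Turbine steam supply valves; roles inferred from the listing (assumption).
STEAM_SUPPLY = {
    "MS-106": ("turbine1", "otsg1"),
    "MS-106A": ("turbine1", "otsg2"),
    "MS-107": ("turbine2", "otsg2"),
    "MS-107A": ("turbine2", "otsg1"),
}


def feed_paths(open_valves):
    """Return the (pump, generator) pairs whose whole path is open."""
    return {pair for pair, valves in FEED_PATHS.items()
            if all(v in open_valves for v in valves)}


def fed_generators(open_valves):
    """Return the generators that can receive AFW in this alignment."""
    return {otsg for _pump, otsg in feed_paths(open_valves)}


def steam_sources(open_valves):
    """Map each AFW turbine to the generator(s) supplying its steam."""
    sources = {}
    for valve, (turbine, otsg) in STEAM_SUPPLY.items():
        if valve in open_valves:
            sources.setdefault(turbine, set()).add(otsg)
    return sources


def both_low_pressure():
    """Open valves when low pressure is sensed on both generators at once.

    Per the Appendix: both containment isolation valves (AF-599, AF-608)
    close, the cross-connects open, and each turbine is fed from the other
    generator. AF-360 and AF-388 are assumed unchanged because they are open
    in every listed alignment. AF-3870 and AF-3872 are not stated; the result
    does not depend on them because every path ends at AF-599 or AF-608.
    """
    return {"AF-360", "AF-388", "AF-3869", "AF-3871", "MS-106A", "MS-107A"}


if __name__ == "__main__":
    for name, valves in ALIGNMENTS.items():
        print(name, sorted(fed_generators(valves)), steam_sources(valves))
    print("both_low_pressure", sorted(fed_generators(both_low_pressure())))
```

A single low-pressure actuation leaves both pumps feeding the intact generator, while the double actuation leaves no feed path at all: the isolation logic assumes at most one faulted generator.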

16.1.5 Makeup/High-Pressure Injection Cooling Systems

Makeup/High-Pressure Injection (MU/HPI) core cooling (also called PORV cooling or feed-and-bleed core cooling) involves the use of the makeup and purification system, the high pressure injection system and, at the operator's discretion, the low pressure injection system. These three systems are shown in Figure 16-5. The system contains two multistage centrifugal makeup pumps rated at 150 gpm each, with a discharge pressure of approximately 2500 psig. Two suction sources are available to the pumps: the makeup tank and the borated water storage tank (BWST). During normal operations, the makeup pumps supply seal injection and control pressurizer level by discharging into the RCS via the makeup flow control valve (MU-32). The discharge of the makeup pumps enters the RCS through one of the high-pressure injection penetrations. When feed-and-bleed operations are required, plant procedures require the positioning of the three-way suction valve (MU-3971) to the BWST suction source, fully opening the makeup flow control valve, and the starting of both makeup pumps.

The high-pressure injection pumps (HPI) are a part of the emergency core cooling system and are not in service during normal operations. The system consists of redundant pumps and four injection paths into the cold legs of the RCS. The pumps receive their suction from the BWST and have a shutoff head of 1630 psig. When these pumps are used in the feed and bleed mode of core cooling, both pumps are started, and the discharge of the low-pressure injection pumps can be aligned to the HPI pump suctions as described below.

The low-pressure injection (LPI) pumps are also a part of the emergency core cooling systems. The LPI pumps receive a suction from the BWST and discharge via the decay heat removal coolers (not shown in Figure 16-5) into the reactor vessel. The pumps are rated at 3000 gpm with a discharge pressure of approximately 150 psig. The shutoff head of the pumps is about 200 psig. Plant procedures allow the discharge of the LPI pumps to be aligned to the suction of the HPI pumps by opening valves DH-62 and DH-63. This alignment increases the discharge pressure of the HPI pumps from 1630 psig to approximately 1830 psig and allows HPI flow at a higher RCS pressure.

When the feed and bleed mode of core cooling is required, plant procedures call for starting the makeup pumps and the high-pressure injection pumps. After the pumps are in service, the pressurizer pilot-operated relief valve, the pressurizer vent, and the hot leg vents are opened. The HPI/LPI piggy-back mode of operation is not specifically addressed in the loss of subcooling margin or the overheating sections of plant procedures but may be aligned at the discretion of the operator. All the required feed-and-bleed alignments are performed in the control room.

16.1.6 Steam and Feedwater Rupture Control System (SFRCS)

The steam and feedwater rupture control system (SFRCS) is provided in the plant design as an engineered safety features system for postulated transient or accident conditions arising generally from the secondary (steam generation) side of the plant, because the OTSGs serve as the heat sinks for the reactor power. The SFRCS senses loss of main feedwater (MFW) flow, rupture of an MFW line, and rupture of a main steamline. It also senses loss of all forced coolant flow in the primary system.

The safety function of the SFRCS is to provide safety actuation signals to equipment that will: isolate the steam flow from the OTSGs, isolate the MFW flow, and start and align the AFW system. The SFRCS also provides output signals to the turbine trip system and to the Anticipatory Reactor Trip System (ARTS).

In the event of loss of MFW pumps or a main feedwater line rupture, the OTSGs would start to boil dry, and, if action is not initiated promptly, there would be no motive steam available for the turbine-driven AFW system and the OTSGs would be lost as heat sinks. As soon as the MFW pump discharge pressure falls below the pressure in the OTSG (i.e., reverse differential pressure across a check valve) by a predetermined value, the SFRCS provides safety actuation signals to close the main steam isolation valves (MSIVs), close the MFW stop and control valves, and start AFW. The SFRCS also receives OTSG low level signals which are diverse from the reverse differential pressure signals.

In the event of steamline pipe ruptures, when the main steam pressure drops, the SFRCS will close both MSIVs and the MFW stop and control valves. The description of the SFRCS in the Updated Safety Analysis Report (USAR) Section 7.4.1.3 does not mention the SFRCS closure (or re-opening) of the AFW containment isolation valves (AF-608 and AF-599), although the design does include such features. The AFW is also initiated and both AFW trains are aligned to draw steam only from, and to provide feed only to, the unaffected "intact" OTSG.

In the event of loss of all four reactor coolant pumps (RCPs), forced cooling flow of the reactor coolant system would be lost and AFW flow is needed to enhance natural circulation flow. Therefore, the SFRCS senses the loss of four RCPs and automatically initiates AFW.

Figure 16-6 depicts the channelization of the SFRCS. There are two Actuation Channels, each of which contains two identical logic channels. Within each Actuation Channel, one logic channel is ac powered and the other logic channel is dc powered. The field wiring at the actuated equipment is such that generally both logic channels must "trip" (i.e., a two-out-of-two AND logical arrangement) to actuate most equipment, which is referred to as a "full trip." However, some equipment is actuated by a "half trip" (i.e., only one logic channel of an actuation channel has tripped). For example, the atmospheric steam vent valves are closed by "half trips."

16.1.7 Pressurizer Pilot Operated Relief Valve

At the top of the pressurizer as shown in Figure 16-1, there are two code safety valves which vent directly to the containment atmosphere, a high-point vent line, and the pilot operated relief valve (PORV) with its associated upstream block valve.

The PORV block valve is a manually-controlled motor-operated valve, equipped with position instrumentation including a position alarm.

The PORV is a style HPV-SN solenoid-controlled pilot-operated pressure relief valve manufactured by the Crosby Valve and Gage Company. It was the Incident Investigation Team's (IIT) understanding that Davis-Besse is the only B&W-designed PWR that has a Crosby PORV. The Crosby PORV is operated by the reactor coolant system pressure via a solenoid-operated pilot valve and therefore does not involve any pneumatic power (instrument air or nitrogen). Electric power is used for the solenoid control device. To actuate the PORV, the solenoid is energized. This action allows the use of reactor coolant system pressure to open the main disc of the valve.

The controls for the PORV include features for automatic operation, manual open, manual close, and lock open. In automatic, the pressure channel's bistable would close one set of contacts above the high pressure setpoint (2425 psig) and would close another set of contacts below the low pressure setpoint (2375 psig). When the high pressure setpoint is reached, the control relay is energized and an electrical seal-in circuit is energized. When the low setpoint is reached, an auxiliary relay is operated which in turn interrupts the valve-open seal-in circuit.

In manual control, the circuit is designed for momentary-only operation of the switch to the valve-open position. The seal-in circuit will hold the valve open if the pressure is above the low pressure setpoint. To lock open the PORV (as would be done for MU/HPI cooling), the manual control switch would be rotated to the "lock open" position. The control circuitry would maintain the PORV solenoid energized regardless of RCS pressure. To manually close the PORV, the control switch must be rotated to the "auto" position and the control switch pushed inward. This action causes both control relays to be deenergized and the seal-in circuit to be deenergized, which in turn causes the PORV solenoid to be deenergized.

The indicators for the PORV include: control power available (blue), automatic (white), PORV open (red), PORV close (green), and lock open (amber). The PORV open/close lights are operated by a limit switch operated by the PORV solenoid plunger (i.e., the output of the electric solenoid; the mechanical input to the PORV). All of these position lights are PORV command indicators, in that they indicate only the position that the electric controls have commanded for the PORV. Only the acoustic monitor is a direct indicator of the flow condition through the PORV/block valve path.

The acoustic monitor for the PORV was installed as one of the post-TMI safety improvements. Two redundant accelerometer sensors are mounted on the discharge piping. Each sensor channel provides a signal to drive the remote 0-100% (open) PORV position meter on the post-accident monitoring (PAM) panel, and an adjustable position signal switch to drive the remote PORV open/closed lights on the PAM panel. The IIT was told that the adjustable switch was set such that the red (open) light would be energized if the flow signal is greater than 22% of the full flow value.

If PORV/block valve flow is less than 22%, the red (open) light would be turned off and the green (closed) light would be energized. The meter could be used to obtain more precise position/flow information. The Post-Accident Monitoring (PAM) panel is a separate panel mounted about 7 ft to the left of where the reactor operator assigned to the primary system would be standing. Both redundant red/green PORV indicating lights are easily visible to the operator if he turns his head. However, the 0-100% meters are relatively small, i.e., about 3-inch-tall vertical edge-mounted meters. To read this meter, the operator would have to step a pace or two toward the PAM panel.
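The automatic seal-in logic and the difference between the command lights and the acoustic monitor can be modeled in a few lines. This is an added example, not part of the course manual: the setpoints (2425/2375 psig) and the 22% threshold are from the text, while the class and function names, the pressure trace and the acoustic flow percentages are constructed for illustration.

```python
# Added illustration; not part of the course manual.
from dataclasses import dataclass

HIGH_SETPOINT_PSIG = 2425   # bistable energizes the control relay above this
LOW_SETPOINT_PSIG = 2375    # auxiliary relay breaks the seal-in below this
ACOUSTIC_OPEN_PCT = 22      # PAM panel red light lights above this flow signal


@dataclass
class PorvControl:
    """Command side only: says what the solenoid is told, not what the disc does."""
    lock_open: bool = False
    sealed_in: bool = False

    def step(self, rcs_psig):
        """Apply one pressure sample; return True if the solenoid is energized."""
        if rcs_psig > HIGH_SETPOINT_PSIG:
            self.sealed_in = True          # open command latches
        elif rcs_psig < LOW_SETPOINT_PSIG:
            self.sealed_in = False         # latch released
        return self.lock_open or self.sealed_in

    def manual_open(self, rcs_psig):
        """Momentary open; the seal-in holds only above the low setpoint."""
        if rcs_psig > LOW_SETPOINT_PSIG:
            self.sealed_in = True
        return self.step(rcs_psig)

    def manual_close(self):
        """Switch to auto and push in: relays and seal-in deenergized."""
        self.lock_open = False
        self.sealed_in = False
        return False


def classify(commanded_open, acoustic_pct):
    """Compare the command indication with the acoustic flow signal."""
    flowing = acoustic_pct > ACOUSTIC_OPEN_PCT
    if commanded_open and flowing:
        return "open"
    if not commanded_open and not flowing:
        return "closed"
    if flowing:
        return "FLOW_WITHOUT_COMMAND"      # lights say closed, path is passing flow
    return "COMMAND_WITHOUT_FLOW"          # lights say open, path is not passing flow


# Constructed trace: (RCS pressure in psig, acoustic flow signal in % of full flow).
# The last sample represents the path after the block valve has been closed.
TRACE = [(2300, 0), (2435, 100), (2400, 100), (2370, 95), (2140, 90), (2081, 15)]


def replay(trace):
    """Run the trace through the automatic logic and label each sample."""
    control = PorvControl()
    return [(psig, classify(control.step(psig), pct)) for psig, pct in trace]


if __name__ == "__main__":
    for psig, status in replay(TRACE):
        print(psig, status)
```

From the sample at 2370 psig onward the command indication reads closed while the flow signal is still well above 22%, which only the acoustic channel reveals.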

16.2 Event Narrative

This detailed description of the Davis-Besse loss-of-feedwater event focuses attention on the operator actions which prevented a potentially serious event, both in terms of safety and economics, from occurring. From their normal operating routine, the operators were plunged abruptly into a high stress situation requiring complicated responses outside the control room. Furthermore, these activities unfolded early on a Sunday morning when additional technical expertise from either onsite or offsite was at a minimum.

In view of the importance of the operator actions, the narrative of the event which follows is based upon a composite of the operator interviews performed by the IIT. The narrative is written to reflect the operators' descriptions of their actions, observations, and thoughts during the event. The IIT decided that this would best convey the effects of stress, training, experience, teamwork, and impediments on operator performance. There are undoubtedly lessons to be learned about what operators are likely to do during a serious event which are not easily summarized, but which perhaps can be inferred from the descriptions of what occurred during this particular event.

16.2.1 Shift Change

On June 9, 1985, the midnight shift of operators assumed control of the Davis-Besse nuclear power plant. The oncoming shift included four licensed operators, four equipment operators, an auxiliary operator, and an administrative assistant. The shift supervisor and assistant shift supervisor were the most experienced members of the operating crew. Both were at the plant before it was issued an operating license in April 1977. The two reactor operators, who were responsible for the control room, had decided between themselves who would be responsible for the primary-side and who would take the secondary-side work station. The secondary-side operator had been a licensed reactor operator for about two years; the primary-side operator was licensed in January 1985.

The shift turnover on June 9 was easy - there were no ongoing tests or planned changes to the plant status. The plant was operating at 90 percent of the full power authorized in the license granted by the NRC in April 1977, to minimize the potential for an inadvertent reactor trip (i.e., shutdown) due to noise on primary coolant flow instrumentation.

All the major equipment control stations were in automatic except the No. 2 main feedwater pump. As a result, the integrated control system instruments were monitoring and controlling the balance between the plant's reactor coolant system and the secondary coolant system.

Since April 1985, there had been control problems with both main feedwater pumps. Troubleshooting had neither identified nor resolved the problems. In fact, a week earlier, on June 2, 1985, both feedwater pumps tripped unexpectedly after a reactor trip. After some additional troubleshooting, the decision was made to not delay startup any longer, but to put instrumentation on the pumps to help diagnose the cause of a pump trip, if it occurred again. As a precaution, the number two main feedwater pump was operating in manual control to prevent it from tripping and to ensure that all main feedwater would not be lost should the reactor trip.

During the first hour of the shift, the operators' attention and thoughts were directed to examining the control panels and alarm panels, and performing instrument checks and routine surveillances associated with shift turnover. Thus, at 1:35 in the morning, the plant generator was providing electricity to the Ohio countryside. The secondary-side operator had gone to the kitchen where he joined an equipment operator for a snack. The other reactor operator was at the operator's desk studying procedures for requalification examinations. The assistant shift supervisor had just left the kitchen on his way back to the control room after a break. The shift supervisor was in his office outside the control room performing administrative duties.

16.2.2 Reactor Trip - Turbine Trip

The assistant shift supervisor entered the control room and was examining one of the consoles when he noticed that main feedwater flow was decreasing and that the No. 1 main feedwater pump had tripped (Figures 16-7 through 16-9 trace the major primary and secondary parameters and will be referred to for the remainder of this discussion). Since the No. 2 feedwater pump was in manual control, it could not respond to the integrated control system demand automatically to increase feedwater flow.

The "winding down" sound of the feedwater pump turbine was heard by the reactor operator in the kitchen, and by the administrative assistant and the shift supervisor, both of whom were in their respective offices immediately outside the control room. They headed immediately for the control room - the event had begun.

The secondary-side reactor operator ran to his station and immediately increased the speed of the No. 2 main feedwater pump to compensate for the decrease of feedwater flow from the No. 1 pump. The primary-side operator had already opened the pressurizer spray valve in an attempt to reduce the pressure surge resulting from the heatup of the reactor coolant system due to a decrease in feedwater flow.

The plant's integrated control system attempted automatically to reduce reactor/turbine power in accordance with the reduced feedwater flow. The control rods were being inserted into the core and reactor power had been reduced to about 80 percent. At the same time the primary-side reactor operator held open the pressurizer spray valve in an attempt to keep the reactor coolant pressure below the high pressure reactor trip setpoint of 2300 psig (normal pressure is 2150 psig). However, the reduction of feedwater and subsequent degradation of heat removal from the primary coolant system caused the reactor to trip on high reactor coolant pressure. The operators had done all they could do to prevent the trip, but the safety systems had acted automatically to shut down the nuclear reaction.

The primary-side operator acted in accordance with the immediate post-trip actions specified in the emergency procedure that he had memorized. Among other things, he checked that all control rod bottom lights were on, hit the reactor trip (shutdown) button, isolated letdown from the reactor coolant system, and started a second makeup pump in anticipation of a reduced pressurizer inventory after a normal reactor trip. Then he waited, and watched the reactor coolant pressure to see how it behaved.

The secondary-side operator heard the turbine stop valves slamming shut and knew the reactor had tripped. This "thud" was heard by most of the equipment operators who also recognized its meaning, and two of them headed for the control room. Almost simultaneously, the secondary-side operator heard the loud roar of main steam safety valves opening, a sound providing further proof that the reactor had tripped. The lifting of safety valves after a high-power reactor trip was normal. Everything was going as expected as he waited and watched the steam generator water levels boil down - each should have reached the normal post-trip low-level limit of 35 inches on the startup level instrumentation and held steady.

The shift supervisor joined the operator at the secondary-side control console and watched the rapid decrease of the steam generator levels. The rapid feedwater reduction system (a subsystem of the integrated control system) had closed the startup feedwater valves, but as the level approached the low level limits, the startup valves opened to hold the level steady. The main steam safety valves closed as expected. The system response was looking "real good" to the shift supervisor.

The assistant shift supervisor in the meantime opened the plant's loose-leaf emergency procedure book. (It is about two inches thick, with tabs for quick reference. The operators refer to it as emergency procedure 1202:01; the NRC refers to it as the ATOG procedure - Abnormal Transient Operating Guidelines.) As he read aloud the immediate actions specified, the reactor operators were responding in the affirmative. After phoning the shift technical advisor (STA) to come to the control room, the administrative assistant began writing down what the operators were saying, although they were speaking faster than she could write.

16.2.3 Loss of Main Feedwater

Although the assistant shift supervisor was loudly reading the supplementary actions from the emergency procedure book, the shift supervisor heard the main steam safety valves open again. He knew from experience that something was unusual and instinctively surveyed the control console and panels for a clue. He discovered that both main steam isolation valves (MSIVs) had closed - the first and second of a list of unexpected equipment performances and failures that occurred during the event.

The secondary-side operator was also aware that something was wrong because he noticed that the speed of the only operating main feedwater pump was decreasing. After verifying that the status of the main feedwater pump turbine was normal, he concluded that the turbine was losing steam pressure at about the same time that the shift supervisor shouted that the MSIVs were closed. All eyes then turned up to the annunciators at the top of the back panel. They saw nothing abnormal in the kind or number of annunciators lit after the reactor trip. The operators expected to find an alarm indicating that the Steam Feedwater Rupture Control System (SFRCS, pronounced S-FARSE) had activated. Based on their knowledge of previous events at the plant, they believed that either a partial or full actuation of the SFRCS had closed the MSIVs. However, the SFRCS annunciator lights were dark. The MSIVs had closed at 1:36 a.m. and they were going to stay closed. It normally takes at least one-half hour to prepare the steam system for reopening the valves.

The No. 2 main feedwater pump turbine, deprived of steam, was slowly winding down. Since the MSIVs were closed and there was limited steam inventory in the moisture separator reheaters, there was inadequate motive power to pump feedwater to the steam generators. At about 1:40 a.m. the discharge pressure of the pump had dropped below the steam pressure, which terminated main feedwater flow.

16.2.4 Loss of Emergency Feedwater

The secondary-side operator watched the levels in both steam generators boil down; he had also heard the main steam safety valves lifting. Without feedwater, he knew that an SFRCS actuation on low steam generator level was imminent. The SFRCS would actuate the auxiliary feedwater system (AFWS), which in turn would provide emergency feedwater to the steam generators. He was trained to trip manually any system that he felt was going to trip automatically. He requested and received permission from the shift supervisor to trip the SFRCS on low level to conserve steam generator inventory; i.e., the AFWS would be initiated before the steam generator low-level setpoint was reached.

He went to the manual initiation switches at the back panel and pushed two buttons to trip the SFRCS. He inadvertently pushed the wrong two buttons, and, as a result, both steam generators were isolated from the emergency feedwater supply. He had activated the SFRCS on low pressure for each steam generator instead of on low level. By manually actuating the SFRCS on low pressure, the SFRCS was signaled that both generators had experienced a steamline break or leak, and the system responded, as designed, to isolate both steam generators. The operator's anticipatory action defeated the safety function of the auxiliary feedwater system - a common-mode failure and the third abnormality to occur within 6 minutes after the reactor trip.

The operator returned to the auxiliary feedwater station expecting the AFWS to actuate and to provide the much-needed feedwater to the steam generators that were boiling dry. Instead, he saw first the No. 1 AFW pump and then the No. 2 AFW pump trip on overspeed - a second common-mode failure of the auxiliary feedwater system and abnormalities four and five. He returned to the SFRCS panel to find that he had pushed the wrong two buttons.

The operator knew what he was supposed to do. In fact, most knowledgeable people in the nuclear power industry, even control room designers, know that the once-through steam generators in Babcock & Wilcox-designed plants can boil dry in as little as 5 minutes; consequently, it is vital for an operator to be able to quickly start the AFWS. There could have been a button labeled simply "AFWS-Push to Start." But instead, the operator had to do a mental exercise to first identify a signal in the SFRCS that would indirectly start the AFW system, find the correct set of buttons from a selection of five identical sets located knee-high from the floor on the back panel, and then push them without being distracted by the numerous alarms and loud exchanges of information between operators.

The shift supervisor quickly determined that the valves in the AFWS were improperly aligned. He reset the SFRCS, tripped it on low level, and corrected the operator's error about one minute after it occurred. This action commanded the SFRCS to realign itself such that each AFW pump delivered flow to its associated steam generator. Thus, had both systems (the AFWS and SFRCS) operated properly, the operator's mistake would have had no significant consequences on plant safety.

The assistant shift supervisor, meanwhile, continued reading aloud from the emergency procedure. He had reached the point in the supplementary actions that requires verification that feedwater flow was available. However, there was no feedwater, not even from the AFWS, a safety system designed to provide feedwater in the situation that existed. (The Davis-Besse emergency plan identifies such a situation as a Site Area Emergency.) Given this condition, the procedure directs the operator to the section entitled, "Lack of Heat Transfer." He opened the procedure at the tab corresponding to this condition, but left the desk and the procedure at this point, to diagnose why the AFWS had failed. He performed a valve alignment verification and found that the isolation valve in each AFW train had closed. Both valves (AF-599 and AF-608) had failed to reopen automatically after the shift supervisor had reset the SFRCS. He tried unsuccessfully to open the valves with the pushbuttons on the back panel. He went to the SFRCS cabinets in the back of the back panel to clear any trips in the system and block them so that the isolation valves could open. However, there were no signals keeping the valves closed. He concluded that the torque switches in the valve operators must have tripped. The AFW system had now suffered its third common-mode failure, thus increasing the number of malfunctions to seven within 7 minutes after the reactor trip (1:42 a.m.).

16.2.5 Reactor Coolant System Heatup

Meanwhile, about 1:40 a.m., the levels in both steam generators began to decrease below the normal post-reactor-trip limit (about 35 inches on the startup range). The feedwater flow provided by the No. 1 main feedwater pump had terminated. The flow from the No. 2 main feedwater pump was decreasing because the MSIVs were closed, which isolated the main steam supply to the pump. With decreasing feedwater flow, the effectiveness of the steam generators as a heat sink for removing decay (i.e., residual) heat from the reactor coolant system rapidly decreased. As the levels boiled down through the low-level setpoint (the auxiliary feedwater should automatically initiate at about 27 inches), the average temperature of the reactor coolant system began to increase, indicating a lack of heat transfer from the primary to the secondary coolant system. When the operator incorrectly initiated SFRCS on low pressure, all feedwater was isolated to both steam generators. The reactor coolant system began to heat up because heat transfer to the steam generators was essentially lost due to loss of steam generator water level.

The average reactor coolant temperature increased at the rate of about 4 degrees Fahrenheit per minute for about 12 minutes. The system pressure also increased steadily until the operator fully opened the pressurizer spray valve (at about 1:42 a.m.). The spray reduced the steam volume in the pressurizer and temporarily interrupted the pressure increase. The pressurizer level increased rapidly, but the pressurizer did not completely fill with water. As the indicated level exceeded the normal value of 200 inches, the control valve for makeup flow automatically closed.

At this point, things in the control room were hectic. The plant had lost all feedwater; reactor pressure and temperature were increasing; and a number of unexpected equipment problems had occurred. The seriousness of the situation was fully appreciated.

16.2.6 Operator Actions

By 1:44 a.m., the licensed operators had exhausted every option available in the control room to restore feedwater to the steam generators. The main feedwater pumps no longer had a steam supply. Even if the MSIVs could be opened, the steam generators had essentially boiled dry, and sufficient steam for the main feedwater pump turbines would likely not have been available. The turbines for the AFW pumps had tripped on overspeed, and the trip throttle valves could not be reset from the control room. Even if the AFW pumps had been operable, the isolation valves between the pumps and steam generators could not be opened from the control room, which also inhibited the AFWS from performing its safety function. The likelihood of providing emergency feedwater was not certain, even if the AFW pump overspeed trips could be reset and the flow paths established; for example, there was a question as to whether there was enough steam remaining in the steam generators to start the steam-driven pumps. Unknown to the operators, the steam inventory was further decreased because of problems controlling main steam pressure. The number of malfunctions had now reached eight.

Three equipment operators had been in the control room since shortly after the reactor tripped. They had come to the control room to receive directions and to assist the licensed operators as necessary. They were on the sidelines watching their fellow operators trying to gain control of the situation.

The safety-related AFW equipment needed to restore water to the steam generators had failed in a manner that could only be remedied at the equipment locations and not from the control room. The affected pumps and valves are located in locked compartments deep in the plant.

The primary-side reactor operator directed two of the equipment operators to go to the auxiliary feedwater pump room to determine what was wrong - and hurry.

The pump room, located three levels below the control room, has only one entrance: a sliding grate hatch that is locked with a safety padlock. One of the operators carried the key ring with the padlock key in his hand as they left the control room. They violated the company's "no running" policy as they raced down the stairs. The first operator was about 10 feet ahead of the other operator, who tossed him the keys so as not to delay unlocking the auxiliary feedwater pump room. The operator ran as fast as he could and had unlocked the padlock by the time the other operator arrived to help slide the hatch open.

The operators descended the steep stairs resembling a ladder into the No. 2 AFW pump room. They recognized immediately that the trip throttle valve had tripped (Figure 6-10). One operator started to remove the lock wire on the handwheel while the other operator opened the water-tight door to the No. 1 AFW pump. He also found the trip throttle valve tripped and began to remove the lock wire from the handwheel.

The shift supervisor had just dispatched a third equipment operator to open AFW isolation valves AF-599 and AF-608. These are chained and locked valves, and the shift supervisor gave the locked-valve key to the operator before he left the control room. He paged a fourth equipment operator over the plant communications systems and directed him also to open valves AF-599 and AF-608. Although the operators had to go to a different room for each valve, they opened both valves in about 3-1/2 minutes. They were then directed to the AFW pump room.

As the operators ran to the equipment, a variety of troubling thoughts ran through their minds. One operator was uncertain if he would be able to carry out the task that he had been directed to do. He knew that the valves he had to open were locked valves, and that they could not be operated manually without a key. He did not have a key and that concerned him. As he moved through the turbine building, he knew there were numerous locked doors that he would have to go through to reach the valves. He had a plastic card to get through the card readers, but they had been known to break and fail. He did not have a set of door keys, and he would not gain access if his key card broke, and that concerned him too.

The assistant shift supervisor came back into the control console area after having cleared the logic for the SFRCS and he tried again, unsuccessfully, to open the AFWS isolation valves. At this point, the assistant shift supervisor made the important decision to attempt to place the startup feedwater pump (SUFP) in service to supply feedwater to the steam generators. He went to the key locker for the key required to perform one of the five operations required to get the pump running.

The SUFP is a motor-driven pump, usually more reliable than a turbine-driven pump, and more importantly, it does not require steam from the steam generators to operate. The SUFP is located in the same compartment as the No. 2 AFW pump. But since the refueling outage in January 1985, the SUFP had been isolated by closing four manual valves, and its fuses were removed from the motor control circuit. This isolation was believed necessary because of the consequences of a high-energy break of the non-seismic grade piping which passes through the two seismic-qualified AFW pump rooms. Prior to January 1985, the SUFP could be initiated from the control room by the operation of a single switch.

The assistant shift supervisor headed for the turbine building, where he opened the four valves and placed the fuses in the pump electrical switchgear. This equipment is located at four different places; in fact, other operators had walked through the procedure of placing the SUFP in operation and required 15 to 20 minutes to do it. The assistant shift supervisor took about 4 minutes to perform these activities. He then paged the control room from the AFW pump room and instructed the secondary-side operator to start the pump and align it with the No. 1 steam generator.

The two equipment operators in the AFW pump rooms had been working about 5 minutes to reset the trip throttle valves when the assistant shift supervisor entered the room to check the SUFP. The equipment operators thought that they had latched and opened the valves. However, neither operator was initially successful in getting the pumps operational. Finally, after one equipment operator had tried everything that he knew to get the No. 1 AFW pump operating, he left it and went to the No. 2 AFW pump, where the other operator was having the same problem of getting steam to the turbine. Neither operator had previously performed the task that he was attempting.

The assistant shift supervisor went over to assist the equipment operators and noticed immediately that the trip throttle valves were still closed. Apparently, the equipment operators had only removed the slack in attempting to open the valve. The valve was still closed, and the differential pressure on the wedge disk made it difficult to turn the handwheel after the slack was removed, thus necessitating the use of a valve wrench. A third, more experienced operator had entered the pump room and used a valve wrench to open the trip throttle valve on AFW pump No. 2. Without the benefit of such assistance, the equipment operators may well have failed to open the trip throttle valves to admit steam to the pump turbines.

The third equipment operator then proceeded to the No. 1 AFW pump trip throttle valve. The valve had not been reset properly, and he experienced great difficulty in relatching and opening it because he had to hold the trip mechanism in the latched position and open the valve with the valve wrench. Because the trip mechanism was not reset properly, the valve shut twice before he finally opened the valve and got the pump operating.

16.2.7 PORV Failure

Prior to being informed by the assistant shift supervisor that the SUFP was available, the secondary-side operator requested the primary-side operator to reset the isolation signal to the startup feedwater valves in preparation for starting the SUFP. In order to perform this task, the operator left the control console and went to the SFRCS cabinets in back of the control room. As he re-entered the control panel area, he was requested to reset the atmospheric vent valves. As a result of these activities, the primary-side operator estimated that he was away from his station for 20 to 30 seconds. (In fact, he was away for about two minutes.)

While the operator was away from the primary-side control station, the pressurizer PORV opened and closed twice without his knowledge. The pressure had increased because of the continued heatup of the reactor coolant system that resulted when both steam generators had essentially boiled dry.

According to the emergency procedure, a steam generator is considered "dry" when its pressure falls below 960 psig and is decreasing, or when its level is below 8 inches on the startup range (normal post-trip pressure is 1010 psig and post-trip level is 35 inches). The instrumentation in the control room is inadequate for the operator to determine with certainty if these conditions exist in a steam generator. The lack of a trend recorder for steam generator pressure makes it difficult to determine if the steam pressure is 960 psig and decreasing. The range of the steam generator level indicator in the control room is 0-250 inches, a scale which makes determining the 8-inch level difficult. The safety parameter display system (SPDS) is intended to provide the operators with these critical data, but both channels of the SPDS were inoperable prior to and during this event. Thus, the operators did not know that the conditions in the steam generators beginning at about 1:47 a.m. were indicative of a "dry" steam generator, or subsequently, that both steam generators were essentially dry.

When both steam generators are dry, the procedure requires the initiation of makeup/high-pressure injection (MU/HPI) cooling, or what is called the "feed-and-bleed" method for decay heat removal. Even before conditions in the steam generators met these criteria, the shift supervisor was fully aware that MU/HPI cooling might have been necessary. When the hot-leg temperature reached 591°F (normal post-trip temperature is about 550°F), the secondary-side operator recommended to the shift supervisor that MU/HPI cooling be initiated. At about the same time, the operations superintendent told the shift supervisor in a telephone discussion that if an auxiliary feedwater pump was not providing cooling to one steam generator within one minute, to prepare for MU/HPI cooling. However, the shift supervisor did not initiate MU/HPI cooling. He waited for the equipment operators to recover the auxiliary feedwater system.

The shift supervisor appreciated the economic consequences of initiating MU/HPI cooling. One operator described it as a drastic action. During MU/HPI, the PORV and the high point vents on the reactor coolant system are locked open, which breaches one of the plant's radiological barriers. Consequently, radioactive reactor coolant is released inside the containment building. The plant would have to be shut down for days for cleanup even if MU/HPI cooling was successful. In addition, achieving cold shutdown could be delayed. Despite his delay, the shift supervisor acknowledged having confidence in this mode of core cooling based on his simulator training; he would have initiated MU/HPI cooling if "it comes to that."

The primary-side operator returned to his station and began monitoring the pressure in the pressurizer, which was near the PORV setpoint (2425 psig). The PORV then opened, and he watched the pressure decrease. The indicator in front of him signaled that there was a closed signal to the PORV and that it should be closed. The acoustic monitor installed after the TMI accident was available to him to verify that the PORV was closed, but he did not look at it. Instead, he looked at the indicated pressurizer level, which appeared steady, and based on simulator training, he concluded that the PORV was closed. In fact, the PORV had not completely closed and, as a result, the pressure decreased at a rapid rate for about 30 seconds.

The operator did not know that the PORV had failed. He believed that the RCS depressurization was due either to the fully open pressurizer spray valve or to the feedwater flow to the steam generators. He closed the spray valve and the PORV block valve as precautionary measures. But subsequent analyses showed that the failed PORV was responsible for the rapid RCS depressurization. Two minutes later, the reactor operator opened the PORV block valve to ensure that the PORV was available. Fortunately, the PORV had closed during the time the block valve was closed. The failed PORV was the ninth abnormality that had occurred within 15 minutes after reactor trip.

16.2.8 Steam Generator Refill

At about 1:50 a.m. the No. 1 atmospheric vent valve opened and depressurized the No. 1 steam generator to about 750 psig when the SFRCS signal was reset by the primary-side operator. The atmospheric vent valve for the No. 2 steam generator had been closed by the secondary-side operator before the SFRCS signal was reset. The indicated No. 1 steam generator level was less than 8 inches. The corresponding pressure and indicated level in the No. 2 steam generator were about 928 psig and 10 inches, respectively. The indicated levels continued to decrease until the secondary-side operator started the SUFP after being informed by the assistant shift supervisor that it was available and after the other operator had reset the isolation signal to the startup feedwater valves.

Although the flow capacity of the SUFP is somewhat greater, approximately 150 gallons per minute (gpm) were fed to the steam generators because the startup valves were not fully opened. Essentially all the feedwater from the SUFP was directed to the No. 1 steam generator. At about 1:52 a.m., the pressure in the No. 1 steam generator increased sharply, while the indicated water level stopped decreasing and began slowly to increase. Since there was little feedwater sent to the No. 2 steam generator, its condition did not change significantly.

The trip throttle valve for the No. 2 AFW pump was opened by the equipment operators at about 1:53 a.m. After the SFRCS was reset and tripped on low level by the shift supervisor, the AFWS aligned itself so that each AFW pump would feed only its associated steam generator; i.e., the No. 2 AFW pump would feed the No. 2 steam generator. Thus, the No. 2 AFW pump refilled the No. 2 steam generator, and its pressure increased abruptly to the atmospheric vent valve relief set point. The turbine governor valve was fully open when the trip throttle valve was opened, and the pump delivered full flow for about 30 seconds until the operator throttled the flow down.

The No. 1 trip throttle valve was opened by the equipment operator about 1:55 a.m., and feedwater from the AFWS flowed to the No. 1 steam generator. However, the No. 1 AFW pump was not controlled from the control room but controlled locally by the equipment operators.

The equipment operators controlled the pump locally using the trip throttle valve. One operator manipulated the valve based on hand signals from the operator who was outside the No. 1 AFW pump room communicating with the control room operator. For two hours the AFW pump was controlled in this manner by the operators. Their task was made more difficult from the time they first entered the AFW pump room by the intermittent failures of the plant communication station in the room.

With feedwater flow to the steam generators, the heatup of the reactor coolant system ended. At about 1:53 a.m. the average reactor coolant temperature peaked at about 592°F and then decreased sharply to 540°F in approximately 6 minutes (normal post-trip average temperature is 550°F). Thus, the reactor coolant system experienced an overcooling transient caused by an excessive AFW flow from the condensate storage tank. The overfill of the steam generators caused the reactor coolant system pressure to decrease towards the safety features actuation system (SFAS) setpoint of 650 psig.

To compensate for the pressure decrease, and to avoid an automatic SFAS actuation, at approximately 1:58 a.m., the primary-side operator aligned one train of the emergency core cooling system (ECCS) in the piggyback configuration. In this configuration the discharge of the low-pressure injection pump is aligned to the suction of the high-pressure injection pump to increase its shutoff head pressure to about 1830 psig. At about the time the train was actuated, the combination of pressurizer heaters, makeup flow, and reduction of the AFW flow increased the reactor coolant pressure above 1830 psig. As a result, only a limited amount (an estimated 50 gallons) of borated water was injected into the primary system from the ECCS.

At 1:59 a.m., the No. 1 AFW pump suction transferred spuriously from the condensate storage tank to the service water system (malfunction number 10). This action was not significant, but it had occurred before and had not been corrected. Similarly, a source range nuclear instrument became inoperable after the reactor trip (malfunction number 11) and the operators initiated emergency boration pursuant to procedures. (Note: One channel had been inoperable prior to the event.) The source range instrumentation had malfunctioned previously and apparently had not been properly repaired. Also, the control room ventilation system tripped into its emergency recirculation mode (malfunction number 12), which had also occurred prior to this event.

The steam generator water levels soon exceeded the normal post-trip level, and the operator terminated AFW flow to the steam generators. The subcooling margin remained adequate throughout this event. The event ended at about 2 o'clock in the morning, twelve malfunctions and approximately 30 minutes after it began.

16.2.9 PRA Insights

Two major points concerning risk are evident from this event. The first is the probability of multiple equipment failures, and the second is a human reliability issue.

One of the major insights gained from a PRA is the risk associated with multiple failures of plant systems. However, the assumption of multiple failures is usually criticized by the plant staff as a series of incredible failures. This event provides a very dramatic example of the possibility of multiple failures. First, the loss of one main feedwater pump resulted in a transient that challenged plant systems. Next, multiple failures of safety-related systems did occur. As discussed in this chapter, both AFW pump turbines, both AFW isolation valves, and the PORV failed to respond properly during the event. This list does not include the actions of the SFRCS system, the failure of a turbine bypass valve, and the loss of source range instrumentation.

One of the most difficult probabilities to include in a PRA is the failure of the operators to take proper action or human failure that results in an improper action. In this event, an operator error occurred when the SFRCS was manually initiated. Failure to recover after a system failure has occurred is demonstrated by the failure of the auxiliary operators to correctly reset the overspeed trips on the auxiliary feedwater pump turbines. In contrast to these two errors are the almost heroic actions that were performed by the assistant shift supervisor. This individual attempted to reset the SFRCS so that auxiliary feedwater could be added to the steam generators, and aligned the startup feedwater pump for service.

A calculation of conditional core vulnerability and core damage probabilities for this event was performed and appears in NUREG/CR-4674, "Precursors to Potential Severe Core Damage Accidents: 1985 A Status Report." The dominant sequence for core vulnerability has a probability of 9.085E-03, and the event tree for this sequence is shown in Figure 16-11. The dominant sequence for core damage has a conditional probability of 4.680E-03, and the event tree for this sequence is shown in Figure 16-12. Note that this sequence contains a failure of the HPI feed and bleed. The hesitancy of the shift supervisor to initiate this system could have led to this failure.

APPENDIX - SEQUENCE OF EVENTS

Initial Conditions

  • Unit operating at 90% power
  • #1 MFP operating in automatic (ICS) control
  • #2 MFP operating in manual control

Partial Loss of Main Feedwater

01:35:01 Unit runback at 50%/min toward 55%.
01:35:21 Manual increase of #2 MFP speed. PZR spray valve opened to 100% in manual.
01:35:30 Reactor/turbine trip from 80% caused by high RCS pressure (2300 psig).
01:35:31 SFRCS low level trip - channel 2.
01:35:31 Both MSIVs start to close.
01:35:34 SFRCS actuation signal clears automatically.
01:35:36 MSIV #2 closed.
01:35:37 MSIV #1 closed. The main steam supply to #2 MFP is isolated. Steam from the MSR and MS piping will drive the turbine for about 4-1/2 minutes.
01:35:45 PZR spray valve closed.
01:35:56 OTSGs on low level limits (35 in.).
01:40:00 OTSG levels begin to drop below low level limits.

Complete Loss of Main Feedwater

01:41:04 SFRCS OTSG #1 low level (26.5 in.) actuation. #1 AFW turbine being supplied with steam from and supplying feedwater to #1 OTSG.
01:41:08 Operator manually actuates SFRCS on low OTSG pressure. The low pressure actuation is in both SFRCS channels, and the system senses "steam ruptures" in both OTSGs. The following equipment changes due to the manual actuation:
  1. #1 AFW turbine is aligned to be supplied from #2 OTSG.
  2. #2 AFW turbine is aligned to be supplied from #1 OTSG.
  3. #1 OTSG AFW containment isolation valve is automatically closed.
  4. #2 OTSG AFW containment isolation valve is automatically closed.
  5. The AFW cross-connect valves open.

01:41:13 SFRCS channel 2 low level trip. Pressure trip has priority.
01:41:31 #1 AFW turbine trips on overspeed.
01:41:44 #2 AFW turbine trips on overspeed.
01:42:00 Manual reset of SFRCS. The AFW containment isolation valves should have re-opened automatically, but did not. An attempt was made to re-open the valves from the main control panel, but the valves did not respond.
01:42:00 PZR spray valve opened.
01:43:55 "Initiate reset and block" of SFRCS attempted in an effort to re-open AFW containment isolation valves. Valves did not open.
01:44: + Equipment operators dispatched to the plant to operate the following equipment:
  1. Two operators to the AFW turbines to restore AFW pumps to service.
  2. The assistant shift supervisor left the control room to place the startup feed pump in service.
  3. Two operators were sent to open the AFW containment isolation valves.
01:44:50 Makeup flow decreases as pressurizer level increases above the normal setpoint of 200 in.
01:45:50 #2 AFW turbine overspeed trip reset locally.
01:45:29 OTSG #1 atmospheric vent valve opened.
01:46:30 #1 AFW turbine throttle valve relatched and valve opened (overspeed trip not cleared). Speed controlled locally throughout event.
01:47:33 OTSG #1 below 960 psig and decreasing.
01:47:48 OTSG #2 AFW containment isolation valve opened locally.
01:48:08 OTSG #1 atmospheric vent valve closed.
01:48:49 PZR PORV opens at 2433 psig (2425 psig setpoint).
01:48:51 OTSG #2 pressure <960 psig and decreasing. Both OTSGs now "dried out." Procedures require MU/HPI core cooling. MU/HPI core cooling is also called "feed and bleed" core cooling.
01:48:52 PORV closed at 2377 psig. (2375 setpoint)
01:49:28 OTSG #1 AFW containment isolation valve opened manually.
01:50:09 PORV opens at 2434 psig.
01:50:12 PORV closes at 2369 psig.
01:50:13 OTSG #1 atmospheric vent valve opened; OTSG pressure drops rapidly to 750 psig.
01:51:17 OTSG #1 level drops below 8 in. (MU/HPI cooling criterion)
01:51:18 PORV opens at 2435 psig and does not close.
01:51:23 Startup feedwater pump motor started.
01:51:30 Obtained flow from startup feedpump to OTSG #1.

01:51:42 Operator started to close the PORV block valve as pressure fell through 2140 psig.
01:51:42 RCS loop #1 reaches a minimum pressure of 2081 psig. Loop #1 Thot=588.6°F, Tave=587.5°F.
01:51:43 PZR spray valve closed.
01:51:49 Acoustic monitor indicates <20% flow through the PORV and PORV block valve.
01:53:00 Thot reaches maximum value of 593.5°F.
01:53:22 AFW train #2 has significant flow, with control locally via the trip-throttle valve.
01:53:25 RCS Tave reaches maximum of 592.3°F.
01:53:35 OTSG #2 returns to above 960 psig.
01:53:56 PORV block valve re-opened.
01:54:45 OTSG #1 returns to above 960 psig.
01:54:46 AFW train #1 has significant flow.
01:56:58 OTSG #2 atmospheric vent valve open. Pressure <960 psig.
01:57:05 OTSG #1 <960 psig.
01:57:53 Low suction pressure developed on #1 AFW pump.
01:58: + Tave passed through the normal post-trip value. The cooldown (due to feedwater) has lowered RCS pressure to about 1720 psig. The operators have manually started #1 HPI pump in the piggyback mode of operation to maintain pressurizer level. About 50 gallons of water is injected.
01:58:08 RCS pressure reaches a minimum of 176 psig. Thot=546°F, Tave=546.2°F.
01:58:27 AFW pump suction pressure returns to normal.
01:58:28 OTSG #1 atmospheric vent valve closed.
01:58:33 AFW flow to #1 OTSG reduced to control level.
01:58:40 AFW #1 suction transfers to service water. Manual realignment to CST.
01:58:57 AFW pump turbine overspeed trip reset.
02:01: + When AFW turbine #2 was returned to service, the control room operator controlled the pump in manual rather than returning it to auto.
02:01:13 AFW train #2 flow reduced.
02:02:27 OTSG #1 pressure >960 psig.
02:02:30 OTSG #2 pressure >960 psig.
02:04: Plant conditions essentially stable.


Additional Complications

  • Control room HVAC spuriously tripped to the emergency mode.
  • Upon energization, the remaining source range NI failed off-scale low. All control rods were verified to be fully inserted, and emergency boration was initiated.
  • The operator attempted to override the automatic close signal for one of the SU reg valves, but a burned out light bulb prevented reset indication.

Figure 16-1 Davis-Besse NSSS
Figure 16-2 Main Steam System
Figure 16-3 Main Feedwater System
Figure 16-4 Auxiliary Feedwater System
Figure 16-5 Emergency Core Cooling Systems
Figure 16-6 Steam and Feed Rupture Control System Logic
Figure 16-7 Reactor Coolant System and Pressurizer Response
Figure 16-8 Number One Steam Generator Parameters
Figure 16-9 Number Two Steam Generator Parameters
Figure 16-10 Trip Throttle Valve
Figure 16-11 Dominant Core Vulnerability Sequence Event Tree
Figure 16-12 Dominant Core Damage Sequence Event Tree