ML20100P541
| ML20100P541 | |
| Person / Time | |
|---|---|
| Site: | San Onofre |
| Issue date: | 10/31/1990 |
| From: | Gore B, Pugh R, Vo T Battelle Memorial Institute, PACIFIC NORTHWEST NATION |
| To: | Office of Nuclear Reactor Regulation |
| Shared Package | |
| ML13302B859 | List: |
| References | |
| CON-FIN-L-1310 NUDOCS 9011090308 | |
NUREG/CR.
PNL-

AUXILIARY FEEDWATER SYSTEM RISK BASED INSPECTION GUIDE FOR THE SAN ONOFRE UNIT 2 NUCLEAR POWER PLANT

R. Pugh
B. F. Gore
T. V. Vo

October 1990

Prepared for
Division of Radiation Protection and Emergency Preparedness
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, DC 20555
NRC FIN L1310

Pacific Northwest Laboratory
Richland, Washington 99352
CONTENTS

SUMMARY
1.0 INTRODUCTION
2.0 SAN ONOFRE 2 AFW SYSTEM
2.1 SYSTEM DESCRIPTION
2.2 SUCCESS CRITERION
2.3 SYSTEM DEPENDENCIES
2.4 OPERATIONAL CONSTRAINTS
3.0 INSPECTION GUIDANCE FOR THE SAN ONOFRE 2 AFW SYSTEM
3.1 RISK IMPORTANT AFW COMPONENTS AND FAILURE MODES
3.1.1 MULTIPLE PUMP FAILURES DUE TO COMMON CAUSE
3.1.2 TURBINE DRIVEN PUMP P140 FAILS TO START AND RUN
3.1.3 MOTOR DRIVEN PUMP P141 OR P504 FAILS TO START OR RUN
3.1.4 PUMP P140, P141 OR P504 UNAVAILABLE DUE TO MAINTENANCE OR SURVEILLANCE
3.1.5 ELECTROHYDRAULIC CONTROLLED VALVES HV 4714, 4731, 4762, OR 4763 FAIL CLOSED
3.1.6 MOTOR OPERATED VALVES HV 4705, 4706, 4712, 4713, 4715, OR 4730 FAIL CLOSED
3.1.7 MANUAL SUCTION OR DISCHARGE VALVES FAIL CLOSED
3.1.8 LEAKAGE OF HOT FEEDWATER THROUGH CHECK VALVES
3.2 RISK IMPORTANT AFW SYSTEM WALKDOWN TABLE
4.0 GENERIC RISK INSIGHTS FROM PRAs
4.1 RISK IMPORTANT ACCIDENT SEQUENCE INVOLVING AFW SYSTEM FAILURES
4.2 RISK IMPORTANT COMPONENT FAILURE MODES
5.0 FAILURE MODES DETERMINED FROM OPERATING EXPERIENCE
5.1 SAN ONOFRE EXPERIENCE
5.2 INDUSTRY WIDE EXPERIENCE
5.2.1 COMMON CAUSE FAILURES
5.2.2 HUMAN ERRORS
5.2.3 DESIGN/ENGINEERING PROBLEMS AND ERRORS
5.2.4 COMPONENT FAILURES
REFERENCES
SUMMARY

This document presents a compilation of auxiliary feedwater (AFW) system failure information which has been screened for risk significance in terms of failure frequency and degradation of system performance. It is a risk-prioritized listing of failure events and their causes that are significant enough to warrant consideration in inspection planning at the San Onofre 2 Nuclear Power Plant. This information is presented to provide inspectors increased resources for inspection planning at San Onofre 2.

The risk importance of various component failure modes was identified by analysis of the results of probabilistic risk assessments (PRAs) for many pressurized water reactors (PWRs). However, the component failure categories identified in PRAs are rather broad, because the failure data used in the PRAs is an aggregate of many individual failures having a variety of root causes. In order to help inspectors focus on specific aspects of component operation, maintenance, and design which might cause these failures, an extensive review of component failure information was performed to identify and rank the root causes of these component failures. Both San Onofre and industry wide failure information was analyzed. Failure causes were sorted on the basis of frequency of occurrence and seriousness of consequence, and categorized as common cause failures, human errors, design problems, or component failures.

This information is presented in the body of this document. Section 3.0 provides brief descriptions of these risk important failure causes, and Section 5.0 presents more extensive discussions, with specific examples and references. The entries in the two sections are cross referenced.

An abbreviated system walkdown table is presented in Section 3.2 which includes only components identified as risk important. This table lists the system lineup for normal, standby system operation.

This information permits an inspector to concentrate on components important to the prevention of core damage. However, it is important to note that inspections should not focus exclusively on these components. Other components which perform essential functions, but which are not included because of high reliability or redundancy, must also be addressed to ensure that degradation does not increase their failure probabilities, and hence their risk importances.
1.0 INTRODUCTION
This document is the sixth of a series providing plant-specific inspection guidance for auxiliary feedwater (AFW) systems at pressurized water reactors (PWRs). This guidance is based on information from probabilistic risk assessments (PRAs) for similar PWRs, industry wide operating experience with AFW systems, plant specific AFW system descriptions, and plant specific operating experience. It is not a detailed inspection plan, but rather a compilation of AFW system failure information which has been screened for risk significance in terms of failure frequency and degradation of system performance. The result is a risk prioritized listing of failure events and their causes that are significant enough to warrant consideration in inspection planning at San Onofre 2.

This inspection guidance is presented in Section 3.0, following a description of the San Onofre AFW system in Section 2.0. Section 3.0 identifies the risk important system components by San Onofre 2 identification number, followed by brief descriptions of each of the various failure causes of that component. These include specific human errors, design deficiencies, and hardware failures. The discussions also identify where common cause failures have affected multiple, redundant components. These brief discussions identify specific aspects of system or component design, operation, maintenance, or testing for inspection by observation, records review, training observation, procedures review, or by observation of the implementation of procedures. An AFW system walkdown table identifying risk important components and their lineup for normal, standby system operation is also provided.

The remainder of the document describes and discusses the information used in compiling this inspection guidance. Section 4.0 describes the risk importance information which has been derived from PRAs and its sources. As review of that section will show, the failure categories identified in PRAs are rather broad (e.g., pump fails to start or run, valve fails closed). Section 5.0 addresses the specific failure causes which have been combined under these categories.

AFW system operating history was studied to identify the various specific failures which have been aggregated into the PRA failure mode categories. Section 5.1 presents a summary of San Onofre failure information, and Section 5.2 presents a review of industry-wide failure information. The industry-wide information was compiled from a variety of NRC sources, including AEOD analyses and reports, information notices, inspection and enforcement bulletins, and generic letters, and from a variety of INPO reports as well. Some Licensee Event Reports and NPRDS event descriptions were also reviewed individually. Finally, information was included from reports of NRC sponsored studies of the effects of plant aging, which include quantitative analyses of reported AFW system failures. This industry-wide information was then combined with the plant-specific failure information to identify the various root causes of the PRA failure categories, which are identified in Section 3.0.
2.0 SAN ONOFRE 2 AFW SYSTEM

This section presents an overview description of the San Onofre 2 AFW system, including a simplified schematic system diagram. In addition, the system success criterion, system dependencies, and administrative operational constraints are also presented.

2.1 System Description

The AFW system provides feedwater to the steam generators (SG) to allow secondary side heat removal from the primary system when main feedwater is unavailable. The system is capable of functioning for extended periods, which allows time to restore main feedwater flow or to proceed with an orderly cooldown of the plant to where the shutdown cooling system (SCS) can remove decay heat. A simplified schematic diagram of the AFW system is shown in Figure 2.1.

The AFW system is controlled automatically by an Emergency Feedwater Actuation Signal (EFAS). Initiation of an EFAS automatically actuates the AFW system to provide an AFW supply to the steam generators on low steam generator water level. When an EFAS signal is generated, the turbine driven pump (P-140) and the corresponding motor-driven pump (P-141 or P-504) dedicated to the steam generator that is initiating the signal are automatically started. To deliver flow to the affected steam generator, auxiliary feedwater control valves and isolation valves are fully opened. When the EFAS signal clears, the control valves and isolation valves are driven closed. Initiation of a Main Steam Isolation Signal (MSIS) automatically shuts all remotely actuated auxiliary feedwater control valves and isolation valves unless an EFAS signal is present. Actuation of both a MSIS and an EFAS automatically isolates auxiliary feedwater flow to the ruptured steam generator and controls flow to the intact steam generator.

The normal AFW pump suction is from a seismic category I condensate storage tank T-121 (150,000 Gal.). Each pump draws from a separate header through two locked open isolation valves. Power, control, and instrumentation associated with each motor-driven pump are independent from ... Steam for the turbine driven pump is supplied by each of the two main steam lines from a point between the containment penetration and the main steam isolation valves. Each path of the steam supply lines to the turbine has a check valve and a pneumatically-actuated steam supply isolation valve. The steam from both supply lines combines and is then directed to the turbine via a stop valve and a governor valve. Both pneumatically actuated isolation valves, the stop valve, and the controls to the governor are supplied with power from an emergency DC power source. Each AFW pump is equipped with a continuous recirculation flow system, which prevents pump deadheading.

Each auxiliary feedwater pump discharge is provided with a check valve and locally operated isolation valve. The discharge lines from the motor driven auxiliary feedwater pumps are equipped with AC motor operated control valves and AC electrohydraulic bypass control valves. The discharge lines from the turbine-driven pump are equipped with DC motor-operated control valves. Each motor-driven pump normally supplies feedwater to only one steam generator, but
the headers may be cross connected. The turbine driven pump normally supplies both steam generators. Two parallel containment isolation valves are provided in each auxiliary feedwater line to each steam generator immediately outside containment. One isolation valve to each pair is AC electrohydraulic powered; the other valve is DC motor powered. This arrangement assures a flow path to at least one steam generator if a valve failure occurs concurrent with a loss of AC or DC power.

CST T-121 is the normal source of water for the AFW System and is required to store sufficient demineralized water to maintain the reactor coolant system (RCS) at hot standby conditions for 2 hours followed by cooldown to shutdown cooling initiation, with steam discharge to atmosphere. Makeup to CST T-121 is normally supplied from the demineralized water "Hill Tanks". Alternate makeup is available from the demineralization system, condensate tank T-120 or the fire protection system in an emergency condition.

2.2 Success Criterion

System success requires the operation of at least one pump supplying rated flow to at least one of the two steam generators.

2.3 System Dependencies

The AFW system depends on AC power for motor driven pumps and level control valves, DC power for control power to pumps and valves, and an automatic actuation signal. In addition, the turbine-driven pump also requires steam availability.

2.4 Operational Constraints

When the reactor is critical the San Onofre 2 Technical Specifications require that all three AFW pumps and associated flow paths are operable with each motor driven pump powered from a different vital bus. If one AFW pump becomes inoperable, it must be restored to operable status within 72 hours or the plant must shut down to hot standby within the next six hours. If two AFW pumps are inoperable, the plant must be shut down to hot standby within six hours. With three AFW pumps inoperable, corrective action to restore at least one pump to operable status must be initiated immediately.

The San Onofre 2 Technical Specifications require a 144,000 gallon supply of water to be stored in the CST T-121 and a 280,000 gallon supply of water stored in CST T-120.
3.0 INSPECTION GUIDANCE FOR THE SAN ONOFRE 2 AFW SYSTEM

In this section the risk important components of the San Onofre 2 AFW system are identified, and the important modes by which they are likely to fail are briefly described. These failure modes include specific human errors, design problems, and types of hardware failures which have been observed to occur for these types of components, both at San Onofre and at PWRs throughout the nuclear industry. The discussions also identify where common cause failures have affected multiple, redundant components. These brief discussions identify specific aspects of system or component design, operation, maintenance, or testing for observation, records review, training observation, procedures review, or by observation of the implementation of procedures.

Table 3.1 is an abbreviated AFW system walkdown table which identifies risk important components. This table lists the system lineup for normal, standby system operation. Inspection of the components identified addresses essentially all of the risk associated with AFW system operation.

3.1 Risk Important AFW Components and Failure Modes

Common cause failures of multiple pumps are the most risk-important failure modes of AFW system components. These are followed in importance by single pump failures, level control valve failures, and individual check valve backleakage failures.

The following sections address each of these failure modes, in decreasing order of importance. They present the important root causes of these component failure modes which have been distilled from historical records. Each item is keyed to discussions in Section 5.2 which present additional information on historical events.
3.1.1 Multiple Pump Failures due to Common Cause

The following listing summarizes the most important multiple-pump failure modes identified in Section 5.2.1, Common Cause Failures, and each item is keyed to entries in that section.

- Incorrect operator intervention into automatic system functioning, including improper manual starting and securing of pumps, has caused failure of all pumps, including overspeed trip on startup, and inability to restart prematurely secured pumps. CC1.
- Valve mispositioning has caused failure of all pumps. Pump suction, steam supply, and instrument isolation valves have been involved. CC2.
- Steam binding has caused failure of multiple pumps. This resulted from leakage of hot feedwater past check valves into a common discharge header, with several valves involved including a motor-operated discharge valve. (See item 7 below.) CC10. Multiple pump steam binding has also resulted from improper valve lineups, and from running a pump deadheaded. CC3.
- Pump control circuit deficiencies or design modification errors have caused failures of multiple pumps to auto start, spurious pump trips during operation, and failures to restart after pump shutdown. CC4. Incorrect setpoints and control circuit calibrations have also prevented proper operation of multiple pumps. CC5.
- Loss of a vital power bus has failed both the turbine driven and one motor-driven pump due to loss of control power to steam admission valves or to turbine controls, and to motor controls powered from the same bus. CC6.
- Simultaneous startup of multiple pumps has caused oscillations of pump suction pressure causing multiple pump trips on low suction pressure, despite the existence of adequate static net positive suction head (NPSH). CC7.
- Design reviews have identified inadequately sized suction piping which could have yielded insufficient NPSH to support operation of more than one pump. CC8.
3.1.2 Turbine Driven Pump P140 Fails to Start or Run

- Improperly adjusted and inadequately maintained turbine governors have caused pump failures. HE2. Problems include worn or loosened nuts, set screws, linkages or cable connections, oil leaks and/or contamination, and electrical failures of resistors, transistors, diodes and circuit cards, and erroneous grounds and connections. CF5.
- Terry turbines with Woodward Model EG governors have been found to overspeed trip if full steam flow is allowed on startup. Sensitivity can be reduced if a startup steam bypass valve is sequenced to open first. DE1.
- Condensate slugs in steam lines have caused turbine overspeed trip on startup. Tests repeated right after such a trip may fail to indicate the problem due to warming and clearing of the steam lines. Surveillance should exercise all steam supply connections. DE2.
- Turbine stop valve (HV-4716) problems which have failed the turbine driven pump include physically bumping it, failure to reset it following testing, and failures to verify control room indication of reset. HE2. Whether either the overspeed trip or TTV trip can be reset without resetting the other, indication in the control room of TTV position, and unambiguous local indication of an overspeed trip affect the likelihood of these errors. DE3.
- Turbines with Woodward Model PG-PL governors have tripped on overspeed when restarted shortly after shutdown, unless an operator has locally exercised the speed setting knob to drain oil from the governor speed setting cylinder (per procedure). Automatic oil dump valves are now available through Terry. DE4.
3.1.3 Motor Driven Pump P141 or P504 Fails to Start or Run

- Control circuits used for automatic and manual pump starting are an important cause of motor driven pump failures, as are circuit breaker failures. CF7.
- Mispositioning of handswitches and procedural deficiencies have prevented automatic pump start. HE3.
- Low lubrication oil pressure resulting from heatup due to previous operation has prevented pump restart due to failure to satisfy the protective interlock. DE5.
3.1.4 Pump P140, P141, or P504 Unavailable Due to Maintenance or Surveillance

Both scheduled and unscheduled maintenance remove pumps from operability. Surveillance requires operation with an altered line up, although a pump train may not be declared inoperable during testing. Prompt scheduling and performance of maintenance and surveillance minimize this unavailability.
3.1.5 Electrohydraulic Controlled Valves HV-4714, 4731, 4762, or 4763 Fail Closed

These EHVs control or isolate flow from the AFW pumps to each of the steam generators. They fail as-is during motor failure and fail closed on loss of hydraulic pressure.

- EHV performance has been poor at other facilities, primarily due to hydraulic problems. CF6.
- Leakage of hot feedwater through check valves has caused thermal binding of normally closed flow control MOVs. EHVs may be similarly susceptible. CF2.
- Multiple flow control valves have been plugged by clams when suction switched automatically to an alternate, untreated source. CC9.
3.1.6 Motor Operated Valves HV 4705, 4706, 4712, 4713, 4715 and 4730

These normally open MOVs control or isolate flow from the AFW pumps to each of the steam generators. They fail as-is on loss of power.

- Common cause failure of MOVs has resulted from failure to use electrical signature tracing equipment to determine proper settings of torque switch and torque switch bypass switches. Failure to calibrate switch settings for high torques necessary under design basis accident conditions has also been involved. CC11.
- Valve motors have been failed due to lack of, or improper sizing or use of thermal overload protective devices. Bypassing and oversizing should be based on proper engineering for design basis conditions. CF4.
- Out-of-adjustment electrical flow controllers have caused improper discharge valve operation, affecting multiple trains of AFW. CC12.
- Grease trapped in the torque switch spring pack of Limitorque SMB motor operators has caused motor burnout or thermal overload trip by preventing torque switch actuation. CF8.
- Manually reversing the direction of motion of operating MOVs has overloaded the motor circuit. Operating procedures should provide cautions, and circuit designs may prevent reversal before each stroke is finished. DE7.
- Space heaters designed for preoperation storage have been found wired in parallel with valve motors which had not been environmentally qualified with them present. DE8.
3.1.7 Manual Suction or Discharge Valves Fail Closed

TD Pump P140: Valves S21305MU468, S21305MU122
MD Pump P141: Valves S21305MU469, S21305MU127
MD Pump P504: Valves S21305MU538, S21305MU533

These manual valves are normally locked open. For each train, closure of the first valve listed would block suction from CST T-121. Closure of the second valve would block all pump discharge except recirculation to CST T-121.

Valve mispositioning has resulted in failures of multiple trains of AFW. CC2. It has also been the dominant cause of problems identified during operational readiness inspections. HE1. Events have occurred most often during maintenance, calibration, or system modifications. Important causes of mispositioning include:

- Failure to provide complete, clear, and specific procedures for tasks and system restoration
- Failure to promptly revise and validate procedures, training, and diagrams following system modifications
- Failure to complete all steps in a procedure
- Failure to adequately review uncompleted procedural steps after task completion
- Failure to verify support functions after restoration
- Failure to adhere scrupulously to administrative procedures regarding tagging, control and tracking of valve operations
- Failure to log the manipulation of sealed valves
- Failure to follow good practices of written task assignment and feedback of task completion information
- Failure to provide easily read system drawings, legible valve labels corresponding to drawings and procedures, and labeled indications of local valve position

3.1.8 Leakage of Hot Feedwater through Check Valves

At MFW connections: Valves S21305MU124, S21305MU448
Between Pump P140 and MFW: Valves S21305MU547
Between Pump P141 and MFW: Valves S21305MU126
Between Pump P504 and MFW: Valves S21305MU532

- Leakage of hot feedwater through several check valves in series has caused steam binding of multiple pumps. Leakage through a closed level control valve in series with check valves has also occurred, as would be required for leakage to reach the motor driven pumps P504 and P141. CC10.
- Slow leakage past the final check valve of a series may not force upstream check valves closed, allowing leakage past each of them in turn. Piping orientation and valve design are important factors in achieving true series protection. CF1.
3.2 Risk Important AFW System Walkdown Table

Table 3.1 presents an AFW system walkdown table including only components identified as risk important. The lineup indicated is for normal power operation. This information allows inspectors to concentrate their efforts on components important to prevention of core damage. However, it is essential to note that inspections should not focus exclusively on these components. Other components which perform essential functions, but which are absent from this table because of high reliability or redundancy, must also be addressed to ensure that their risk importances are not increased. Examples include the (open) steam lead isolation valves upstream of HV 4716, an adequate water level in the CST, and the (closed) valves cross connecting the discharges of the two motor driven AFW pumps.
TABLE 3.1. Risk Important AFW System Walkdown Table

| Component # | Component Name | Required Position | Actual Position |
|---|---|---|---|
| **Electrical** | | | |
| 2A0404 | 2P-141 MOTOR BREAKER | RACKED IN ON CLOSING SPRINGS CHG MOTOR ENERGIZED | |
| 2A0603 | 2P-504 MOTOR BREAKER | RACKED IN ON CLOSING SPRINGS CHG MOTOR ENERGIZED | |
| **P-140 Flowpath** | | | |
| S21305MU471 | CST T-121 OUTLET TO 2P-140 | LOCKED OPEN | |
| S21305MU468 | 2P-140 SUCTION VALVE | LOCKED OPEN | |
| S21305MU122 | 2P-140 DISCHARGE VALVE | LOCKED OPEN | |
| S21305MU123 | 2HV-4706 INLET VALVE | LOCKED OPEN | |
| 2HV-4706 | 2P-140 FLOW CNTRL TO S/G 2E-089 | CLOSED | |
| S21305MU125 | 2HV-4706 OUTLET VALVE | LOCKED OPEN | |
| S21305MU136 | 2HV-4705 INLET VALVE | LOCKED OPEN | |
| 2HV-4705 | 2P-140 FLOW CNTRL TO S/G 2E-088 | CLOSED | |
| S21305MU134 | 2HV-4705 OUTLET VALVE | LOCKED OPEN | |
| **P-141 Flowpath** | | | |
| S21305MU473 | CST T-121 OUTLET TO 2P-141 | LOCKED OPEN | |
| S21305MU469 | 2P-141 SUCTION VALVE | LOCKED OPEN | |
| S21305MU127 | 2P-141 DISCHARGE VALVE | LOCKED OPEN | |
| S21305MU131 | 2HV-4713 INLET VALVE | LOCKED OPEN | |
| 2HV-4713 | 2P-141 FLOW CONTROL VALVE | CLOSED | |
| S21305MU133 | 2HV-4713 OUTLET VALVE | LOCKED OPEN | |
| S21305MU154 | 2HV-4763 INLET VALVE | OPEN | |
| 2HV-4763 | 2P-141 BYPASS FLOW CNTRL VALVE | CLOSED | |
| S21305MU153 | 2HV-4763 OUTLET VALVE | OPEN | |
| **P-504 Flowpath** | | | |
| S21305MU542 | CST T-121 OUTLET TO 2P-504 | LOCKED OPEN | |
| S21305MU538 | 2P-504 SUCTION VALVE | LOCKED OPEN | |
| S21305MU533 | 2P-504 DISCHARGE VALVE | LOCKED OPEN | |
| S21305MU128 | 2HV-4712 INLET VALVE | LOCKED OPEN | |
| 2HV-4712 | 2P-504 FLOW CONTROL VALVE | CLOSED | |
| S21305MU130 | 2HV-4712 OUTLET VALVE | LOCKED OPEN | |
| S21305MU553 | 2HV-4762 INLET VALVE | OPEN | |
| 2HV-4762 | 2P-504 BYPASS FLOW CNTRL VALVE | CLOSED | |
| S21305MU152 | 2HV-4762 OUTLET VALVE | OPEN | |
| **Steam Generator Isolation** | | | |
| 2HV-4714 | AUX. FEED DISCH. TO 2E-088 | CLOSED | |
| 2HV-4715 | AUX. FEED DISCH. TO 2E-089 | CLOSED | |
| 2HV-4730 | AUX. FEED DISCH. TO 2E-088 | CLOSED | |
| 2HV-4731 | AUX. FEED DISCH. TO 2E-089 | CLOSED | |
| **Cross Connect Valves** | | | |
| S21305MU634 | 2P-504 AND 2P-141 DISCH. X-TIE | LOCKED CLOSED | |
| S21305MU635 | 2P-504 AND 2P-141 DISCH. X-TIE | LOCKED CLOSED | |
| **Steam Supply Valve** | | | |
| 2HV-4716 | TURBINE 2K-007 TRIP THROTTLE VALVE | RESET | |
4.0 GENERIC RISK INSIGHTS FROM PRAs

PRAs for 13 PWRs were analyzed to identify risk important accident sequences involving loss of AFW, and to identify and risk prioritize the component failure modes involved. The results of this analysis are described in this section. They are consistent with results reported by INEL and BNL (Gregg et al 1988, and Travis et al, 1988).

4.1 Risk Important Accident Sequences Involving AFW System Failure

Loss of Power System

- A loss of offsite power is followed by failure of AFW. Due to lack of actuating power, the PORVs cannot be opened, preventing adequate feed and bleed cooling, and resulting in core damage.
- A station blackout fails all AC power except Vital AC from DC inverters, and all decay heat removal systems except the turbine-driven AFW pump. AFW subsequently fails due to battery depletion or hardware failures resulting in core damage.
- A DC bus fails, causing a trip and failure of the power conversion system. One AFW motor driven pump is failed by the bus loss, and the turbine driven pump fails due to loss of turbine or valve control power. AFW is subsequently lost completely due to other failures. Feed and bleed cooling fails because PORV control is lost, resulting in core damage.

Transient Caused Reactor or Turbine Trip

- A transient-caused trip is followed by a loss of PCS and AFW. Feed and bleed cooling fails either due to failure of the operator to initiate it, or due to hardware failures, resulting in core damage.

Loss of Main Feedwater

- A feedwater line break drains the common water source for MFW and AFW. The operators fail to provide feedwater from other sources, and fail to initiate feed and bleed cooling, resulting in core damage.
- A loss of main feedwater trips the plant, and AFW fails due to operator error and hardware failures. The operators fail to initiate feed and bleed cooling, resulting in core damage.

Steam Generator Tube Rupture

- A SGTR is followed by failure of AFW. Coolant is lost from the primary until the RWST is depleted. HPI fails since recirculation cannot be established from the empty sump, and core damage results.
4.2 Risk Important Component Failure Modes

The generic component failure modes identified from PRA analyses as important to AFW system failure are listed below in decreasing order of risk importance.

1. Turbine Driven Pump Failure to Start or Run.
2. Motor Driven Pump Failure to Start or Run.
3. TDP or MDP Unavailable due to Test or Maintenance.
4. AFW System Valve Failures
   - steam admission valves
   - trip and throttle valve
   - flow control valves
   - pump discharge valves
   - pump suction valves
   - valves in testing or maintenance.
5. Supply/Suction Sources
   - condensate storage tank stop valve
   - hot well inventory
   - suction valves.

In addition to individual hardware, circuit, or instrument failures, each of these failure modes may result from common causes and human errors. Common cause failures of AFW pumps are particularly risk important. Valve failures are somewhat less important due to the multiplicity of steam generators and connection paths. Human errors of greatest risk importance involve: failures to initiate or control system operation when required; failure to restore proper system lineup after maintenance or testing; and failure to switch to alternate sources when required.
5.0 FAILURE MODES DETERMINED FROM OPERATING EXPERIENCE

This section describes the primary root causes of component failures of the AFW system, as determined from a review of operating histories at San Onofre and at other PWRs throughout the nuclear industry. Section 5.1 describes experience at San Onofre. Section 5.2 summarizes information compiled from a variety of NRC sources, including AEOD analyses and reports, information notices, inspection and enforcement bulletins, and generic letters, and from a variety of INPO reports as well. Some Licensee Event Reports (LERs) and NPRDS event descriptions were also reviewed individually. Finally, information was included from reports of NRC sponsored studies of the effects of plant aging, which include quantitative analyses of AFW system failure reports. This information was used to identify the various root causes expected for the broad PRA based failure categories identified in Section 4.0, resulting in the inspection guidelines presented in Section 3.0.
5.1 San Onofre Experience

There were 86 reports of AFW system equipment failures at San Onofre between November, 1983 and July, 1990. These include failures of the AFW pumps, pump discharge flow control valves to steam generators, and pump suction and discharge valves.
Failure modes include electrical, instrumentation, and hardware failures, and human errors.
AFW Pump Control Logic, Instrumentation and Electrical Failures

Nineteen failures of the AFW pumps to start, run, trip when required or achieve rated speed were found in the events examined. These occurrences resulted from failures of the turbine governor, breakers, relays and contacts, turbine overspeed device, faulty wiring and power supplies.
The failure causes are mechanical wear, corrosion, or improper design and installation.
Failure of AFW Pump Discharge Flow Control and Bypass Valve to Steam Generators

Nineteen failures of the AFW pump discharge flow control and bypass valves were found in the events examined. These resulted from failures of valve control circuits, valve operators and valve breakers.
Failures have resulted from DC control grounds, valve binding, dirty or worn contacts, improper torque switch operation, electrical component failure, frayed wiring, valve operator mechanical failure and low hydraulic fluid pressure.
Failure causes are mechanical wear, contact oxidation, inadequate maintenance or testing activities and improper design and/or installation. These valves have also experienced packing leaks, as have pump discharge check valves.
AFW Steam Generator Isolation Valve Failures

Eleven failures of the AFW steam generator isolation valves were found in the events examined. These failures resulted from valve binding, solenoid coil failure, fouled torque switch contacts, oil line leaks, pressure switch settings, hydraulic relief valve failure, control power short circuits, and low hydraulic operating pressure. Failure causes are mechanical wear, contact oxidation, component aging, and inadequate maintenance or testing activities.
AFW Turbine Stop Valve

Fourteen failures of the AFW turbine stop valve were found in the events examined. These failures resulted from valve binding, condensation in the balancing chamber, seat leakage, control circuit grounds, actuator motor failure, torque switch misadjustment or failure, improper trip plunger adjustment, bent or damaged declutch shaft, and missing hardware.
Failure causes are mechanical wear, component aging, contact oxidation or fouling, inadequate maintenance or testing activities and improper design.
Human Errors

Ten events relating directly to significant human errors affecting the AFW system were found in the events examined. Motor stator end coil insulation was apparently damaged during repair or inspection.
External motor components have been found broken off or damaged.
System leakage has resulted from improperly adjusted bolts.
Foreign material has been found between switch contacts.
Components have failed due to missing parts or hardware. Both personnel error and inadequate procedures have been involved.
5.2 Industry Wide Experience

Human errors, design/engineering problems and errors, and component failures are the primary root causes of AFW System failures identified in a review of industry wide system operating history.
Common cause failures, which disable more than one train of this operationally redundant system, are highly risk significant, and can result from all of these causes.
This section identifies important common cause failure modes, and then provides a broader discussion of the single failure effects of human errors, design/engineering problems and errors, and component failures.
Paragraphs presenting details of these failure modes are coded (e.g., CC1) and cross-referenced by inspection items in Section 3.

5.2.1 Common Cause Failures

The dominant cause of AFW system multiple train failures has been human error. Design/engineering errors and component failures have been less frequent, but nevertheless significant, causes of multiple train failures.
CC1. Human error in the form of incorrect operator intervention into automatic AFW system functioning during transients resulted in the temporary loss of all safety-grade AFW pumps during events at Davis Besse (NUREG-1154, 1985) and Trojan (AEOD/T416, 1983).
In the Davis Besse event, improper manual initiation of the steam and feedwater rupture control system (SFRCS) led to overspeed tripping of both turbine driven AFW pumps, probably due to the introduction of condensate into the AFW turbines from the long, unheated steam supply lines.
(The system had never been tested with the abnormal, cross-connected steam supply lineup which resulted.)
In the Trojan event the operator incorrectly stopped both AFW pumps due to misinterpretation of MFW pump speed indication. The diesel driven pump would not restart due to a protective feature requiring complete shutdown, and the turbine driven pump tripped on overspeed, requiring local reset of the trip and throttle valve. In cases where manual intervention is required during the early stages of a transient, training should emphasize that actions should be performed methodically and deliberately to guard against such errors.
CC2. Valve mispositioning has accounted for a significant fraction of the human errors failing multiple trains of AFW.
This includes closure of normally open suction valves or steam supply valves, and of isolation valves to sensors having control functions.
Incorrect handswitch positioning and inadequate temporary wiring changes have also prevented automatic starts of multiple pumps.
Factors identified in studies of mispositioning errors include failure to add newly installed valves to valve checklists, weak administrative control of tagging, restoration, independent verification, and locked valve logging, and inadequate adherence to procedures.
Illegible or confusing local valve labeling, and insufficient training in the determination of valve position may cause or mask mispositioning, and surveillance which does not exercise complete system functioning may not reveal mispositionings.
CC3. At ANO-2, both AFW pumps lost suction due to steam binding when they were lined up to both the CST and the hot startup/blowdown demineralizer effluent (AEOD/C404, 1984). At Zion-1, steam created by running the turbine-driven pump deadheaded for one minute caused trip of a motor driven pump sharing the same inlet header, as well as damage to the turbine driven pump (Region 3 Morning Report, 1/17/90).
Both events were caused by procedural inadequacies.
CC4. Design/engineering errors have accounted for a smaller, but significant fraction of common cause failures.
Problems with control circuit design modifications at Farley defeated AFW pump auto start on loss of main feedwater. At Zion-2, restart of both motor driven pumps was blocked by circuit failure to deenergize when the pumps had been tripped with an automatic start signal present (IN 82-01, 1982).
In addition, AFW control circuit design reviews at Salem and Indian Point have identified designs where failures of a single component could have failed all or multiple pumps (IN 87-34, 1987).
CC5. Incorrect setpoints and control circuit settings resulting from analysis errors and failures to update procedures have also prevented pump start and caused pumps to trip spuriously.
Errors of this type may remain undetected despite surveillance testing, unless surveillance tests model all types of system initiation and operating conditions. A greater fraction of instrumentation and control circuit problems has been identified during actual system operation (as opposed to surveillance testing) than for other types of failures.
CC6. On two occasions at a foreign plant, failure of a balance of plant inverter caused failure of two AFW pumps.
In addition to loss of the motor driven pump whose auxiliary start relay was powered by the inverter, the turbine driven pump tripped on overspeed because the governor valve opened, allowing full steam flow to the turbine.
This illustrates the importance of assessing the effects of failures of balance of plant equipment which supports the operation of critical components.
The instrument air system is another example of such a system.
CC7. Multiple AFW pump trips have occurred at Millstone-3, Cook-1, Trojan and Zion-2 (IN 87-53, 1987) caused by brief, low pressure oscillations of suction pressure during pump startup.
These oscillations occurred despite the availability of adequate static NPSH.
Corrective actions taken include: extending the time delay associated with the low pressure trip, removing the trip, and replacing the trip with an alarm and operator action.
CC8. Design errors discovered during AFW system reanalysis at the Robinson plant (IN 89-30, 1989) and at Millstone-1 resulted in the supply header from the CST being too small to provide adequate NPSH to the pumps if more than one of the three pumps were operating at rated flow conditions. This could lead to multiple pump failure due to cavitation. Subsequent reviews at Robinson identified a loss of feedwater transient in which inadequate NPSH and flows less than design values had occurred, but which were not recognized at the time.
Event analysis and equipment trending, as well as surveillance testing which duplicates service conditions as much as is practical, can help identify such design errors.
CC9. Asiatic clams caused failure of two AFW flow control valves at Catawba-2 when low suction pressure caused by starting of a motor driven pump caused suction source realignment to the Nuclear Service Water system.
Pipes had not been routinely treated to inhibit clam growth, nor regularly monitored to detect their presence, and no strainers were installed.
The need for surveillance which exercises alternative system operational modes, as well as complete system functioning, is emphasized by this event. Spurious suction switchover has also occurred at Callaway and at McGuire, although no failures resulted.
CC10. Common cause failures have also been caused by component failures (AEOD/C404, 1984).
At Surry-2, both the turbine driven pump and one motor driven pump were declared inoperable due to steam binding caused by backleakage of hot water through multiple check valves. At Robinson-2 both motor driven pumps were found to be hot, and both motor and steam driven pumps were found to be inoperable at different times.
Backleakage at Robinson-2 passed through closed motor-operated isolation valves in addition to multiple check valves.
At Farley, both motor and turbine driven pump casings were found hot, although the pumps were not declared inoperable.
In addition to multi-train failures, numerous incidents of single train failures have occurred, resulting in the designation of "Steam Binding of Auxiliary Feedwater Pumps" as Generic Issue 93. This generic issue was resolved by Generic Letter 88-03 (Miraglia, 1988), which required licensees to monitor AFW piping temperatures each shift, and to maintain procedures for recognizing steam binding and for restoring system operability.
CC11. Common cause failures have also failed motor operated valves. During the total loss of feedwater event at Davis Besse, the normally open AFW isolation valves failed to open after they were inadvertently closed. The failure was due to improper setting of the torque switch bypass switch, which prevents motor trip on the high torque required to unseat a closed valve.
Previous problems with these valves had been addressed by increasing the torque switch trip setpoint, a fix which failed during the event due to the higher torque required due to high differential pressure across the valve.
Similar common mode failures of MOVs have also occurred in other systems, resulting in issuance of Generic Letter 89-10, "Safety Related Motor Operated Valve Testing and Surveillance" (Partlow, 1989). This generic letter requires licensees to develop and implement a program to provide for the testing, inspection and maintenance of all safety related MOVs to provide assurance that they will function when subjected to design basis conditions.
CC12. Other component failures have also resulted in AFW multi-train failures. These include out-of-adjustment electrical flow controllers resulting in improper discharge valve operation, and a failure of oil cooler cooling water supply valves to open due to silt accumulation.
5.2.2 Human Errors

HE1. The overwhelmingly dominant cause of problems identified during a series of operational readiness evaluations of AFW systems was human performance. The majority of these human performance problems resulted from incomplete and incorrect procedures, particularly with respect to valve lineup information.
A study of valve mispositioning events involving human error identified failures in administrative control of tagging and logging, procedural compliance and completion of steps, verification of support systems, and inadequate procedures as important. Another study found that valve mispositioning events occurred most often during maintenance, calibration, or modification activities.
Insufficient training in determining valve position, and in administrative requirements for controlling valve positioning were important causes, as was oral task assignment without task completion feedback.
HE2. Turbine driven pump failures have been caused by human errors in calibrating or adjusting governor speed control, poor governor maintenance, incorrect adjustment of governor valve and overspeed trip linkages, and errors associated with the trip and throttle valve. TTV associated errors include physically bumping it, failure to restore it to the correct position after testing, and failures to verify control room indication of TTV position following actuation.
HE3. Motor driven pumps have been failed by human errors in mispositioning handswitches, and by procedure deficiencies.
5.2.3 Design/Engineering Problems and Errors

DE1. As noted above, the majority of AFW subsystem failures, and the greatest relative system degradation, has been found to result from turbine driven pump failures. Overspeed trips of Terry TM(a) turbines controlled by Woodward TM(b) governors have been a significant source of these failures (AEOD/C602, 1986).
In many cases these overspeed trips have been caused by slow response of a Woodward Model EG governor on startup, at plants where full steam flow is allowed immediately. This oversensitivity has been removed by installing a startup steam bypass valve which opens first, allowing a controlled turbine acceleration and buildup of oil pressure to control the governor valve when full steam flow is admitted.
DE2. Overspeed trips of Terry turbines have been caused by condensate in the steam supply lines. Condensate slows down the turbine, causing the governor valve to open farther, and overspeed results before the governor valve can respond, after the water slug clears. This was determined to be the cause of the loss of all AFW event at Davis Besse (AEOD/C602, 1986), with condensation enhanced due to the long length of the cross connected steam lines.
Repeated tests following a cold-start trip may be successful due to system heat up.
DE3. Turbine trip and throttle valve (TTV) problems are a significant cause of turbine driven pump failures (IN 84-66).
In some cases lack of TTV position indication in the control room prevented recognition of a tripped TTV.
In other cases it was possible to reset either the overspeed trip or the TTV without resetting the other. This problem is compounded by the fact that the position of the overspeed trip linkage can be misleading, and the mechanism may lack labels indicating when it is in the tripped position (AEOD/C602, 1986).
DE4. Startup of turbines with Woodward Model PG-PL governors within 30 minutes of shutdown has resulted in overspeed trips when the speed setting knob was not exercised locally to drain oil from the speed setting cylinder.
Speed control is based on startup with an empty cylinder.
Problems have involved turbine rotation due to both procedure violations and leaking steam.
Terry has marketed two types of dump valves for automatically draining the oil after shutdown (AEOD/C602, 1986).
At Calvert Cliffs, a 1987 loss-of-offsite-power event required a quick, cold startup that resulted in turbine trip due to PG-PL governor stability problems. The short-term corrective action was installation of stiffer buffer springs (IN 88-09, 1988).
Surveillance had always been preceded by turbine warmup, which illustrates the importance of testing which duplicates service conditions as much as is practical.
(a) Terry is a registered trademark of the Terry Corporation, Windsor, CT.
(b) Woodward is a registered trademark of the Woodward Governor Company, Rockford, IL.
DE5. Reduced viscosity of gear box oil heated by prior operation caused failure of a motor driven pump to start due to insufficient lube oil pressure.
Lowering the pressure switch setpoint solved the problem, which had not been detected during testing.
DE6. Waterhammer at Palisades resulted in AFW line and hanger damage at both steam generators.
The AFW spargers are located at the normal steam generator level, and are frequently covered and uncovered during level fluctuations.
Waterhammers in top feed ring steam generators resulted in main feedline rupture at Maine Yankee and feedwater pipe cracking at Indian Point-2 (IN 84-32, 1984).
DE7. Manually reversing the direction of motion of an operating valve has resulted in MOV failures where such loading was not considered in the design (AEOD/C603, 1986).
Control circuit design may prevent this, requiring stroke completion before reversal.
DE8. At each of the units of the South Texas Project, space heaters provided by the vendor for use in preinstallation storage of MOVs were found to be wired in parallel to the Class 1E 125 V DC motors for several AFW valves (IR 50-489/89-11; 50-499/89-11, 1989).
The valves had been environmentally qualified, but not with the non-safety-related heaters energized.
5.2.4 Component Failures

Generic Issue II.E.6.1, "In Situ Testing of Valves," was divided into four sub-issues (Beckjord, 1989), three of which relate directly to prevention of AFW system component failure. At the request of the NRC, in situ testing of check valves was addressed by the nuclear industry, resulting in the EPRI report, "Application Guidelines for Check Valves in Nuclear Power Plants" (Brooks, 1988).
This extensive report provides information on check valve applications, limitations, and inspection techniques.
In situ testing of MOVs was addressed by Generic Letter 89-10, "Safety Related Motor Operated Valve Testing and Surveillance" (Partlow, 1989), which requires licensees to develop and implement a program for testing, inspection and maintenance of all safety-related MOVs.
"Thermal Overload Protection for Electric Motors on Safety-Related Motor-Operated Valves - Generic Issue II.E.6.1" (Rothberg, 1988) concludes that valve motors should be thermally protected, yet in a way which emphasizes system function over protection of the operator.
CF1. The common-cause steam binding effects of check valve leakage were identified in Section 5.2.1, entry CC10. Numerous single-train events provide additional insights into this problem.
In some cases leakage of hot MFW past multiple check valves in series has occurred because adequate valve seating pressure was limited to the valves closest to the steam generators (AEOD/C404, 1984).
At Robinson, the pump shutdown procedure was changed to delay closing the MOVs until after the check valves were seated.
At Farley, check valves were changed from swing type to lift type. Check valve rework has been done at a number of plants. Different valve designs and manufacturers are involved in this problem, and recurring leakage has been experienced, even after repair and replacement.
CF2. At Robinson, heating of motor operated valves by check valve leakage has caused thermal binding and failure of AFW discharge valves to open on demand.
At Davis Besse, high differential pressure across AFW injection valves resulting from check valve leakage has prevented MOV operation (AEOD/C603, 1986).
CF3. Gross check valve leakage at McGuire and Robinson caused overpressurization of the AFW suction piping.
At a foreign PWR it resulted in a severe waterhammer event. At Palo Verde-2 the MFW suction piping was overpressurized by check valve leakage from the AFW system (AEOD/C404, 1984).
Gross check valve leakage through idle pumps represents a potential diversion of AFW pump flow.
CF4. Roughly one third of AFW system failures have been due to valve operator failures, with about equal failures for MOVs and AOVs. Almost half of the MOV failures were due to motor or switch failures (Casada, 1989).
An extensive study of MOV events (AEOD/C603, 1986) indicates continuing inoperability problems caused by: torque switch/limit switch settings, adjustments, or failures; motor burnout; improper sizing or use of thermal overload devices; premature degradation related to inadequate use of protective devices; damage due to misuse (valve throttling, valve operator hammering); mechanical problems (loosened parts, improper assembly); or the torque switch bypass circuit improperly installed or adjusted. The study concluded that current methods and procedures at many plants are not adequate to assure that MOVs will operate when needed under credible accident conditions.
Specifically, a surveillance test which the valve passed might result in undetected valve inoperability due to component failure (motor burnout, operator parts failure, stem disc separation) or improper positioning of protective devices (thermal overload, torque switch, limit switch).
Generic Letter 89-10 (Partlow, 1989) has subsequently required licensees to implement a program ensuring that MOV switch settings are maintained so that the valves will operate under design basis conditions for the life of the plant.
CF5. Component problems have caused a significant number of turbine driven pump trips (AEOD/C602, 1986). One group of events involved worn tappet nut faces, loose cable connections, loosened set screws, improperly latched TTVs, and improper assembly. Another involved oil leaks due to component or seal failures, and oil contamination due to poor maintenance activities. Governor oil may not be shared with turbine lubrication oil, resulting in the need for separate oil changes.
Electrical component failures included transistor or resistor failures due to moisture intrusion, erroneous grounds and connections, diode failures, and a faulty circuit card.
CF6. Electrohydraulic-operated discharge valves have performed very poorly, and three of the five units using them have removed them due to recurrent failures.
Failures included oil leaks, contaminated oil, and hydraulic pump failures.
CF7. Control circuit failures were the dominant source of motor driven AFW pump failures (Casada, 1989). This includes the controls used for automatic and manual starting of the pumps, as opposed to the instrumentation inputs.
Most of the remaining problems were due to circuit breaker failures.
CF8. "Hydraulic lockup" of Limitorque TM(c) SMB spring packs has prevented proper spring compression to actuate the MOV torque switch, due to grease trapped in the spring pack. During a surveillance at Trojan, failure of the torque switch to trip the TTV motor resulted in tripping of the thermal overload device, leaving the turbine driven pump inoperable for 40 days until the next surveillance (AEOD/E702, 1987).
Problems result from grease changes to EXXON NEBULA TM(d) EP-0 grease, one of only two greases considered environmentally qualified by Limitorque. Due to lower viscosity, it slowly migrates from the gear case into the spring pack. Grease changeover at Vermont Yankee affected 40 of the older MOVs, of which 32 were safety related.
Grease relief kits are needed for MOV operators manufactured before 1975. At Limerick, additional grease relief was required for MOVs manufactured since 1975. MOV refurbishment programs may yield other changeovers to EP-0 grease.
CF9. For AFW systems using air operated valves, almost half of the system degradation has resulted from failures of the valve controller circuit and its instrument inputs (Casada, 1989). Failures occurred predominantly at a few units using automatic electronic controllers for the flow control valves, with the majority of failures due to electrical hardware. At Turkey Point-3, controller malfunction resulted from water in the Instrument Air system due to maintenance inoperability of the air dryers.
CF10. For systems using diesel driven pumps, most of the failures were due to start control and governor speed control circuitry. Half of these occurred on demand, as opposed to during testing (Casada, 1989).
CF11. For systems using AOVs, operability requires the availability of Instrument Air, backup air, or backup nitrogen.
However, NRC Maintenance Team inspections have identified inadequate testing of check valves isolating the safety related portion of the IA system at several utilities (letter, Roe to Richardson). Generic Letter 88-14 (Miraglia, 1988), requires licensees to verify by test that air-operated safety-related components will perform as expected in accordance with all design basis events, including a loss of normal IA.
(c) Limitorque is a registered trademark of the Limitorque Corporation, Lynchburg, VA.
(d) Nebula is a registered trademark of the Exxon Corporation, Houston, TX.
6.0 REFERENCES

Beckjord, E. S. June 30, 1989. Closeout of Generic Issue II.E.6.1, "In Situ Testing of Valves". Letter to V. Stello, Jr., U.S. Nuclear Regulatory Commission, Washington, DC.

Brooks, B. P. 1988. Application Guidelines for Check Valves in Nuclear Power Plants. NP-5479, Electric Power Research Institute, Palo Alto, CA.

Casada, D. A. 1989. Auxiliary Feedwater System Aging Study. Volume 1. Operating Experience and Current Monitoring Practices. NUREG/CR-5404. U.S. Nuclear Regulatory Commission, Washington, DC.

Gregg, R. E. and R. E. Wright. 1988. Appendix Review for Dominant Generic Contributors. BLB-31-88. Idaho National Engineering Laboratory, Idaho Falls, Idaho.

Miraglia, F. J. February 17, 1988. Resolution of Generic Safety Issue 93, "Steam Binding of Auxiliary Feedwater Pumps" (Generic Letter 88-03). U.S. Nuclear Regulatory Commission, Washington, DC.

Miraglia, F. J. August 8, 1988. Instrument Air Supply System Problems Affecting Safety-Related Equipment (Generic Letter 88-14). U.S. Nuclear Regulatory Commission, Washington, DC.

Partlow, J. G. June 28, 1989. Safety-Related Motor-Operated Valve Testing and Surveillance (Generic Letter 89-10). U.S. Nuclear Regulatory Commission, Washington, DC.

Rothberg, O. June 1988. Thermal Overload Protection for Electric Motors on Safety-Related Motor-Operated Valves - Generic Issue II.E.6.1. U.S. Nuclear Regulatory Commission, Washington, DC.

Travis, R. and J. Taylor. 1989. Development of Guidance for Generic, Functionally Oriented PRA-Based Team Inspections for BWR Plants - Identification of Risk-Important Systems, Components and Human Actions. TLR-A-3874-T6A, Brookhaven National Laboratory, Upton, New York.

AEOD Reports

AEOD/C404. W. D. Lanning. July 1984. Steam Binding of Auxiliary Feedwater Pumps. U.S. Nuclear Regulatory Commission, Washington, DC.

AEOD/C602. C. Hsu. August 1986. Operational Experience Involving Turbine Overspeed Trips. U.S. Nuclear Regulatory Commission, Washington, DC.

AEOD/C603. E. J. Brown. December 1986. A Review of Motor-Operated Valve Performance. U.S. Nuclear Regulatory Commission, Washington, DC.

AEOD/E702. E. J. Brown. March 19, 1987. MOV Failure Due to Hydraulic Lockup From Excessive Grease in Spring Pack. U.S. Nuclear Regulatory Commission, Washington, DC.

AEOD/T416. January 22, 1983. Loss of ESF Auxiliary Feedwater Pump Capability at Trojan on January 22, 1983. U.S. Nuclear Regulatory Commission, Washington, DC.

Information Notices

IN 82-01. January 22, 1982. Auxiliary Feedwater Pump Lockout Resulting from Westinghouse W-2 Switch Circuit Modification. U.S. Nuclear Regulatory Commission, Washington, DC.

E. L. Jordan. April 18, 1984. Auxiliary Feedwater Sparger and Pipe Hanger Damage. U.S. Nuclear Regulatory Commission, Washington, DC.

IN 84-66. August 17, 1984. Undetected Unavailability of the Turbine Driven Auxiliary Feedwater Train. U.S. Nuclear Regulatory Commission, Washington, DC.

C. E. Rossi. July 24, 1987. Single Failures in Auxiliary Feedwater Systems. U.S. Nuclear Regulatory Commission, Washington, DC.

C. E. Rossi. October 20, 1987. Auxiliary Feedwater Pump Trips Resulting from Low Suction Pressure. U.S. Nuclear Regulatory Commission, Washington, DC.

C. E. Rossi. March 18, 1988. Reduced Reliability of Steam-Driven Auxiliary Feedwater Pumps Caused by Instability of Woodward PG-PL Type Governors. U.S. Nuclear Regulatory Commission, Washington, DC.

R. A. Azua. August 16, 1989. Robinson Unit 2 Inadequate NPSH of Auxiliary Feedwater Pumps. Also, Event Notification 16375, August 22, 1989. U.S. Nuclear Regulatory Commission, Washington, DC.

Inspection Report

IR 50-489/89-11; 50-499/89-11. May 26, 1989. South Texas Project Inspection Report. U.S. Nuclear Regulatory Commission, Washington, DC.

1985. Loss of Main and Auxiliary Feedwater Event at the Davis Besse Plant on June 9, 1985. U.S. Nuclear Regulatory Commission, Washington, DC.