ML20202H223

Rev 1 to Engineering Evaluation Rept, Core Damage Precursor Event at Trojan
ML20202H223
Person / Time
Site: Trojan
Issue date: 05/31/1986
From: Zukor D
NRC OFFICE FOR ANALYSIS & EVALUATION OF OPERATIONAL DATA (AEOD)
To:
Shared Package
ML20202H217 List:
References
TASK-AE, TASK-E514 AEOD-E514, NUDOCS 8607160242


Text


AEOD/E514 Revision 1

ENGINEERING EVALUATION REPORT

CORE DAMAGE PRECURSOR EVENT AT TROJAN

by Office for Analysis and Evaluation of Operational Data

May 1986

Prepared by: Dr. Dorothy J. Zukor, Reactor Systems Section 2, Reactor Operations Analysis Branch, Office for Analysis and Evaluation of Operational Data

NOTE: This document supports ongoing AEOD and NRC activities and does not represent the positions or requirements of the responsible NRC program office.

8607160242 860527 PDR ADOCK 05000344 S PDR

AEOD ENGINEERING EVALUATION REPORT

UNIT: Trojan
EE REPORT NO: AEOD/E514 (Revision 1)
DOCKET NO: 50-344
DATE: May 1986
LICENSEE: Portland General Electrical Co.
EVALUATOR/CONTACT: D. Zukor
NSSS/AE: Westinghouse/Bechtel

SUBJECT: CORE DAMAGE PRECURSOR EVENT AT TROJAN

SUMMARY

During 1984 five events occurred at the Trojan nuclear power plant which could have had serious consequences for equipment or personnel had they occurred under different circumstances. The potentially most serious event occurred on September 20, 1984 involving operator errors which initiated the transient and failures of a diesel generator, the diesel-driven auxiliary feedwater pump, and the turbine-driven auxiliary feedwater pump. Thus, multiple, independent, undetected failures of safety-related components resulted in the partial loss of the emergency onsite power supply and the total loss of the safety-grade auxiliary feedwater system (AFWS). If a loss of offsite power had occurred, a core damage scenario could have resulted.

This report also evaluates other potentially significant operating events at Trojan during or immediately after the 1984 refueling outage. On May 4, 1984, the primary system level indication failed causing a temporary total loss of the Residual Heat Removal System (RHR). On September 26, 1984, the reactor tripped and a main steam safety valve stuck open after control room operators failed to notice that the rods were in manual during a turbine runback. On September 13, 1984 a compressive fitting failed during maintenance of the seal table because the fitting was used incorrectly and on September 17, 1984, another compression fitting failed on a pressurizer instrument line because the fitting was incorrectly assembled. Both events represented a breach of the reactor coolant pressure boundary and loss-of-coolant events.

Our findings indicate that the September 20th event was a severe accident precursor with a conditional core melt probability on the order of 1E-2 depending upon assumptions. This number should be considered as an upper bound as it assumes that none of the preexisting faults would be detected by monthly surveillance tests. Our data indicate that the nonsafety grade AFW pump has been called upon for 19% of the known trips occurring in 1983 and 1984.

This indicates an AFWS unreliability far above the desired AFW unreliability of 10E-4. We found that portions of the September 20 event had occurred before.

We found that the settings for some time delay relays were not verified as required by technical specifications despite plant conditions and activities that warranted comprehensive evaluation. Collectively, these five events and others that are mentioned in the body of the report indicate a lack of attention to detail, a lack of good maintenance practices, and a lack of appreciation of the significance of recent operating experience at other facilities. Since the time of these events, the licensee has taken action to correct these deficiencies. If the dependence on the nonsafety-grade AFW pump continues, AEOD suggests that the Region require the licensee to improve the reliability of their safety-grade AFWS. The Region V Administrator met with the licensee on October 12, 1984 to discuss the significance of the September 20th event.

The Region emphasized that senior management must take more of an interest in the operation of the plant. They are also closely following the licensee's corrective actions.

1.0 INTRODUCTION

During 1984, several events occurred at the Trojan nuclear plant which could have had serious safety implications. Fortunately, these events served to reveal a number of failures that were undetected during surveillance testing and had they occurred under different circumstances could have contributed to a serious event. Among the safety concerns exemplified by these events are the lack of operational readiness following prolonged shutdown, lack of knowledge and use of previous industry experience concerning maintenance activities, and undetected failures of safety-related equipment during surveillance tests.

Five specific events will be discussed in detail and others will be mentioned that further illustrate our concerns. The following events will be described:

o September 20, 1984 Reactor trip and safety injection.

o May 4, 1984 Loss of Residual Heat Removal.

o September 26, 1984 Reactor trip and stuck-open main steam safety valve.

o September 13, 1984 Seal table fitting failure.

o September 17, 1984 Pressurizer instrument line fitting failure.

2.0 DISCUSSION

2.1 Reactor Trip and Safety Injection

During startup following an extended 41 month refueling outage, the reactor was at 7% power and the operator was loading the turbine at 5%/minute (Refs. 1 and 2). To determine if the load was actually being picked up, the operator had two sources of information available to him -- the megawatt meter on the control console and the trace recorder on the back of the main electrical control board. He chose to use the trace recorder because it provides more accurate indication at lower power levels. The operator, while watching the trace recorder, thought that the turbine was not picking up load and directed the operator pulling the rods to continue to do so. Had he used the megawatt meter to verify turbine load, he would have known that the trace recorder was not operating properly. The control rod operator failed to block the low power trips when the P-10 permissive was reached. He was either unaware or had forgotten that the trip settings for the nuclear intermediate range and low power range trips had been reduced from about 25% to about 15% since physics testing for the new core had not yet been completed at full power. Although the trip setpoints had been lowered, the rod block setpoints were not, i.e., the rods could be withdrawn above 15% power. Normally, it takes about 1 minute to load the turbine to 50 MWe at 5%/minute. Procedures then call for the loading rate to be reduced to 0.5%/minute. At this time in the course of the event, the operator had been loading the turbine at a rate of 5%/minute for also 2 i minutes. The operator reduced the turbine loading rate to 0.5%/minute but not soon enough to maintain the reactor coolant system (RCS) above the low-low Tave setpoint and the intermediate range high flux trip setpoint. The decreased trip setpoints reduced the time available to the operator to unblock the trips once the permissive had been received and the reactor tripped on an intermediate range high flux condition. As the operators were progressing through the procedure following the reactor trip, the shift supervisor noticed that safety injection (SI) had occurred. A valid low-low reactor coolant average temperature (Tave) signal and a spurious high steam flow signal had caused the SI. Verification that the engineered safety features (ESF) equipment had actuated revealed that three components failed to operate properly -- the train "A" west emergency diesel generator (EDG), the diesel-driven auxiliary feedwater pump (DDAFWP), and the turbine-driven auxiliary feedwater pump (TDAFWP). Thus, one train of the emergency onsite power supply and the entire safety-grade AFWS were inoperable as defined by the plant technical specification. Each of these component failures will be discussed separately.

2.1.1 Emergency Diesel Generator

Each emergency diesel generator (EDG) set consists of two diesel engines in tandem to a generator. When the SI start signal was received, both diesels started, but one tripped. The number two engine in the "A" emergency diesel generator set tripped on high crankcase pressure causing the engine and thus the generator to lock out. Having this trip active on an emergency start violated the plant's technical specifications since this trip should have been bypassed on loss of voltage on an emergency bus or on an SI actuation signal.

At Trojan, the high crankcase pressure trip is bypassed after 15 seconds on an automatic start signal. This situation has existed at Trojan since the plant was completed in 1976.

Further investigation did not reveal the root cause of the high crankcase pressure trip. Instrumented tests performed subsequently indicated that no actual overpressure condition existed; however, out of six test starts, one trip occurred on crankcase overpressure. No reason could be found for the trip. In an IE inspection report, inspectors noted that the vendor prints associated with the EDG were confusing and incomplete (Ref. 3). It is possible that the incorrect auto-start logic remained unnoticed because the prints were poor.

A concern in this case is that for ten years, surveillance tests failed to identify the incorrect automatic start logic.

The corrective action to prevent this failure in the future involved bypassing the high crankcase pressure trip on an automatic start signal. In addition, plant drawings are being reviewed with emphasis on the main control boards and the remote shutdown panel. There are plans to update drawings associated with the control panel for the emergency diesel generator (Ref. 4).

2.1.2 Diesel-Driven Auxiliary Feedwater Pump

In response to the SI signal, the DDAFWP attempted to start and tripped on low lube oil pressure. The turbine-driven auxiliary feedwater pump started satisfactorily (see next section). The start sequence of the pump allows 1 minute for the pumps to get to 600 rpm or 25 psig of lube oil pressure and permits three attempts to meet these criteria before it trips. In addition, after the engine reaches 600 rpm, there is a 25 second delay before the low lube oil pressure trip is introduced into the circuit. This 25 second delay relay was found set to 0.8 seconds. Thus, inadequate time was allowed for the engine to build up sufficient lube oil pressure before automatic trip. The time-delay relay with the incorrect setting is located on the C160 remote shutdown panel. The relays on this panel neither have lockable settings, nor were the correct settings indicated directly on the relays. Extensive modifications were done on this panel during the previous refueling outage in conjunction with upgrading the diesel starting battery. Four improperly set relays were found on this panel. All were unlockable and all were located on the control panel door. At the time of the event, these time-delay relays were not addressed by the maintenance or surveillance procedures, since only those time-delay relays specifically addressed by technical specifications are periodically verified.

Testing did not reveal the problem because the engine could start with the relays improperly set depending upon engine and oil temperature. The concern here is twofold: first, the failure was not detectable during surveillance testing; and second, despite extensive maintenance in the cabinets, the licensee failed to verify equipment settings before returning the system to service.

The corrective action consisted of checking all the time-delay relays associated with the auxiliary feedwater system in addition to random sampling of other safety-related relays. Except for the relays on the C160 panel, no other incorrect relay settings were found.

A maintenance procedure has been implemented to periodically verify the settings of all safety-related time-delay relays. In addition, some relays have been sealed to their setpoints to prevent inadvertent movement.

2.1.3 Turbine-Driven Auxiliary Feedwater Pump

Upon receipt of the SI signal, the TDAFWP started, ran for 5 minutes and then tripped on low suction pressure. Thus, both safety-related auxiliary feedwater pumps were inoperable as defined by the plant technical specifications. After verifying adequate condensate storage tank level and TDAFWP suction pressure, the operator overrode the trip. The pump restarted but turbine steam chest pressure fluctuations and flow oscillations caused the operator to manually trip the TDAFWP even though the pump was still believed to be capable of pumping water. With both safety-grade AFWPs technically inoperable, the operator started the nonsafety-related motor-driven AFWP (MDAFWP) to provide adequate feedwater. Investigation of the pump trip showed that the pressure transmitter in the suction line of the TDAFWP had failed due to an electrical component failure causing pump trip on low suction pressure. This particular transmitter had been calibrated on February 15, 1984. It had failed to operate properly three times since it was installed in 1980--twice from mechanical problems and once from erratic readings. The cause of these failures is believed to be the mechanical stress that occurs in the suction line as a result of the suction pressure oscillations.

The cause of the turbine steam chest pressure and flow oscillations during pump operation is thought to be insufficient dampening of the fluid pressure in the pump discharge pressure transmitter sensing line which is used for pump speed control. The control system for the TDAFWP maintains the pump speed necessary to develop a pump discharge pressure which is 100 psig greater than the steam generator pressure. Inadequate dampening of fluctuations in the discharge pressure transmitter sensing line affects both steam flow and fluid flow through the pump. The low suction pressure trip was installed in 1980 following the post-TMI upgrading of the AFWS. The MDAFWP was also added at that time.

The concern here is that previous failures of this transmitter under similar conditions indicated its unsuitability for this application. It is important that the TDAFWP be reliable, because it is the only feedwater pump available following a loss of all ac power. The DDAFWP is dependent on ac power for cooling. After the event, the failed transmitter was replaced. The pulsation damper in the pump discharge transmitter was changed to smooth out pump speed control. Procedures were revised to ensure adequate pump suction prior to overriding the low suction trip. The calibration frequency of the suction pressure transmitter was increased to each refueling outage. It should be noted that the oscillations, which occurred when the TDAFWP was called upon during the SI, did not occur during the surveillance testing of this pump apparently due to differing operating conditions during test and operation.

During the subsequent plant heat-up, the pump was run under varying flow conditions and steam pressures to assure that the oscillations had ceased.

During the spring 1985 refueling outage an evaluation of the suction pressure transmitter was performed. No reason for the transmitter failures was found, but because of past experience, the evaluation recommended replacing it with a newer model.

NUREG-0611 published in 1980 mentions that Trojan had a history of problems with both the diesel-driven and the turbine-driven AFWPs (Ref. 5). This evaluation of the Trojan AFW system considered the adequacy of the water supply for the pumps, dependence on non-safety power supplies, restrictions to flow, and the seismic qualifications of the AFWS. The problems with the AFWS which occurred on September 20, 1984 were not specifically addressed.

It appears that many of the problems which occurred during this event were due to incomplete actions prior to return to service of both the components of the AFWS and of the control system itself.

An AEOD engineering evaluation (Ref. 6) evaluated five events at various plants where the TDAFWP was unavailable because the steam supply was isolated and this information was not available to the operators in the control room.

In some cases the inoperable condition of the pump was found during an inspection, in other cases the condition was found during an SI when the pump failed to run.

Trojan has had problems similar to those discussed in Reference 6. On January 22, 1983, the operator was unable to restart the TDAFWP when it tripped on overspeed because the pump had been manually tripped incorrectly earlier (Ref. 7). The trip and throttle valve on the TDAFWP was found inoperable due to tripped overload protection contacts. This was discovered during an operability test. The valve had apparently been inoperable from November 23, 1983 until the operability test on January 3, 1984. The plant was operating at 100% power at the time of the discovery (Ref. 8). On August 20, 1983, the TDAFWP started following a reactor trip and tripped on overspeed. The T0AFWP and the MDAFWP were used to supply feedwater to the steam generators (Ref. 9).

Since 1983, the Trojan plant has relied on the nonsafety MDAFWP three times to provide feedwater to the steam generators following a trip (LERs 83-002, 83-012 and 84-016). During 1983 and 1984 the nonsafety MDAFWP has been called upon for 19% of the known trips. At Trojan, the MDAFWP is frequently used following a trip. However, for the cases mentioned above the MDAFWP was called upon because of problems with one or both of the other AFW pumps.

2.1.4 Main Steam Isolation Valves

In addition to the above failures which occurred in the AFW system during the September 20, 1984 event, the main steam isolation valves did not close on receipt of a coincident low-low Tave and high steam line flow signal. This cannot be considered a failure of the system to function as designed since the steam line isolation signal was present for less than 1/60th of a second and with a signal of such short duration the solenoid valves associated with the MSIVs could not actuate. The steam line isolation signal does not seal in electrically but does so mechanically by unlatching the solenoid valve that bleeds pressure off of the spring-locked closing mechanism on the MSIVs. An operator error occurred when the operators did not notice that the MSIVs had failed to close.

2.1.5 Risk Assessment of the Event on September 20, 1984

As discussed above, during startup of the reactor, a trip occurred and one DG, the TDAFWP, and the DDAFWP did not operate as expected. The non-safety grade MDAFWP was relied upon to provide AFW to the SG. Had a loss of offsite power occurred, no AFW would have been readily available.

The NRC currently considers a 10E-4 to 10E-5 unreliability per demand for AFW systems acceptable according to the SRP Section 10.4.9. Trojan has had to call upon the nonsafety grade AFW pump three times in two years suggesting that Trojan's AFW system is not as reliable as desired. The Office of Nuclear Regulatory Research (RES) and the Office of Nuclear Reactor Regulation (NRR) evaluated the risk associated with this event (Ref. 10). The Oak Ridge National Laboratory (ORNL) performed the evaluation for RES. The ORNL estimated two probabilities for severe core damage depending upon the initiating event and the recovery class assumed for the failed equipment using the existing accident sequence precursor methodology (ASP) and data described in their 1980-81 Accident Precursor report (Ref. 11). The first estimate assumes a recovery class of R1* for the MSIVs and the unavailable diesel generator and a recovery class of R2 for the failed AFWPs. This results in a conditional probability for severe core damage of 1.7E-3. The second estimate assumes a recovery class of R3 for the failed AFWPs and the MSIVs and a recovery class of R1 for the unavailable diesel generator. This results in a conditional probability for severe core damage of 6.3E-4. For both estimates the dominant contribution occurs from loss of feedwater (LOFW) or loss of offsite power (LOOP) sequences.

The Reliability and Risk Assessment Branch (RRAB/NRR) evaluated the risk associated with this event as 1.3E-4 or less. In their analysis of the LOFW sequence, they postulated the probability of the loss of the DDAFWP to be 0.5, the probability of the loss of the TDAFWP to be 0.5 and the loss of the non-safety grade AFWP to be 0.01 to 0.1. These assumptions resulted in a conditional probability of 1.3E-7 to 1.3E-4.

The analyses from RRAB and ORNL differ by about an order of magnitude. Some of this difference is due to differences in the assumed failure rates and in the probability of equipment recovery. RRAB assumed failure rates and recovery probabilities based on engineering judgement while ORNL used the methodology and recovery classes defined in the Accident Precursor Study (Ref. 11). Both analyses included the MDAFWP as a source for AFW.

The two evaluations were done using different techniques. RRAB analyzed additional failures or events which resulted in their desired scenario. The ORNL evaluation assumes that the problems with the AFW system would have been detected during the next monthly surveillance test had the start-up on September 20 proceeded normally. As discussed above, there is no assurance that routine surveillance tests would have found the problems in the system.

If credit is not taken for discovery of the faults in the system during the next monthly surveillance tests, the ORNL calculation can be adjusted to account for this. In this case, the first estimate gives an adjusted conditional probability for severe core damage of 4.2E-2 and the second estimate gives an adjusted conditional probability for severe core damage of 1.5E-2. These estimates may be overly conservative since they assume that none of the faults would be found during surveillance testing, but they definitely indicate that this event represents a significant accident precursor.

* Recovery Class R1 means that the failure did not appear recoverable in the required period following the assumed initiating event, either from the control room or at the failed equipment -- the probability of failing to recover = 0.58. Recovery Class R2 means the probability of failure to recover = 0.34. Recovery Class R3 means the probability of failure to recover = 0.12.

3.0 OTHER OPERATIONAL EVENTS

The following four events will be described and discussed to illustrate some of the problems which showed up in the September 20th event. In general, they indicate inadequate solutions to repetitive events, lack of verification of readings before taking action, inadequate communication between management and maintenance personnel, and lack of knowledge of industry experience.

3.1 Total Loss of Residual Heat Removal System

On May 4, 1984 while draining down the reactor coolant system (RCS) in preparation for refueling, the residual heat removal system (RHR) was lost for 40 minutes (Ref. 12).

RCS level indication consisted of a temporary level transmitter and a tygon hose with a television camera broadcasting to the control room. Both indications were from the drain line in the suction of the "B" reactor coolant pump.

Unknown to the operator, a blockage in the tap line upstream of both the temporary level transmitter and the tygon hose caused erroneous level indication. To perform the ESF response time actuation testing, both RHR pumps were stopped (permitted by technical specifications). The first pump was restarted, but it had to be immediately stopped due to cavitation. It took 10 minutes to determine the problem and another 30 minutes to restore RCS levels before the RHR pumps could be restarted. The RCS temperature increased from 105°F to about 200°F, which is approaching saturation conditions.

Although operations personnel were carefully monitoring the situation, a potential existed for eventual core uncovery and damage. This event therefore represents another core damage precursor. The plant had experienced similar losses of this system, but no actions were taken until recently to preclude recurrence.

To prevent similar future occurrences, the following actions were taken:

1) the procedure was revised to require that the loop drain to the level standpipe be flushed before use; 2) a second standpipe was installed from a loop flow transmitter sensing line; 3) the procedures were revised to provide better information to the operators during coolant system draining; and, 4) a graph was developed correlating RCS level to the amount of drained water.

This event is included in AEOD case study report C503, which addresses industry-wide decay heat removal problems.

3.2 Reactor Trip and Stuck Main Steam Safety Valve

On September 26, 1984 at 10:08 pm, a false main feedwater pump low suction pressure signal was received due to a failed pressure transmitter (Ref. 13).

At this time, the operator started reducing turbine load slowly to avoid arming the steam dumps. The control rods were in manual because the operators were performing physics testing following the recent refueling outage. Since the rods were in manual and thereby did not reduce reactor power, the first set of main steam safety valves automatically lifted at 1170 psig. At 10:25 pm, control room personnel realized that the control rods were in manual and started to manually insert them to reduce RCS temperature. At 10:30 pm, the incoming shift informed the control room personnel that the safety valves were open.

There is no direct indication in the control room to show that a safety valve has lifted, and because of the location of the control room, operators cannot hear a lifted safety valve from the control room.

The turbine load and reactor were reduced in order to reseat the safety valves. The "D" steam line safety valve failed to reseat properly, forcing the licensee to enter a Technical Specification action statement. Following a reactor trip at 1.2% power due to low-low level on steam generator "D", the "D" safety valve reseated at approximately 890 psig. An examination of the safety valve internals indicated that the failure to reseat was most probably due to the presence of debris in the valve.

The main feedwater pump low suction pressure alarm was not verified by an operator before the control room operator started to reduce turbine load. The control room operators failed to notice the mismatch between reactor and turbine power and that the rods were in manual control. One power-operated relief valve (PORV) lifted during the event. The other three PORVs, which should have also opened during this event, failed to open because their setpoints were set above 1170 psig. The required setpoint for these valves is 1125 psig.

No reason could be found for this discrepancy. The PORVs are not safety-related but could have improved the mitigation of the event had they operated properly.

Our concern is that the operators were so intent on preventing a reactor trip, partially due to the other trips they had experienced previously during start up, that they failed to pay attention to other indications in the control room. In addition, similar to the September 20, 1984 event, they chose to believe only one indicator rather than verifying it against other instrumentation. The erroneous setpoints on the power-operated relief valves indicate inadequate preparation for restart.

Numerous corrective actions were implemented following the September 26th event. The safety valves that lifted were examined and administrative procedures were proposed to ensure better coordination among the operating crews and to utilize information from all sources on plant status during unusual conditions (Ref. 2).

3.3 Events Associated With Compression Fittings

The following two events are being highlighted because they represent a lack of communication between management and maintenance personnel and a lack of knowledge of industry experience.

On September 13, 1984, a "hot soak" was being performed to verify RCS integrity during hot standby (Ref. 14). Three small leaks were identified from three compression fittings in containment at the incore instrumentation seal table. Two of the leaks were stopped by tightening the fittings. The third fitting continued to leak and eventually resulted in an unisolable leak from the primary system and the contamination of two maintenance workers. After the plant was taken to cold shutdown, the leak was stopped. By then about 15,000 gallons of reactor coolant had leaked into the containment sump. The failed fitting could not be properly repaired with a similar fitting so the line was welded.

The root cause of the event was an improperly installed compression fitting.

The leaking conduit was found to be tapered at the end where the fitting was installed. This was not noticed during the presoak inspection. Compression fittings are not designed to function in tapered tubes and their performance under such conditions is questionable.

Discussion with plant maintenance engineers indicated that such fittings are, in general, extremely reliable. Problems tend to occur due to improper maintenance or installation rather than defects with the fittings themselves.

At Trojan, the problem which caused the event was a result of the personnel being unable to verify that the fitting was installed properly. The fitting which failed was installed during construction of the unit. A device to verify correct initial installation exists, although it would not have helped in this case since this was not the initial installation. The device is a gauge which allows the maintenance personnel to verify that the compression fitting has been tightened according to the manufacturer's instructions. Its use was not widespread among the personnel at the plant, because it was not considered necessary.

Prior to performing maintenance on this system, an operational assessment review (OAR) had been performed at the plant. In such a review, all pertinent information on a specific topic, in this case seal table repairs during operating temperatures and pressures, is collected and made available in a summary to the Shift Technical Advisors (STAs) and the engineers. As a result of the Sequoyah thimble tube ejection accident which occurred on April 19, 1984, Trojan had already changed some of the maintenance procedures for seal table repairs (Ref. 15). The revised procedures stated that maintenance on the seal table would be performed during hot standby, not during power operation. Although the licensee, the STA and the maintenance supervisor were aware of IE Information Notice 84-55, and the Zion LER on the event of January 20, 1984 discussing seal table work, the maintenance personnel actually performing the task were not made aware of the experiences at other plants or of the hazards involved in performing this work (Ref. 16 and 17).

The lack of communication between the management and the workers on the subject of previous operating experience and the known hazards of working on hot pressurized systems contributed to the event.

In addition to increasing the availability of the measuring gauges, additional training in the installation and maintenance of compression fittings was planned for mechanics, mechanics' helpers, instrumentation and control technicians, electricians and engineers. The use of compression fittings on thick-walled conduits that require frequent disassembly was reevaluated.

Changes in the design of the seal table have been made so that the high pressure seal does not have to be broken each refueling outage.

A few days later, another event occurred involving compression fittings and exhibited similar deficiencies in management communication and knowledge of the hazards of working on pressurized systems.

On September 17, 1984 during an RCS integrity test, with the reactor at full pressure and temperature, another event occurred involving an RCS leak due to a compression fitting when a craftsman attempted to tighten a dripping fitting (Ref. 18). The fitting separated when he touched it and he quickly left the containment. Maintenance had been done on this line previous to this failure. Most of the connections in this system are welded. There are four pressurizer level sensors. When the leak developed in one line, it affected both the reference level and the reading level. When the licensee attempted to isolate the leak, the wrong isolation valve was initially closed reducing the total number of sensors from four to one. The fitting leaked because it had been assembled with three ferrules instead of two as required.

No LER was submitted on this event because the leak was small (i.e., within technical specification limits) and there were no adverse consequences. Such an event is not reportable.

Compression fittings have been used reliably on high pressure systems for a number of years. They are used on hydraulic systems because of their easy installation and low failure rate. The problems which have recently been noticed concerning these fittings appear to be due to incorrect installation techniques. Problems sometimes occur if more than one type of fitting is used at a plant and parts from one manufacturer are interchanged with parts from another. This has not been a problem at Trojan, but has happened at another plant.

It appears that correct installation and maintenance practices and replacing these fittings with welds where possible would eliminate many of the problems. In addition, better coordination, training and minimizing maintenance on fully pressurized systems would reduce the hazards to personnel. Actions were taken to correct each of these problems.

4.0 MANAGEMENT ASSESSMENT

As a result of the events at Trojan, an independent assessment was performed by the Manager of the Nuclear Safety Branch and two members of the Trojan Nuclear Operations Board (TNOB) staff to determine the underlying causes of the events (Ref. 19). They conclude that the contributing factors generally fell into two categories: plant material condition and conduct of plant operations. The plant material aspect refers to the fact that some of the problems which occurred at the plant in mid to late 1984 had occurred before.

Part of the problem was that the evaluation of maintenance performed is an additional duty of the plant supervisor whose main job is to keep the plant operational. Plant operations was criticized for lack of coordination among control room personnel and the tendency of the STA to focus on one problem rather than providing an overview perspective.

Trojan has had difficulty keeping the same people in the same control room crews. The licensee's commitment to improve requalification exam scores removed experienced personnel from the control room for significant time periods. In addition, crew assignments to special projects, training and vacations have caused restructuring of normally stable crews. The assessment stated that Trojan had recently lost four original STAs and they were trying to qualify new individuals for these positions as rapidly as possible.

On October 12, 1984, a meeting was held at the corporate office of Portland General Electric Company between the licensee and the Region V Administrator to discuss the implications of the Trojan events (Ref. 20). Among the subjects discussed were the analysis of serious events, repetitive events, use of operating experience, equipment restoration practices following maintenance, and management and worker attitudes. The Region emphasized that senior management must take more interest in the operations of the plant to ensure that corporate policy regarding plant maintenance and operations are well understood by all of their staff.

The Systematic Assessment of Licensee Performance (SALP) for Trojan which was performed for the period September 1, 1983 through October 31, 1984 addressed many of the same concerns mentioned above (Ref. 21). The report stated that the licensee's difficulty in requalifying reactor operators may be partially attributed to the lack of a site specific simulator and insufficient operating crews to allow year-round classroom training. Also noted was the licensee's reluctance to check and readjust all equipment which may be affected by modifications except for those required by regulations. Three violations were identified concerning maintenance, one of them being the licensee's failure to periodically ensure the proper setting of time-delay relays. The report mentioned that many problems which arose during the assessment period had occurred before and that inadequate investigation of these problems had failed to resolve them. Overall, the report stressed the need for more management involvement in plant operation. The report was critical of the Trojan Nuclear Operations Board since uncertainties in the Board's responsibility and methods of operation had failed to provide a truly independent and critical assessment of nuclear safety concerns. This situation has existed since 1981. The June 1985 inspection report for Trojan indicated that changes in the TNOB's membership, procedures, and a clear definition of responsibility for quality assurance have addressed this concern (Ref. 22).


Following the Spring 1985 refueling, a "Ready for Startup" program was implemented which helped to assure a smooth return to power. This program included better coordination of operating crews, close involvement of plant management, and better tracking of system readiness for operation.

5.0 FINDINGS AND CONCLUSIONS

Our findings indicate that the reactor trip and safety injection event of September 20, 1984 can be considered a severe accident precursor with a conditional core damage probability on the order of 1E-2. The following general observations were also made:

1. The root causes of events were not corrected or adequately addressed which led to repetitive events involving multiple failures that accumulated over time.

2. Despite extensive maintenance on the C160 panel, the time-delay relays in the panel were not checked following the maintenance. At the time of the September 20, 1984 event these relays were not covered by any of the plant's maintenance or surveillance procedures.
3. Sometimes the most recent problem receives the most attention to the exclusion of other problems which may also exist.
4. Redundant or corroborating indicators of plant status are not adequately used.
5. The tests for the safety-related AFWP did not verify that the pumps would be operable during expected operating conditions.
6. Prior to the events of 1984, there were no procedures to periodically check some safety-related equipment such as time-delay relays, although it is required by their technical specifications and constitutes a good maintenance practice.
7. There appears to be an over-reliance on the nonsafety-grade MDAFW to perform the safety function of providing feedwater.
8. The information available concerning equipment problems and operating experiences at other plants is apparently not passed on to the workers actually doing the maintenance.

In conclusion, our findings are corroborated by other investigations done subsequent to these events. Although there were some mitigating circumstances surrounding the events, the lack of attention to detail, the lack of good maintenance practices, and the lack of appreciation of the significance of operating experience at other plants, in general, cannot be ignored. In addition, the event can be classified as a serious accident precursor with a conditional core melt probability on the order of 1E-2 depending upon the assumptions made. In view of the seriousness of the deficiencies found the licensee developed plans to improve in the areas discussed above, and it appears that these changes have been effectively implemented.

6.0 SUGGESTION

There is a past history of problems with the AFWS at Trojan. Problems with the system still exist. We found that the reliability of the safety grade AFW pumps was poor and resulted in the need to rely on the non-safety grade motor driven pump more than is desirable. If the safety grade AFW pumps continue to demonstrate a poor reliability record, as in the past, the Region should take steps to require further improvement.

REFERENCES

1. LER 50-344/84-016, "Reactor Trip and Safety Injection."
2. IE Inspection Report, 50-344/84-29.
3. IE Inspection Report, 50-344/84-18.
4. IE Inspection Report, 50-344/85-04.
5. Nuclear Regulatory Commission, "Generic Evaluation of Feedwater Transients and Small Break Loss-of-Coolant Accident in Westinghouse Designed Operating Plants," NUREG-0611, January 1980. (Available for purchase from National Technical Information Service, Springfield, VA 22161.)
6. AEOD Engineering Evaluation Report N402, "Events Involving Undetected Unavailability of the Turbine-Driven AFW Train."
7. LER 50-344/83-002.
8. LER 50-344/83-022.
9. LER 50-344/83-012.
10. Memorandum from Gary R. Burdick, Reactor Risk Branch to Ashok Thadani, Reliability and Risk Assessment Branch, "Results of an Evaluation of the Significance of the Multiple Failures Occurring at the Trojan Nuclear Power Plant While Undergoing Startup September 20, 1984," dated March 5, 1985.
11. W. B. Cottrell and others, "Precursors to Potentially Severe Core Damage Accidents: 1980-1981," USNRC Report NUREG/CR-3591, February 1984. (Available for purchase from National Technical Information Service, Springfield, VA 22161.)
12. LER 50-344/84-010, "Temporary Loss of RHR Cooling In Mode 5."
13. LER 50-344/84-017, "Reactor Trip and Stuck Main Steam Safety Valve."
14. LER 50-344/84-014, "Identified Leakage in Excess of 10 gpm from Incore Flux Detector Seal Table."
15. LER 50-327/84-030, "Thimble Tube Ejection."
16. IE Information Notice 84-55, "Seal Table Leaks at PWRs."
17. LER 50-295/84-005, "Incore Instrumentation, Seal Table High Pressure Seal Failure."
18. PNO-V-84-62, "Leakage from Pressurizer Level Detection System Tubing."
19. Letter from Bart D. Withers, Portland General Electric Company to John B. Martin, NRC Region V, "Trojan Nuclear Plant: Operational Readiness," dated October 1, 1984.
20. Letter from T. W. Bishop, NRC Division of Reactor Safety and Projects Region V to Bart D. Withers, Portland General Electric Company, "Report of Meeting with PGE Management," Report 50-344/84-32 dated October 12, 1984.
21. NRC Region V Report 50-344/84-35, "Systematic Assessment of Licensee Performance, Portland General Electric Company Trojan Nuclear Plant," dated December 11, 1984.
22. IE Inspection Report, 50-344/85-18.


Revisions to Engineering Evaluation 514

The major changes made to the original engineering evaluation report are as follows:

1. In section 2.1.5, the conditional probability for severe core damage was calculated assuming that the problems with the AFW system would not be detected during the monthly surveillance test.
2. In section 3.2, the report clarifies that the PORVs did not open because their setpoints were set above that of the safety valves.
3. In section 3.3, the manufacturer's name "Swagelok" was removed and replaced with the generic term "compression."
4. The wording was revised throughout the report to provide Region V with full and appropriate credit for recognizing the significance of the events when they occurred.

The revisions to the subject engineering evaluation report were developed with the assistance and cooperation of the NRC resident inspector for the Trojan plant. However, this does not necessarily imply his agreement with the conclusions reached in the report.
