ML20234D517
| ML20234D517 | |
| Person / Time | |
|---|---|
| Issue date: | 12/31/1987 |
| From: | Ornstein H NRC OFFICE FOR ANALYSIS & EVALUATION OF OPERATIONAL DATA (AEOD) |
| To: | |
| References | |
| NUREG-1275, NUREG-1275-V02, NUREG-1275-V2, NUDOCS 8801070069 | |
| Download: ML20234D517 (128) | |
Text
NUREG-1275 Vol. 2 Operating Experience Feedback Report - Air Systems Problems Commercial Power Reactors U.S. Nuclear Regulatory
, Commission Office for Analysis and Evaluation of Operational Data H. L. Ornstein I p'* co9 l
fh'h"!
- u Og10g g 8717e 1275 R PDR L_________.________ _ _ _ _ _ _ __ _ _ . _ _ _ _ _ _ _ _ _
NOTICE Availability of Reference Materials Cited in NRC Publications Most documents cited in NRC publications will be available from one of the following sources:
- 1. The NRC Public Document Room,1717 H Street, N.W.;
Washington, DC 20555
- 2. The Superintendent of Documents, U.S. Government Printing Office, Post Office Box 37082, Washington, DC 20013 7082
- 3. The National Technical Information Service, Springfield, VA 22161 Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.
Referenced docurrents available for inspection and copying for a fee from the NRC Public Docu-ment Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.
The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC-sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission Issuances.
Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.
Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.
Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.
Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Division of Information Support Services, Distribution Section, U.S. Nuclear Regulatory Commission, Washington, DC 20555.
Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library,7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute,1430 Broadway, New York, NY 10018.
I NUREG-1276 Vol. 2 Operating Experience Feedback Report - Air Systems Problems 1 Commercial Power Reactors ,
I I
Manuscript Completed: November 1987 Date Published: December 1987 H. L. Ornstein Office for Analysis and Evaluation of Operational Data ;
U.S. Nuclear Regulatory Commission j Washington, DC 20555 p u%,
's.
Previous Reports in the Series
" Operating Experience Feedback Report - New Plants,"
R.L. Dennig, P.D. O'Reilly, NUREG-1275, Vol. 1, July 1987 i
l I
i' ABSTRACT This report highlights significant operating events involving observed or potential failures of safety-related systems in U.S. plants that resulted from degraded or malfunctioning non-safety grade air systems. Based upon the
~
evaluation of these events, the Office for Analysis and Evaluation of Operational Data (AE0D) concludes that the issue of air systems problems is an important one which requires additional NRC and industry attention. This report also provides AE0D's recommendations for corrective **tions to deal with the issue.
i iii
1 TABLE OF CONTENTS PART ONE (1)
Page EXECUTIVE
SUMMARY
............................................... I 1.0 INTP0 DUCTION ............................................... 3 l
- 2.0 AIR SYSTEM DESCRIPTIONS .................................... 5 2.1 Function and Purpose .................................. 5 2.2 System Design and Operation ........................... 5 2.3 Safety-Related Functions .............................. 8 3.0 AIR SYSTEM REQUIREMENTS .................................... 10 3.1 Air Quality Pecuirements for Pneumatic Equipment ...... 10 3.2 Industry Standards .................................... 10' 3.3 NPC Requirements ...................................... 11 4.0 AIR SYSTEMS FAILUPE MODES AND EFFECTS ...................... 12 4.1 Contamination ......................................... 12 4.1.1 Water .......................................... 12 4.1.2 Particulate ................................... 12 4.1.3 Hydrocarbons ................................... 12 4.2 Air System Component Failures ......................... 13 4.2.1 Compressors .................................... 13 4.2.2 Distribution Systems ........................... 13 4.2.3 Dryers and Filters ............................. 13 4.2.4 Accumulator Check Valves ....................... 13 4.2.5 Design, Installation, and Maintenance Errors.... 13 5.0 OPERATIONAL EXPERIFFCE ..................................... 15 i
5.1 Safety Systems Failures ............................... 15 l 1
5.1.1 Shutdown Cooling System - Palisades ............ 15 5.1.2 Auxili ary Feedwa ter Systems . . . . . . . . . . . . . . . . . . . . 15 i 5.1.2.1 Turkey Point 3 and 4 .................. 15 5.1.2.2 Indian Point 2 ........................ 21 5.1.3 BWR Scram Systems .............................. 22 5.1.3.1 Susquehanna ........................... 22 5.1.3.2 Dresden 3 ............................. 25 t
Y i
- - - - - - 1
TABLE OF CONTENTS (Continued)
Page 5.1.4 Power-Operated Relief Valves and Low Temperature Overpressurization Protection Systems ................... 26 5.1. 4 .1 - -Ginna Tube Rupture Event ........................ 26 5.1.4.2 Westinghouse PWR Low Temperature Overpres su ri za ti ons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 5.1.5 Service Water and Component Cooling Water Systems . .. . . .... 29 5,1.5.1 Service Water System - Calvert Cliffs 1 and 2 ... 29 5.1.5.2 Component Cooling Water System - Calvert Cliffs 1 and 2 .................................. 30 5.1.5.3- Salt Water Cooling System - San Onofre 1 ........ 31 5.1.6 Main Steam Isolation and Feedwater Isolation Valves ....... 31 5.1.6.1 Byron, Callaway, Summer and Vogtle . . . . . . . . . . . . . . 31 5.1.6.2 Turkey Point 3 and a and H. B. Robinson 2 ....... 33 5.1.6.3 Brunswick ....................................... 34 5.1.7 Emergency Diesel Generators ............................... 35 5.1.7.1 Ai r Starti ng Sys tem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 5.1.7.2 Pneumatic Controls - Cooper-Bessemer, Nordberg .. 36
.5.1.7.3 Emergency Diesel Generator Cooling -
Maine Yankee, Haddam Neck ....................... 37 5.1.8 Safety Injection Systems .................................. 37 5.1.8.1 Fort Calhoun .................................... 37 5.1.8.2 Point Beach 1 and 2 ............................. 37 5.1.9 Containment Isolation Valves -
G r an d Gu l f 1 an d 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 5.1.10 Reactor Coolant Pump Seal Injection ....................... 39 5.1.10.1 B&W Generic ..................................... 39 5.1.10.2 St. Lucie ....................................... 40 5.1.11 Reactor Cavity and Spent Fuel Pool Pneumatic
. Seal Failures ............................................. 41 5.1.11.1 Haddam Neck .................................... 41 5.1.11.2 Susquehanna 1 and 2 ............................ 41 5.1.11.3 Rancho Seco .................................... 42 l
1 vi
TABLE OF CONTENTS (Continued)
Pace 5.1.11.4 A rkansas Nuclear One Unit-2 . . . . . . . . . . . 43 5.1.11.5 San Onofre 2 .......................... 43 5.1.11.6 Sequoyah 1 and 2 ...................... 45 5.2 Foreign Reactor Experience ............................ 45 5.2.1 Loss of Containment Integrity .................. 45 5.2.2 Loss of Fuel Pool Inventory .................... 45 5.2.3 Low Peactor Coolant System Level ............... 45 6.0 ANALYSIS AND EVALUATION OF OPERATIONAL EXPERIENCE .......... 46 i 6.1 Failures of Safety and Safety-Related Systems ......... 46 ;
6.2 Reactor Transients and Safety System Degradations. . . . . . 47 6.2.1 Trends and Patterns Analyses ................... 47 6.2.2 Reactor Trip Analyses .......................... 48 6.2.3 H. B. Robinson Study ........................... 49 6.3 Patterns Observed Pegarding failures of Air-Operated Components ............................... 50 6.3.1 Component Contamination ........................ 50 6.3.2 Accumulator Failures ........................... 52 6.3.3 Individual Component Failures Resulting in Loss of Ai r Sys tem Events . . . . . . . . . . . . . . . . . . . . . . 52 6.4 Risk Assessments ...................................... 52 6.4.1 Calvert Cliffs ................................. 53 6.4.2 Oconee Unit 3 .................................. 53 6.4.3 NRC Pressurized Thermal Shock Program .......... 54 7.0 FINDINGS ................................................... 55 7.1 Root Causes of Air Systems Problems ................... 55 7.2 Consequences of Air Systems Problems .................. 55 7.3 Risks ................................................. 56
8.0 CONCLUSION
S ................................................ 57 9.0 RECOMMENDATIONS ............................................ 58 vii
. _ _ _ _ _ _ _ _ _ _ - _ _ _ - _ l
l l
TABLEOFCONTENTS(Continued)
Page
10.0 REFERENCES
............................................... 60 APPENDICES APPENDIX A PAPTIAL LISTING OF AIR-0PERATED E0tlIPMENT FAILURES SORTED BY FAILURE MODE APPENDIX B TECHNICAL REVIEW 0F EMERGENCY DIESEL GENERATOR COOLING SYSTEM FAILURES DUE TO AIR SYSTEMS INTERACTIONS APPENDIX C OPERATION OF RALPH A. HILLER COMPANY AIR SPRING ACTUATORS PART TKO (2)
PART TWO: OPERATING EXPERIENCE RELATED TO AIR SYSTEMS PROBLEMS SINCE DECEMBER 1986 1.0 Emergency Diesel Generators ............................ 2-1 2.0 Power-0perated Relief / Valves ........................... 2-2 3.0 Inability tn Achieve Safe Shutdown During/Subsecuent to a Fire - Peach Bottom Unit 3 ........................... 2-3 4.0 Control Room Habitability - Summer Plant ............... 2-3 5.0 Main Feedwater, Auxiliary Feedwater, and Emergency Feedwater Isolation Control Systems - Rancho Seco ...... 2-3 6.0 Containment Isolation - Browns Ferry 1, 2, and 3 ....... 2-4 REFERENCES .................................................. 2-5 I
i viii
PART ONE (1) 3 LIST OF FIGURES 1 Figure 1 Simplified Diagram of a Typical Air System at'a One-Unit Station (PWR) .................................... 7 2 Sc ram Va l ve A rra ngeme nt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 3 Layout Drawing of Scram Pilot Solenoid Valve ............. 24 4 Low Temperature Overpressure Protection System {
at Ginna ................................................. 28 i 5 ANO-2 Sp en t Fu el Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 LIST OF TABLES Table 1 Fouipment and Systems Which Utilize Instrument Air ......... 6 2 Air System Malfunctions Which Resulted in Multi-Plant Transients ................................................. 9 3 Effects of the Presence of Particulate in the Instrum9nt Air System Upon Safety-Pelated Equipment at
' Turkey Point 3 and 4 ...................................... 17 4 Maximum Acceptable Particle Size for Reliable Operation of Safety-Related Equipment at Turkey Point 3 and 4 .......... 18 5 Turkey Point. Unit 3 Auxiliary Feedwater Valve History During July. 1985 .......................................... 20 6 Plants with Air Check Valves / Actuators Similar to Byron 1.. 33 7 Penefits of Improving Instrument Air Systems............... 49 8 Safety Systems that Interface with the Instrument Air Systen at H. B. Robinson .................................. 50 9 Core Melt Frequency Attributed to Compressed Air System-Failures at Oconee 3 ...................................... 54 ix
PREFACE i
'AE00 case study report C701, " Air Systems Problems At U.S. Light Water Reactors,"
which is included as Part 1 of this report, was issued in March 1987. The case study report highlights 29 significant events involving safety-related systems in U.S. plants that resulted from degraded or malfunctioning non-safety grade air systems. The data base for the case. study report was current through 1985. Since the report was issued, similar events or design deficiencies have been observed to be occurring with a frequency of about one per month. These 4 more recent events included in Part 2 of this report, provide an update '
of operating experience involving air systems problems since the issuance of the case study report. The rate of continuing occurrences and the safety significance of these additional events provide further basis for concern over air system failures.
These _recent operating events reconfirm the findings and recommendations in AE0D case study report C701. As indicated in the case study report C701, AE0D recommends that corrective actions to deal with the air systems problems be initiated either by the industry or the regulatory process. These actions address the following areas:
- 1. Licensees should ensure that air system quality is consistent with equipment specifications and is periodically monitored and tested.
- 2. Anticipated transient and system recovery procedures and related training for loss of air systems should be reviewed for adecuacy and revised as necessary.
- 3. Plant staff should be trained regarding the importance of air systems.
- 4. The adequacy of safety-grade backup air accumulators for safety-related equipment should be verified.
- 5. All operating plants should be required to perform gradual loss of instrument air system pressure tests.
l l
xi
Part 1 AE0D/C701 Case Study Report
" Air Systems Problems at U.S. Light Water Reactors" i
)
AE0D/C701 CASE STUDY REPORT
- AIR SYSTEMS PPCBLEMS AT U.S. LIGHT WATER REACTORS March 1987 Prepared by:
Dr. Harold Ornstein Reactor Operations Analysis Branch Office for Analysis and Evaluation of Operational Data U.S. Nuclear Pegulatory Commission
- This report documents the preliminary results of a study completed to date by the Office for Analysis and Evaluation of Operational Data with regard to a number of operating events. The findings and recommendations do not necessarily represent the position or requirements of the responsible program office or the Nuclear Regulatory Commission, i 1
i
EXECUTIVE SUWARY This study provides a comprehensive review and evaluation of the potential safety implications associated with air system problems at U.S. light water reactors (LKRs). The report analyzes operating data, focusing upon degraded air systems, and the vulnerability of safety-related equipment to common mode t
failures associated with air systems. The report analyzes this data from the perspectives of trends'and patterns, risk assessments, end cost / benefit studies.
Several recommendations are presented to reduce risk, enhance safety, ar.d improve plant performance. l Air systems are not safety grade systems at most operating plants. As a result, plant accident analyses assume that safety-related eouipment dependent upon air systems will either " fail safe" upon loss of air or perform its intended function with the assistance of backup accumulators. This report highlights 29 failures of safety-related systems that resulted from degraded or malfunctioning air systems. These failures contradict.the assumption that safety-related equipment dependent upon air systems will either " fail safe" upon loss of air or perform its intended function with the assistance of backup accumulators. Some of the systems which were significantly degraded or failed were decay heat removal, aur.iliary feedwater, BWP scram, main steam isolation, salt water cooling, emergency diesel generator, containment isolation, and the fuel pool seal .
system. '
The root causes of most of those failures were traceable to desian and/or management deficiencies. The design and operating problems found appear to reflect a lack of sufficient regulatory requirements and review, and the view by many applicants and licensees thet air systems are not highly important to assuring plant safety.
We view the events in which safety systems have been adversely affected by degraded or malfunctioning air systems as important precursor events. They indicate that further industry or regulatory actions are necessary to assure that air systems are maintained and operated at levels which will enable plant equipment to function as designed and are not subject to unanalyzed failure modes possibly resulting in serious consequences. Up to now, such failures have not occurred in connection with a limiting transient or accident and, therefore, no serious consequences resulted.
The report addresses specific deficiencies which were found in the following areas: (1) mismatched equipment - the air quality capability of the instrument air system filters and dryers do not always match the design requirements of the equipment using the air; (2) maintenance of instrument air systems is not always performed in accordance with manufacturer's recommendations; (3) air quality is not usually monitored periodically; (4) plant personnel frequently do not understand the potential consequences of degraded air systems; (5) operators are not well trained to respond to losses of instrument air, and the emergency operating procedures for such events are frequently inadequate;
(6) at many plants the response of key eouipment to a loss of instrument air has not been verified to be consistent with the FSAR: (7) safety-related backup accumulators do not necessarily undergo surveillance testing or monitoring to confirm their readiness; and (8) the size and the seismic capability of safety-related backup accumulators at several plants have been found to be inadeouate.
The recommendations from this study address: (1) ensuring that air system quality neets the requirements specified by the manufacturers of the plants' air-operated equipment; (2) ensuring adequate operator response by formulating and implementing anticipated transient and system recovery procedures for loss-of-air events; (3) improving training to ensure that plant operations and maintenance personnel are sensitized to the importance of air systems and the vulnerability of safety-related equipnent served by the air systems to common mode failures;.(4) confirmin l f l
. backup accumulators; and (5)g the adequacy and reliabi ity of sa ety-re atedverifying e air to ensure that such losses do not result in events which fall outside FSAR analyses.
IIPDATE Since the preliminary case study report on air system problems was prepared for peer review in December 1986, three additional safety significant events have occurred. Each of these events is very similar to one of the events discussed in the preliminary report.
- 1. On Decenber 3, 1986, 140,000 gallons of radioactive weter drained from the spent fuel pool at Hatch I and 2 due to deflated pneumatic seals caused by a nispositionec air line valve. (This event is similar to the events discussed in Section 5.1.11.2 of this repert.)
- 2. On December 24, 1986, engineers for the Carolina Power and Light company discovered a potentiel for a common mode loss of all of the emergency diesel generators at Brunswick I and 2. It was found that the HVAC supply dampers for the diesel generator building would fail closed upon a loss of offsite power. Loss of the air system upon a loss of offsite power would cause the dampers to fail closed causing the emergency diesel generator controls to heat up. It was calcu-lated that within one hour the air temperature in the rooms would exceed the qualification temperature of the control systems.
- 3. On March 15, 1987, with one emergency diesel generator out of service, a running emergency diesel generator at the Zion 1 plant I could not meintain load because of a stuck open relief valve on the starting air system. Both diesel generators were inoperable for 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />. (The issue of energency diesel generator dependenc upon starting air is discussed in Section 5.1.7.2 of this report)y .
These additicnal events underscore the need for the remedial actions presented in the recommendations section of this report.
. k' .
[,
} %
, s
'(
1.0 INTRODUCTION
i Vany U.S. Tight dater reacEYs (LWRs) rply uaon air sjstems to actuate or control safety-related equipment du?ing normal operution. However, at most LWRs the eir
, systems tnemstives are d.ot classified as safety systems. Plant safety analyses
- typically assuee that nonsafety-related air systems become inoperable during i t transients and 'ccidents, a anD that the air-operated equipment which is served fWs"in" known, predictable modes (e.g., fails open, fails closed, fails as-is).
16 addition, air-operated equipment which must function during transients or accidents are provided'with a backup air (ce nitrogen) supply in the form of
. safety grade accumulators to ensure that the equipment can continue to perform its intended fvrtions.
On March 10, 1980, a prolonged loss of all it water cooling occurred at San Onofre Unit .1 due to air system problems (Pef. 1). A significant cause of the event was desiccant contamination found throughout the air system. An evaluation of the incident revealed that numerous safety-related systems could have been adversely affected by the desiccant (Ref 2). Pecause of the seriousness of the cause and potertial consequences of '.ne San Onofre event, it was. reported
, *{toCongressasraAbnormalOccurrenceinFebpary1981.
t Many other significant operational events since the San Onofre occurrence have been traced to air system design, operation or maintenance deficiencies. A.
previous study by ORNI on the operational p u formance of air systems found that air system problems do not pose a significant challence to plant safety, e and thereby concluded that no changes to the existing NRC regulations were W rnauired (Ref. 3). However, potential' common cause failures resulting from air-j; / system degradations were not considered in this earlier study. In addition, the stuc'y'did not focus on air system malfunctions or degradations which might initiate, complicate or increats the severity of transients or accidents. How-
,ever, we find in the reported operational experience examples of. air system alfedctions that havfinitiand'or exacerbated significant events, including:
. A feedwahr.trans6rt caused by water in the instrument. air system, which developed into the core melt accident at TMI-2 (Ref. 4).
- ~
'. A steam generator tube rupture esent at Ginna in 1982, exacerbated by an
,q 'i mproperly installed instrument air discharge line (Ref. 5).
. Aloss of decay heat rebcul, and significant primary system heatup at Palisades, caused by an n r system malfunction (Ref. 6).
. 'The prolonged loss of salt water cooling at San Onofre 1 in 1080, caused by desiccantcontaminationo{theairsystem(Reis.1,2).
l l
, *; .A loss'of the auxiliary feedwater systems at> Turkey Point Units 3 and 4 in 1985, caused by water and dirt; particles in the air system (Refs. 7, 8).
I :
. The inability to scram four control rods at Susouehanna 1 in 1984, caused by oil in the air system (Ref. 9).
\
- 7. - .f
4 The following sections of this study provide a comprehensive review and evalua-tion of the actual operational experience and the potential safety implications associated with air system problems at U.S. LL'Rs. The study also is intended to evaluate the various modes of air system performance problems, and to discuss the significant pl6nt responses to air system losses not fully addressed in previous reports. Also, several recommendations are presented to address the major deficiencies and design weaknesses noted in the review.
i L_ _- -_ - _ --
2.0 AIR SYSTEM DESCRIPTIONS 2.1~ Function and Purpose Most LWR plants have several air. systems.* Generally, the highest purity air system, frecuently referred to as the " instrument air" (IA) or " control air" (CA) system is used for vital instrumentation and controls (e.g., safety-related diaphragm or cylinder actuated valves, safety-related current-to pressure [I/P1 or electro-pneumatic [E/P] converters). Instrument or control air systems also are used to provide motive power for nonsafety-related equipment at some plants.
Table I lists several important LWP systems which utilize IA (or CA).
Most LWR plants also have lower quality air systems, frecuently called the
" plant. air" (PA), " service air" or " station air" systems. These lower quality air systems are usually allowed to operate with larger size particulate, and with higher moisture and oil content than the IA systems. The PA systems are comonly used for nonsafety-related equipment, routine maintenance activities, pneumatic tools, breathing air,** etc.
2.2 System Design and Operation A simplified diacram of a typical air system at a single unit station is shewn in Figure 1. Nuclear plant air systems generally have two branches--the higher
- l. quelity IA (or CA) branch and the lower quality service or plant air branch.
l Although operating at different evalities, both branches are usually supplied from the same air compressors. Air for the instrumentation or control branch usually is purified and dehumidified at the beginning of the IA branch. Air l finving in the plant or service air branches usually is unfiltered (no filtra-tion downstream of.the compressor intake screens), and is not dehumidified.
IA dehumidification may be performed by either the desiccant stack drying method, or by the refrigeration condensation method. In some plants refrigeration and i
desiccant type dryers are used in series. As shown in Figure 1, filtration is performed by filters downstream of the dehumidification equipment and by in-line filters (i.e., satellite filters, or filter regulators) immediately upstream of (or an integral part of) the equipment which uses the air. Some plants do not have in-line filters.
Typical air systems are made up of two or more 100% capacity compressors which deliver air at a pressure of about 100 psi When the IA system pressure decreases below a predetermined setpoint (g. typically in the range of 70-80 psig),
the redundant air compressor (s) is automatically started and the PA system is shed from the main air header. In addition to the redundant air compressors, many plants have other backup air sources which can be utilized (e.g., portable skid-mounted diesel-driven or gasoline-driven compressors). At some plants,
- Since air systems are generally categorized as nonsafety, balance of plant systems, their designs vary significantly from plant to plant, reflectine utility and architectural engineer preferences. This section has been generalized to indicate common features among widely varying systems.
- Some plants tap into the IA system to use it for breathing air on a temporary I
basis.
l
1 Table 1 Equipment and Systems Which Utilize Instrument Air
- 1. Scram System
- 2. Reactor Coolant System (Pump Seals /Pelief Valves) l 3. Safety Injection System
- 4. Auxiliary.Feedwater System
'6. Chemical Volume Control System /Chargino and Letdown System /Ecration System
- 7. High Pressure Injection /Make-up System
- 9. Low Temperature Overpressurization Protection System
- 10. Component Cooling Water Sy' tem
- 11. Decay Heat Removal System
- 12. Service Water System
- 13. Emergency Diesel Generators l .. 14. - Reactor Cavity / Spent Fuel / Fuel Handling System -
l 15. - Torus and Drywell/ Vent and Vacuum System i 16. Station Batteries l 17. Main Steam System / Pain Steam Isolation Valves / Auxiliary Boiler
- 18. Peactor Building / Auxiliary Building-Ventilation and Isolation System
- 19. Main Feedwater System /Feedwater Isolation Valves
- 20. Condensate System / Polishers /Demineralizers Pl. Moisture Separation / Reheat System
- 22. Containment Atmosphere System
- 24. Floor / Sump Drain System
- 25. Sampling Systems
- 26. Fire System
- 27. Turbine-Generator System l
R S T N V T S E R N I R R L S NU S N R S ER S S E / E DE E A S I OMR DO E TS EY I
D E I I E N D E E GN V LD UA W D I
V ICSA EP L CT U TS A T LWSDAR D P DA R DS N TO' A B HE O S I
N R R VY E E LB B UO N CO YRM N Y NU AI O H AO HA G R T O GP T HA E RES NYWNNRBT E E E EGP O NTO C C SH C C ME E MOEE TI C N Y 4PS V NSO N PM OYINN GZ EAC YGRT E XI T WOPIBVC ETORU I
I F
NT P O R E R T STCV L A I
D MMRLAMTK P EETARL BLARER ANO UP YSSWS ASAR YEE O OR AA EDAROR ENA I I AWH M S SW RS C*
- E E TUUAEO RYNUOPMET S l
a * *
- FADTVRC.WMTHATCSEG 7
"RE R D E MA O DO T AT R E
H E 3R Y t IhER
" 1 D
I?-
~
f 1
DR IhER MR E Y
R D
IhER X X R R R E E E
RIV RI V RIV I E I E I E AC AC AC E E E R R R R R R O O O S S S S S S E E E R R R P P P M M M O O O C C C E R K
ER ER R E R K E R K E I AT I AT AT ATL ATL IATL NF I
NF I
NI I F I
_ I
the backup air supply is of relatively low quality and may be fed directly into the IA system header downstream of the dryers and filters.
Accordingly, when these backup sources are operating, the potential for con-taminating the IA system can be significantly increased.
At most plants, the air lines penetrating containment are equipped with an automatic isolation valve which closes on a containment isolation signal.*
Some plants have a different and separate air system to supply air-operated equipment inside containment. One advantage of such a configuration is that
'the air supply inside containment is not necessarily lost due to a containment isolation. In addition, since the system draws upon the containment atmosphere l for its supply, a malfunctioning IA system inside containment does not have the potential for causing a containment pressure increase.
The IA systems at some multi-plant stations are designed so that they can be interconnected if needed. Cross-connecting plant air systems provides rec'un-dancy; however, when the plant is operating with such interconnections, the risk of multiple equipment loss resulting in simultaneous system transients (including a reactor scram) initiated by a loss of the air system is increased.
Single air system malfunctions have been responsible for multi-plant transients and scrams. Some examples of multi-plant trar.sients resulting from air system malfunctions are provided in Table 2.
2.3 Safety-Related Functions Air systems at most U.S. LWRs are not categorized as safety systems. Conse-
.quently, most safety analyses assume that air systems fail to maintain operating air pressure during postulated transients and accidents. Safety analyses assume that (unless there is a safety-grade source of air or nitrogen) air-operated equipment will " fail" to a known state in accordance with its design. For example, air-operated valves may fail open, fail closed, or fail as-is. Such equipment " failure" assumptions can be avoided if, for example, the air system is cualified as safety-grade, or if backup local accumulators (bottles) are provided near the eouipment. The isolation boundary between the safety-grade '
accumulator and the nonsafety grade air system is usually a check valve. Some plants have qualified safety-grade air systems which are assumed to be available during transients or accidents. Plants in this category include Zion 1 and 2, i which have " penetration pressuri7ation air compressors," and Sequoyah I and 2 which have " auxiliary control air compressors" installed for this purpose.
t l
- In such plants when the isolation occurs the air supply (and pressure) to the air headers inside containment is lost.
l
l Table 2 Air System Malfunctions k'hich Pesulted in Multi-Plant Transients Plantr, Date Description of Event Peference Brown Ferry 8/28/78 The cylinder head of 1 air PN0-78-147 1,2,3 compressor failed, and there was a loss of control air to all three units. Units 1 and 2 were scrammed while Unit 3 was already shut down.
LaSalle 10/25/83 Loss of cooling water to 10 CFR 50.72 1,2 Unit ? service air compressor 10/25/83 resulted in loss of Unit 1 IE Daily Peport lA. Unit I was manually 10/26/83 scrammed.
Grand Gulf 7/2/84 Unit I had a reactor scram LER 1,2 after the loss of the Unit 2 84-033 air compressor. (The scram occurred subsequent to scram pilot valves drifting open, low IA pressure and high scram discharge volume level.)
McGuire 11/P/85 Break in compressor discharge LER 85-034 1,2 line resulted in loss cf IA 10 CFP 50.72 to both units, and scram of reports 2615, both units on low steam 2618, 3335 generator level.
3.0 AIR SYSTE!' REQUIREMENTS 3.1 Air Quality Requirements'For pneumatic Equipment Because of the materials and the small clearances of the internal moving parts of pneumatic equipment, clean, dry, and oil free air is required for reliable, trouble-free operation. The level of contamination at which pneumatic equipment performance deorades or fails completely deps upon the equipment's specific design features. For example, particulate con omination has been found to be responsible for many solenoid air pilot valve and system check valve malfunctions.
Observed pilot valve failures have included particulate blocking the internal air passageways and air exit ports. Particulate buildup has also been known to prevent air line check valves from seating properly. Leakage of accumulator-check valves has resulted in compromising the safety function of backup accu-mulators and has adversely affected safet/-grade equipment. Air system oil contamination has been responsible for gum or varnish buildup which resulted in sticking valves. Oil contamination has also been responsible for degradation and failure of solenoid air pilot valve seals.
A major solenoid valve manufacturer whose solenoid valves are used as pilot operators on thousands of control valves in U.S. LWRs does not specify any quantitative air quality requirements. The statement made by the manufacturer in technical bulletins is that the valves are "for (oil free) instrument air" use. However, " oil free" is not defined in the manufacturer's literature, and the manufacturer does not specify maximum allowable particle size or moisture content. The valve manufacturer's engineering staff recommends the use of strainers upstream of the valves. The minimum size strainer that the valve manufacturer supplies is 250 microns, whereas the air quality standard of the American National Standards Institute (/NSI) specifies a maximum particle sire of 3 microns.
3.2 Industry Standards The ANSI standard MC 11.1-1976 (ISA-S7.3), "Ouality Standard for Instrument Air" (Ref.10) establishes IA quality limits to preclude malfunctions of equip-ment supplied by the air systems. The standard specifies: a maximum allowable dew point (to limit moisture content), a maximum allowable entrained particle size (to prevent plugging, wear and erosion of passages and orifices) and a maximum allowable oil or hydrocarbon content (to avoid malfunction from clogging and wear of components). For outdoor service, the dewpoint must be at least 10 C below the minimum local recorded ambient temperature at the plant site while, for indoor service, the dew point must be at least 10"C below the minimum temperature to which any part of the IA system is exposed, but not hioher than 2'C. Entrained particles must not exceed 3 microns, while the maximum oil or hydrogen content cannot exceed 1 part per million. The standard also addresses permissible levels for corrosives and toxic contaminants.
3.3 NRC Requirements Over a period of years, the NRC has issued several regulations and guidelires for air systems. However, older plants are not required to meet any of the NRC's regulations or guidelines on air systems. In contrast, " safety-related" compressed air systems at newer plants and plants presently under construction are required to meet ANSI MC 11.1-1976 (ISA-57.3), Regulatory Guide 1.68.3, "Preoperational Testing of Instrument and Control Air" (Ref. 11), and Standard Review Plan 9.3.1, " Compressed Air System" (Ref.12).
Regulatory Guide 1.68.3 requires that new plants (licensing actions after May 24, 1982) perform specific preoperational tests on the instrument and control air systems. Those tests must simulate both rapid and. gradual pressure losses in the air system. Regulatory Guide 1.68.3 also requires that new plants meet the requirements of ANSI MC 11.1-1976 (ISA-57.3), and that all plants which undergo major modifications or repairs to the instrument and control air system, l or portions thereof, perform similar tests prior to restart. However, once the
! preoperational (or post-modification) testing has been successfully completed, I there are no requirements that plants continue to meet the ANSI MC 11.1-1976 (ISA-S7.3) requirements.
Regulatory Guide 1.fE.3 was preceded by Regulatory Guide 1.80 "Preoperational Testing of Instrument Air Systems" (Ref.13). Regulatory Guide 1.80 addressed IA, but not control air. It reouired plants to verify that IA met " cleanliness requirements" with respect to oil, water, and particulate matter entrained in the product air. It did not provide the required cleanliness specifications, however, and it did not recuire the plants to continue to meet the " cleanliness requirements" after successfully completino the preoperational (or post-modification) tests.
Standard Review Plan 9.3.1, " Compressed Air System," provides NPC's review plan for safety-related compressed air systems (SPCAS). The review evaluates the i conformance of the SRCAS design, testing and operating characteristics with ,
General Design Criteria (GDC) 1, 2, and 5. The review identifies safety-related i air-operated equipment that is supplied by the compressed air systems, reviews equipment failure modes, and determines the effects of the postulated failures upon plant response during transients and accidents. The review also addresses the design of the SRCAS with respect to the capability of the system to supply high quality IA which meets ANSI Standard P.C 11.1-1976 (ISA-S7.3). However, once a plant is licensed, there is no clear requirement that the air systems continue to meet the ANSI /ISA air quality standard. Although Standard Review Plan 9.3.1, paragraph III.2.b.l.4 states that, "A regular periodic check should be made to assure high quality instrument air," this requirement is contained in a section of the standard review plan that addresses system desien relating to corrosive contaminants, hazardous gases, etc., in the IA. The requirement does not address actual air system operation subsequent to startup.
l
4.0~ AIR SYSTEMS FAILURE' MODES'AND EFFECTS 4.1 Contamination 4.1.1 Water Moisture in the air is one of the most frequently observed contaminants in air systems. Pater contamination results from inadequate dryer and/or moisture separator operation. Water droplets entrained in the air can initiate the formation of rust or other oxide particles (rust and particulate contamination are discussed in Section 4.1.2).
Water droplets can cause the malfunction of E/P or I/P converters by blocking internal passageways, or by forming corrosion products which block internal passageways or cause sticking or binding of moving parts. In addition, water droplets can obstruct the discharge ports on solenoid air pilot valves, degrading their ability to function properly. Furthermore, moisture can cause corrosion of air system internal surfaces as well as the internal surfaces of equipment :
connected to the air system (e.g.,' valve bodies). Pust and other oxides have been observed to cause the exit orifices of air pilot valves and other (air-operated) equipment to be partially or totally blocked, resulting in degraded equipment operation or complete loss of function. Additionally, rust particles on the inside of the piping or connected equipment have the potential to be dislodged during severe vibrations -(e.g., earthquake or water hammer), which could lead to common mode equipment failures.
4.1.2 Particulate Particulate matter has been found to have degraded or prevented air from venting through discharge orifices of solenoid air pilot valves and valve air operators.
A clogged orifice changes the bleeddown rate, which affects the valve-opening or closing times and can result in stuck valves. Additionally, small particles have been found to have prevented E/P or I/P converters from functicring properly (i.e., open or close upon demand). Abrasive or gritty-like particulate mdtter le.g., air dryer desiccant) has been found to damage solenoid air pilot .
valve seals (0-rings), preventing air-operated valves from functioning properly.
4.1.3 Hydrocarbons Hydrocarbon contamination of air systems can cause sluggish valve operations as well as a complete loss of valve motion. Hydrocarbons (e.g., compressor oil) have been observed to leave gummy-like residues on valve internal com-ponents. This causes the valves to operate sluggishly, erratically, or even stick completely. Hydrocarbons have also been found to have caused valve seals to become brittle and to stick to mating surfaces, thereby preventing valve motion. In some cases, the seals were found to have torn apart or to have flaked off, resulting in loose particles which blocked air discharge orifices. j l
f 4.2 Air System Component Failures 4.2.1 Compressors In most plants, instrument and service air systems include redundant compressors, but generally are not designed as safety-grade or safety-related systems. As a result, a single failure in the electric power system or the compressor cooling water supply system can result in a complete loss of the station air system compressors. Because the plants have redundant air compressors and automatic switching features, single random compressor failures usually do not result in total loss of air systems. Most air system compressors are of the oilless type.
However, some plants have used non-oilless compressors, and have experienced oil contamination of their air systems. Similarly, the temporary use of non-oilless backup or emergency compressors (e.g., skid-mounted.. diesel-operated) without adequate filtration and drying can result in significant air system degradation.
4.2.2 Distribution Systems Since most instrument and service air systems are not designated as safety-grade, or safety-related, they are vulnerable to a single distribution system failure.
For example, a single branch line, or distribution header break can cause depressurization in part, and possibly all, of an air system.
4.2.3 Dryers aid Filters Single failures in the IA filtration or drying equipment can cause widespread air system contamination, resulting in common mode failures of safety-related equipment. For example, a single failure such as a plugged or broken air filter, a malfunctioning desiccant tower heater timer, or a plugged refrigerant dryer drain can cause dessicant, dirt or water to enter the air lines. As discussed in Section 4.1,- such contaminants can result in significant degradation, or even failure, of inportant air system components.
4.2.4 Accumulator Check Valves Undetected accumulator check valve leaks could prevent safety-related equipment from performing its safety function upon loss of IA. Contaminants in the IA system can also cause multiple undetected accumulator check valve failures, which could prevent redundant safety-related equipment from performing its ,
intended function. !
4.2.5 Design, Installation, and Maintenance Errors Plant safety analyses assume th3t safety-related, pneumatically-operated equip-ment responds to the loss of 1A in a mode which is in accordance with the equip-ment design. For example, valves may be designed to fail open, fail closed, ;
fail as-is, or to continue to operate with the assistance of safety-grade
)
accumulators. However, design, installation, or maintenance errors can invalidate such assumptions, resulting in equipment operating in a manner dif-ferent from that assumed in safety analyses. Such reported errors include:
inadequate accumulator sizing, inadequate seismic supports for lines connected to the accumulators, valves with incorrect loss-of-air failure modes, and incorrectly installed inlet and exit air supply lines from testable check valve air operators.
l
5.0 OPERATIONAL EXPERIENCE This section presents 29 operational events at U.S. LWRs in which a safety-related system
- failed because of degradation or failures of air systems or air-operated eouipment. Eleven different safety-related systems were involved.
These events were chosen to show the wide variety of safety-related systems that would be impaired by faulty air systems or failures of air-operated equipment; this section is not intended to present a complete listing of all such events. Many of these events illustrate the common mode failure potential I that air systems can have to cause multiple-independent trains of safety-related systems to fail. In addition, this section provides brief descriptions of similar events that have occurred at foreign LWRs. The cutoff date for data which was used in this section was December 31, 1985. However, many similar events have occurred since then.
Additional operational experience is presented in Appendix A, which contains a tabulation of about 150 equipment failures sorted by cause. It presents a representative cross-section of such events, and is not intended to be a com-plete tabulation of all such failures. Post of the safety-related failures presented in this section are not repeated in Appendix A. Appendix A does not include the nany MSIV failures events which are identified by NRC's Office of Inspection and Enforcement in Reference 14.
5.1 Safety Systems Failures 5.1.1 Shutdown Cooling Syster - Palisades In 1978 and 1981, two separate events occurred at the Palisades plant in which shutdown cooling system flev was lost (Refs. 6 and 15). On both occasions, water in the lA system filled a valve positioner, ceusing the control valve to fail closed. The 1978 event lasted for 45 minutes, allowing the primary coolant system to heat up from 130 F to 215 F. The 1981 event lasted over li-hours, allowing the primary coolant system to heat up from 123*F to 197 F.
The licensee reported that water entered the IA line due to improper air dryer operation. The dryer purge valve had apparently been throttled excessively, ,
causing insufficient air flow during the dryer's recereration cycle (Ref. 6). l The licensee also discovered a construction error in the air receiver tanks' !
discharge lines. Contrary to the design drawing, the lines were located at the l bottom of the tanks instead of at the top. This arraroement increased the potential for water accumulation and entrainment in the downstream air system piping. The Palisades events clearly illustrate that moisture buildup in air lines can cause failure of air-operated valves, particularly during periods of ,
high demand (Ref. 16). l 5.1.2 Auxiliary Feedwater Systems 5.1.2.1 Turkey Point 3 and 4 During surveillance testing from July 21-26, 1985, Turkey Point Units 3 and 4 ,
experienced recurrent failures of the auxiliary feedwater (AFV) system due to IA system contamination (Refs. 7,17,18,19,20). The recurrent problems
- In this report the term " safety-related systems" will be used interchangeably with safety systems.
involved simultaneous failures of the AFW flow control and steam generator bypass valves. During the events, I/P converters and pneumatic valve
( positioners experienced common mode failures. The three turbine-driven AFV pumps (which serve both Turkey Point units) experienced overspeed trips which l
were complicated by the sticking of multiple flow control valves and sluggish steam generator bypass valves.
The plant operations staff had been aware of an IA system water accumulation problem for some period of time. However, the operations staff was unaware of the potential problems which might be caused by the water. Accordingly, the operations and maintenance staff initially attempted to correct the AFW control i valve problem, as they had previously, by blowing down the air regulators (i.e., fix the symptoms). The procedure was not successful in restorino the functional reliability of the valves. When they became aware of the problem, the licensee's engineering staff hypothesized that corrosion products formed inside the IA system may have been a source of the gross degradation. With the subsequent realization that contaminated IA might be the root cause of many of the recurrent AFU system problems, the licensee requested the architect engineer to evaluate the effect of contaminants in the IA supply on the safety and nonsafety-related equipment. The architect engineer also was requested to determine the maximum particulate size that the safety-related instrument air system equipment could accommodate without adverse effects, end the effects of particulate on the IA system. The architect encineer's analysis determined that many safety-related devices could be adversely affected by particulate in the IA system. The safety-related systems which could be affected are:
Secondary system (steam dump to atmosphere)
Salt water system (flov from the essential heat exchanger)
Charging system Residual heat removal (PHP) system AFW system As shown in Table 3, at Turkey Point the AFW system for both units could be lost as a result of IA system contamination (Pef. 21). It is important to note that in July 1985, several of thr AFW system flow control valves failed simul-taneously as a result of IA contamination. In addition, the nonsafety-related main feedwater bypass valves have experienced simultaneous common mode failure (closed) as a result of water in the IA. This failure is potentially signifi-cant because the bypass valves are used to control the diverse nonsafety-related backup AFW flow provided by the two motor-driven startup pumps.
Failure of the main feedwater (MFW) bypass valves could result in the loss of AFV diversity.
At the licensee's request, the architect engineer canvassed manufacturers of the safety-related equipment that had been determined to be susceptible to IA contamination, and to failure in an " unsafe manner." The vendors were requested to provide information on the susceptibility of the eouipment to particulate in the IA system. Some vendors indicated that if their ecuipment was supplied with IA which met the ISA standard, no failures should be I
Table 3 Potential Effects of the Presence of Particulate in the Instrument Air System Upon Safety-Pelated Equipment at Turkey Point 3 and 4 (Ref. 21)
Components Affected Result of Each Failure All flow control valves for AFW " Control of valve is lost. AFW to to steam generators for both units S/G cannot be established, or may CV-3-2816, 2817, 2818 not be controllable" CV-4-2816, 2817, 2818 CV-3-2831, 2832, 2833 CV-4-2831, 2832, 2833 All AFW pump turbine differential " Trip and throttle valve control pressure transmitters and speed will be unavailable. Trip and l controllers for both units: throttle valve position is DPT 2401, 240?, 2403 indeterminate for component DPC 2401, 2402, 2403 failure" All AFV flow avg I/P converters " Automatic or Manual ccr. trol of for both units: the AFW pump to Steam Generator Y-3-1401, 14E7, 1458 supply valves may be unavailable."
Y-4-1401, 1457, 1458 expected. However, since the IS/ standards, which allow a maximum particulate size of 3 micrors, were not met at Turkey Point, the vendors were subsequently requested to provide information on the maximum particulate size that would not impair the operation of their safety-related eouipment. Table 4 presents the results of that survey (Ref. 22).
A review conducted by the licensee found that most of the safety-related equip- l ment installed in the plant was rot equipped with the filter sizes recommended !
by the manufacturers. For some equipment, no filters were installed. The licensee subsequently purchased and installed the correct size filters upstream of the safety-related ecuipment.
In addition to the engineering support from the architect engineer, the licensee obtained the services of a consultant with extensive knowledge of If systems. Based on the consultant's evaluation, the licensee initiated the following modification, repair, maintenance, testing and surveillance activities on the IA system and components that had previously been affected by i contaminated air:
The air dryer desiccant columns and post dryer air filters were changed out; Individual filters were either installed or replaced upstream of critical components in the AFW and MFP systems (e.g., valve positioners, I/P converters);
k 1
i Table 4 Maximum Acceptable Particle Size for Reliable Operation of {
Safety-Related Equipment at Turkey Point 3 and 4 (Pef. 22)
]
i Maximum /cceptable !
Function Component No. Manufacturer Filter Size i '
(Microns)
Steam dump CV *-1606 Fisher- 40 to atmosphere CV *-1607 Governor CV *-1608 Salt water CV *-2201 Fisher- 40 from essential CV *-2202 Governor j heat exchanger Charging HCV *-121 Fisher- 40 flow to reactor Governor coolant system RHR outlet I/P *-758 Fisher-Governor 40 flow control HCV *-758 Continental 25 i AFW to CV *-2816 Valtek 25 steam generator CV *-2817 CV *-2818 CV *-2819 CV *-2831 CV *-2832 CV *-2833 AFW flow I/P F/Y *-1401A-6&B-f Masonellian 5 converter F/Y *-1457A-6&B-6 F/Y *-1457A-6&B-6 4
- Indicates two components: replace
- by 3 for Unit 3 and by 4 for (! nit 4 (e.g., CV *-1606= CV-3-1606 and CV-4-1606).
i
_ 19 The selector switches, cycle timer, and three-way valve limit switch on the No. 4 instrument air dryer were replaced; Periodic dew point checks were initiated at critical locations (e.g., air dryer outlet, AFW and MFW regulators);
Control valves and regulators associated with the AFW and MFW systems were blown down and cleaned out; and Provisions were made to periodically blow down the IA system including the moisture separator and low points of the system which tend to collect moisture.
i Table 5 provides e history of AFW valve problems that were experienced on Unit 3 during July 1985. It should be'noted that the AFW system lineup is such that failures of steam generator flow control valves CV2831, 2832, and 2833 constitute a loss of train No. 2, which serves the B AFW pump, and failures of CV2816, 2817, and 2818 would constitute a loss of train No. 1, which serves the A and C AFh pumps. As noted in Table 5, air system contamination had the potential to render both AFW trains inoperable. By 12:37 a.m. on July 22, 1985, AFW control valve CV-2833 was cleaned and released for operations. Three minutes later, the level in steam generator B dropped, resulting in an AFW actuation. Subsequently, the A and C turbines tripped on mechanical overspeed and the B pump operated erratically and tripped on electrical overspeed. At that point, all three AFW turbines were inoperable. The operator reset the mechanical overspeed trip and restarted one of the AFW turbines. On July 25, 1985, by 5:40 a.m. all 12 regulators had been cleaned; however, less than 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> later ore of the-valve positioners again failed.
Subsequent to the TMI accident, the NRC and the licensees have been focusing attention on the potential that a loss of IA would have upon the operation of the AFW system. Like many other PWRs, Turkey Point 3 and 4 installed backup j nitrogen accumulators to assure that the AFW controls would be available upon j
-the loss of IA. In 1985, the NRC resident inspectors found, however, that. 3 l
(1) The Turkey Point plant staff did not have adequate procedures to enable l operators to operate the AFW system upon loss of the IA system.
(2) The backup accumulators were not being tested to confirm that the AFW system would operate properly upon a loss of the IA system.
(3) The accumulators would provide only 6 minutes of control air to the AW I system vs. the licensee's design value of 30 minutes. A test confirmed the inspector's calculations.
(4) The supports for the tubing connecting the nitrogen accumulators to the AFW system were not speced in accordance with the architect engineer's recom- I mendations. As a result, the possibility existed that the l
l I
_____ ________ _______-___ - - _ _ D
Table 5 Turkey Point Unit 3 AFW Valve History During l
July 1985 (Ref. 18) l Day Date Time Event / Corrective Action Sunday T/TT 7063: CV-2822 sticks open, cleaning positioner booster solves symptom.
Monday 7/22 0000: CV-2833 fails to reclose. Actuation of blow out pluo l on positier.er allows valve to close. While attempting i to check calibration of CV-2833 found I/P would drift up slowly. Trouble shooting finds I/P exhaust port clogced. 1/P cleaned, calibrated and reinstalled.
Cleaned positioner, verified loop cal. _ Released to operations @ 12:37.
Wednesday 7/24 0640: CV-2832 & CV-2833 failed to reclose.
0730: All six I/P's and positioners are cleaned. Cleaned and calibration checked "B" train. Found CV-2831 1/p non-linear due to fouled booster port on I/P. Stroked all valves satisfactorily. Released to operations at 12:20.
1244: CV-2833 failed tc closc on AFW test. Actuated blow out plug on position EER, restroked 5 times satisfactorily.
1400: CV-2833 positioner's regulator inspected. Found moisture and a thin undefined film in regulator.
Blew down instrument air lines to both trains and found moisture, and an undefined black substance in lines.
i Thursday 7/25 0540: Cleaned all (12) regulators and swapped AFW control l valve positioners for CV-2833 & CV-2817. l 0913: CV-2817 fails to release. Decision made to replace ;
positioner on CV-2817 with a OC positioner from the l chiller system.
1705: CV-2817 stroke checked and released to operations. '
Friday 7/26 0950: CV-2817 did not fully close. Found positioner was inadequately set for valve travel. Adjusted stroke on positioner and released to operations:
" safety-related" nitrogen accumulator backup system would not be capable of performing its intended function subsequent to a design basis accident (Refs. 19 and 20).
As a result of the aforementioned deficiencies, the licensee improved the subject procedures, modified the backup nitrogen accumulator system, and committed to implementing appropriate operator training. However, backup accumulators were not provided for the MFW bypass valves which control the diverse AFW flow (motor-driven standby startup pumps).
The licensee recognized the severity of the IA degradation problem and took appropriate corrective actions in July 1985. However, two months later, on September 20, 1985, plant operators allowed the IA to completely bypass the dryers. The Unit 4 IA dryer was removed from service due to a purge valve failure (Ref. 23) and rather than routing the air through the Unit 3 air dryer (in accordance with approved operating precedures), the plant operators allowed the air to completely bypass all dryers. In approximately 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, the Unit 4
, air dryer purge valve was repaired and the system was returned to normal l
operation. However, during the 6-hour period that the air dryers were bypassed, much safety-related air-operated equipment were put at risk to common I mode failure as a result of meist IA. Although there were no immediate l
component failures, the moisture which entered the IA system during that 6-hour period had the potential to cause longer term effects such as pitting, corrosion, and oxide formation on the IA system surfaces which could result in future equipment malfunctions.
5.1.2.2 Indian Point 2 l
Indian Point 2 has also experienced AFW regulating valve problems es a result of moisture in the IA system (Fefs. 24 and 25). These problems were manifested in sluggishly operating AFW flow regulating valves. The valves had to be manually controlled to prevent overfeeding the steam generators. Similar to Turkey Point 3 and 4, moisture in the instrument air system caused the I/P converters to malfunction. The licensee's short term corrective action was to blow down the IA lines and clean and recalibrates the I/F converters. Over a 5-year period, poor cuality IA has caused many I/P converter failures at Indian Point 2. Some of the components affected have been the AFW flow regulating valves, the charging pump flow control valves, and the MFW flow regulating l
valves.
The Indian Point 2 IA system used refrigeration type dryers in series with des-iccant type dryers. The Indian Point 2 IA system has been cited, however, for having many recurring maintenance work orders on this system (Ref. 26).
Because of faulty dryer operation, the licensee considered modifying the IA drying system. The licensee has indicated that IA system maintenance has been a major source of recurring maintenance operations - with most of the problems emanating from the refrigeration dryers. The Indian Point 2 IA system lines are all copper, to minimize rust potential, however, they do not have any
" satellite" filters upstream of the air-operated equipment, to minimize contamination from small particulate. During the May 1986 outage the licensee upgraded the 1A system. (The refrigeration type dryers were replaced with desiccant type dryers).
5.1.3 BWR Scram Systems 5.1.3.1 Susquehanne On October 6, 1984, while Susquehanna 1 was operating at 60% power, two control rods failed to insert during individual rod scram testing. Further scram test-ing revealed that a total of four rods would not insert while nine additional rods hesitated before inserting. A similar event had occurred previously at Susquehanna on June 13, 1984, when several control rods hesitated momentarily before inserting (Ref. 9). Two of the control rods that failed to insert on October 6 had not met the technical specification scram time requirements on June 13. The licensee did not become aware of the June 13 malfunctions until the October 6 failures were investigated. ,
The October 6 failures were attributed to common mode contamination of the IA system. The combination of contaminants (oil ard/or water) and high tempera-tures (140 F) caused the scram pilot solenoid valve (SPSV)* internals to de-grade and become stuck. The SPSV polyurethane disc holder subassembly seats were found to be stuck to the SPSV exhaust port orifice. This prevented air from the scram inlet and outlet valve air operators from bleeding off thrcugh the SPSV exhaust ports, which prevented the scram inlet and outlet valves from opening. Figure 2 illustrates the scram valve arrangement, Figure 3 shows the internal components of the SPSV.
Independent laboratory examinations of the failed solenoid pilot valves con-cluded that the polyurethane parts degraded because of a combination of conta-mination in the IA and elevated temperature (Ref. 27). The first laboratory (Franklin Institute) cited the failure mechanism as hydrolytic decomposition of the polyurethane seats due to a combination of water and elevated temperatures.
The second laboratory (General Electric) indicated that polyurethane seat fail-ure was caused by contamination of the IA with a synthetic diester oil (SDO, which is a plasticizer). Both Franklin Institute and General Electric recom-mended replacing the polyurethane seats with a seat material capable of operat-ing at high temperatures and having an improved contaminant resistance. The recommended material was Viton-A. The licensee changed out all of the SPSV polyurethane seats on Units 1 and 2 (i.e., about 290 seats) for all Unit I control rods, half of the Unit 2 control rods, and all the backup scram valves.
(Half of the SPSV discs for the Unit 2 control rods had already been replaced in 1983 with Viton-A discs.)
- Susauchanna 1 and 2 and some of new BWRs use ASCO "T" solenoid valves. Most BWRs use the valves discussed in Section 5.1.3.2.
I
- _ - _ - _ - - - - - _ - - - - - I
DO _I SIA SOAI A C, R B _MI TEL EVR S" A E DE RL ERI
<* P R R
CTAHGDA SUS WRN N
- " N A A ASE E P
- OEEl
- " S."
P R
E VS TDLO NL iTV C
S O
l T
.ONALIEAO N .NAVCDVVT A'
! ' :li;-
E T A' -" V."
N , FY
- t
=
=
t m
e "
- g t
E V , gM ,a ",
u" ,a i
IM L
""HA I R S f u" HC
,a S 5 D
"" L M'i INE /
u" ,s AVTA SVR L
LDOR "
- : K ASND T C L N T DO
/ E ,s N 'lOL A
H a" V E V t i HRB )
v 2 t
- 3 A - Y CS T s u" AP D p u"g R MlOE S N E T T t t A NV V E N Lp D
- REL E E y, ~ J E
- CLA G MM B
B SOV R UU R
."n CS S A~
HE R O L lgv APR CM T SV . i u" SU N T' I
DO L I RE
,= E L S MV H TS
" " E A T UE
' ' V R OOV L
-A L C MMA
- S OAV RR C:
D*
r OC; D 1 AVM FC t
-A ' a m'A L S s
+ R C
Q m7i
" S -
P U
K
" " C A
B -
-D
- R C
C; , CL D1 D*
,n L : L M G O I
GO , 8 qAE T
'rRL I
S RTI R S RTIR d #
- e CN lI' P P 5
NA 5 NA SI 7 OC 7 OC G
NR I E G
R T _ - O2 E E
S L
AA - H HW C G N
l 2 / rL b O N 4 1J NR A
H C
l i ,
o.
r \,A
\* f r
=
0 f ..
c
~
~
/
't ;:ll:l 1
w
= ' !!
>*i *ll @
l> & .-
i EE b
l
-~~ .
! !l
=
il
"- g
!e I s
~
~" = ll ;li .
5' l l !!! o I1
,$ li is
- ;I ii:t !" 8 r 1 *r n
~ it --.
o 19 y, ::'
, Es '
5:
!? e i i'! E I !s .
Il*-
11 j Ii. . E E] :n e
o is O!
- E e l- f .
V)
Elf
- r% cn a.i ,h !i l
!e:!
f 1 '
! 1j. 1-i 45:5 sh . 1Y w $s ' y n' 't.
1
- . s. , , K V-ll UEj 8 ~N*
5 $ 11
- ,g }i
,? , ii f e O
'o I 1 1 .r v,
yi a
.f
- )
>f,f 5
s k e
I! !
ili j le- 5 ll ;;
E w
- t. =
./ ri.gl.p ;,,
.l)
= . O
/ le E
- g. I
/
-~~
1 It is important to note that due to the common air supply, the common mode failure potential (i.e., water / oil and high temperature *) which existed for the Unit 1 and 2 control rods, also existed for the SPSVs that actuate the backup scram valves. The backup valves are intended to provide a diverse scram capa-bility to protect against common mode failures.
The licensee's investigation found that the pilot solenoid valve for the scram l discharge volume vent and drain valves on Unit I had a polyurethane disc which I was also susceptible to the same type of failure. The solenoid pilot valves for.the vent and drain valves were also replaced with other pilot valves having '
Viton-A discs.**
The October 6, 1984, scram system degradation at Susquehanna was later to be reported to Congress as an abnormal occurrence (Ref. 28). The NRC staff con-cluded that the event involved a " major degradation of essential safety-related equipment," and demonstrated the plant's susceptibility to common mode failure. The failure caused a reduction in "the required ' extremely high probability' of shutting down the reactor in the event of an anticipated operational occurrence" (Ref. 28).
Another scram discharge volume (SDV) system component failure attribeted to '
contaminated air occurred at Susquehanna 1 on December 21, 1984 (Ref. 29).
During surveillance testing a solenoid air pilot valve which controls the SDV vent and drain line isolation valves malfunctioned as a result of particulate matter that was lodged between the pilot valvr. disc and the valve seat. As a i result the SDV vent and drain valves were stuck open. Since the reactor was at power. 'if the pilot valve had failed to fully seat after a scram, the potential for an unisolated primary leak outside containment would have signifi-cantly increased.
5.1.3.2 Dresden 3 During recovery from a reactor scram from El% power on September 19, 1985, Dresden 3 experienced a leak of reactor coolant outside primary containment.
The leakage path was through the scram outlet valves and the SDV vent and drain valves (Refs. 30,31,32).
After the reactor scrammed, the control room operators attempted to reset the reactorprotectionsystem(RPS). RPS channel A was successfully reset but
- The SPSVs for the backup scram valves are not normally subjected to tempera-tures as high as the scram inlet and outlet valve SPSVs. However, they are tested less frecuently than the scram inlet and. outlet valve SPSVs.
- The valve chosen was a larger size, made by another manufacturer. The original Unit I valve was undersized and the replacement made was the same as the one on Unit 2.
l 1
channel B could not be reset.* This channel configuration allowed SPSVs to vent air, resulting in reduced air header pressure. The reduced air header pressure (38 psig) was sufficient to allow the SDV vent and drain valves to open (opening pressure v 8 to 15 psig), but it was not sufficient to enable the scram inlet and outlet valves to reclose (m 42 psig required to close).
For approximately 23 minutes reactor coolant leaked outside primary containment into the reactor building. The high temperature reactor coolant flashed to steam, resultino in elevated radiation levels on the first three floors of the reactor building.
Subsequent scram system tests indicated that many of the SPSVs had degraded internal parts (e.g. , o-rings, diaphragms). Several SPSVs which had been re-cently refurbished, however, also leaked as a result of the half scram configuration.
A similar event had also occurred in 1972 at Dresden 2. An IE information notice (Ref. 33) was issued after the event to alert licensees of the potential for reactor coolant leakage at BWPs having two separate ASCO scram pilot air solenoid valves. This potential was not associated with plants having the ASCO "T" solenoid valves.
5.1.4 Power-0perated Relief Valves and Low Temperature Overpressurization Protection Systems 5.1.4.1 Ginna Tube Rupture Event On January 25, 1982, the Ginna nuclear power plant experienced a steam generator tube rupture and reactor trip from 100'4 power. Shortly after the reactor tripped, IA'inside containment was automatically isolated due to an actuation of the engineered safety features actuation system (ESFAS). As a result, control of numerous valves inside containment was lost [e.g., the chemical and volume control system (CVCS), charging and letdown line valves, the pressurizer spray valve and the auxiliary pressurizer spray valve]. The IA supply to the pressurizer PORVs was also isolated, although nitrogen (stored in !
backup accumulators) could be used to actuate the PORVs. Pecovery from the rupture was thereby significantly hampered by malfunctioning and inoperable air-operated valves (Ref. 5).
To facilitate recovery, the operatnrs reset safety injection. When the ESFAS was reset, IA and control of many of the air-operated valves inside containment was restored. The operators attempted to reduce primary system pressure by cycling one of the pressurizer PORVs after IA was restored. (The backup nitrogen system could have been used earlier while the IA system was isolated, but, as noted in Pef. 5, the IA system was the " preferred system for control-ling the pressurizer PORV. . ."). The PORV was successfully cycled three times within 2 minutes, but failed to reclose after the' fourth time it was opened.
- Channel B remained tripped because of stuck contacts on the reactor mode switch. However, a similar event could be initiated by a similar half scram caused by errors in maintenance or surveillance preceded by a full scram.
1
To terminate.the RCS blowdown (concurrent with the steam generator tube rupture), the operators closed its associated block valve. The operators eventually successfully shut the plant down. However, if the operators had failed to recognize that the PORV was stuck open, or if the block valve had malfunctioned, the operators' ability to bring the plant to a safe shutdown would have been seriously impacted.
Following the event, the licensee performed several tests on the POPV that had stuck open. It was shown in the tests that if the exhaust port were.to become blocked by debris, it would result in the PORV reopening (see Figure 4).
Prior to the event, the licensee had intentionally crimped the air discharge line in order to increase the PORV closure time for operation in the low temperature overpressurization (LTOP) mode. However, a review of. vendor installation and maintenance instructions conducted after the event found that restricting the exhaust lines was specifically prohibited. The vendor's instructions also indicated a need for a filtered air supply. However, no
" satellite filters" had been installed in the IA system prior to the event.
Subsequent to the event Westinghouse personnel performed modellirp which showed that the solenoid valve was operating in a " marginally operable" zone because of. the severely restricted discharge (crimped discharge line). Analysis also showed that in its marginally operable condition small changes in valve body temperature and small amounts of debris in the IA would tend to make the valve inoperable (Ref. 34).
Prior to returning to power, the licensee replaced the discharge line to remove the crimps, installed strainers upstream of the solenoid valves in accordance with the manufacturer's recommendations, and tested the new configuration to demonstrate that it met the POPV performance requirements.
5.1.4.2 Westinghouse PWR Low Temperature Overpressurizatior.s This section discusses several LTCP events which occurred at selected Westing- f house PWRs. A comprehensive study and listing of LTOP events is provided in '
Peference 35.
There have been many events at Westinghouse plants in which the loss of IA ;
resulted in an LTOP of the reactor coolant system (Refs. 36, 37 and 38).
Typically, in these events, the loss of IA resulted in closure of the letdown line isolation valves, the opening of valves in the charging line, and an in-crease in the charging pump speed (i.e., flow). One such event occurred at j Farley 2 on October 15, 1983.
The plant was " solid" (in preparation for startup). An operator inadvertently isolated the IA system. As a result, while the charging pump was on, the letdown line isolated (per design) and the throttle valve in the charging line
-opened to its full open position (per design). The RCS pressure increased and relieved through one RHR pump suction relief valve. The other RHP train's relief valve was unavailable. The RCS pressure rose to 700 psi which was in excess of the'FSAR's calculated value for an LTOP event (Ref 38).
i
_ )
V V0 R C3 P4 O PI V3 C3 P4 h e 6 cv 1 ot 5t SVa r
e y- ~ it r
u s
s
~ e r
h e P 5cv 1 ol 6l BVa V4 C3 P4
)
VCV1 R C
P 4P3O T1 A rL (
V 9 S 61 l
g .
8
- r k en ir o S S e T g/ /
s oe 8 Oe si fe u
el clv V9 1 Ctv r e S e S 6 S e PR AV 8 AV t
A "
! S ' "
A V
8 ((
v02 "
V 20 S 6 S 6 8 8 A
A e V6 S 6 1
/ V6 1
/
ir S 6 ir 8 8 t
n A t n A V
e t n
S ve V t
n e e m m u
r u
r ts ts I
n I n
N 7 f
( V
~ N y N y
lp N
p e #
up u S S
i Other IA failures have caused events at many plants in which the P0FV or LTOP protection system were degraded or made inoperable (Refs. 39,40,41). A review of these operating experiences has shown tnat human error, technical specification deficiencies and equipment failures can increase the likelihood of an air system-induced LTOP event, which can result in the 10 CFR 50 Appendix G limits being exceeded. A discussion of the causes of some of these ;
events is presented below: '
Maintenance, surveillance, or testing errors made during shutdown could negate LTOP protection features. As a result, features which are relied upon to limit primary system pressure may be rendered inoperable, thereby l
resulting in primary system pressurization in excess of Appendit G limits.
For example, an event occurred at Point Beach Unit 2 in which a human error associated with the IA and backup nitrogen control for PORVs pre-vented a PORV from operating to mitigate the pressurization event. The l POPV was blocked for 4 months because an IA valve had been left closed.
l The event was attributed to a procedural inadequacy in which the mainte-l nance personnel were not specifically instructed to reopen the valve after the maintenance was completed (Ref. 41).
As noted in an earlier study (Ref. 35), the technical specifications for many PWRs allow redundant PORVs which are relied upon for LTOP mitigation to be inoperehle for up to 7 days. Between 1980 and 1983, 37 LTOP events were reported in which one or both trains of the overpressure mitigation system were disabled. In 12 of the events, both trains were inoperable.
Essentic11y, the LTOP protectier system was prone to single failures.
Another FE0D study (Fef. 42) indicated additional technical specification inadequacies of LTOP protection systems.
Two LTOP events which occurred at Callaway (Pef. 43) were induced by air system
- problems. On a loss of air, the positive displacement charging pump went to full speed, accompanied by closure of the letdown line er.d full opening of the valves in the charging / makeup line. The LTOP mitigation system functioned properly (the PORV opened manually during one event, and operated automatically during the other event - both events taking place on the same day). However, ,
if one PORV had been out of service (as allowed by plant technical specifica-tiens for 7 days), and the other valve malfunctioned, a potentially serious event could have occurred, since the primary system was " solid."
5.1.5 Service Water and Component Coolipp Water Systems 5.1.5.1 Service Water System - Calvert Cliffs 1 and 2 On Fay 20, 1980, with the reactor operating at 100% power, an air compressor intercooler at Calvert Cliffs Unit 1 developed a leak which resulted in loss of the Unit 1 service water system (Refs. 44 and 45). Leakage of air into the service water system caused pump cavitation, which subsequently shut down both service water pumps. The loss of service water flow caused the feed pump turbine bearing and the main turbine bearing temperatures to increase. The operators responded by manually scramming the reactor.
___.___.-m__.__--____..m.--m_-. _____m_ ______.-_.
The Unit 1 instrument and plant air compressors also tripped on the loss of service water. The Unit 2 PA system then automatically supplied air to the Unit 1 IA and PA systems via the cross-connection line. With the Unit 2 com-pressors supplying air to both the Unit 1 and Unit 2 air systems, a reducticn in the Unit 2 air system pressure occurred. An attempt was made to prevert loss of the Unit 2 IA system by diverting a limited amount of Unit 2 service water to the Unit I air compressors. However, the operators received alarms indicating cavitation of the Unit 2 service water system pumps. The indicators included low service water header pressure and high head tank level. Those signals were similar to those previously received for the Unit I service water pumps when they cavitated. In order to avoid losing the Unit 2 service water system, the operators reclosed the valves in the cross-connect line. Foilowing this action, the Unit 2 service water system returned to normal.* If the operators had allowed the Unit 1 air compressors to be cooled by Unit 2 service water, this event might have resulted in the simultaneous loss of service water at both Units 1 and 2, in addition to a simultaneous loss of IA at Units 1 and 2.
Although the actual safety consequences of the May 20, 1980 event were limited, the event demonstrates the vulnerability of redundert safety-related systems in adjacent units to a single failure in the nonsafety-related air system. At Calvert Cliffs the service water system provides cooling to the emergency diesel generators, the containment air coolers, and the spent fuel pool heat exchangers.
A similar event occurred at Calvert Cliffs about 3 months later (Ref. 46).
During the latter event, a different tube leaked in the air compressor after-cooler, causing a flow of air into the service water system. The air which accumulated was vented and the service water system continued to operate satis-factorily. The licersee's planned corrective action was to change out the aftercooler tubirg.
5.1.5.2 Component Cooling Vater System - Calvert Cliffs 1 and 2 On October 22, 1981, plant personnel at Calvert Cliffs Unit I discovered that air-operated isolation valves on the component cooling water syster would fail open on a loss of air or electrical power, even though the fail safe position (plant safety analysis assumption) is to have them fail closed upon loss of air or electrical power (Refs. 47 and 48). Safety-related equipment served by the component cooling water system includes the shutdown cooling heat exchangers, the letdown heat exchanger, the reactor coolant pump seals, the HPSI pump seals, and the LPSI pump seals. Five years earlier, the licensee had issued facility change requests to modify the valves, but implementation of the requests had been delayed.
- Subsequent to shutdown of the Unit 1 air compressor IA continued to leak l through the intercooler into the Unit 2 service water system.
l
s r, ,
i After the deficiency was rediscovered o7 Unit 1, instrumentation and control (I&C) personnel were requested to evaluate the corresponding Unit 2 vcives and determine their failure positions. The ISC personnel examined the valves and reported that they would fail closed on a loss of cir or electrical power. The next day, the NRC resident inspector requested that the licensee reverify the Unit 2 valves' failure positions. It was then discovered that the Unit 2
' valves would also fail open (uncenservatively) on a loss of air or electrical power.
5.1.5.3 Salt Water Cooling System - San Onofre 1 On March 10, 1980, with the plant operating at 100% power, San Onofre Unit I sustained a total loss of salt water cooling for 58 minutes. Subsequent in-vestigations performed by the licensee concluded that desiccant contamination of the IA system was ona of the principal causes of the event. Desiccant par-ticles in the IA had acted as abrasives and degraded an 0-ring seal of an air-operated valve, thereby disabling one of the salt water cooling system's redundant trains. Later analyses (Ref. 2) indicated that under certain condi-tions (e.g., in the early stages of RHR operation), a total loss of the salt water cooling system could lead to damage to safety-related equipment in only a few minutes. Some of the safety-related equipment which ceuld be so affected are RHR heat exchangers, charging pump oil coolers, RHR pumps, spent fuel heat exchangers, and recirculation heat exchangers.
Fortunately, the March 10, 1980 loss of salt water cooling event (and four sub-sequent similar events at that plant) did not occur during the early stages of RHR operation. To improve the reliability of the salt water cooling system, the licensee removed its inter-dependency on the air system by replacing the air-operated valves with check valves and administratively centrolled motor-operated valves in series.
5.1.6 Main Steam Isolation and Feedwater Isolation Valves 5.1.6.1 Byron, Callaway. Summer and Vogtle During startup testing on March 14, 1985, the Byron 1 plant was intentionally tripped from 12% power as part of a loss of offsite power test (Ref. 49). With the loss of ac power, the station air compressor tripped, resulting in a grad-ual depressurization of the IA system. During the transient, a low steam line pressure signal occurred and two of the four main steam isolation valves (MSIVs) closed. One MSIV remained fully open, and the other closed only partially. Attempts to manually close the two valves were unsuccessful.
Operators eventually were able to close the valves with the assistance of air-powered hydraulic pumps after IA pressure was restored.
Each FSIV is provided with an accumulator bottle isolated from the MSIV by two check valves. The purpose of the check valve is to allow accumulator air to I provide motive power to the MSIV in the event of a loss of the IA system.
1
L F
Subsequent bench testing of spare valves and in-situ testing of valves which were installed in the plant revealed that 11 out of 19 air check valves associ-ated with the MSIV accumulator bottles would not close tightly on a gradual loss of-IA pressure (there are two air check valves per MSIV). However, testing showed that the valves would close properly for a rapid loss of If pressure.
HRC issued an information notice on this event to all U.S. nuclear power reactor facilities (Ref. 50). The information notice reported that many U.S.
plants are known to depend upon the same type of air check valve / actuators to close MSIVs and feedwater isolation valves (FWIVs) upon loss of IA. The list of known applications appears in Table 6.
Each MSIV at Byron and Braidwood has two check valves in the air supply line tn the valve actuators (Pef. 51). The failure of either check valve to seat pro-perly would result in the MSIV partially closing. The failure of both check valves would result in the VSIV remaining fully open.
Subsequent to determining the cause of the MSIV failures at Byron, and before finding a permanent solution, the licensee installed the eight check valves that had passed the in-situ and bench leakage tests (slow depressurization
. tests) in the plant. Following this tenporary corrective action, the licensee proceeded with startup' testing. The NRC agreed to this interim corrective action on the condition that the MSIVs' ability to close during a gradual air system depressurization be tested monthly. When the licensee performed the first n:onthly tests of the MSIVs, two of the eight check valves failed. Sub-sequently, the check valves were modified to assure closure upon a gradual loss of IA pressure.
Based upon information provided by the supplier, similar check valves have been replaced at other plants. Some of the affected plants had been operating with the check valve design deficiency prior to becoming aware of the problem. The Callaway plant FWIVs were also found to be subject to the same kind of check valve design deficiency. Until the deficiencies were corrected, the Callaway plant had an elevated probability for having both multiple MSIVs and FWIVs remain open during an operational transient or accident.
Byron 1 operated with the faulty air accumulator check valves at low power for about 1 month. Callaway operated with faulty accumulator check valves on the FSIVs and the FWIVs at full power for about half a year. During these periods, the plants were operating outside the bounds of the plant FSAR accident analysis assumptions (i.e., a main steamline break with multiple isolation valve failures could have resulted in offsite doses in excess of those presented in the FSAF).
The Summer and Vogtle plants have MSIVs of a different design which was not vulnerable to the aforementioned check valve failures. However, the FWIVs at these plants were provided with similar check valve / actuators that were subject to the aforementioned check valve failures. Although the main feedwater system
Table 6 Plants with Air Check Valves / Actuators Similar to Byron 1 Plant Application Byron 2 MSIV Braidwood 1, 2 MSIV Callaway MSIV, FWIV Wolf Creek MSIV, FWIV WNP 1 MSIV, FWIV WNP 3 MSIV Palo Verde 1, 2, 3 MSIV, FWIV Millstene 3 FWIV Summer FWIV Waterford 3 FWIV Vogtle 1, 2 FWIV is not a safety system, plant safety analyses take credit for FWIV closure.
For example, the Summer FSAR assumes that the FWIVs perform their safety function during the following events:
(1 Excess heat removal due to a feedwater system malfunction',
(? Major rupture of a main steam iine, and/or (3 Fajor rupture of a main feedwater line.
The Summer plant received notification of the air accumulator check valve prob-lem in Vay 1985-(Pef. 50). In September 1P85, a feedwater transient and IA system isolation occurred at 93% power at Summer. The event was accompanied by-an improperly seating check valve that prevented the FWIV from closing on derand.(Ref. 52). After the September event, new positive closing check velves were installed in the air supply line to the FWIVs.
5.1.6.2 Turkey Point 3 and 4 and H. B. Robinson ?
In February 1985, hPC inspectors found that MSTV surveillance testing at Turkey Point 3 and 4 had been performed in a manner that did not verify operability during accident conditions. Similar findings had been made earlier at H. B.
Robinson 2 in November 1984 (Ref. 53). The nonsafety-related (unqualified) air systems at all three plants'were being relied upon to assist MSIV closure.
This was contrary to the FSAR, which assumed that unqualified air systems were unavailable during the postulated accidents.
Subsequent analysis and testing was performed which showed that the.MSIVs would not close under certain accident conditions. The air accumulators alone did not have adequate capacity to assure MSIV closure for low steam flow conditions (i.e., a small steam line break). The Turkey Point 3 and 4 PSIVs are spring loaded and closure force is provided by air stored in accumulators mounted on
the valve assemblies, assisted by IA, and the steam flow (Ref. 54). The assisting force from the steam flow during a small steam line break would not be adequate to assure MSIV closure. Failure of the F.SIVs to close could result in an uncontrolled steam blowdown which could result in the loss of the steam generators as the secondary heat sink. In addition, the only " qualified" AFW pumps at Turkey Point 3 and 4 in February 1985 were steam driven. The occurrence of a loss of IA followed by a small steam line break could have jeopardized the ability of the AFW system to remove reactor decay heat to brina the plant to a safe shutdown. The licensee for Turkey Point determined that MSIV closure would be assured for a large steam line break, even without IA.
The licensee for Turkey Point issued a Part 21 notification and took several corrective actions. The actions included increasing the air accumulator volumes, developing procedures to require a plant shutdown on loss of the IA system, and installine a temporary backup diesel-driven air compressnr until the accumulator modifications were made.
H. B.' Robinson Unit 2 was also found to have a similar MSIV accumulator sizing deficiency. An interim corrective action proposed for H. B. Robinson Unit 2 was to provide redundant nitrogen bottles te back up the air accumulators.
Several additional plants were also suspected of having similar MSIV accumu-lator deficiencies. Those plants founo to require corrective actions were
'Haddam Neck and St. Lucie 1 and 2 (Fef. 55).
5.1.6.3 Brunswick On September 27, 1985, during surveillance testing at Brunswick 2 three pneu-natically operated MSIVs failed to fast close (Refs. 56, 57). Two of the valves that failed to fast close were on the same steam line. An investigation of the failures found that the MSIVs failed to close due to disc-to-seat sticking of the air actuator solenoid air pilot valves. The internal 0-rings on the solenoid valves were also found to be degraded. They were brittle, and several 0-rings were stuck to the valve body. Several solenoid valve discs came apart after becoming brittle. Pieces of one solenoid valve disc became wedged in the valve's exhaust port. One valve disc stuck to the exhaust port while another valve lost a piece of its disc.
A laboratory analysis of the three failed solenoid valves d m : %ed that a significant amount of hydrocarbon was present in the valves. The combination of hydrocarbons and elevated temperature caused the ethylene propylene discs to swell and fill the solenoid valves' exhaust ports. The swelling blocked the i discharge of air in the air actuator and increased the frictional force oppos-ing solenoid valve core movement. The IA system was believed to have been the source of the hydrocarbon contamination. (The valve manufacturer discounted the possibility that the hydrocarbons were introduced during the valve manu-facturing process.)
From a safety standpoint, a steam line break with two failed open MSIVs on the j same main steam line is an unanalyzed event. The plant's FSAP analysis of a
main steam line break accident takes credit for fast closure of at least one of the two MSIVs on each steam line. Closure of the MSIV limits the loss of reactor coolant and the release of radioactive materials outside containment.
Failure of both MSIVs on the same steam line would result in a more .evere accident than that analyzed in the FSAR.
Because of the susceptibility of the ethylene propylene solenoid valve parts to hydrocarbon contamination, the licensee replaced all of the solenoid valves with a type having Viton discs and seals. Viton has a higher tolerance to hydrocarbon contamination, but a lower threshold to radiation damage. Accord-ingly, the Viton parts must be changed out more frequently.
The September 27, 1985, PSIV failures at Brunswick 2 demonstrated that contami-nation of a "nonsafety-related" air system has the potential to cause multiple failures of safety-related components. The results of such failures could, in the event of an accident, result in conditions having consequences which exceed the plent's design basis. Specifically, the failure of three MSIVs to fast close during the event was a major degradation of essential safety-related equipment. Accordingly, the event was also reported to Congress as an abnormal occurrence. The abnormal occurrence report categorized the event as one which resulted in the " loss of plant capability to perform essential safety functions such that a potential release of radioactivity in excess of 10 CFR Part 100 guidelines could result from a postulated transient or accident" (Pef. 58).
5.1.7 Emergency Diesel Generators j 5.1.7.1 Air Starting System Nuclear plant emergency diesel generators (EDGs) typically have dedicated air start systems, consisting of high pressure compressors (*200-300 psig) and air receiver tanks. Some diesels are crank started by injecting high pressure starting air directly into the engines while others are started by motors which are driven by the starting air. Although the starting air compressors are not safety grade in many plants, the air receiver tanks and the piping downstream of the receivers are safety grade at all plants.
Fany events have been reported which involved a failure of an EDG to start as a result of poor starting system air cuality (e.g., dirt, moisture, corrosion, sticking of system components due to contaminants). Inadequate EDG starting system air quality is not a new problem. In the late 1970s, the NRC har' a con-tractor conduct a study of EDG operating experience (Ref. 59). The study presented many recommendations for improving EDG reliability. One of the recommendations was to upgrade the EDG starting air system to improve the quality of the starting air. Standard Review Plan 9.5.6 (Pef. 60) was formu-lated as a result of the aforementioned study. It requires new plants to meet i
- many of the study's recommendations by installing dryers in the EDG starting i
air system. However, the EDG starting air systems of older plants are not required to meet those air quality standards. l
)
l
5.1.7.2 Pneumatic Controls - Cooper-Bessemer, Nordberg The analysis and evaluation of operating data for this study revealed that several plants (e.g., Zion I and 2, and Cooper) have experienced unanticipated shutdowns of operating EDGs as a result of failures in the EDG pneumatic control system. EDGs designed and built by Cooper-Bessemer have pneumatic control systems which operate off the air starting system. Once started, the early' vintage Cooper-Bessemer EDGs (Zion 1 and 2, and Cooper Station) require air to continue to operate. The control logic for the newer Cooper-Bessemer EDGs* do not need air to continue to operate. They need air only for automatic shutdown.
Cooper-Bessemer technical personnel have stated that a continuous source of control air is required during operation of (the older model) Cooper-Bessemer EDGs. The older model units consume about 5 standard cubic feet of air per minute (Ref. 61). Since the EDG air start system is the source of the control air, and since the air start system compressors may not be seismically qualified, these older model EDGs may not be aveilable following an earthquake. The control air for the older model Cooper-Bessemer EDGs may therefore be limited towhatremainsinthereceivertankgsubsequenttostarting. Assuming an air start receiver volume of about 60 ft (Ref. 61), and a receiver pressure of about 15 atmospheres, neglecting the air consumed during starting, it is estimated that the receivers would have enough air to control the EDGs, for about 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. Upon receipt of low receiver pressure signals, the EDGs would shut down.
Discussions with NRC and utility personnel familiar with Cooper-Bessemer EDGs, revealed that they were not aware of this design arrange-ment and the potential for depleting the control air supply during continuous EDG operation. A limited review conducted for this study indicatt: that this control air dependency also exists at other plants having Nordberg EDGs which are also pneumatically controlled **. In order to assure continuous EDG operation *** at plants having the aforementioned pneumatic control systems, it may be necessary to assure that the EDGs have long term sources of oualified (safety grade) control air.
Discussions with personnel at the four affected stations revealed that the McGuire station EDG air system is safety grade and the supply of air to the EDG pneumatic control system is assured to operate subsequent to a seismic
- These EDGs are located at: Susquehanna 1 and 2; Palo Verde 1, 2, and 3; Byron 1 and 2; Braidwood 1 and 2; Waterford 3; South Texas; and Nine Mile Pt. 2.
- Minimum EDG fuel requirements are typically seven days of continuous full load operation.
_-_..--_.-__m_ u._ _ . _ _ _ _ _ _ . . _ -
event. However, as of March 1987 the licensees for the Zion, Cooper and Brunswick stations could not confirm that the EDG pneumatic control systems would continue to operate following a design basis seismic event.
5.1.7.3 Emergency Diesel Generator Cooling - Maine Yankee, Haddam Neck A recent study (see Appendix B) has identified design deficiencies at Maine Yankee and Haddam Neck. At each plant the teflure of a sinole air-operated control valve could result in the simultaneous failure of both of each plant's EDGs. The study concluded that the design deficiencies were not generic and appeared to be confined to those two plants (Ref. 62).
In the case of Haddam Neck (1985), air-operated control valves for the EDG cooling system (service water) were found to fail open in the event of a postu-lated loss of air. Similarly, a loss of ac power to the solenoid-cperated air-supply valve could also prevent proper operation of the EDG cooling system.
For Maine Yankee, it was found that the cooling water temperature control i valves to both EDGs (component cooline water system) had a common air supply. '
A' single failure (loss of air) would cause the temperature control valves for each EDG to close, resulting in a loss of cooling for both EDGs. The licensees took prompt corrective action to prevent the loss of multiple EDGs from the aforementioned single failures (air supply valves, loss of air, etc.).
5.1.8 Safety Injection Systems 5.1.8.1 Fort Calhoun On September 17, 1982, the Fort Calhoun licensee informed NRC of the results of its review of environmental qualification of electro-pneumatic (E/P) valve positioners (Ref. 63). The review found that failure of the "nonqualified" E/P valve positioners would result in an IA system leak. As a result, air-operated valves in the safety injection system would open and allow part of the safety injection flow to be diverted from the reactor coolant system during a postu-lated LOCA. The plant safety analyses had assumed that the safety injection flow would not be diverted.
The licensee's short term corrective action was to modify the plant's emergency procedures to require operators to monitor the positions of the air-operated valves, and take manual action to assure that the valves were closed during a postulated design basis LOCA. For the long term, the licensee comitted to redesign the valve actuation circuitry to assure that no safety injection flow would be diverted from the reactor following a postulated LOCA.
5.1.8.2 Point Beach 1 and 2 On July 24, 1985, the Point Beach licensee informed the NRC of a design defi-ciency which could result in the failure of the safety injection system at Point Beach 1 and 2 (Ref. 64). It was found that a loss of IA would result in closure of two air-operated valves in the recirculation (and test) line for the i
. _ - _ - _ _ _ _ _ _ _ _ _ _ _ _ _ - O
I l
safety injection system. The valves were designed to fail closed on a loss of electrical power or IA to assure isolation of the RWST from the containment l sump during the recirculation phase of a postulated LOCA. Initiation of a safety injection signal during a small break LOCA would cause the safety injec-tion pumps to start. As long as reactor pressure was above the safety injec-tion pump shutoff heed, injection would not take place, and the valve alignment would allow the safety injection pump discharge to return to the refueling water storage tank (PWST). A loss of IA, however, would cause the air-operated valves in the recirculation lines to close. Continued pump operation with the air-operated valves in the closed position could result in the pumps over-heating and could possibly cause the failure of both pumps. Valve closure would also occur from a failure of the air-operated valve control circuitry.
The licensee's immediate corrective action included modifying the manual hand-wheel operators or the air-operated valves to prevent the valves from closing following a loss of electrical power or IA, administratively controlling the position of the air-operated valves, and revising the plant emergency proce-dures. These actions reduced the potential for having an air system failure degrading the safety injection system. Administrative controls were also added to assure that the containment sump isolation valves would be kept closed until the RWST recirculation line was closed following a postulated LOCA.
The NRC issueo Information Notice 85-94, to address the loss of safety injec-tion pump minimum flow protection during a LOCA (Ref. 65). The information notice included details of the Point Beach design deficiency. In response to the recommendations of Information Notice 85-94, the H. B. Robinson 2 licensee found e similar design deficiency. The H. B. Robinson planc's deficiency was discovered on January 7, 1906 (Ref. 66). In order to prevent damage er failure to all three ECCS safety injection pumps, the H. B. Robinson licensee planned to install mechenical blocks to keep the recirculation line air-operated velves open in the event of a loss of IA.
5.1.9 Containment Isolation Valves - Grand Gulf 1 and 2 In May 1962, the NRC was informed by the Grand Gulf licensee that fail safe closure of the plant's air-operated containment isolation valves could not be assured under certain accident conditions. During preoperational testing, which was conducted in accordance with Regulatory Guide 1.80, the plant operating staff discovered that about 48 air-operated containment isolation valves did not close when the IA system was slowly depressurizing. Although the air-operated valves would not close during a slow bleeddown of the IA system, it was believed that the valves would close properly during a rapid air system depressurization. However, subseouent testing which simulated a rapid loss of IA also resulted in failure of the air-operated valves to go to their fail-safe positions. The plant safety analysis had taken credit for closure of the valves during plant transients and accidents. Accordingly, the licensee filed a 10 CFR 21 report (Ref. 67). The Part 21 report stated that the
" Instrument Air System" was not seismic Category 1; and that a line break
I l
l-causing a rapid loss of IA was a realistic concern. Had an IA line break occurred coincident with a postulated LOCA, then failure of the pneumatic valves to fail closed could have resulted.in a loss of drywell, containment or secondary containment integrity. The Part 21 report concluded that potential site accident doses could have exceeded the limits specified in 10 CFP Part 100. In response to the Part 21 report, the NPC issued Information flotice 82-25 (Ref. 68) to alert all nuclear facilities of the problem.
The actuators were designed to close the valves properly for a rapid. loss of air. Originally, the valve actuators.were to use spring-loaded closure mech-anisms. However,duetospacelimitations,thearchitectengineer(Bechtel) l modified the design to use pneumatic actuators for valve closure. The valve
- procurement specifications required the valves to go to specified positions in the event of a loss of IA however as is commonly done in practice, the specifications did not designate the rate of air system depressurization. The l
valve assembly (valve and actuator) procurement documents were in place the year before Regulatory Guide 1.80 was issued. Consequently, the procurement specifications did not require that the valve assemblies meet the testing requirements of the guide.
The pneumatic actuators for the containment isolation valves at Grand Gulf have air accumulators which supply air to the valve actuator cylinders. In the event of a gradual loss of air, the accumulators bleed down to the atmosphere rather than to the actuator cylinder (see Appendir C for the manufacturer's drawings and a description of pneumatic actuator operation). To correct the deficiency, the licensee added safety-related pressure switches to sense supply L
air pressure. Upon sensing low pressure, the switches de-energize the solenoid air pilot valves, causing the valves to close before air pressure drops below a level which is insufficient to fully close the valve.
Fore recently, the valve actuator manufacturer has indicated that several utilities have expressed a concern about this deficiency (Pef. 69). Hcwever, as of April 10, 1986, the manufacturer was not aware of any plants other than Grand Gulf and Turkey Point that had completed actuator modifications to assure valve closure on a gradual loss of IA. Information Notice 82-25 provides the NPC's generic response for this issue. The information notice is also based on the understanding that the actuator manufacturer had developed a rrodification which would correct the problem. However, a review of closecut information suggests that no confirmatory action correspondence was developed for this issue for any plants other than Grand Gulf I and 2.
5.1.10 Reactor Coolant Pump Seal Injection 5.1.10.1 B&W Generic In 1983, a B&W plant had an event in which there was inadequate seal injection flow to all four reactor coolant pumps (RCPs). The event was initiated by dirt which blocked and obstructed a pneumatically operated flow control valve (FCV).
Although information about that event is limited, our review of B&W plants found that all B&W 177 design plants have the same single failure vulnerability.
! The Oconee:3 PRA (Ref. 70) analyzed a similar event. . It found that failure of one air-operated FCV (3 HP-31) will cause a loss of seal injection to all four RCPs. Furthermore, a loss of RCP pump seal injection for as little as half an-seals and simultaneous seal hour leakage could resultfour from-all in common mode RCPs (Ref. damage 70). to the3 pump (and other BW plants), a At Oconee loss of the IA system would also cause a containment isolatten, a loss of component cooling water, and a loss of cooling of all four RCPs seals.
Prior to the TVI-2 accident, the NRC did not view a loss of RCP seal injection or RCP seal cooling to be a potentially serious event. More recently, the NRC has designated RCP seal integrity a high priority generic safety issue since the loss of seal cooling or injection could result in multiple small break LOCAs.
It is important to note that in many plants RCP seal leakage and/or failure is highl4 dependent upon the IA system and components which interact with the IA system. For example, at Oconee 3 it is necessary to restore RCF seal injection within half an hour after closure of air-operated FCV 3 HP-31, in order to prevent RCP seal damage. (Ref. 70)*
There is a bypass line around FCV 3 FP-31, but it requires entry into contain-ment to manually open a valve in the bypass line. More importantly, it is not certain that a failure of the air-operated flow control valve FCV 3 HP-31 would be detected and corrective action taken within 30 minutes to prevent RCP seal damage and subsequent seal leakace.
5.1.10.2 St. Lucie In April 1077, with the plant operating at full power, St. Lucie 1 experienced a failure of the containment IA compressor (Ref. 72). The backup compressor was successfully started, but discharged back through the failed compressor.
As a result of the loss of containment IA, air pressure dropped in the system causing a loss of control of all air-operated valves inside containment. Fany of the air-operated containment isolation valves drifted closed resulting in a loss of RCP seal cooling water. The plant was tripped and the RCPs were secured. Subsequent seal damage resulted.
After the event, the licensee installed a compressed gas cylinder (outside con-tainment). On a loss of containment IA, the gas cylinder can be connected to supply the appropriate air-operated containmer.t isolation valves to assure that )
RCP seal cooling is maintained. J
- Contrary to this reference, the plant emergency operatina procedures (Ref. 71) indicate that a loss of RCP seal cooling and seal injection will not result
)
in seal failure if the RCP is shut off.
i i
5.1.11 Reactor Cavity and Spent Fuel Pool Pneumatic Seal Failures
\
5.1.11.1 Haddam Neck On August 21, 1984, a gross failure of the refueling cavity seal occurred at the Haddam Neck Nuclear Power Plant, resulting in a rapid draindown of the refueling pool to the top of the open reactor vessel. Approximately 200,000 gallons of water drained from the refueling cavity to the reactor huilding floor in about 22 minutes. The water filled the reactor building sump and flooded the reactor building to a level of 18 inches.
The Haddam Neck event was caused by a desion deficiency of a pneumatic seal, rather than an air systeu malfunction. Nonetheless, other draindown events have occurred at other plants as a result of air system failures (e.g., ANO-2 in 1981, San Onofre 2 in 1984, Sequoyah 1 and 2 in 1985; those events are dis-cussed below).
Following the Haddam heck event, the NRC issued IE Bulletin 84-03 (Ref. 73),
requesting all owners of U.S. LWRs to perform evaluations to determine the susceptibility of their plants to failures similar to that which occurred at Haddam Neck. Licensees were to report their findings to the NRC, and to take action to assure that fuel uncovery during refueling remains an unlikely event at each plant.
At the time of the Haddam Neck event, no fuel was being moved in the refueling cavity. If a fuel assembly was being moved it could have been uncovered, resulting in very high radiation levels, and possibly elevated release of radioactivity outside secondary containment. If the fuel transfer canal had been open, the spent fuel pool could also have drained, possibly uncovering the top of the fuel stored in the spent fuel pool.
5.1.11.2 Susquehanna 1 and 2 In response to IE Bulletin 84-03, the licensee for Susquehanna evaluated the susceptibility of the Susquehanna plant to the type of event which occurred at Haddam Neck. The Susquehanna pneumatically-inflated seal design was very similar to that used at Haddam Neck. However, the Susquehanna plant used two seals in series while Haddam Neck used only one. Nonetheless, it was noted that due to a lack of testing, a failure of one of Susquehanna's redundant seals could go undetected, thereby increasing the likelihood that Susquehanna i would be susceptible to a major draining event like Haddam Neck's as a result l of a single additional seal failure (Ref. 74). I The review of Susquehanna also found that the redundant seals at Susquehanna are pressurized by a common IA line. A loss of air would therefore result in a common mode deflation failure of both seals which would defeat the dual seal redundancy. In addition, the licensee found that the air supplies to the reac-tor cavity seals and the air control valves were not adequately labeled.
l l
Inadequate labeling of the air supplies could increase the likelihood of an operator error that would cause the loss of both seals. Three air header isolation valves were also found inadequately marked. Inadvertent closure of the valves would isolate the reactor cavity seals from the air supply thereby affecting seal integrity.
The licensee calculated that reactor cavity seal failures could result in draining the spent fuel pool down to a level 5 inches above the fuel. The l calculation showed that with 5 inches of water above the fuel bundles, the I
radiation level caused by one irradiated fuel bundle would be 100,000 rem /hr at the water's surface. Furthermore, any irradiated fuel raised in the fuel handling equipment would be completely uncovered in the event of a draindown event.
The licensee determined that the instrumentation available to monitor spent fuel pool radiation was incapable of monitoring the high radiation levels which would result from the postulated fuel pool draindown event. In addition, the operators would not have any indication of pool water level or temperature.
Adequate knowledge of water level was considered essential for protecting the fuel from overheating and failing. The licensee also noted that there were no operating or emergency procedures for a reactor cavity seal failure, and that the lack of maintenance and testing procedures increased the likelihood of a seal failure (Ref. 74).
The licensee concluded that in the unlikely event of a reactor cavity seal failure, a rapid drop in the spent fuel pool level was a credible outcome and the consequences-would be severe. Water could quickly drain to a level at which unacceptably high radiation fields would result. The FSAR did not consider the consequences of such an event, The licensee concluded that, "a pneumatic seal design (single or double) used without a leak limiting device is highly susceptible to failure and may pose significant consequences for the operator and possible health and safety concerns for the general public." In response to the deficiencies found, the licensee implemented several changes to minimize the likelihood of a seal failure, and to improve the operator's ability to mitigate the consequences of such an event. ,
5.1.11.3 Rancho Seco Following their review in cf.nnection with IE Bulletin 84-03, the Rancho Seco I licensee informed the NRC ttat during certain conditions a single pneumatic f seal (spent fuel "stop log") is the only barrier between the drained fuel 1 transfer canal and the spent fuel pool. Subsequently, nitrogen bottles were provided as a backup pneumatic source to prevent seal bladder depressurization (Ref. 75). To minimize the vulnerability, the licensee is planning to modify the air supply to the stop log by replacing a flexible hose 1 in the IA supply line with a permanent pipe.
.)
5.1.11.4 Arkansas Nuclear One Unit-2 On May 15. 1981, while the ANO-2 reactor was in Mode 6 and core alterations were in progress, the IA system was temporarily isolated so that modifications could be made to the system (see Figure 5). When the air system was isolated the spent fuel pool " tilt pit" gate seal air pressure began to drop. The drop in the pressure resulted in a loss of seal integrity, and a leak peth was established between the fuel pool and the containment building (Ref. 76). The spent fuel pool water level dropped approximately 5 feet in a period of 40 minutes (Ref. 77). The minimum level was 21 feet, which is about 2 feet less than the minimum level allowed by the plant technical specifications. To terminate the event the IA system was unisolated, restoring pneumatic seal integrity. Borated water was also added to the spent fuel pool to restore level.
One week after the draindown event, while the reactor was shut down (in Mode 5), the licensee completed an analysis of a postulated loss of IA to the spent fuel pool, gate seal. The analysis concluded that a longer duration loss i of IA similar to the one which had occurred on May 15, could have resulted in ;
the fuel pool draindown to a level near the top of the upper end fittings of ;
the spent fuel assemblies (Ref. 78). As a result of the May 15 event, and the subsequent analysis the licensee implemented administrative controls to prevent a significant reduction in spent fuel pool water level in the ever.t of a loss of IA.
5.1.11.5 San Onofre 2 On October 2, 1984, San Onofre 2 was operating at full power when a grid dis-turbance caused a trip of the service air compressor. The backup compressor failed to start, causing the service air pressure to decrease. With air pres-sure reduced, the pneumatic seals between the spent fuel pool and the spent fuel shipping container pit collapsed, and water drained from the spent fuel pool through the seals into the pit. The pneumatic seals were reinflated upon restoration of the service air compressor 37 minutes later. As a result seal integrity was restored, and the leakage was stcpped. During the time that the service air system was lost, 20,000 gallons of water were drained from the spent fuel pool.
The water level in the spent fuel pool fell about 1-2/3 ft, but it remained above the minimum level required by the plant technical specifications. During this event no irrediated fuel was in the spent fuel pool. Nonetheless, a fail-ure to restore service air would have resulted in a continued draindown of water to a level below the top of the fuel normally stored in the pool.
The licensee's followup review determined that failure of the service air system was not considered in the seal system design. As a result, a design change was implemented to provide redundant compressed gas cylinders and low seal pressure alarms to assure seal integrity upon loss of the service air system (Ref 79).
Il I ! -
j
.i ::"uT::
j Sy,E,7 O '
I i / _
l '/ - .
. .L _ _ __j: ( ,
m
, , .-, , g CASK I TILT bd GATE T l PLAN VIEW PIT SEAL Y
TO REACTOR BUILDING FUEL I GE xt :
1 .
a
'O'
~Ew S/fa' faS -
, Gg '
c^Ss
\ .
, ./- _
m, i
, L,
("" . .
7 .
l
/ .
Y$
l SPENT l CASW
! #eS i is" i / !'
VR I
. I TILT /
PIT bb ELEVATibN VIEW FIGURE 5 ANO-2 SPENT FUEL POOL
45 -
5.1.11.6 Sequoyah 1 and 2 On December 18, 1985, with Sequoyah I and 2 in cold shutdown, the station air supply was lost (Pef. 80). Air pressure dropped, causing the pneumatic gaskets t on the door connecting the spent fuel pool to the transfer. canal to begin to leak. The operators restored the air supply within 36 minutes. During that time, the water level in the spent fuel pool decreased to approximately 21 feet above the top of the irradiated fuel, which is 2 feet below the minimum allow-able technical specification water level.
5.2 Foreign Reactor Experience i
Although not within the stated scope of this study, there have been numerous I events at foreign reactors which were caused by air system degradation and i failures. The following is a brief summary of a few of the most significant reported foreign events.
1 5.2.1 Loss of Containment Integrity A pressure regulator failure cut off the air supply to seals on the personnel airlock in the reactor building at a foreign PWR. The loss of air resulted in a common mode failure of redundant latch seals. The loss of compressed air causeda45-minutelossofcontainmentigtegrity. Since radioactivity levels were low, the release of about 35,000 ft of containment air.resulted in nep-ligible radiological consequences. Had the event occurred subsequent to a LOCA, the radiological consequences would have been significantly increased.
Analysis of the event showed that even though the containment air lock door seals were intended to be single failure proof, certain single failures of the air supply could cause a simultaneous loss of integrity to the redundant door seals.
5.2.2 Loss of Fuel Pool Inventory During a refueling outage at a foreign PWR, an operator inadvertently isolated the air supply for the pneumatic seals of the hatch between the fuel pool and the fuel transfer canal. The pneumatic seal deflated, causing a draindown of water from the fuel pool. An analysis of the event showed that, had rapid air system recovery not occurred, high radiation levels would have prevented access to the fuel pool area. One of the contributors to the event was that portions of the air system serving the fuel pool pneumatic seals had been modified, but had not undergone post-modification testing.
5.2.3 Low Reactor Coolant System level A break in a 1/2-inch air line occurred at a foreign two-unit BWR station and resulted in low control rod air header pressure at both units. A low rod drive pressure alarm sounded in the control room. The main feedwater control valves closed and reactor vessel level could not be controlled. Manual actions were taken to control reactor level. The reactor was automatically scrammed when '
the reactor low level relays were deenergized. To prevent recurrence of this event, the licensee installed isolation valves in the air systems.
l 1
l l 6.0 ANALYSIS AND EVALUATION OF OPERATIONAL EXPEPIENCE 6.1 Failures of Safety and Safety-Related Systems In this section of the report, we present the results of our analysis of 29 failures of safety systems which were presented in Chapter 5. Those 29 events were chosen to show the wide variety of safety systems that could be impaired by faulty air systems or failure of air-operated equipment. Those events l illustrate the potential seriousness of air system failures and failures of air-operated equipment.
Many of those 29 events had multiple causes. For example, the loss of primary system pressure control during the Ginna steam generator tube rupture event had three causes:
(1) Design deficiency - the licensee did not install satellite filters in the air supply immediately upstream of the PORV actuators.
(2) Human error - contrary to the manufacturer's recommendations, plant per-sonnel crimped the air discharge lines downstream of the PORV actuators.
(3) Air system contamination - dirt in the air system plugged the crimped air discharge line.
Our analysis of the 29 safety system failures which were presented in Chapter 5 revealed the following:
Twenty-four (83%) of those failures are attributed to design deficiencies, such as: inadequately sized air dryers, improperly located air receiver tank outlets, improperly selected materials (0-rings, seals, gaskets not compatible with IA system contaminants), inability of equipment to function properly or fail safely during partial or gradual loss of air events, inadequately sized filters, lack of satellite filters contrary to eouipment manufacturer's recommendations, failure to recognize single failure vul-nerability to loss of air.
Seven (24%) of these events involved operator errors, or operations and maintenance deficiencies, such as: inadvertent isolation of air lines, bypassing air dryers, failing to conduct perioFc maintenance on air dryers and filters, crimping of air lines.
Fifteen (52%) of those events involved: gross loss of air, or gradual air system depressurization caused by component or line failures.
Ten (34%) of those events involved contaminated air. The contaminants being water, corrosion products resulting from water, dirt, desiccant or oil.
For older plants, built prior to invoking the standard review plan (SRP), the NRC has categorized air systems as nonsafety systems that are assumed to fail
87 -
in a safe manner during plant transients and accidents. As reported in Chapter 5 of this report, the assumptions that air systems will fail in a safe manner and will not have adverse affects on plant safety are not always correct. For non-SRP plants, the only NRC requirements for air system quality and operability involve startup testing as outlined in Regulatory Guides 1.80, and in a few cases, 1.68.3. Subsequent to initial startup, or subsequent to major modifica-tions to the IA system, the older plants do not appear to be required to maintain or verify the quality of their IA systems. It should be noted that ANSI /ISA S7.3-1975 is mentioned in Regulatory Guide 1.68.3; however, there are no specific requirements for plants to meet the ANSI /ISA or similar air quality standards requirements once preoperational testing is completed. Furthermore, many plants are not bound by Regulatory Guide 1.68.3 (which was implemented in 1982). As noted in Section 5.1.2.1, Turkey Point 3 and 4 operated many years with filters which would allow particles in excess of the maximum particle size which could plug up the seismically cualified, safety-related, I/P converters that regulate AFK flow to both units.
At many plants the priority given for repairina air system components is low, and as a result, component or system redundancy is frequently lost. For example, the licensee for H. B. Robinson 2 has concluded that significant gains in air system availability (and overall plant availability) could be achieved by assigning a high priority to air system maintenance and repair operations (Pefs. 81 and 82).
Pany plants operate with high moisture content in the air system, and routinely drain out water from the air lines. There have been many cases where malfunc-tioning air dryers were bypassed for long periods of time. For example, shortly after Turkey Point 3 and 4 sustained significant problems from degraded air systems in 1985, Turkey Point management committed to improve the plant air quality. Nonetheless, shortly after making that commitment, Turkey Point 4 operated the IA system completely bypassing the air dryers (Pef. 23).
Plant personnel are generally unaware of the potential for simultaneous or common rode failures of redundant safety-related equipment which can result from contaminated air systems. There have been many events in which safety equipment was impaired by air system degradation. Credible common mode failures could result from contaminants in the air system and could lead to more severe events than those that had been experienced.
Plant emergency procedures frequently are not complete, and do not alert opera-tors to anticipated equipment failure modes subsequent to a loss of air. j 6.2 Reactor Transients and Safety System Degradations i 6.2.1 Trends and Patterns Analyses The NRC's Office for Analysis and Evaluation of Operational Data (AE0D) has analyzed the trends and patterns of unplanned trips at U.S. LWPs in 1984 ,
i l
I l
l I
i
______ _________-_ _-__ _ ____ _ ____ _ a
(Ref. 83). The study utilized Licensee Event Reports (LERs) for the source of information about the reactor trips. The level of technical detail contained
-in the LERs, and accordingly in the study, was such that many events which were caused by degraded air systems were not categorized as such. For example, reactor trips which were initiated by sluggish feedwater regulator valves were categorized as " valve" initiated feedwater transients. Powever, if the valve was sluggish because of contaminants in the IA system, but was not identified as such in the LER, air system contamination would not be listed in the study as the cause of the. trip.
The AE0D study cites only four reactor trips in 1984 as having been caused by air system problems. The four events involved major air system failures (e.g., air line ruptures or. separation of air line fittings). A more recent AEOD analysis of 1985 reactor trip data focuses.on the underlying or root causes, such as transients which are induced by degraded air systems (Ref. 84). The 1985 data indicate that, similar to 1984 ' data, gross air systems failures (com-pressor failures, air line breaks. etc.) account for only about 1% of the reported reactor trips. However, an estimate based on the 1985 data suggests that degraded air systems were responsible for approximately 5% of 1985's reactor trips.
6.2.2 Reactor Trip Analyses The NRC's Office cf Inspection and Enforcement (IE) has studied forced shutdowns induced by IA system failures. In two of these studies, it was concluded that between 1977 and 1985, gross air system failures (air line rupture, compressor failure, etc.) accounted for approximately 1% of all plant forced shutdowns (Refs. 85 and 86). The data presented in these reports, however, do not include trips which were caused by degraded air systems, but do include information from 10 CFP 50.72 reports, 10 CFR 50.73 reports (LERs), regional daily reports, NRC " gray books," regional inspection reports and Phs.
These studies evaluated the risks associated with IA system failures and the '
likely costs and benefits associated with specific corrective actions. Based upon review of the Browns Ferry and Calvert Cliffs Integrated Reliability )
Evaluation Progran (IREP) studies (Refs. 87 and 88), it was concluded that the J risk due to gross IA system failures constitutes about one half of one percent of all core melt risk. For PWPs, the analysis assumed that transients which were caused by gross IA system failures constituted 10% of the PWR power con-version system (PCS) failures. Therefore, it was assumed that the PWR risk from air systems was limited to 10% of the risk attributed to PCS failures at Calvert Cliffs. Similarly, for BWPs, References 85 and 86 assumed that gross
~
IA systems failures caused 5% of all BWR PCS failures. Therefore, these studies assumed that the BWR risk from air systems was limited to 57 of the risk attri-buted to PCS failures at Browns Ferry. Those analyses did not take into account safety system failures due to degraded air systems and design deficiencies such as those described in Section 5.1 of this report.
l 1
i >>
., 1 The IE reactor trip studies show that, based on downtime alone, there appears j to be a significant financial incentive to improve air system reliability. This conclusion was based only on gross air system failures, and did not consider failures induced by degraded air systems. The quantitative results from IE's ;
first forced shutdown report (Ref. 85) are presented in Table 7. As noted in I the IE reactor trip studies, the aforementioned benefits did not take credit for risk avoidance from other accident sequences induced by degraded air systems.
Table 7 Benefits of Improving Instrument Air Systems
- l Avoidable public Total industry Plant Estimate dose (person-rem benefit (millions Type Category reactor-year) of dollars)**
PWRs high 71 88 best estimate 14.2 18 low 3.55 4.4 I
high BWRs 50 40 best estimate 10 7.5 low 2.5 2.0
- Based upon halving the frequency of air system losses by strengthening administrative procedures for maintenance and operation of air systems at a cost of $50,000/ plant-year - cost per shutdown = $500,000; frequency = .2 shutdowns per reactor-year.
- Based on $1,000/ person-rem 6.2.3 H. B. Robinson Study In 1983, the licensee for H. B. Robinson 2 assessed the reliability of the plant's IA system (Refs. 81 and 82). The licensee concluded that, although l the plant had a better reliability record than industry averages, it would be cost-effective and beneficial to plant safety to upgrade the IA system. The main benefit would be a reduction in the number of plant trips and a higher unit availability.
l The licensee's analysis found that implementation of several relatively inex-pensive improvements involving air system hardware, procedures, and mainten-ance practices, would increase system reliability and reduce risk. In addition:
A major finding of this study is the degree to which the IA system has safety ramifications even though it is classified as a nonsafety system in the HBR Final Safety Analysis Report. The system supplies air to eleven safety systems and eleven nonsafety systems. Loss of instrument air pressure and flow would make unavailable many air-
operated valves and other plant instrumentation. Although not speci-fically required to allow safety shutdown as defined in the FSAR and
. federal regulations, recovery from the ensuing transient without air-operated components would be an extremely difficult challenge to the ;
operators. Post safety related components will fail in the ' safe'- i position; however, these components are nevertheless unavailable if the operator needs or wishes to operate them. It should be noted that poor instrument air quality (i.e., excessive moisture, oil, or particulate) can cause components to fail in an unsafe position as documented in several of the LERs... Nonsafety-related equipment, ;
which may be needed for backups, may be lost entirely. Due to the i extent of plant equipment failures, the loss of instrumentation, and the transients induced by loss of instrument air, operator response to such situations would be severely impaired and the probability of damage and off-site releases-would increase significantly. (Ref. 82.) ;
)
A listing of the safety systems that interface with the IA system at ;
H. B. Robinson are listed in Table 8. A significant hardware modifica- l tion that was proposed was to power the primary" air system off the emergency bus. In addition, it was believed that a very significant gain in l system reliability would be achieved by assigning a higher priority to i maintenance and repairs of the IA system. ]
Table 8 Safety Systems that Interface with the Instrument Air System at H. B. Robinson (Ref. 81)
Auxiliary Feedwater Safety Injection !
Residual Heat Removal Emergency Diesel Generator Pain Steam i Reactor Coolant !
Chemical Volume Control Component Cooling Service Water ;
Penetration Pressurization l Fire and Makeup Water l
6.3 Patterns Observed Pegarding Failures of Air-Operated Components 6.3.1 Component Contamination Water and particulate contamination appear to be the most frequently observed l IA system problems, even though water and particulate contamination are easily corrected with simple hardware modifications and periodic maintenance. A pattern l
l l
of progressively degrading IA systems that has been observed at many plants follows:
Initial licensee responses to the component malfunctions were limited.
Usually the licensee would clean, repair, or replace the malfunctioning component without recognizing the root cause.
The licensees would frecuently drain or blow down air lines near the com-ponents which had the water or particles which caused the malfunction.
They also performed maintenance on the IA dryers and filters. However, on many occasions, they did not recognize the root causes of the failures (root causes being undersized air drying equipment, improperly sized filters, inadequately maintained desiccant stacks, filters, etc.). At many plants, the maintenance and operations staffs accept major water accumulations in the IA system as normal occurrences. At those plants, blowdown and draining accumulated water in the IA system are performed routinely on a daily or even per shift basis, and IA system dewpoint monitoring is virtually nonexistent. After cleaning, fixing, or repairing the malfunctioning component, continued operation with poor cuelity IA eventually led to additional failures of air-operated equipment. At many plants, the root cause of the IA system contamination was not fixed until they experienced excessive numbers of component failures, excessive amounts of down-time, or failure of safety-related equipment. Some plants that experienced repetitive failures of air-operated equipment which resulted from widespread IA I system contamination as described above are:
Indian Point 1 (oil)
Rancho Seco (water)
San Onofre 1 (desiccant)*
ANO-2 (desiccant)
Indian Point 2 (water)
Turkey. Point 3, 4 (water and rust)*
Duane Arnold (desiccant)
Zion 1, 2 (oil)
Maine Yankee (desiccant)
Operating for long periods of time with degraded IA systems increases the likelihood for common mode failures which would cause failures of multiple trains of safety systems (as described in Section 5.1 of this report).
It appears that virtually all failures of air-operated equipment which were caused by contaminants in the IA system (Appendix A and Section 5.1) could have been prevented if the IA systems were designed and maintained to meet
- The extensive clean up that was necessary after operating many years with degraded air systems at San Onofre 1 and Turkey Point are described in References 2 and 18.
industry standards (ANSI /ISA-57.3). However, most plants do not have aggressive 1 (or any) programs to monitor and maintain air quality to meet industry standards.
6.3.2 Accumulator Failures Safety-related air-operated equipment which are required to function during transients or accidents are usually supplied with air or nitrogen backup accumulators. The designs of such accumulators have frequently been found to be deficient. For example, accumulator sizing and procedures for the use of accumulators have been found to be inadequate for the reovired applications.
Also, accumulator check valves have not been tested frequently (or at all), and accumulator pressures are not necessarily monitored or alarmed. Many plants i have experienced undetected accumulator bleed off which resulted from excessive I check valve leakage. There have been many instances in which the piping or tubing connecting seismically qualified accumulators to seismically qualified safety-related equipment was not supported adequately to assure that it could survive the seismic events for which the accumulators were installed.
IE inspectors have found instances in which accumulators have been installed in accordance with NRC requirements (TMI Lessons Learned) but have never been tested to verify their adequacy (e.g., Turkey Point-discussed in Section 5.1.2.1 of this report, Ft. Calhoun - Ref. 89 and Oconee 1, 2, 3 - Pef. 90). Similarly, IE inspectors found that air accumulators at Palisades have not been periodically tested to verify their operability (Ref. 91).
6.3.3 Individual Component Failures Resulting in Loss of Air System Events In view of the fact that IA systems are generally not designated as safety systems, it is not surprising that failures of single air system components (e.g., IA distribution system piping, air dryers, air filters, interconnected air compressors) frequently cause a total loss of the IA system.* In addition, loss of ac power or compressor cooling water have resulted in loss of the IA system at many plants. The data analyses of Section 6.2 and the failure data of Appendix A highlight the fact that the loss of IA is a commonly occurring event, similar to events such as loss of offsite power, that the operating staff at each nuclear power plant should be able to cope with.
Reviews of plant procedures indicated that many plants do not provide adeouate training for loss of air system events--both rapid and slow bleeddown events. In addition, it is important to recognize that recovery from a loss of IA can become complex since a loss of IA can initiate several simultaneous transients. For example, review of Rancho Seco's emergency operating procedures (Ref. 92) shows that a loss of IA at Rancho Seco would simultaneously cause the following transients:
- 0peration and maintenance staff errors have also resulted in many loss of IA system events.
Loss of Control Rod Drive Cooling Loss of Reactor Ceolant Makeup / Letdown Reactor Coolant Pump / Motor Emergency Loss of Steam Generator Feed Control The Rancho Seco erergency procedures do indicate the response of many important components to a loss of IA. However, the emergency procedures for many plants i
do not provide the operators with such information. In fact, the emergency pro-cedures at some plants simply tell operators to restore the air system without providing information on anticipated equipment failures and failure modes.
l 6.4 Risk Assessments This section contains information which was obtained from three selected risk assessments to highlight the importance of air systems.
6.4.1 Calvert Cliffs As part of NRC's resolution program for Unresolved Safety Issue (USI A-45),
" Shutdown Decay Heat Removal Requirements," Sandia Laboratories assessed the potential benefits of requiring safety-grade cold shutdown systems (Ref. 93).
The Sandia study included assessments of the core melt potential associated with losing decay heat removal capability at the Calvert Cliffs nuclear power plant.
The study found that loss of IA is a major contributor to core melt at Calvert Cliffs because of the inability to open an air-operated injection valve on the auxiliary pressurizer spray system (APSS) on a loss of air. Other air-operated equipment at Calvert Cliffs also were found to contribute to risk, but the air-operated APSS injection valve failure was determined to be one of the most significant contributors. The failure of the unqualified IA supply subsequent to loss of offsite power or an eart contributor to a core melt with a frequency of between 4 x 10~/yr hquake and 9isx a 10majog/yr.Following an earthquake or a loss of offsite power, the APSS is required to operate to depressurize the primary system to the point where the shutdown cooling system (RHP) can be operated to bring the plant to cold shutdown. If the APSS fails and cannot be restored, core melt will result. Because the APSS was found to be an important contributor to the core melt risk, the Los Alamos National Laboratory was re-quested to perform independent calculations of the plant response. The Los Alamos calculations confirmed the importance of the APSS (Ref. 94).
6.4.2 Oconee Unit 3 A probablistic risk assessment (PRA) for Oconee 3 is presented in NSAC-60 (Ref. 70). The PRA found that even though the compressed air system (i.e..
IA and SA) was not designated a safety system, its failure had a significant effect on many accident sequences that could lead to core melt. At Oconee 3, the compressed air system interfaces with the main feedwater and emergency
1 feedwater systems, the RCP seal conling flow control, the high pressure injec-tion pumps, the service water control system, the decay heat coolers and many )
control room instruments.
To support the NRC's review of the Oconee 3 PRA, the Brookhaven National Labora-tory (BNL) performed a detailed review of the Oconee 3 PRA core damage sequence j analyses. BNL's review (Ref. 95) found that the values chosen in the Oconee PRA were non-conservative with regard to the IA system. Based on interviews with plant personnel, and operating experience reviews, the Brookhaven study concluded that the loss of IA was the dominant contributor to core damage fre-quency. The effects of the compressed air system upon core melt frequency are shown in Table 9.
Table 9 Core Melt Frequency Attributed to Compressed Air System Failures at Oconee 3*
i Percent of Frequency transients Percent of all Source (1/yr) with scram transients 4
Original Oconee 3 PRA 3.2x10 11 6 Brookhaven Review 3.1x10 49 33 l
-core melt with a frequency of 3.1 x 10~g/yr.*e.g. The Brookhaven This represents 33% of study found.that the core melt ars l
I frequency of all transients considered.
l 6.4.3 NRC Pressurized Thermal Shock Program To assist in the resolution of the pressurized thermal shock (PTS) issue (Unre-solved Safety Issue A-49), ORNL evaluated the potential for PTS events at several PWRs. Their evaluations of PTS at Calvert Cliffs 1 (Ref. 96) and H. B. Pobinson 2 (Pef. 97) indicate that air system failures could initiate severe PTS events.
For example, for Calvert Cliffs 1 the ORNL study noted that:
~
i A passive failure of the main instrument air header results in the l freezing of the MFW control valves in position (open) and in the iso-lation of the cooling water flow to the RCP seals. Failure of the operator to trip the RCPs could result in a coupled MFW overfeed of both SGs and an eventual small LOCA.
1 i Similarly, for H. B. Robinson 2, ORNL identified the loss of IA as a potential concern with respect to PTS. The loss of IA would present a PTS concern because '
of the resultant loss of control of AFW flow and charging flow.
L 7.0 FINDINGS 7.1 Root Causes of Air Systems Problems The root causes of most air systems problems are traceable to design and management deficiencies. The design deficiencies appear to reflect a lack of sufficient regulatory requirements and review, end the view by many applicants and licensees that air systems are not highly important to plant safety. The specific deficiencies we found are:
(1) Fismatched equipment - the air quality capability of the IA system filters and dryers do not always match the design requirements of the equipment using the air (particulate size, moisture content, oil. content, etc.).
(2) Maintenance of IA syst' ems is not always performed in accordance with the air dryer and air filter manufacturer's recommendations (e.g.
inadequate frecuency of filter and desiccant stack changeout).
(3) Air quality is not usually monitored periodically to assure that the It system dryers and filters are working procerly.
(4) Plant operations and maintenance personnel frequently do not understand the potential consequences of degraded air systems. They are often unaware of the potential for simultaneous or common mode failures of redundant safety-related equipment which rely upon air systems.
(5) In many plants, operators are not well trained to respond to losses of IA, and the emergency operating procedures for such events are frequently inadequate.
(6) At many plants, the response of key equipment to a loss of IA (slow and rapid losses of IA) has not been verified as consistent with the FSARs.
(7) Inspections of several plants found that safety-related backup accumulators do not undergo surveillance testing or monitoring to confirm their readiness to perform their function when needed.
(8) The size and the seismic capability of safety-related backup accumulators (including connecting piping) at several plants have been found to be inadequate.
7.2 Consequences of Air Systems Problems (1) Failures of significant safety systems have resulted from plant eperations with degraded IA systems. Transients and accidents which can be caused by or exacerbated by such failures including common mode failures, are not always analyzed in plant licensing analyses. The consequences of such events could be more severe than those predicted by present FSAR analyses.
(2) Operational events have shown that a loss of the IA system by itself or the loss of the IA system accompanying another transient can be difficult to mitigate if emergency procedures and operator training do not include adequate information on equipment failure modes and equipment availability.
(3) Losses of shared IA systems at multi-plant stations have resulted in simultaneous transients. The recovery from some of those events has been complex.
7.3 Risks (1) ' Degraded IA systems can account for a very significant portion of overall
. risk (accounting for as much as 33% of the core melt frequency of all transients at one plant). Many existing analyses have not accounted for the effect of common mode IA system failures caused by degraded air.
(2) Traditional PRAs, which do not account for the effects of air system degradation and/or common mode failure of air operated safety-related equipment, may greatly underestimate the risks from the failure and degradation of IA systems.
l-L__-______--____-_--____--__-_-____ - - _ _ - _ - - _ _ _ _ _ _ _ _ - _ _ _ _ _ - _ _ _ _ _ - _ _ _ _ _ _ _ _ _ _ _ _ _ - - - _ _ _ _ _ _ _ -
~ 57 -
8.0 CONCLUSION
S We view the multitude of events in which safety systems have been adversely affected by degraded or malfunctioning air systems as important precursor events. They indicate that further attention and actions are necessary to assure that air systems are maintained and operated at levels which will enable plant equipment to function as designed, and to identify and eliminate unanalyzed failure modes possibly resulting in serious consequences.
Operational data has shown that simply addressing symptoms of air degradation without correcting the root causes is ineffective. Our primary concern with air system degradation is the potential for common mode failures that could result in the simultaneous loss of safety systems required to mitigate transients and to bring the plant to safe and stable conditions. Some safety systems that have been disabled or degraded by air system problems are:
. Auxiliary feedwater system
. Main steam isolation systems
. Emergency AC power systems
. Safety injection systems
. Containment isolation systems Failures of such equipment during postulated transients or accidents are not predicted in plant safety analyses (FSARs) as a result of disabled or degraded air systems. Consequently, some plants with significant IA system degradation may be operating or may have operated with much higher risk than previously estimated (for examples, see section 6.3.1).
Because many plants do not have specific license requirements prohibiting operation with degraded IA systems, high confidence does not exist that all plants will voluntarily take corrective action to avoid plant operation with degraded air systems in the absence of a serious event.
9.0 RECOMMENDATIONS As noted previously, we believe that further attention and actions are necessary tc assure that the plant air systems receive the emphasis warranted by their contribution to predictable and safe operation. Thus, we recommend the following actions be initiated either by the industry or the regulatory process.
(1) Licensees should ensure that air system ouality is consistent with equipment specifications and is periodically monitored and tested.
Licensees should verify (and periodically monitor) that their plants' air system quality is within the specifications of the manufacturers of all pneumatic equipment that is either safety-related or relied upon to perform a safety function (such as the equipment discussed in Section 5.1 of this report) er analysis should be performed to assure that no unacceptable effects will result from the most unfavorable credible failure of the pneumatic ecuipment. If the air system Quality does not meet the pneumatic equipment manufacturer's requirements, either the air system should be modified to assure that those requirements are met, or the pneumatic equipment should lie replaced with equipment that can perform the required function with the existing air system.
(2) Anticipated transient and system recovery procedures and related training for loss of air systems should be reviewed for adequacy and revised as necessary.
(a) Operating experience has shown that the loss of air systems can cause equipment response that is not necessarily favorable or " safe" for all transients. Because of the strong interdependence and interactions between safety-related equipment and air systems, it is recommended that licensees verify the availability and adequacy of anticipated transient and recovery procedures for loss of air systems events.
(b) The plant staff should be trained in the aforementioned procedures to respond to loss of air systems events.
(3) Plant staff should be trained regarding the importance of air systems.
Plant operations and maintenance personnel should be sensitized to the importance of air systems and the vulnerability of safety-related equipment to common mode failures that could result from air system degradation. This should be accomplished by implementing training sessions applicable to air system operation and maintenance.
(4) The adequacy of safety-grade backup air accumulators for safety-related equipment should be verified.
Operating experience has raised doubts about the adeouacy of backup air accu-mulators required for plant responses to postulated transients and accidents.
--__m______ . _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _
In several instances, safety-grade backup air accumulators have been sized inadequately, have had discharge lines inadequately restrained, or have not been verified to operate under appropriate test conditions. In addition.
- there have been cases in which the operational transient procedures for using the accumulators were either wrong or nonexistent. In order to assure that plants are capable of responding to postulated transients and accidents in the manner described in plant FSAR analyses, it is recommended that safety-grade backup accumulators be. reviewed relative to the aforementioned design, installation, testing and operational deficiencies at all operating plants.
Specifically, this recommendation includes (a) periodic testing of safety-grade backup accumulator check valves for leakage; (b) monitoring and/or alarming accumulator pressure; and (c) verifying the adequacy of safety-related accumulators (including air receiver tanks for emergency diesel generators that require compressed air to sustain continuous operation).
(5) AM operating plants should be receired to perform gradual loss of instrument air system pressure tests.
Gradual instrument air system pressure loss tests (preoperational testing) have revealed deficiencies in safety system equipment including common mode failure potential. A number of such failures have not been &;ithin the envelope i of FSAR accident analyses. Accordingly, it is recommended that all plants verify th6t credible gradual IA system bleeddown events will not result in H unanalyzed and/or unacceptable conditions. If plants have performed the Regulatory Guide 1.68.3 bleeddown tests previously, no additionel bleeddown testing should be required unless significar.t ' system modifications have been made subsequent to such testing. Id'fitionally, plants which have never performed a rapid bleeddown test (e.J., s9th as was required in Regulatory Guido 1.80), should be required to perform such testing.
\
- I a
,,a +
' N
- e ip r
^
6 ;
I b 6
i'\
\ g i j 1
4
^
l (~$a #
4 i k
'4 i i/j ,
l
\ ,jt -
a tr i
k
{
Y , J
i
10.0 REFERENCES
- 1. Southern California Edison, Licensee Event Report (LER) 50-206/80-006, San Onofre - Unit 1, dated Parch 24, 1980.*
- 2. U.S. Nuclear Regulatory Commission, Office for Analysis and Evaluation of Operational Data, Case Study No. AEOD/C204, " San Onofre Unit 1 Loss of Salt Water Cooling Event on Farch 10, 1980," July 1982.*
- 3. E.W. Hagen, " Compressed Air and Backup Nitrogen Systems in Nuclear Power Plants," Oak Ridge National Laboratory, NUREG/CR-2796, ORNL/NSIC-206, July 1982.
- 4. General Public Utilities, "GPU Accident Review Task Force Final Summary Report," December 15, 1980.
j
- 5. U.S. Nuclear Pegulatory Commission, "NRC Report on the January 25, 1982 Steam Generator Tube Rupture at R.E. Ginna Nuclear Power Plant,"
NUREG-0909, April 1982.
- 6. Consumers Power Company, licensee Event Report (LER) 50-255/78-003, -;
Palisades, dated January 31, 1978.*
- 7. Floridh Fower & Light Company, Licensee Event Report (LER) 50-250/85-021- i Rev. 1, Turkey Point Unit 3, dated August 21, 1985.*
- 8. - U.S. Nuclear Regulatory Commission Inspection Report No. 50-250/85-26; l
50-251/85-26, Turkey Point Units 3 and 4, October 9, 1985.*
l
- 9. U.S. Nuclear Regulatory Commission Inspection Report No. 50-387/84-35; 50-388/84-44, Susquehanna Steam Electric Station, November 15, 1984.* _
- 10. American hational Standards Institute (INSI) Standard MC 11.1-1976/Instru-L ment Society of America Standard ISA-57.3,1975, " Quality Standard for 7- Instrument Air."
$ 11. U.S. Nuclear Regulatory Commission, Regulatory Guide 1.68.3, "Preoperational Testing of Instrument and Control Air Systems," April 1982.*
- 12. U.S. Nuclear Regulatory Commission Standard Review Plan 9.3.1, Rev. 1,
" Compressed Air. System " NUREG-0800, July 1981.**
- 13. U.S. Atomic Energy Commission Regulatory Guide 1.80, "Preoperational Testing of Instrument Air Systems," June 1974.*
14 U.S. Nuclear Regulatory Commission, Of fice of Inspection and Enforcement, Circular No. 81-14. " Main Steam Isolation Valve Failures to Close,"
November 5, 1981.*
1
- 15. Consumer Power Company, Licensee Event Report (LER) 50-255/81-030, Palisades, dated August 18, 1981.*
3 c See footnotes on last page.
l
l
- 16. U.S. Nuclear Regulatory Commission, " Power Reactor Events," NUREG/BR-005),
Vol. 3, No. 4, May-June 1981, January 1982.
- 17. U.S. Nuclear Pegulatory Commission, Inspection Report 50-250/85-26, 50-251/85-26, Turkey Point Unit 3 and Turkey Point Unit 4, September F.
1985.* ;
- 18. Florida Power & Light Company, F. Southworth, et al., " July 21-26, 1985 Short Outage Critique " Turkey Point Unit 3, August 6, 1985.
- 19. U.S. Nuclear Regulatory Commission, Inspection Report 50-250/85-40, 50-251/85-40, Turkey Point Unit 3 and Turkey Point Unit 4 January 2, 1986.*
1
- 20. U.S. Nuclear Regulatory Commission, Safety System Functional Inspection Report 50-250/85-32, 50-251/85-32, Turkey Point Unit 3 and Turkey Peint Unit 4, October 7, 1985.*
- 21. Letter from A. W. Wilk, Bechtel Power Corporation, to S. G. Brain, Florida Power & Light Company,
Subject:
Turkey Point Units 3 and 4, Bechtel ,
Job 5177-458, Effect of Particulate in the Instrument Air System, July 29, 1985.
- 22. Florida Power & Light Company Interoffice correspondence from S. G. Brain to K. L. Jones,
Subject:
Turkey Point Units 3 and 4, " Effects of Particu-lates in Instrument Air on Safety Related Equipment," File:PTP100-16, August 5, 1985.
- 23. U.S. Nuclear Regulatory Commission. Inspection Report 50-250/85-30, 50-251/85-30 Turkey Point Unit 3 and Turkey Point Unit 4, hovember 12, 1985.*
- 24. U.S. Nuclear Regulatory Commission, inspection Report 50-247/85-10, Indian Point Nuclear Generating Station, Unit 2, June 11, 1985.*
2E. Consolidated Edison Company of N.Y., Inc., Licensee Event Report (1.FP) 50-247/85-006, Indian Point 2, dated May 16, 1985.*
- 26. Telephone discussion between J. Curry, Consolidated Edisen Co. and H. L. Ornstein, NRC, August 27, 1985.
- 27. U.S. Nuclear Regulatory Commission, Inspection Report No. 50-387/85-09, 50-388/85-09, Susquehanna Steam Electric Station, April 15, 1985.*
- 28. U.S. Nuclear Regulatory Commission, " Report to Congress on Abnormal Occurrences, October-December 1984," NUREG-0090, Vol. 7, No. 4, May 1985.
- 29. U.S Nuclear Regulatory Commission, inspection Report No. 50-387/84-38, 50-388/84-37, Susquehanna Steam Electric Station, February 27, 1985.*
See footnotes on last page.
- 30. U.S. Nuclear Regulatory Comission, Preliminary Notification, PNO-III-85-84, September 20, 1985.*
- 31. U.S. Nuclear Regulatory Commission, Daily Report Regi0n III, September 24, 1985.*
- 32. Commonwealth Edison Company, Licensee Event Report (LER) 50-249/85-018, Dresden Nuclear Power Station - Unit 3, dated October 1, 1985.*
- 33. U.S. Nuclear Regulatory Commission Office of Inspection and Enforcement, Information Notice No. IN 85-95 " Leak of Reactor Water to Peactor Building Caused by Scram Solenoid Valve Problem," December 23, 1985.*
34 U.S. Nuclear Regulatory Comission, " Safety Evaluation Report Related tn the Restart of R. E. Ginna Nuclear Power Plant, NUREG-0916, May 1982.
l
- 35. U.S. Nuclear Reculatory Commission, Office for Analysis and Evaluation of Operational Data, Case Study Report AEOD/C401, " Low Temperature Overpres-surization Events at Turkey Point Unit 4," March 1984.*
- 36. Union Electric Company, Licensee Event Report (LER) 50 a83/84-015, Callaway Unit 1, August 10, 1984.*
- 27. Consolidated Edison Company of N.Y., Inc., Licensee Event Report (LER) 50-247/76-2-15, Indian Point 2, September 24, 1976.*
l
- 38. Letter from F. L. Clayton, Jr. , Alabama Power Company to J. P. O'Reilly, NRC,
Subject:
J. M. Farley Nuclear Plant Special Report - Unit 2, November 14,-1983.
l 39. Connecticut Yankee Atomic Power Company, Licensee Event Report (LER) 50-213/83-020, Haddam Neck Plant, November 30, 1983.*
- 40. Connecticut Yankee Atomic Power Company, Licensee Event ;<eport (LER) 50-213/83-021, Haddam Neck Plant, November 30, 1983.*
- 41. Wisconsin Electric Power Company, Licensee Event Report (LER) 50-301/82-007, Point Beach Nuclear Plant, Unit 2, October 25, 1982.*
- 42. U.S. Nuclear Regulatory Commission, Office for Analysis and Evaluetion of Operational Data, Engineering Evaluation Report AE0D/E426, " Single Failure Vulnerability of Power Operated Relief Valve (PORV) Actuation Circuitry for Low Temperature Overpressure Protection (LTOP)," October 24, 1984.*
- 43. U.S. Nuclear Regulatory Commission, Office for Analysis and Evaluetion of Operational Data, Technical Review Report AE0D/T504, " Loss of Instrument Air and Subsequent Transient," May 17, 1985.*
- 44. Baltimore Gas 8 Electric Co., Licensee Event Report (LER) 50-317/80-027, Calvert' Cliffs 1, June 3, 1980.*
See footnotes on last page.
1 - _ _ _ _ - - - - _ _ - - - - - - _
- 45. U.S. Nuclear Regulatory Commission, Office for Analysis and Evaluetion of Operational Data, Case Study Report AE0D/C105, " Report on the Calvert Cliffs Unit 1 Loss of Service Water May 20, 1980," December 1981.* .
- 46. Baltimore Gas & Electric Co., Licensee Event Report (LER) 50-317/80-041, Calvert Cliffs 1, August 26, 1980.* -
- 47. Baltimore Gas & Electric Co., Licensee Event Report (lEP) 50-317/81-074, $
Calvert Cliffs 1. November 4, 1981.*
{
- 40. Baltimore Gas & Electric Co., Licensee Event Report (LER) 50-318/81-045, Calvert Cliffs 2, November 4,1981.*
- 49. Commonwealth Edison Co., Licensee Event Report (LER) 50-454/85-027, Byron Station, Unit 1, July 25, 1985.*
1
- 50. U.S. Nuclear Regulatory Commission, Office of Inspection and Enforcement, !
Information Notice No. 85-35, " Failure of Air Check Valves to Seat," i April 30, 1985.*
- 51. Letter from R. E' Querio, Commonwealth Edison Co. to J. G. Keppler,ifSNRC,
Subject:
" Notification of Possibly Defective Airline Chect Valves in Byron Unit 1 (Docket Number 50-454) Main Steam Isolation Valve Actuators," dated March 21, 1985.*
- 52. South Carolina Electric and Gas Co., Licensee Event Report (LER) l 50-395/85-027, Summer Nuclear Station, dated October 18, 1985.*
1
- 53. U.S. Nuclear Regulatory Commission, Office of Inspection and Enforcement, Information Notice No. 85-84, "Inadeouate Inservice Testina of Pain Steam Isolation Valves," October 30, 1985.*
- 54. Florida Power & Light Co., Licensee Event Report (LER) 50-250/85-020 Turkey Point 3, dated July 29, 1985.*
i
- 55. U.S. Nuclear Regulatory Commission, Minutes of Operating Reactor Briefing No. 85-13, August 13, 1985.*
- 56. Letter from P. V. Howe, Carolina Power & Light Co. to J. N. Grace, NBC, Sub-ject: Docket Nos. 50-325 and 50-374 Brunswick Steam Electric Plant, Units 1 and 2, " Failure of ASCO Model 8323A36E Double Solenoid Valves,"
October 15, 1985.*
- 57. Carolina Power & Light Company, Licensee Event Report (LER) 50-324/85-008, Brunswick Unit 2, October 25, 1985.*
- 58. U.S. Nuclear Regulatory Commission, " Report to Congress on Abnormal Occurrences, October-December 1965," NUREG-0090, Vol. 8, No. 4, May 1986.
See footnotes on last page.
- 59. G. L. Boner and H. W. Hanners, " Enhancement of On-Site Emergency Diesel Generator Reliability," USNRC Report NUPEG/CR-0660 UDR-TR-79-07, University of Dayton Research Institute, February 1979.
- 60. U.S. Nuclear Regulatory Commission Standard Review Plan 9.5.6, Rev. 2,
" Emergency Diesel Engine Starting System, NUREG-0800, July 1981,**
- 61. Telephone discussion between C. C., Bemiller, Cooper-Besserer Reciprocating Division of Cooper Industries and H. L. Ornstein, NRC, June 4, 1986.
- 62. U.S. Nuclear Regulatory Commission, Office for Analysis and Evaluation of Operational Data, Technical Review No. AE0D/T602, " Emergency Diesel Genera-tor Cooling Water System Design Deficiencies at Maine Yankee and Haddam Neck," April 1986.*
- 63. Omaha Power District, Licensee Event Report (LER) 50-285/82-018, Ft. Calhoun Station, dated September 17, 1982.*
64 Letter from S. Burstein, Wisconsin Electric Power Company, to J. G. Keppler, NRC, Subject Docket Nos. 50-266 and 50-301, " Single Failure Potential for Safety Injection Recirculation Path, Point Beach Nuclear Plant, Units 1 and 2," dated July 24, 1985.*
- 65. U.S. Nuclear Regulatory Commission, Office of Inspection and Enforcement, Information Notice No. 85-94, " Potential for Loss of Minimum Flow Paths Leading to ECCS Pump Damage During e LOCA," December 13, 1985.*
- 66. Carolina Power & Light Company, Licensee Event Peport (LER) 50-261/86-001, H. B. Robinson-2, dated February 5, 1986.*
- 67. Letter from J. P. McGaugby, Jr., Mississippi Power & Light Company, to J. P.
O'Reilly, NRC,
Subject:
" Grand Gulf Nuclear Station Units 1 and 2 Docket Nos. 50-416/417, Final Report Unit 1. Interim Report Unit 2. Hiller Actuators," dated June 11, 1982.+
- 68. U.S. Nuclear Regulatory Commission, Office of Inspection and Enforcement, i
Information Notice No. 82-25. " Failures of Hiller Actuators Upon Gradual i Loss of Air Pressure," July 20, 1982.*
- 69. Letter from J. R. Nanci, Ralph A. Hiller Company, to H. L. Ornstein, NRC,
Subject:
Telecon Request Regarding IE Information Notice 82-25, dated April 10,1986.
- 70. Nuclear Safety Analysis Center / Electric Power Research Institute /Duka Power Company, "0conee PRA A Probabilistic Risk Assessment of Oconee 3," l >AC-60 June 1984. Available from Research Reports Center (RRC), Box 50490, Palo Alto, CA 94303.
See footnotes on last page.
- 71. - Duke Power Company, Oconee Nuclear Station, Procedure No. OP/2/A/1103/06, Rev. 22, Reactor Coolant Pump Operation, March 19, 1985.
- 72. Florida Power & Light Company, Licensee Event Report (LER) 50-335/77-023, St. Lucie' Unit 1, dated May 13, 1977.*
- 73. U.S. Nuclear Regulatory Commission, Office of Inspection and Enforcement, Bulletin No. 84-03, " Refueling Cavity Water Seal," August 21, 1984.*
'7a. Pennsylvania Power and Light Company, Suscuehanna Steam Electric Station',
Nuclear Safety Assessment Group Project Report No. 13-84, " Implications of loss of Water from the Spent Fuel Pool Oue to Reactor Cavity Seal Failure or Other Causes " December 18, 1984.
- 75. U.S. Nuclear Regulatory Commission, Inspection Report 50-312/85-27, Rancho
'Seco Nuclear Generating Station Unit No. 1, November 5, 1985.*
- 76. A'rkansas Power & Light Company, Licensee Event Report (LER) 50-368/81-019, Arkansas Nuclear One - Unit 2, dated June 11, 1981.*
- 77. Telephone Discussion between D. B. Lomax, Arkansas Power and Light Company, and H. L. Ornstein, NRC, July 28, 1986.
- 78. U.S. Nuclear Regulatory Commission, Region IV Daily Report, May 27, 1981.*
- 79. Southern California Edison Company, Licensee Event Report (LER) 50-361/84-060, Sen Onofre Nuclear Generating Station, Unit 2, dated November 2, 1984.*
E0. U.S. Nuclear Regulatory Commission, Region II Daily Peport, December 19, 1985.*
- 81. EDS Nuclear Inc., "H. B. Robinson Unit 2 Instrument Air System Reliability Study," Report No. 03-1320-1035 Revision 0, December 17, 1982.
- 82. Memorandum from J. D. E. Jeffries, Carolina Power and Light, to P. J. Furr,
Subject:
"H. B. Robinson 2 Instrument Air System Reliability Study - CNS and EDS Nuclear, Inc., Recommendations," dated February 16, 1983.
- 83. U.S. Nuclear Regulatory Commission Office for Analysis and Evaluation of Operational Data, Case Study No. AE0D/P504, " Trends and Patterns Report of Unplanned Reactor Trips at U.S. Light Water Reactors in 1984,"
August 1985.*
- 84. U.S. Nuclear Regulatory Commission, Office for Analysis and Evaluation of 4 Operational Data, Case Study No. AECD/P602, " Trends and Patterns Report
)
l of Unplanned Reactor Trips at U.S. Light Water Reactors in 1985," August I 1986.*
See footnotes on last page.
L_ - - - - - - - -----_----------_--------_-o
- 85. Memorandum from R. Singh, NRC to E. L. Jordan, " Forced Shutdowns Induced by Instrument Air Failures," April 2,1985.*
- 86. Memorandun from R. Keppler, S. Krill and P. Koutaniemi, NRC, to D. Allison, _
" Forced Shutdowns Induced by Instrument Air Failures in 1985," March 14, 1986.*
- 87. A. C. Payne, Sandia National Laboratories, " Interim Reliability Program:
Analysis of the Calvert Cliffs Unit 1 Nuclear Power Plant," USNRC Report-NUREG/CR-3511, Vols. I and 2, SAND 83-2086, March 1984.
- 88. S. E. Mays et al., EG&G, " Interim Reliability Program: Analysis of the Browns Ferry Unit 1 Nuclear Plant." USNRC Report NUREG/CR-2802, EGG-2199, August 1982,
- 89. Letter from J. M. Taylor, NRC, to B. W. Reznicek, Omaha Public Power District,
Subject:
Safety Systems Outage Modification Inspection (Design) 50-285/85-22, dated January 21, 1986.*
- 90. ' Letter from J. M. Taylor, NRC, to H. B. Tucker, Duke Power Company,
Subject:
Safety System functional Inspection Peport Numbers 50-269/86-16, 50-270/86-16, and 50-289/86-16, dated August 1, 1986.* 2
- 91. Letter from J. M. Taylor, NRC, to F. W. Buckman, Consumers Power Company,
Subject:
Safety System Functional Inspection Report Number 50-255/86-029, dated December 22, 19P6.*
- 92. Rancho Seco Nuclear Generating Station, Plant Operations Panual, Emergency Procedures, Pay 1984.
- 93. D. R. Gallup, D. M. Kunsman, V. P. Bohn, Sandia National Laboratories, "Poten- l tial Benefits Obtained by Reouiring Safety-Grade Cold Shutdown Systems,"
USNRC Report NUREG/CR-4335, SAND 85-1339, November 1985. I
- 94. Memorandum from L. B. Marsh, NPC, to H. B. Polz, "Calvert Cliffs LOSP Calculations (LANL)," February 21, 19CE.*
- 95. N. A. Hannan, D. Ilberg, D. Xue, R. G. Fitzpatrick, T-L. Chu, Brookhaven National Laboratory, "A Review of the Oconee-3 Probabilistic Risk Assess-ment: Internal Events Core Damage Frecuency," USNRC Report NUREG/CP-4374, 1 Vol. 1, BNL-NUREG-51917, March 1986. {
1 l 96. D. L. Selby, et. al., Oak Ridge National Laboratory, " Pressurized Thermal J Shock Evaluation of the Calvert Cliffs Unit 1 Nuclear Power Plant," USNPr Report NUREG/CR-4022, ORNL/TM-9408, September 1985. 3 J
See footnotes on last page.
l
- 97. D. L. Selby, et. al., Oak Ridge Fational Laboratory, " Pressurized Thermal Shock Evaluation of the H. B Robinson Unit 2 Nuclear Power Plant," USNRC l Report NUREG/CP-4183, Vol.1, ORNL/TM-9567/V1, September 1985.
i 1
j
- Available in the NRC Public Document Room at 1717 H Street, F.W., Washington, D.C. 20555 for inspection and copying for a fee.
- Available for purchase from National Technical Information Service, Springfield, VA 22161
l l
l i
l APPEP.'OIX A Partial Listing of Air-0perated Equipment Failures Sorted by Failure Pnde t'OTE: This listing does not include most events presented in Chapter 5, or the events listed in Reference 14.
I
WATER / CORROSION PRODUCTS Haddam Neck 12/14/85 Licensee review of maintenance IE Inspection '
50-213 history for MSIV failures Report concluded root cause "to be 50-213/E4-28 solenoid valve failures caused by impure control air" (water vapor freeze up in air lines, carbon steel corrosion products).
I Oyster Creek 6/11/82 During spent resin transfer LER 82-016 *1 50-219 operations a check valve failed and '
water backed up into the service air system. The SAS became contaminated and a radioactive release resulted.
Nine File 7/15/80 Foisture and corrosion products LEP 80-013 Pt. I prevented scram solenoid from 50-220 operating properly - air could not be exhausted from the scram valves thereby preventing rod insertion.
Indian Pt. 2 2/13/85 A hydrogen recombiner was LER 85-003 50-247 inoperable because rust plugged up filters in the IA lines leading from the hydrogen flow transmitter.
Indian Pt. 2 4/16/85 1/P converters malfunctioned - LER 85-006 50-247 sluggish response of AFW control valves.
Palisades 1/31/78 Water in the air line to a valve LER 78-003 50-255 eperator caused closure of the shutdown cooling system heat exchanger resulting in a 45-minute loss of DHR system - primary coolant heated up from 130 F to 215 F (see Section 5.1.1 of this report).
Palisades 7/18/81 Air-operated valve on the shutdown LER 81-030 50-255 cooling system heat exchanger failed closed. Removal of water from the air line to the valve operator re-stored the valve to operation. The PCS heated up from 123 F to 197 F (see section 5.1.1 of this report).
A-1
Oconee 1 12/25/83 Poisture in the IA line to the LER 83-021 50-269 BKST level transmitter froze and Oconee 2 1/11/77 BWST level indication was lost. LER 77-001 50-270 Oconee 3- 3/3/75 LER 75-005 50-287 Crystal 9/29/82 Fan damper operator failed causing LER 82-061 River 3 overheating of Reactor Building.
50-302 (Water was introduced into the IA system from the fire service water system.)
Crystal 3/23/83 Check valves failed due to the LER 83-016 River 3 presence of water in the IA system.
50-302 Resulted in loss of 2 accumulators for 2 AFW valves. These failures were discovered during testing.
The licensee reported that water in the IA system had caused both air accumulators to be inoperable previously.
Rancho Seco 1/19/75 Air-operated containment isolation LEP 75-001 50-312 valve was prevented from closing by water in the IA lines.
Rancho Seco 2/2/81 Containment isolation valve failed. LER 81-004 50-312 Water in the IA system prevented the valve actuator from operating.
Pancho Seco 9/30/81- Containment isoletion valve failed LER 81-050 50-312 to close due to the presence of water and rust from IA system in ,
the solenoid valve. I i
Brunswick 2 2/3/76 A drywell penetration isolation LER 76-032 50-324 valve was stuck due to moisture in the IA lines.
Duane Arnold 1/10/84 Moisture or foreign matter in the LER 84-004 I
50-331 IA system contributed to failure of air-operated solenoid valves 1 which resulted in failure of both l trains of the safety related control room intake treatment system standby j filter units (the function of the ~
standby filter units is to minimize operator radiation exposure during an accident).
A-2
North Anna 2 7/1/81, Air-operated valves on the TDAFW LER 81-053 50-339 7/3/81 pump steam supply failed to operate because of contaminants and corrosion products in the IA system (two parallel valves failed from the same cause within a 3-day period).
Grand Gulf 11/16/P3 ADS /MSIV/SRV accumulators corroded; IE Daily 1, 2- due to the presence of moisture Report 50-416 and faulty accumulator coatino. 11/16/83 50-417 The coating material flaked off the accumulators ano' contaminated the IA system.
1 A-3
PA CIC 4.ATES/ FOREIGN MATTER Big Rock 11/73 Backup .1.,upply was depleted Nov. 27, 1973 Point (enough for eight operations vs. Letter to AEC 50-155 the design valve of 50 operations) due to particulate under the seat of one solenoid valve, and a loose fitting on the other.
Big Rock Pt. 2/1/84 Foreign particles were found Feb. 2, 1984 50-155 in the IA system leading to Letter - R. Krich possible equipment failure. The Consumers Power Co.
licensee committed to install to D. Crutchfield, air filters at the discharge of NRC - Big Rock ;
the IA dryer. Pt. - Plant Inte-grated Assessirent of Oper Issues l
Oyster Creek 12/12/7F An air-operated valve on the LER 78-036 50-219 12/19/78 stand-by oas treatment system 12/26/78 failed to operate due to buildup of dirt and corrosion in the valve operator.
Dresden 2 11/E/78 Accumulation of dirt in a solenoid LER 78-061 50-237 valve's air-cperator prevented a containment vent valve frcm closing.
Dresden 2 10/4/79 Accumulation of dirt and corrosion LER 79-055 ,
50-237 products in a solenoid valve air-crerator prevented a containment vent from closing.
Millstone 1 12/5/77 A drywell vent valve fciled to LEP 77-004 50-245 close. Failure was caused by dirt in the air line leading to the valve's operator.
Ginna 2/19/84 Dirt in an I/P converter caused a N LER 84-001 50-244 leak and loss of a safety injection accumulator.
Millstone 1 9/14/78 Prywell vent valve failed to close. LER 78-022 50-245 Dirt in the IA caused a malfunction of the valve operator.
A-4
Monticello 3/24/80 Containment isolation valve leaked LER 80-010 50-263 because dirt deposits from the IA system were on the valve seat.
Point Beach 1 4/30/77 A control room ventilation system LER 77-003 50-266 damper could not close because of dirt in the IA system. A similar event occurred on 5/28/77 (LER 77-004).
Peach 9/4/78 Radioactive liquid from the LER 78-039 Bottom 2 and radwaste system demineralized 50-277 9/21/78 backed up to the service air system. Dirt in the air system lodged on the seats of check valves and prevented their closure,
-resulting in the back flow. As a result the service air system became contaminated. Service air is occasionally used to supply breathing air to maintenance workers in areas with high airborne contamination.
I Peach 11/17/E3 Particulate in the IA system LEP 83-018 Bottom 3 caused two scram solenoid valves 50-278 to fail, thereby preventing their normal scram insertion. The rods were scrammed using backup scram solenoid valves.
Surry 1 1/7/80 Contrary to design, a feedwater LER B0-003 50-280 bypass valve did not fail closed upon loss of IA. Failure of the valve to close upon safety injec- ,
tion could cause an excessive cooldown. The pilot valve was dirty and sticking. The failure was discovered during pre-startup testing.
ANO-1 10/21/76 Dirt from the IA system prevented LER 76-032 50/313 positive actuation of a solenoid valve actuator. As a result, a containment isolation valve would not close upon demand.
A-5
r i
I Hatch 2 2/20/80 A small foreign object in the air LER 80-018 l 50-366 supply line to an air-operated l valve prevented a torus-drywell l vacuum breaker valve from opening.
McGuire 1 1/28/86 Dirt in the IA system caused drift LER 85-004 50-369 of pneumatic pressure transmitters, resulting in spurious main steam POPV actuation. This event resulted in low steam generator level and a reactor trip.
Grand Gulf 1 9/03 Inoperability of SDV solenoid IE Inspection 50-416 valves. Foreign material in the Report 50-416/
air header collected in internal 83-39 parts of the scram discharge sole-noid valves blocking air discharpe through the valve ports.
Palo Verde 1 4/25/85 Control room air handling unit LER 85-027 50-528 dampers failed to close on demand because of " foreign matter" in the air supply lines. ,
A-6
. HYDROCARBON CONTAMINATION Indian Point 1 1/71 Sixty three of 191 containment Letter frem 50-003 isolation valves failed as a~ result -Consolidated of oil contamination in the air system. (Sticking valve operators EdisonCompany).
(T. A. Griffin and malfunctioning valve to USAEC DRL solenoids). (P. A. Morris)
January 20, 1971 Browns 3/10/83= Containment isolation valve LER 83-014 Ferry .1 closure time exceeded tech spec 50-259 values. "0ily, gummy film" covered solenoid valve internals pre-venting air.from exhaustino.
Browns 3/21/83 Primary containment isolation LER 83-022 Ferry 3 valve failed open. 011 50-296 accumulation on solenoid valve shaft prevented air leak off.
Susquehanna.1 15'64- Oil.or water contamination / loose Numerous 50-249' several particulate caused degradation references. See-events of the scram system pilot valves - 'Section 5.1.3 failure of control rods to insert.
Zion 1 12/15/75 Containment isolation valve failed LEP 75-032 50-295 to close during testing. The sole-noid pilot valve was stuck due to oil residue which was baked onto the valve. The oil entered the IA system from the PA system, when the PA system was used to supplement the IA system's capacity.
Zion 1 8/11/76 011 in the IA system' caused stick- LEP 76-044 50-295 8/11/76 ing of solenoid pilot valves result- 76-046 9/30/76 ing in failures of air-operated 76-061 1/23/77 valves. (Numerous containment isola- 77-004 7/23/77 tion valve failures.)77-043 1/25/78 78-017 4/8/78 78-030 7/7/78 78-059-8/30/78 78-086 9/14/78 78-094 11/20/78 78-124 3/2/79 79-011 l
1 l
A-7 I
Zion 2 3/11/75 Oil in the IA system caused LER 75-010*
50-304 5/P/77 sticking of solenoid pilot valves77-030 6/15/77 resulting in failures of air- 77-036 5/9/78 operated valves. (Numerous78-037 6/3/78 containment isolation valve 78-045 7/3/78 failures.)78-051 3/ /79 79-020 5/9/80 80-018 AN0-1 3/29/82 Containment isolation valve would LER 82-008 50-313 not remain closed upon demand. Oil in the IA system impregnated 0-rings in a pneumatic relay, causing failure of a reactor building isolation valve.
l i
- This LER reported 10 such failures.
I l
l A-8 l
DESICCANT CONTAMINATION San Onofre 1 1/9/80 Containment isolation valve failed L EP 80-003 50-206 to close upon demand. Desiccant particles in IA system prevented solenoid air control valve from operating.
San Onofre 1 7/17/80 Recurrence of 1/9/80 event LER 80-032 50-206 which had been reported in LER80-003). Event was probably caused by residual desiccant which had not been cleaned out after the first malfunction.
Millstone 1 12/24/85 Several control rods failed to IE Daily Peport 50-245 screm. The HCU pilot valves failed 12/24/85 to actuate because of the presence of small amounts of desiccant.
Point Beach 5/17/74 Dirt / desiccant / rust (from a burst Letter from 50-266 filter)preventedcomplete Wisconsin Electric closing of containment isolation (S. Burstein) to valves, llSAEC DRL (J. O' Leary) 6/25/74 Maine Yankee 4/4/85 Widespread desiccant contamination IE Inspection 50-309 existed at the plant - components Report 85-06 reported as being affected include main feedwater regulating valves and heater drain tank level con-trol. Thirty of 480 in-line filters had been changed out. Overheating and burning of the desiccant had caused its breakdown and carryover into the IA system.
ANO 1 10/21/76 Reactor building chilled water LER 76-032 50-313 2/18/77 isolation valve failed due to LER 77-003 3/29/82 " foreign matter" (desiccant) in LER 82-008 l the IA system which lodged in l the solenoid valve actuator.
Between 1976 and 1984 this valve, and a similar valve, have failed on at least six occasions.
A-9 t _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
AE0-2 6/18/84 IA system contamination (desiccant) LER 84-014 50-368 caused 1/P converter on the main feedwater bypass valve to mal-function, causing a high steam generator level and a reactor trip.
ANO-2 10/8/85 Main feedwater regulating valve's LER 85-022 50-368 I/P converter malfunctioned due to desiccart carryover in the air lines. Caused a high steam generator level and a reactor trip.
Subsequently the licensee replaced 40 micron in line filters (upstream of the I/P converters) with 1 micron in-line filters.
l l
l l
l l
A-10
CHECK VALVE FAILURES San Onofre 1 7/20/81 The check valve which was designed LER 81-018 50-206 to isolate the IA from the backup N supply leaked. As a result, IA leaked into the backup N system.
Oxygen was then introduced into the waste gas decay tank cover gas.
Subsequently a hydrogen-oxygen ignition damaged the tank and resulted in a radioactive release.
Palisades 9/15/81 Check valve failures resulted in LER 81-38 50-255 the inoperability of containment isolation valves.
Cooper 4/1E/80 Cneck valves on three of six ADS LER 80-011 50-298 accumulators had excessive leakage.
Buna-M 0-ring seals were replaced with ethylene propylene ones.
Hatch 2 4/4/80 ADS safety relief valve accumulator LEP 80-045 50-360 check valves leaked. All accumulator check valves were repaired or replaced prior to unit startup.
LaSalle 2 1/14/65 Two ADS valves were inoperable as a IE Daily Report 50-374 result of accumulator check valve 1/14/85 failures.
l l
l 1
A-11 I w _- _-___________
DESIGN DEFICIENCIES .
Big Rock Pt. 8/13/01 Reactor containment was pressurized L ER 81-016 50-155 due to IA system and SA system leaks. The conditions experienced were not addressed in the plant accident analyses. The licensee determined that containment pres- g surization and radiological releases I could exceed FSAR values. The FSAR analysis had omitted the contribution from gross failure of air system components.
Big Rock Pt. 2/22/84 The reactor depressurization rysten LER 84-001 <- - - - _
50-155 failed (three of four isolation Abnormal
valves failed to open). Plant Occurrence Report modifications which increased to Congress f 84-3, air supply pressure contributed NUREG-0900, Vol. 1, to binding of the valves while No. 1, July 1984 closed at hot conditions. ,
Haddam Neck 11/2/84 Loss of control air may cause AFW Licensec letter 50-213 turbine to overspeed, resulting 11/6/85 in a turbine trip and a loss of IE Inspection AFW. The plant design was found Peport 50-213/
to be contrary to the PRC's SER; 85-PC 1.e., a single credible failure LER 85-005 such as stuck air-operated valve could prevt.nt the automatic feeding of all SGs.
Oyster Creek 10/2?/84 Containment isolation valves for LER 84-023 50-219 the main drywell ventilation and purge system would not isolate on loss of IA - there was no backup '
accumulator system. Since the plant's initial criticality in 1969, the potential existed for releases of fission products in excess of FSAR calculations.
Nine Mile 7/11/83 The containment spray system had LER 83-020 Pcint 1 four test valves that relied upon 50-220 air operators that were not seismically qualified.
A-12
Turkey 8/3/83 Steam generator blowdown isolation LER 83-009 Point 4 valve failed to close upon demand.
50-251 The isolation valve required IA to close - however IA had been isolated.
Subsequently a modification was made to enable the blowdown isolation valve to close upon a slow loss of IA.
Palisades 9/16/77 Loss of the air supply to contain- LER 77-045 )
50-255 ment isolation valves would cause a loss of containment integrity -
no redundant air source was provided.
Browns Ferry 8/80 A loss of control air pressure AEOD memo.
1, 2, 3, and could result in an ATWS. C. Michelson to other BWRs H. Denton 8/10/80 50-259, 260, " Potential for 296 Unacceptable Inter- '
action Between the Control Rod Drive System and Non-essential Control Air System at the Browns Ferry Nuclear Plants."
PNO-78-147 Peach 1/10/80 Accumulator check valves for the LER 80-0CE Bottom 2 ADS safety-relief valves leaked.
50-277 An incorrect seat material had been used. Its deterioration caused the leakage. Subsequently all such valve seats were changed on all Unit 2 and Unit 3 ADS accumulators.
Peach 3/27/81 Air supply piping to pneumatic LER 81-029 Bottom 2 damper operators for the emergency 50-277 switchgeer and battery rooms was not seismically qualified.
Surry 2 8/7/75 Vibration caused a partial loss of LER 75-015 50-281 IA. The decreased IA supply resulted in closure of three BIT recirculation valves.
i l-13 L____-___-____--____
Oconee 3 10/9/76 Loss of an inverter caused loss of LER 76-018 50-287 ac to a vital instrument panel.
As a result, an air-operated valve opened allowing Lake reowee to flow into the CCW discharge, thereby flooding the turbine building base-
, ment. The emergency feedwater pump l "was affected." The emergency feed-water pump, lube oil pump, and the circulating water pumps were sub-merged. (Note: external . flooding has been found to be Oconee 3's largest risk contributor.).
Pilgrim 1 2/25/81 1A lines to SDV isolation valves LER 81-004 50-293 were incorrectly located, thereby biccking the vent path. The inability of SDV vent end drain valves to close following a scram would' result in a primary leak outside containment.
Calvert 1983 Pressurizer spray valves drift If Inspection Cliffs 1, 2.. open upon loss of IA. .They were Report 50-317 supposed to be capable of being .
50-317/85-28 50-318 operated from outside containment. 50-318/85-28 (Local accumulators were added to provide remote operation of the valve.)
Brunswick 2 2/10/83 Inadequate seismic support of LER 83-019 50-324 tubing associated with ADS valve accumulators could result in the inoperability of SRV/ ADS valves.
Sequoyah 2 4/19/83 An incorrectly sized metering LER 83-0C0 50-328 orifice in a pneumatic relay prevented automatic operation of the AFW system - the same error existed on Unit I as well.
1 LaSalle 1 12/30/82 Drywell accumulator check valves LER 82-178 50-373 were not designed to close upon slow depressurization.
Callaway 1 11/5/84 Fatigue cracking of air lines LER 84-059 50-483 11/6/84 supplying feedwater regulator valves caused two reactor trips on successive days.
A-14
OPERATOR ERRORS Nine Mile 2/4/82 . An operator secured air to a level LEP 82-003 Point 1 indicator on the cleanup filter 50-220 sludge tank. An erroneous reading enabled filling operations to con-tinue. The tank overflowed, and radioactive contaminates were released in the reactor building.
Ninety people were exposed after the event during reactor building decontamination.
Browns 8/14/84 A solenoid valve for a testable IF Daily Reports Ferry I check valve had reversed air ports. 8/15, 22, 24, 50-259 As a result the valve remained 27/84 open instead of closed. The low IE PNO-II P4-49 pressure core spray system was IE Information pressurized by primary coolant. Notice 84-74 The potential 'sted for a primary leak outside et inment (Event V).
Browns Ferry 12/13/85 MSIV testing was not conducted IF Daily Peport 1, 2, 3 properly. IA compressors are #3054 50-259, 260, operable during tests whereas 12/13/85 296 testing should have been conducted with only accumulator air available. As a result the testing did not verify MSIV closure capability in the absence of IA.
Peach 9/10/82 Service air leaked into primary LER 82-027 Bottom'2 containment. Two containment 50-277 isolation valves had been left open, enabling air to enter the drywell through leaking service air connection valves. The leaks introduced oxygen into the inerted containment.
Prairie 1/23/76 Air supply lines for the post LOCA LER 76-04 Island 1, 2 hydrogen control systen for both 50-282 units were found to be capped.
50-306 (Both plants had operated at least one fuel cycle in this condition.)
A-15
- ___---_=_-_____-_ _-______-_- _ \
I Point Beach 2 9/25/82 An operator erroneously isolated LER 82-007 50-301 the air line to a PORV rendering '
the PORY inoperable.
Hatch 1 7/24/80 A seismic support for a seismically LEP 80-086 50-321 qualified air supply was omitted.
Therefore, contrary to plant design, a seismic event could cause a piping failure which could render eight valves on the post LOCA hydrogen venting system inoperable. A similar omission was discovered on 8/23/79.
Hatch 1 12/21/85 An operator isolated service air. 10 CFR 50.72 50-321 Air-operated torus isolation valves Report #3126 failed open upon loss of service IE Daily Peport
, air, causing flooding of several 12/23/85, reactor building rooms. Two RHP PN0-II-85-121 pumps, a core spray pump, a room fan cooler, an PHP jockey purrp and the HPCI barometric condenser were submerged.
Farley 2 10/15/83 An operator isolated the IA system. Iicensee letter 50-364 With the charging pump on, the loss to NRC 11/14/83 l of IA isolated the letdown line and l brought the throttle valve in the charging line fully open. At the time of the transient, the plant was solid (in preparation for startup).
RCS relieved through a RHR pump suc-tien relief valve. However, PCS pressure rose to 700 psi (which was in excess of the FSAR's calculated value). The second RHR train's relief valve was unavailable.
(See Section 5.1.4.2.)
Hatch 2 f/7/83 Air supply lines were installed LER 83-112 50-366 backwards to a testable check IE Information valve. This resulted in a stuck Notice 64-74 open isolation check valve. Low AE0D Engineering pressure piping was overpres- Evaluation E414 surized by primary coolant. The potential existed for a primary leak outside containment (Event V).
l l
A-16 u- _.
I.IR LEAKS Big Pock Pt 8/13/81 Reactor containment was pressurized LER 81-016 50-155 due to IA system and SA system leaks. The conditions experienced were not addressed in the plant accident analyses.
(This event is also listed in the design deficiency section of this table.)
Dresden 2 8/29/82 As a result of an IA line leak, a LER 82-039 50-237 drywell isolation valve could not close upon demand.
Monticello 5/18/76 IA leaked into the nitrogen supply LER 76-003 50-263 line. As a result primary containment oxygen levels increased beyond technical specification limits.
Monticello 1/21/85 IA system leaks caused excessive 10 CFR 50.72 50-263 drywell oxygen concentration. Report 1/21/85 and IE Daily l Peport 1/22/85 Erunswick 1 5/16/78 Air system leaks caused the LER 78-055 50-325 drywell and torus oxygen concen-trations to exceed allowables. ,
loose stainless steel tube fit-tings on the vacuum breaker It lines were the source of inleakage.
Oconee 3 5/17/81 A broken air line caused a loss of LEP 81-010 50-287 cooling of a motor driven emer-gency feedwater pump.
Crystal 6/15/84 A broken IA supply line (3/8") LER 84-012 River-3 caused all auxiliary building ex-50-302 haust fans to fail closed. Reactor building exhaust fan dampers were also inoperable, thereby disabling the hydrogen purge system, f-17
D.C. Cook.1 11/25/85. An air line break caused a reactor 10.CFR 50.72-50-335- tri p. Recovery operations were Report 2871 complicated by the loss of the 11/25/85 and IE TDAFW control system which was Daily Report dependent on IA. 11/26/85 Calvert 1/12/03 It was found that the loss of IA LER 83-003
, Cliffs 2 to the AFW regulating valves' I/P 50-318 converters could cause an overcooling transient.
Sequoyah 2 2/25/83 Reactor containment was pressurized. LER 83-027 50-328 due to a leak in a 1/2" essential I
air-line.
LaSalle 7/26/82 A ruptured air hose caused the LER 82-075 50-373 inoperability of ADS valves.
Catawba 1 1/15/84 During excavation activities an IE Daily Peport 50 413 IA line was broken. Loss of IA 1/15/84 to the containment chilled water 10 CFR 50.72 system resulted in a loss of cool- Report 1/15/84 ing to RCP motors and chiller loads.
The RCP seals heated up. The reactor was manually scrammed, and the RCPs were tripped. Pressurizer control was lost and there was insufficient boron mixing as o.
result of the RCP trip.
A-18 l
a , + , ,. S
- , 9 II .-) I .g , ,p
^
{) 'yj //J l j l',, y '
% n, V4 j ,y Y m -
?
1 Q (i 3 3
/,
y
'E MISCEll.ipFOUS S
COMPONENT FAltlM.S a 4 a
. 3- p: s t s* iy
[~ g Haddam Neck 31/0P/04' Failures of solenoids r.onWollina LER 85-005 i I
50-213 4, _' air pressure to air-ope' rated valves ,
4 caused a loss of'autorLaticN . ,
'y 3 4 1
initiationoftwo(rainsofAFF. s
['
L' Indian Point 2 i 9/12/76 A desiccant' dryer inlet valve mal 'LER76-2-1 'eda)'
function caused a loss of IA. t ,,
/
1 p , Thfsresultedintheclosureofr?.y ,
-5 lletday valves and the opening of '
'm s ' charging lines with one charging 3 <.
Sump running. The RCS was soli), , 1 preparing to start the RCPs. Tre ,
1 5
i RHAfq11ef valve opened to limit 1- RCS pressure. - e
/ )
A simN3r event occurred on 5/18/13 3 s (prior to power operation).
- Indian , 2/13/?$1 A failed air regulatod resulted in IE Paily Pepert i Point ? 4
\ 4 the inoperability o'? the hydrogen 2/14/85.'c 1 T 50-247 ;, recodiner. / l
- g. t y Turkey 1/13/85t A so 4 noid pilot failed.to bleed IE Daily Rerp,rt Point 3 off ?Abfrem a valve opdrator. 1/14/85 ,
50-P50 This resuled in the failure of
'- a containment ^ isolation valve i s
to close rpori dew nd.
1 ,
Browns 8/28/7Ee Tiie cylir. der heaf of $ne sir '
PNO-78 1,,47 s Ferry 1, * ' compre:cor failed, and thcre was 4 2, 3 i a; loss of control air to all three 50-259, units. lnits 1 and 2 were scrammed .
+
260, 296 while Unit 3:was already shut down.
Browns f/19/84 The SA system compre'sMtHpped IE Daily Peport Ferry 1 ,
causing depressurization oF the 9/24/84 50-259 - < SA system. As a result an offgas
, discharge from the hydrogen analyzer entered the service g air system. ,.
Haddam heck 11/1/05 Containment control dir was lost LER 83-020 ;
,50-213 due to an incorrectly', installed )
L ' cir filter. As a result control
,' i, ! cf the pressurizer s' pray valves and the pressurizer PORVs was
,k lost far about 45-minutes.
.,) , v
.t , ,
A-19
. J >- -
11/28/83 Failed air filter - identical event
~
Haddam Neck LER 83-021 50-213 to LER 83-020 (11/1/83). Contain-ment control air was lost, and the control of the pressurizer spray o , valves and the pressurizer PORV was
- M y lost for less than an hour, a <
Pilgrim 1 0/29/83 An air-operated testable check IE Information 50-293 valve failed open. The failure Notice 84-74 resulted in overpressurization of 3 the HPCI suction piping. Primary coolant pressurized a low pressure I portion of the HPCI system. The i potential existed for a primary I'
system leak outside containment (Event V).
i Hatch I & 2 12/31/85 An air compressor failure resulted 10 CFR 50.72 50-321, 366 in a loss of IA. Upon loss of Report #3205 IA, the air-operated deluge valves 12/31/85
- on a cooling tower opened (per design). Fire pumps started and
? sprayed down the cooling tower, thereby draining down both units' f e fire protection water storage tanks to below the technical specification minimums.
Il St. Lucie 1 4/15/77 A containment IA compressor LEP 77-23 60-335 failed. Control of all air- (See Section operated valves in containment 5.1.10) was lost. RCP seal cooling was lost, and the RCP seals were damaged.
Limerick 1 9/4/84 It was determined that malfunc- IE Daily Report 50-352 tioning air-operated pilot valves 9/4/84 could result in the loss of the emergency services water system.
The malfunctioning pilot valves were replaced.
McGuire 1, 2 11/2/85 A break in an IA compressor LER 85-034
.50-360 discharge line resulted in the 10 CFP 50.72 loss of IA to both units. As a Reports 2615, result both units scrammed 2618, 33?E on low SG level.
p p
A-20
L l
LaSalle 1, 2 10/25/83 Loss of cooling water to the l 10 CFR 50.72 i 50-373 Unit 2 service air compressor 10/25/83 50-374 resulted in loss of Unit 1 IA. IF Daily Report Unit I was manually scrammed. 10/26/83 Summer 1 6/29/84 Failure of an air-operated isola- IE Daily Report 50-395 tion valve on the steam admission 7/3/84 and line to tbr TLAFW pump caused the 10 CFR 50.72 Pepert I TDAFW pump to turn. If the TDAFW 7/2/84 pump had then been called upon to opetate it would have tripped on overspeed.
1 Summer 1 9/8/85 An air compressor trip resulted NPR/IE briefing 50-395 in a drop in IA pressure. The 9/16/EE drop in IA pressure caused the LEP 85-026 steam admission valve to the TDAFV pump to open partially and turn the turbine. If the TDAFW pump had then been called upon to operate it would have tripped on overspeed.
Grand 7/2/84 Unit I had a reactor scram after LER 84-33 Gulf 1, 2 the loss of the Unit 2 air com-50-416 pressor. (The scram occurred subsequent to the scram pilot valves drifting open, low 7A header pressure, and high SDV level.)
A-F1
7 1
l APPENDIX P Technical Review of Emergency Diesel Generator Cooling System Failures Cue to Air Systems Interactions
i p D (n. cl.4 APR 2 S 1986
( MEMORANDUM FOR: Stuart D. Rubin, Acting Chief AE00/T602 Reactor Operations Analysis Branch Office for Analysis and Evaluation of Operational Data FROM: Eric J. Leeds, Reactor Systems Engineer Reactor Systems Section 1 Reactor Operations Analysis Branch Office for Analysis and Evaluation of Operational Data
SUBJECT:
EMERGENCY DIESEL GENERATOR COOLING WATER SYSTEM DESIGN DEFICIENCIES AT MAINE YANKEE AND HADDAM NECK The enclosed technical review report is forwarded for your information and consideration. The study evaluated two recently identified system design deficiencies involving air-operated control valves. The deficiencies, found at two different operating pressurized water reactors, could have resulted in a common mode failure of both the onsite emergency diesel generators at the involved plants. The study found that the use of air-operated valves to control the emergency diesel generator cooling water supply was unique to the Maine Yankee and Haddam Neck plants. The study also found that the use of an automatic bus transfer device at Haddam Neck (to ensure the availability of redundant power supplies to a vital motor control center for emergency core cooling equipment) was also apparently plant unique. The interaction and
(- potential adverse impacts of degraded or failed nonsafety-grade air systems on safety-related nuclear plant systems is currently being evaluated on a generic basis in an ongoing AE00 case study on plant air systems. It is suggested, therefore, that the design , deficiencies identified at the Maine Yankee and Haddam Neck plants be considered for inclusion in the plant air systems case study. The study also suggests that the' details of the design deficiencies identified at the Maine Yankee and Haddam Neck plants be included in a forthcoming issue of Power Reactor Events.
/H Eric J. Leeds, Reactor Systems Engineer Reactor Systems Section 1 j Reactor Operations Analysis Branch !
Office for Analysis and Evaluation f of Operational Data
Enclosure:
As Stated f
cc: Hal Ornstein, AE00 )
Paul SwetlaaJ, R1 )
Cornelius Holden, RI !
Alan Rubin, NRR
( /
- "'c' > ..R M S , ,,,,,, .E;BQ. ,, ,,,,,,,,,,,,,,, ,, ,,,,,, ....,,,,,,,,,
cu ,u c> . ................. SRubin ..................... .. .... ......... . ....................
Ele s:ks ............. . .....................
om> . .Y. ../. ... 4/.
. ... 86 ..f.
. . ../2.}/.8. 6.......
- - - - = = gg.x fr u.s.om mmo l
t AE00 TECHNICAL REVIEW REPORT
- UNITS: Maine Yankee TR REPORT N0: AE0D/T602 Haddam Neck DATE: April 29, 1986 50-309 and 50-213 EVALUATOR / CONTACT: E. Leeds DOCKET N05:
LICENSEES: Maine Yankee Atomic Power Northeast Utilities NSSS/AE: Combustion Engineering / Stone & Webster Westinghouse / Stone & Webster
SUBJECT:
EMERGENCY DIESEL GENERATOR COOLING WATER SYSTEM DESIGN DEFICIENCIES AT MAINE YANKEE AND HADDAM NECK
SUMMARY
On June 25, 1985, during a review of systems required for safe shutdown, per-sonnel at Maine Yankee identified a design deficiency that could result in a common mode failure of the cooling water supply for the onsite emergency diesel generators (EDGs). At Maine Yankee, the cooling water supply to the EDGs de-pended on the proper operation of air-operated temperature control valves and
( plant personnel determined that a credible single failure could cause a loss of i the air supply to these valves, resulting in a loss of cooling water flow to the EDGs. On November 1,1985, a probabilistic safety study for the Haddam Neck plant identified a previously unrecognized failure sequence that could result in a loss of all cooling water flow to the onsite EDGs due to a single component failure. At Haddam Neck, EDG cooling water flow also depended on proper opera-tion of air-operated supply valves. The probabilistic study found that a single component failure could result in a loss of power to the solenoid air pilot valves that control the position of the cooling water supply valves. A loss of power also resulted in the cooling water valves to both EDGs failing closed.
The design deficiencies at Maine Yankee and Haddam Neck were investigated and evaluated to assess their potential applicability to other nuclear plants.
The study found the use of air-operated valves to control the EDG cooling water supply to be unique to the Maine Yankee and Haddam Neck plants. The study also found that the use of an automatic bus transfer (ABT) device at Haddam Neck (to ensure the availability of redundant power supplies to a vital motor control center for emergency core cooling equipment) was also apparently plant unique.
However, the interaction and potential adverse impacts of degraded or failed nonsafety-grade air systems on safety-related nuclear plant systems is currently being evaluated on a generic basis in an ongoing AE00 case study on plant air systems. It is suggested, therefore, that the design deficiencies identified at Maine Yankee and Haddam Neck be considered for inclusion in the plant air systems case study.
(
- This document supports ongoing AE0D and NRC activities and does not represent the position or requirements of the responsible NRC program office.
B-2
(
DISCUSSION I
'Recently, independent design reviews at Maine Yankee and Haddam Neck identified deficiencies at each plant that could result in common mode failure of the cool-ing water supply to.the onsite EDGs. A sustained interruption or complete loss of cooling water without prompt operator actions would cause the EDGs to'over-heat and subsequently fail. In view of the significant adverse safety implica-tions associated with the identified design deficiencies, a study was initiated to review the EDG cooling water system configurations at Maine Yankee, Haddam Neck and other early-generation light water reactor plants to determine if the design deficiencies had potential applicability to other nuclear power facilities.
Design Review Experience
- 1. Maine Yankee On June 25, 1985, during a design review of the systems required for safe shutdown and accident mitigation, personnel at Yankee Atomic Electric Company identified a deficiency.in the cooling water control system for the onsite EDGs (Re f. 1) . The design deficiency was such that a single component failure could At Maine Yankee, potentially disable the cooling water supply to both EDGs.
two diesel generators provide emergency onsite ac power, with each cooled by a separate component cooling water system. The 'A' EDG heat exchanger is coole(
by the " primary" component cooling water (PCCW) system and the 'B' EDG heat
{ exchanger is cooled by the " secondary" component cooling water (SCCW) system.
Each EDG cooling water supply is regulated by a separate air-operated tempera-ture control valve. However, both control valves share a common air supply (Figure 1). Because the temperature ' control valves are designed to fail closed on a loss of air, a single failure in the air supply could have resulted in a loss of cooling water to both EDG heat exchangers.
The licensee's immediate. corrective action was to align the back-up fire water cooling supply to the EDG heat exchangers to allow automatic transfer to fire water cooling in the event of a loss of the air supply. However, leakage past the supply valves allowed untreated fire water to contaminate the PCCW and SCCW ~
systems. The contamination of the PCCW and SCCW systems was determined to be unacceptable by the licensee since both systems utilize demineralized water treated with corrosion inhibitors. Therefore, on June 26, 1985, following a determination that full cooling water flow through the EDG heat exchangers would be acceptable with respect to lube. oil and jacket water temperatures, heat exchanger tube erosion, and component cooling flow demand, the temperature control valves were blocked open to provide continuous full flow to the heat exchangers. The fire water temperature control valves were then reisolated to prevent fire water leakage into the PCCW and SCCW systems.
- 2. Haddam Neck On November 1,1985, a probabilistic safety study for the Haddam Neck plant identified a scenario that could result in a loss of cooling water flow to both EDGs by the failure of a single component (Ref. 2). At Haddam Neck, two diesel
( Each EDG has a cooling water 9enerators provide onsite emergency ac power.
supply with an air-operated control valve which opens to allow cooling water to B-3
I l
(
PCCW FLOW- '
(SUPPLY) A = SIGNAL FROM ASSOCIATED JACKET WATER TEMP. SWITCH WILL CH ANGE SOV POSITION AT 190*F. THIS WILL OPEN FIRE VALVES 1724A & 1725A &
CLOSE CCW VALVE TCV-1730A.
~
N = AIR SYSTEM
,a A A'
YARD LOCATED I f FS 37 4..
's
-&<0 ll TCV 1724A 4.. .
' ( (FAILS OPEN) j g jg m FIRE WATER TO I -
DIESEL 1B FIRE WATER -
SUPPLY s U
TEMPERATURE CONTROLLER , DG-1 A 1
,, ,, , ,, TDIC HT EX 1730A ' '
E-82A ,
s <
I U
> m .m ,
FIRE WATER TO CAPIELARY 4)* 4( STORY DM
- SENSING f LINE TCV-1725A i
. L y 1 r 4**
.._ A^ (FAILS OPEN) s ,
- SOV-1730A b *
' p V ^^--- A
- f' ,;'
3,, -'
SOV-1724A
' s TCV 1730A
[L3 ,
CONTROL AIR 4
p (FAILS CLOSED ON d SUPPLY LOSS OF AIR) %" BYPASS q I'?
' FOR DG 1B y
4" d COOLING d
3 L
PCV 2701
- DIESEL
'P ,'
,, j g ,, ,, - ^
STARTING
'l ,,
,;, ,;, ;> ,j - ,j ' ,;' ,, ,,
, u ' ' " '
AIR TKS i f PCCW FLOW INSTRUMENT
( (RETURN) ,f' AIR SYSTEM Figure 1 Cooling Water Control Schematic for "A" EDG at Maine Yankee B-4 --
(
flow from the service water system to the EDG heat exchanger when the EDG starts. The cooling water supply valves fail oren on a loss of air pressure.
However, each air-operated cooling water supply valve is positioned by a solenoid air pilot valve. With the solenoid valve energized, air is vented from the air-operator allowing the cooling water supply valve to open. Both solenoid valves receive control power from a common motor control center (MCC).
This MCC (MCC-5) can be supplied emergency ac power from either EDG via an ABT (Figure 2). As seen from the figure, the ABT interincks the output breakers from Bus 5 and Bus 6 so that only one of the two breakers can be shut at any time. If the bus supplying power to MCC-5 is deenergized, the ABT automatically opens the deenergized output breaker and closes the alternate bus output breaker (if the alternate bus is energized). The ABT ensures a continuous power supply to MCC-5. Since ac power is required for the solenoid valves to energize (and thereby open the cooling water supply valves), a loss of offsite power coin-cident with an interruption of emergency power to MCC-5 could cause a simultaneous loss of cooling water flow to both EDG heat exchangers.
The licensee's immediate corrective action was to evaluate the consequences of maintaining the cooling water supply valves in the full open position to ensure cooling water flow to the EDG heat exchangers. Based on this review, the licensee modified the cooling system by blocking open the cooling water supply valves. The licensee is also monitoring the EDG lube oil temperatures daily to ensure the lube oil temperature remains above 85 F in accordance with the EDG manufacturer's specifications.
( Analysis and Evaluation
- 1. Maine Yankee l
At Maine Yankee, the ' A' EDG neat exchanger is cooled by the PCCW system and the 'B' EDG heat exchanger is cooled by the SCCW system. When the plant was originally constructed, both EDG heat exchangers relied on the site fire water system for a backup source of cooling water. Fire water cooling1)(to EDGeither' jacketEDG heat exchanger was designed to be automatically initiated if :
water temperature reached 190'F, then fire water cooling supply valves (TCV-1724A and TCV-1725A) would open and the temperature control valve (TCV-1730A) would close (see Figure 1); or (E) a complete loss of the air supply occurred, then the temperature control valve would fail closed and the fire water cooling supply valves would fail open. The licensee isolated the backup fire water cooling supply in late 1981, however, because the fire water leakage past the supply valves was causing contamination of the PCCW and SCCW systems. The l'censee believed that isolating the fire water cooling supply was not a safety concern because the temperature control valves that regulate the nonnal cooling water supply to the EDG heat exchangers are equipped with a seismically qualified, safety-grade backup air supply.
Normally, each EDG temperature control valve receives its air supply from the instrument air system, which is a nonsafety-grade system. The instrument air ,
system consists of three snotor-driven air compressors powered from vital buses.
Additionally, the temperature control valves and the fire waterTherefore, cooling supply the valves must remain operable during all postulated accidents.
( instrument air system has a back-up tie-in from the diesel air starting system B-5
_m___.___-_
lll D
I E R
EE O
NLV ) Wm )
TV EA A )
AL WA L
OV Lm I V S G
( I e
N m
a d
d a
H l
t a
Y 5-iT R
.O C
N E
m% )
- I
(
i C C
EA S
E IE, G
R E
m& 6 I
( M o
r S
DN S f n'
M E
R M
U B
I
'H 5-io t
n
_E
,O R
F =
C C
b l
u t
t I
M e
_SN A
5 I
i D
R Y R S - c O C U i
r T
LT EA N
E B
I
) t c
e S R G )
E IE DN P mm I l l
E y
E E
M my ( c n
G E e g
r e
m E
2 e
r u
) L I
( i F
g E
N A
P L V E 0 L N 8 4
E O A I CR E R P WT (
I T V U& (
EW S V C m o,
i The instrument air system
) which is a seismically qualified, safety-grade system.
supplies air at 95 psi to both the temperature control valves and air The diesel thestarting fire water cooiing supply valves through a common piping header.
system is a 200 psi system which supplies a back-up source of air to the valves through a single regulating valve, PCV-2701, which is connected to a common piping header (see Figure 1). If instrument air system pressure drops below 40 psi, the regulating valve will open and regulate the back-up air system pressure to maintain 95 psi air pressure in the header.
l During a review of the systems required for safe shutdown and accident mitiga- l tion, personnel at the Yankee Atomic Electric Company found that the single l failure of the back-up air supply regulating valve (PCV-2701) coincident with j a loss of offsite power could result in the loss of cooling water to both l EDG heat exchangers. Following a loss of offsite power, the instrument air system compressors would lose power, resulting in a Aloss of the failure of thenormal backup(instru-1 ment) air supply to the temperature control valves.
air supply regulating valve would then result in a complete loss of air to the temperature control valves. With a loss of air pressure the temperature control volves would fail closed and the fire water control valvesHowever, would fail open to because the allow backup fire water cooling to the heat exchangers.
fire water cooling supply system had been isolated, a loss of the normal and backup air supplies to the temperature control valves would result in a complete loss of cooling water to both EDG heat exchangers. I The licensee's corrective action consisted of blocking open the temperature
(. control valves to provide continuous full cooling flow to both EDG heat ex-changers, The temperature control valves were originally designed to be posi-tiened by a temperature controller to maintain a 25 F delta-temperature across each EDG heat exchanger (see Figure 1). This arrangement was used to balance the component cooling water flow demand.
However, the licensee determined that full cooling flow through the heat exchangers Additionally, was acceptablefullincooling regard to theto flow cooling w1s of the PCCW and SCCW systems.
the heb .L:hange a did not impact on the EDG lube oil and jacket water tempera-tures because each EDG has an internal " thermostat" to specifically regulate the lube oil and jacket water temperatures. Finally, the licensee determined that full cooling flow would not adversely increase the rate of heat exchanger tube erosion. Therefore, blocking the temperature control valves open was acceptable and would eliminate the possibility of a loss of air supply causing a loss of cooling water to both EDG heat exchangers.
- 2. Haddam Neck At Haddam Neck, control air pressure overcomes an internal spring force to shut the cooling water supply valves for the EDG heat exchangers. When i.e., control air the pressure is lost, the cooling water supply valves will " fail safe,"
spring force will open the valves to ensure a cooling water supply to the EDG heat exchangers. The air supply to each cooling water Whensupply an EDGvalve is notisrunning, con-trolled by a three-way solenoid air pilot valve.
its associated solenoid valve is deenergized, allowing control air pressure to be supplied to the air actuator of the cooling water supply valve keeping the supply valve closed. When an EDG starts, the solenoid valve is energized and
( depositions, venting air from the air actuator. The spring force will then open B-7
~
- _ - - _ _ _ - - _ - - _ ~ ^ ~ ~ ~ ' ~ ~ ~ - _ - ~ . _ , _ _ _ _ _ _ _ _ ___
1 i'
the cooling water supply valve allowing cooling water flow to the EDG heat ex-changer. The control air system at Haddam Neck uses large accumulators which maintain air pressure in the event that the compressors are lost. However, if electrical power to the solenoid valves is lost, the solenoid valves will not reposition. In such an event, with air pressure available, the cooling water supply valves will remain closed. Therefore, a loss of electrical power to the solenoid valves would result in a loss of cooling water flow to the EDG heat exchangers.
The solenoid air pilot valves for both EDGs are supplied electrical power from MCC-5. This MCC normally is supplied by offsite power though emergency Buses 8 and 9. The MCC is supplied with emergency ac power from either EDG via an ABT (Figure 2) in the event that offsite power is unavailable. The scenario identified by the licensee, which could lead to a loss of cooling water to both EDGs, . involves a postulated loss of offsite power and the coincident failure of the ABT for MCC-5. The ABT failure sequence is as follows: . Ini-tially, offsite power is assumed to be supplying Buses 5 and 6 and the preferred l source selector switch for the ABT is assumed to be set for Bus 5. In this alignment, Bus 5 is supplying power to MCC-5 (the Bus 5 output breaker is shut). I The scenario begins with a loss of offsite power which results in a loss of power to emergency Buses 8 and 9 and consequently to Buses 5 and 6. As soon as the electrical frequency associated with Bus 5 decreases by a predetermined l
amount, the ABT, as designed, would open the Bus 5 output breaker. However, since the electrical frequency associated with Bus 6 would also decrease by the same amount, the ABT will not shut the bus 6 output breaker. Thus, MCC-5 would be deenergized with both Bus 5 and Bus 6 output breakers open. However, the EDGs start following a loss of offsite power and begin to load 10 to 13 seconds later. When the EDGs reenergize Buses 5 and 6, the ABT would sense that the selected source (Bus 5) had electrical power and would attempt to shut the Bus 5 output breaker. It is postulated that the Bus 5 output brecker fails to close (single failure). By design, the ABT would continue to attempt to shut the selected source (Bus 5) output breaker as long as the bus had electrical power.
The ABT will not transfer and shut the alternate source (Bus 6) output breaker unless electrical power to Bus 5 is interrupted or an operator selects bus 6 with the ABT's preferred source selector switch. Thus, MCC-5 would be deenergized with neither Bus 5 nor Bus 6 supplying power. In this situation, the EDG cooling water supply valves would remain closed since the solenoid valves would have no power to reposition to vent air from the cooling water supply valve air actuators.
To fully evaluate the significance of this failure mode, background information regarding MCC-5 is presented. MCC-5 is a single 480 volt distribution bus which powers many vital loads (such as the motor-operated injection valves) for both safeguards trains. However, MCC-5 is not a single failure proof power distri-bution center. Furthermore, MCC-5 was not originally required to meet the single failure criterion. This fact had been identified and determined to be acceptable by the then Atomic Energy Commission in the safety evaluation for the plant's operating license. Subsequently, the use of an ABT (to provide redundant power supplies to MCC-5) was discussed at an Advisory Committee on Reactor Safeguards (ACRS) subcommittee meeting held in Washington, D.C. on April 7,1983 (Ref. 3). The meeting was held to review the results of Phase II
,\
of the Systematic Evaluation Program as applied to the Haddam Neck plant.
Questions raised by the subcommittee prompted an analysis to evaluate the availability of power for vital equipment powered from MCC-5. The analysis, B-8
--__-_._--__----_____-___-_-__,____a
f performed in 1983 and utilizing probabilistic risk assessment (PRA) techniques, determined that the frequency of a loss of power to MCC-5 is 9E-4/yr (Ref. 4).
This frequency was based on the yearly testing interval at Haddam Neck for the ABT and associated breakers. If a monthly test interval is assumed for these '
components, the frequency drops to 7.3E-4/yr. The analysis also determined that the frequency of a total station blackout, a loss of offsite power coinci-dent with the failure of both EDGs, is 7.2E-4/yr. Therefore, it appeared that the probability of losing power to MCC-5 was of the same order of magnitude as a total station blackout.
The failure scenario for the ABT identified in the new probabilistic safety study completed by Northeast Utilities (the licensee) significantly affects the probabilistic frequency for a loss of power to MCC-5 (Ref. 5). The scenario presented in the new study (previously discussed in this report) was not identified in the 1983 PRA.
I Based on the new scenario, the frequency of a loss of power to "CC-5 is calcu- i lated as follows:
F(MCC-5) = F(LOSP)
- P(BKR) where:
F(MCC-5) = frequency of a loss of power to MCC-5 F(LOSP) = loss of offsite power frequency
( P(BKR) = probability of a breaker failing to close for Haddam Neck, F(LOSP) is assumed to be .2/yr and P(BKR), based on its yearly testing interval, is approximately 1.0E-2. Therefore, F(MCC-5), the frequency of a loss of power to MCC-5, becomes 2.0E-3 (Ref. 5). The current PRA indicates that the frequency of a loss of power to MCC-5 is an order of magnitude greater than the probability of a loss of offsite power coincident with a failure of both EDGs for other causes. Thus, a loss of power to the solenoid valves con-trolling the EDG cooling water supply valves was determined to be a significant safety concern.
The licensee blocked the EDG cooling water supply valves open by removing the control air lines which provide the air pressure necessary to hold the valves closed. This eliminates the potential for a loss of electrical power to MCC-5 to cause a loss of cooling water to the EDG heat exchangers. However, redundant and nonredundant equipment necessary for safety injection is still powered from MCC-5. A coincident loss of MCC-5 during a postulated loss of coolant accident (LOCA) would prevent initiation of safety injection and could lead to core damage. The resident inspector at Haddam Neck has raised this concern with the licensee (Ref. 6). The licensee stated that the probability of a LOCA with a loss of offsite power and coincident loss of MCC-5 is sufficiently low that imediate corrective action is not required. Region I has requested the Office of Nuclear Reactor Regulation (NRR) to review the potential concerns resulting from the new higher probability scenario for a loss of MCC-5 (Ref. 7). The region has also requested NRR to take the lead responsibility for reviewing the recently completed probabilistic safety study and for determining whether the
(
- The frequency of a loss of a single ac bus is small enough so that the loss of offsite power will dominate the frequency for a loss of power to the buses.
Br9
t licensee's plan of action regarding potential MCC-5 failure consequences during a postulated LOCA or main steam line break is acceptable. \
Generic Applicability To generically assess the extent to which air-operated valves are used in EDG cooling water systems, the EDG cooling systens at eight operating plants were reviewed. Because Stone and Webster (S&W) was the architect engineer (A/E) for both Maine Yankee and Haddsm Neck, the review included four S&W plants: North l Anna, Surry, Beaver Valley and Fitzpatrick. The other plants included in the review were licensed some time before or after Maine Yankee and Haddam Neck.
These were: Ginna, Oyster Creek, Quad Cities and Fort Calhoun, None of the plants examined used air-operated valves in their EDG cooling water systems (Ref. 8). Six of the plants used manually operated valves which were locked open to permit full cooling water flow through the EDG heat exchangers. One plant used a motor-operated valve for cooling water control and one plant uses I air-cooled EDGs. For additional independent verification, Reference 9 was reviewed to assess whether significant EDG failure operating experiences were reported to have been caused by air-operated valve problems associated with the EDG cooling supply. The review of Reference 9 revealed no evidence of other plants utilizing air-operated valves in their EDG cooling water control systems.
Due to the absence of data involving the loss of EDG cooling water (Ref. 9) caused by air-operated valve problems, it was concluded that the deficiencies associated with the design of the EDG cooling water systems at Maine Yankee and Haddam Neck were unique to those plants. Therefore, this issue does not
( appear to be a generic concern.
Similarly, the issue of using an ABT to provide redundant power supplies for ECCS equipment was examined to assess its generic applicability. Historically, the Nuclear Regulatory Comission has required that ECCS equipment be supplied by separate and redundant power sources. Exceptions to these requirements (e.g.,
MCC-5 at Haddam Neck) appear to have been accepted by the AEC on a case-by-case basis for some of the earlier licensed plants. To determine if any other operat-ing plants have vital motor control centers or load centers which receive normal and alternate power supplies through an ABT device, the design of six plants licensed in the 1960s and early 1970s were reviewed. They were: Quad Cities, Ginna, Zion, Oconee, Oyster Creek and Fitzpatrick. None of these plants were found to have an ABT arrangement similar to the design for MCC-5 at Haddam Neck (Ref. 10). Therefore, it appears that this arrangement is also unique to Haddam Neck and is, therefore, not a generic concern.
!NDINGS AND CONCLUSIONS Both of the design deficiencies evaluated in this study identified the potential for a failure in a nonsafety-related system to adversely affect the onsite safety-related EDG systems. Specifically, at Maine Yankee, the loss of the nonsafety-related air supply to the temperature control valves could have re-suited in a loss of cooling water flow to the EDG heat exchangers. At Haddam Neck, an interruption of power to the solenoid air pilot valves (which control the position of the EDG cooling water supply valves) could have resulted in a loss of cooling water flow to the EDG heat exchangers. A sustained interruption or complete loss of cooling water would cause the EDGs to overheat and subse-quently fail without prompt operator actions. The corrective action taken at both plents was virtually identical, uncomplicated and adequate - the air-B-10
(.. _ _ _ -_ __ __ _ . _ _ _ _ _ _ -
( operated valves controlling the cooling water supply to the EDG heat exchangers were blocked open. Blocking the valves open, in effect, eliminated the poten-tial adverse interaction between the safety-related system (i.e., the EDG cool-ing water system) and the nonsafety-related system (i.e., the air supply system).
However, a review of the EDG cooling water system designs at eight nuclear plants has led to the conclusion that the use of air-operated valves in EDG cooling water systems is unique to the Maine Yankee and Haddam Neck plants and that this issue is, therefore, not a generic concern.
At Haddam Neck, the use of an ABT to provide redundant power supplies to MCC-5 J was initially reviewed in the licensing process for the original plant design and was again accepted during the Systematic Evaluation Program review of exist-ing plant system configurations. However, a recently completed probabilistic safety study identified a previously unrecognized failure mechanism for the ABT which significantly affects the probabilistic frequency for a loss of power to MCC-5. The licensee found that a loss of MCC-5 would cause the loss of cooling water-to both EDGs and took appropriate corrective actions. However, signifi-cant redundant and nonredundant equipment necessary for safety injection is also powered from MCC-5. A coincident loss of MCC-5 during a postulated LOCA wou'Id prevent initiation of safety injection and could lead to core damage.
Region 1 has requested that NRR take lead responsibility to review the recently completed probabilistic safety study and determine whether the licensee's plan of action regarding potential MCC-5 failure consequences during a postulated LOCA or main steam line break is acceptable. A review to generically assess the use of ABTs to provide redundant sources of power to ECCS equipment concluded
( that this type of arrangement is unique to Haddam Neck and is, therefore, also not a generic concern.
SUGGESTIONS At both Maine Yankee and Haddam Neck, the cooline water supply to the EDG heat exchangers is dependent on the proper operation of air-operated control valves.
The interaction and impact of nonsafety-grade air systems on other nuclear -
plant systems is currently being evaluated on a generic basis by an AE0D case study on plant air systems. Therefore, it is suggested that the design defi- l ciencies identified at Maine Yankee and Haddam Neck be included in the plant air systems case study.
The use of an ABT to provide redundant power supplies to emergency core cooling I system equipment appears to be unique to the Haddam Neck plant. Since Region I has requested that NRR review the ABT issue at Haddam Neck, it is suggested l that no further AE00 review on this subject be taken at this time. ;
1 REFERENCES
- 1. Licensee Event Report 85-006, Maine Yankee Atomic Power Plant, Docket No. 50-309, June 25, 1985.
- 2. Licensee Event Report 85-029, Haddam Neck Plant, Docket No. 50-213, November 1,1985.
( 3. Letter from J. C. Ebersole, ACRS, to N. J. Palladino, Chairman, NRC,
Subject:
ACRS Report on the Systematic Evaluation Program Review of the Haddam Neck Plant, May 17, 1985.
B ,11
"----__m _ _ _ . _ __
l
- 4. D. Gallagher and others, " Review and Assessment of Various Automatic Bus Transfer Designs for Haddam Neck " performed for USNRC by Science Applications, Inc. May,1983.
- 5. Telecommunications between E. Leeds and F. Akstulewicz, NRC. and M. Bain, J. Bickle and D. Dube, Northeast Utilities, February 13, 1986.
- 6. NRC Inspection Report No. 50-213/85-21, January 5, 1986.
l 7. Memorandum from R. W. Starostecki, NRC, to F. Miraglia, NRC,
Subject:
Increased Potential for Loss of Offsite AC Power Leading to loss of Emergency Core Cooling, February 18, 1986.
- 8. Telecommunications between E. Leeds (AE00) and the resident inspectors at North Anna,Surry, Beaver Valley, Fort Calhoun, Ginna, Oyster Creek, Quad Cities and Fitzpatrick, April 10, 1986. .
i
- 9. NUREG/CR-2989, " Reliability of Emergency AC Power Systems at Nuclear Power Plants," by R. E. Battle and D. J. Campbell, July, 1983.
- 10. Telecommunications between E. Leeds (AE00) and the resident inspectors at Quad Cities, Ginna, Zion, Oconee, Oyster Creek and Fitzpatrick, April 10, 1986.
-(
L i
l l
l l
l
. B-12 -
~
L____________.__ ._ _ I
APPENDIX C Operation of Ralph A. Hiller Company Air Spring Actuators
'I
roh Ralph A. Hiller Company April 24, 1986 United States Nuclear Regu!atory Commission Of fice for Analysis and Evaluation And Occretional Data Mail Stop EWS205A Washington, D.C. 20555 ,
Attention: Mr. Al Ornstein
Dear Mr. Ornstein,
Per your request, enclosed are drawings of air spring act-uators and a description of their coerating orincioles.
OPERATION Plant air enters the fil ter/ regulator (I tem 7) and is regulated to operating pressure. The air is then oiced to the accumulator (item 1), which is an air storage tank, the 3-way solenoid valve (i tem 6), and the 4-way di rectional control valve (item 2). The 3-way solenoid valve (Item 6) controls the ooera-tion of the circuit.
To ooerate the ci rcui t, an electrical signal is sent to the solenoid valve (Item 6), which shifts from its failure mode and allows pilot air to be sent to the 4-way valve (item 2). The 4-way valve (l tem 2) shi f ts f rom its failure mode and allows operating air to flow to the actuator. Piping is arranged to allow air to enter under the actuator piston for a fail close actuator or over the actuator oiston for a fail open actuator.
As air oressure moves the actuator to the desired position, the air on the opposite side of the piston is simultaneously vented to the atmosphere throught the second port of the 4-way valve (I tem 2) and the exhaust muf fler (I tem 5). The rate of ooening and closing of the actuator is controlled by adjusting the flow control valves (i tem 8) .
For the actuator to move to its failure mode, the electrical signal to the solenoid valve (ltem 5) is stocoed and the solenoid valve moves to its failure mode. The oilot air suoplied to the 4-way valves (I tem 2) is then blocked and the air in the pilot line is vented to the atmosphere. This venting allows the 4-way valve (Item 2) to move to its failure mode, and the operating air being supplied to the actuator is shut off. The air in the act-uator is vented to the atmosphere through the 4-way valve (Item 2) and the exhaust muf fler (I tem 5), while simul taneousl y the ai r stored in the accumulator is allowed to flow through. the se9ond port of the 4-way valve and either (1 Over the actuator piston for a fall close actuator or (2. Under the actuator oiston for a 951Kilkarney Drive.Pittsburgh,Po.15234 4t2-882-53OO . Telex 81-2360 C-1 l !
l U.S. Nuclear Regulatory Commission Page 2 fall open actuator. Air tight joints and a check valve (ltem 4) will allow air from the accumulator to hold the actuator in the failed position until the solenoid is re-energized. I l hope that the drawings and explanation answer all your cuestions. If you require additional information, please contact me.
S incerel y yoursi, RALPH A. HILLER COMPANY
\ .e Michael Meketa.
Engineering / Quality Assurance Manager MM:es RolphR.HillerCompony 951Kiliomey Ddve Pittsburgh,Po.15234 c-2
NA/
O _. .
A 3_
P
/ W
_ _L E T.A M5 2 L'I
'7 F T A V AE P
/
R O.V.E T.
_ H _..
.t / ARU C_.E.FEP L L O
ky C OI A
R P, N E
G VL A C
S R A L 7.V_.M G RT LH /
C /_L. O E AJ-g LG R(
L . RN I R P.
E . CUAW_V 6 H O T . V __ 66_0/ A TO Q.
A B__
. U 6. F6 O A.Y_7 KU 6 RC C_A Y ET Y['r P T /R H S_,
A-MEHA
- 6 AP R
N B4 L C E3 FF N. R D
M __
. - h 4 S 678 -
E _ / _ 2 __ 3 T
/ _.
4 _ ~)' -
[\ &
s.
e
, L S
_ a f ;e, Q
- s 2 f
n-
~
6 o
~
i
^ .
M U J CM
,l L
C A
l 3
e e a s e e e e o
N E H
/T)VESf T C
,C
,T)VL
/A M/gLo W(AV /W(AL f L 6 Vc a
p
. .s
.p A~
/ LO 0
P2 M5 O S:
T .
Ol
.R/REL A'&9__.
.' O _. 8 'Q C RPA 7ACpA A.E
/ v, r ,_ u E ,6 O /R OS g
,g
. Ao
/o~ D-LH LG GE
'm. i fLiq I R /
O R. 4 H .U NF
~_-
~ . _
AB O /
_~ - HS L 6 6 q r _ P T- j Li NO i T . 3 "_.
AP R E T K
- :- _ __ =
w_ ll _
= _
_ _ ! J_ NR
/Dc
}Lr_= _
_ O _ _ 6L __
i_ _ _ _
gRu__==
_ __!t
_ gT c _ _ __
- ~; ONR- =. .
. . - i G._
c =-
_ pCll-O _
_ C __
%NE .
. )
4 T
X -_. _
_ W E
_ A =
R T
E
}
R c
L_itl
_ q4I l li E
_ 5
_ O_ R
&a_
~
U_ __ O T
_ _ - ~.~ _ L
, - r A
f( 6 ._
U x
L_ T
- 't C
A R RC O/
O T TT A AA L U1hO T UE U -
M C ET ANAN
_ O C
C _ RPR A _ ..
/E AYP E/LO PMRO YA/T l
- gk . TFA6 P.
- l
l Part 2 Operating Experience Related to Air Systems Problems Since December 1986 l
Operating Experience Related to Air Systems Problems Since December 1986
- 1. Emeraency Diesel Generators 1.1 Brunswick 1 and 2 In December 1986, Carolina Power and Light Company infonned the NRC of a I design deficency that was found at the Brunswick 1 and 2 plants. As noted in i References 2-1, 2-2, 2-3, a loss of offsite power could result in loss of all of the emergency diesel generators (EDGs) at the Brunswick Station.
A loss of offsite power at that station would result in a loss of instrument air. Loss of instrument air to the EDG building would result in closure of the air-operated ventilation dampers to each of the four EDG rooms. Operation of the EDGs subsequent to closure of the dampers would result in rapid EDG room heatup. Heatup of equipment in the rooms, particularly the EDG controls, to temperatures in excess of their qualification temperatures could cause degrada-tion and failure of the electrical and electronic components in the control panels. In essence, the EDGs could be disabled when needed to operate during a loss of offsite power event. This failure mechanism, which was common to all four EDGs at Brunswick, was discovered by a contractor perfonning a PRA for the licensee.
1.2 H. B. Robinson 2 On May 1,1987 as a followup to an NRC Safety Systems Functional Inspection (SSFI), Carolina Power and Light Company discovered a design deficiency in the EDG systems at the H.B. Robinson 2 plant (References 2-4 and 2-5). The licensee found that a loss of offsite power could result in a loss of all the EDGs.
The design deficiency was similar to that which had been found at the Brunswick station. A loss of offsite power would result in the startup of EDGs with j subuquent failures of the EDGs due to room heatup. The sequence of events which culd result is as follows: a loss of offsite power would result in a loss of ristrument air, a. loss of instrument air would result in closure of ,
air-operated ventilation dampers to the EDG room resulting in heatup of the i EDG controls to temperatures in excess of their qualification temperatures.
It should be noted that an earlier H.B. Robinson 2 air system reliability study (References 2-6, 2-7) recommended that the instrument air compressors be powered from the emergency bus, but the licensee did not implement that recommendation (see section 6-2 of case study report C701 for additional 4 details).
1.3 Cooper Station In May 1987, NRC's SSFI of the Cooper Station emergency electrical systems confinned C701's finding (section 5.1.7.2) that the EDGs require starting air to continue to operate. The SSFI report (Ref. 2-8) noted that the licensee had '
1 1
1 2-1 l
w- _ _ _ _ _ _ _ - - -
incorrectly determined that the air system was only required to start the diesel generators and incorrectly classified all system components upstream of the air receivers as nonessential.
The SSFI also found an EDG room cooling problem which was similar to the problems described above at the Brunswick and H.B. Robinson stations. A loss of the non-safety instrument air system would cause the dampers in the EDG rooms to close, causing EDG room heatup in excess of the maximum temperature for which the EDG controls were qualified.
1.4 Fort Calhoun On September 23, 1987, Omaha Public Power District discovered a coninon mode failure mechanism for the EDGs at the Fort Calhoun Nuclear Power Plant.
During a surveillance test an EDG tripped off 9 minutes after being loaded.
The trip was due to high engine cooling water temperature. Apparently, the exhaust damper on the EDG's radiator had failed to open. The damper failure was attributed to water in the backup air accumulator, and the presence of a gummy substance in a pilot valve and the internals of an air motor which was used for opening and closing the radiator exhaust damper.
The water was determined to have entered the instrument air system several months earlier from the fire system. The licensee had blown down the instrument air system when it discovered the water intrusion, but the licensee did not recognize that the water had entered the EDG air accumulators. The redundant EDG was also affected since the instrument air was supplied to both EDGs' dampers through a comon header. If a loss of offsite power had occurred while the air system was degraded, the high temperature trip would have been overrid-den and the first diesel could potentially have run to destruction, the second diesel would probably have also auto started and it could also have had the potential for a s;milar failure, resulting in a station blackout, with little chance for quick recovery of the dedicated EDGs (References 2-9, 2-10).
- 2. Power-Operated Relief / Valves 2.1 Surry 1 and 2 '
On December 23, 1986 and January 2,1987, Virginia Electric and Power Company found that contrary to plant safety analyses the power operated relief valves I (PORVs) at Surry I and 2 could not be opened within their allowable stroke times !
when using the safety-grade backup air accumulators. These deficiencies were discovered from tests which were performed in accordance with Information Notice 86-50, " Inadequate Testing to Detect Failures of Safety-Related Pneumatic Components or Systems," (Reference 2-11). Those tests represented the first time that the PORVs were tested using the backup air accumulators. Previous testing had been done using the non-safety instrument air system.
The licensee determined that the excessive stroke times were caused by inadequately sized air regulators, and undersized air lines between the accumulators and the PORVs. The deficiencies were discovered while both plants were in cold shutdown and the reactor vessels were not fully protected from pressure transients which may challenge appendix G limits (References 2-12 to 2-14).
2-2
2.2 Catawba 1 and 2 i
On March 10, 1987, Duke Power Company discovered that air supply piping to the pressurizer PORVs at Catawba I was incorrectly routed. As a result, nitrogen from the safety-related backup accumulators was supplied to the wrong valves.
Effectively, one of :wo PORVs required for mitigation of steam generator tube rupture events was inoperable. The liceasee did not know why this deficiency was not discovered during initial tests that were run in 1986.
The licensee indicated that a similar problem had been discovered earlier at Catawba 2, and that the problem had been corrected there previously (References 2-15 and 2 -16).
- 3. Inability to Achieve Safe Shutdown During/Subseauent to a Fire - Peach Bottom 3 A special safety inspection that was conducted by the NRC in April 1987 verified Philadelphia Electric Company's finding that a fire in a single area of Peach Bottom 3 could prevent the plant from being brought to a safe shutdown.
The four methods that the licensee had outlined for bringing Peach Bottom 3 to a safe shutdown during or subsequent to a fire all reauired the use of safety /
relief valves for depressurization. Operation of those valves requires the use of either instrument air or backup nitrogen. The piping connecting the instru- ,
ment air and the nitrogen to the valves was made of sweat fitted copper tubing. I It was found that a fire in one particular zone would cause the instrument air lines and the nitrogen lines to degrade thereby rendering the safety / relief j valves inoperable. (Reference 2-17) l 4 _ Control Room Habitability - Summer Plant In early 1987, South Carolina Electric and Gas Company performed a SSFI of the Sumer 1 plant's emergency feedwater system (EFW). That inspection found i several unreliable, incorrectly selected air-line check valves. Concerned about these design deficiencies, the licensee reviewed the Summer 1 plant's instrument air system for similar problems. In July 1987, the licensee found a non-safety related check valve was being used in the main instrument air supply header to backup accumulators for the control room normal and emergency air handling systems. A failure of this non-safety related air-line check valve could compromise control room habitability (References 2-18 to 2-21).
Subsequently, the licensee replaced the check valve, and the architect engineer filed a part 21 report (Reference 2-22).
- 5. Main Feedwater, Auxiliary Feedwater, and Emergency Feedwater Isolation Control Systems - Rancho Seco In Reference (2-23), the NRC reported the results of an Augmented Systems Review and Test Program Inspection (SRTP) which was performed at the Rancho Seco Nuclear Power Plant from December 1986 through February 1987. The inspection 2-3
team reviewed 8 systems including the instrument air system. The review of the instrument air system identified 31 problems, 6 of which were related to l inadequate provision for backup air for the main feedwater, the auxiliary j feedwater, and the new emergency feedwater isolation control (EFIC) system.
Deficiencies found included check valve design errors, incorrectly oriented check valves, accumulator sizing errors, inadequate monitoring of accumulator i pressure, and the use of non-seismically cualified valves for safety-related l functions.
- 6. Containment Isolation - Browns Ferry 1, 2 and 3 On September 2, 1987, Tennessee Valley Authority informed the NRC that restart testing at Browns Ferry 2 revealed that contrary to plant safety analyses, two primary containment isolation valves would not fail closed on loss of control l air. Such a failure would place the plant in an unanalyzed condition (Reference 2-24). The licensee determined that the valves were not designed to fail closed j upon loss of air. '
Subsequent review by the licensee determined that similar incorrectly specified isolation valves had been installed at Browns Ferry units 1 and 3. !
The incorrect valves had been installed in all three plants after 1982 as part of the licensee's equipment qualification program. Corrective actions are being implemented by the licensee.
i i
l 2-4 l
1 L___ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _ . _ . _ _ _ _ _ _ _ _ . . _ _ _ _ _ _ _ _ _ _ - _ _ _ _ _ _ _ _ _ _ _ - - -- --. -
' REFERENCES' 2-1 .U.S. Nuclear Regulatory Commission,10 CFR 50.72 Report Number 7297, December 24, 1986.*
2-2 Carolina Power and Light Company, Licensee Event Report (LER) 50-325/86-003, L . Brunswick 1, January 23, 1987.*
2-31 U.S. Nuclear Regulatory Comission, Office of Inspection and Enforcement.
Information Notice Number 87-09, " Emergency Diesel Generator Room Cooling Design Deficiency," February 5.1987.*
2-4 U.S. Nuclear Regulatory Comissicn 10 CFR 50.72 Report Number 8550, May 1, 1987.*
2-5 Carolina Power and Light Company, Licensee Event Report (LER) 50-261/87-006, H.B. Robinson Steam Electric Plant Unit 2, May 29, 1987.*
2-6 : EDS Nuclear Inc... "H.B. Robinson Unit 2 Instrument Air System Reliability Study," Report Number 03-1320 - 1035 Revision 0, December 17, 1982.
2-7 Memorandum from J. D. E. Jeffries, Carolina Power and Light, to B. J. Furr,
Subject:
"H.B. Robinson 2 Instrument Air System Reliability Study - CNS and EDS Nuclear, Inc., Recommendations," dated February 16, 1983.
2-8 U.S. Nuclear Regulatory Comission, Safety System Functional Inspection Report Number 50-298/87-10, Cooper Nuclear Station, September 22 1987.*
2-9 .U.S. Nuclear Regulatory Comission, Inspection Report-50-285/87-27, Fort Calhoun Station, October 23, 1987.*
2-10 U.S. Nuclear Regulctory Comission, Region IV Daily Report, November 3, 1987.*
2-11 U.S. Nuclear Regulatory Comission, Office of Inspection and' Enforcement, Information Notice Number 86-50," Inadequate Testing to Detect Failures '
of Safety-Related Pneumatic Components or Systems," June 18, 1986*
2-12 Virginia Electric and Power Company, Licensee Event Report (LER) 50-280/87-001, Surry Power Station, Unit 1, dated January 22, 1987.*
2-13 U.S. Nuclear Regulatory Commission 10 CFR 50.72 Report Number 7362, January 2,1987.*
2-14 U.S. Nuclear Regulatory Comission, Region II Daily Report, January 5, 1987.*
2-15 U.S. Nuclear Regulatory Comission, Region II Daily Report, March 12, ;
1987.* i
- Available in the NRC Public Document room at 1717 H Street, N.W.,
Washington, D.C. 20555 for inspection and copying for a fee.
2-5
2-16 U.S. Nuclear Regulatory Comission, Minutes of Operating Reactor Briefing i March 16,1987.*
2-17 U.S. Nuclear Regulatory Comission, Inspection Report 50-277/87-11; 50-278/87-11, Peach Bottom Units 2 and 3, May 6, 1987.*
2-18 U.S. Nuclear Regulatory Comission 10 CFR 50.72 Report Number 9487, July 30, 1987.*
2-19 U.S. Nuclear Regulatory Comission 10 CFR 50.72 Report Number 9588, August 7, 1987.*
2-20 U.S. Nuclear Regulatory Cemission, Pegion II, Daily Report, July 31.,
1987.*
2-21 U.S. Nuclear Regulatory Comission Inspection Report 50-395/87-19 Sumer Nuclear Station, August 6,1987.*
2-22 'U.S. Nuclear Regulatory Comission 10 CFR 50.72 Report Number 9590, l '7 August 7, 1987.*
l l
2-23 U.S. Nuclear Regulatory Comission Augmented Systems Review and Test Program Inspection Report Number 50-312/86-41, Rancho Seco Nuclear Generating Station, April 10, 1987.*
! 2-24 U.S. Nuclear Regulatory Comission 10 CFR 50.,72 Report Number 9843,
! September 2, 1987.*
- Available in the NRC Public Document room at 1717 H Street, N.W.,
Washington, D.C. 20555 for inspection and copying for a fee.
2-6 -
p , 7
3-y y g9,< .,
t . .
~~
-" u s wuc. ou meci.Iony Cownissio= 5 aoust Nuveta s wr*aar reoS naa ve *e . " ** <
waC eomu sas 3
o ssi .' r .
h"s"3% BIBLIOG .PH!C DATA SHEE7p NUREG-1275, Vol. 2
$tE aN$TauCTIONS ON TME mEVINSE 2 fit Lt .NQ Sv8111 La a Lt.vtgL.N.
Operating Expefience Fee 8 ack eport - Air Systems i
/
Problems . c.1.. c , cue,m ic f
Commercial Power Reactors "o~'- I
- =T aoa a.
1 November l 1987 f."/
. o.ri oraai ,,sp j
.t {
MONTH V4.h Harold i.. Ornstein I O pecember 1987
> 0 a.oa .~a ana.~ a.lio~ ~... .~a . .uso . goo,i , ,.., u c. , ,
. .on c1. .s ..oa y Nu .. a Office for Analysis and Evalua 'on of Operational "
/
Data 4 U.S. Nuclear Regulatory Cormissi s
- "~oa'"af""
j - ,
Washington, D.C. 20555 .
ia ., ~soa,~o o o.~,,y7,os ~.n .No 3,~o .oones. ,,,,, 9 c ,
y
/
i,j,ee,ei,ve, l 1
Sar,$e as above f -
> ,,,,,,,co,,,,o,,,,,,,,,,,,,,,
4
.A l
i2 $vPPLEMt%1.Rv NOTES g 2 2 ..st a .C. ,= .r , i This report highlights significant 'ratin'g dvents.invc1ving observed or '
potential failures of safety-relat - stems in U.S. plants that resulted I from degraded or malfunctioning ,n-s ety orade air systems. Based upon I the evaluation of these events the Of ice for Analysis and Evaluation of
' Operational Data-(AE0D) conc 1 es that he issue of air systems problems is an important ona'which requ es additio 31 NRC and industry attention.
This report also provides OD's recomme dations for corrective actions to deal with the issue.
i J
r I
' , 3 14 DDCvMt 41.N.L v5as - KE S A083 DESCmiP'Qa5 16 . T v.aTeuiNT
,L.ti u Y v j OperatJn Experience Feeaback unlimited ]
' Air S tems Problems
, J
'6 $ECVaiTv CL.88afic.710N 1 iTnon neres e IDENT>,iER&'OPf N ENDED Tsar th (Faes re unciorrsassifieo 17 NUMStB of P.Gib I:
y i8 PRiLE j
. # 4 I i
, l 'l '.
- - -- ---