auxiliary feedwater system risk-based inspection guide for
TRANSCRIPT
NUREG/CR--5616
TI91 000762
Auxiliary Feedwater SystemRisk-Based Inspection Guidefor the Diablo Canyon Unit 1Nuclear Power Plant
,Manuscript C_mpleted: August 1990
l.)ate Published: August 199() DISCLAIMER
This report was prepared as an account of work sponsored by an agency of the United States
l'repat'ed by Government. Neither tile United States Government nor any agency thereof, nor any of their
B, ]:, (Jl_re, 'l' V, V(L 1), (J, [-{arl'is(m employees, makes any warranty, express or implied, or assumes any legal liability or responsi.bility for the accuracy, completeness, or usefulness of any information, apparatus, product, or
process disclosed, or represents that its use would not infringe privately owned rights. Refer-
ence herein to any specific commercial product, process, or service by trade name, trademark,manufacturer, or otherwise dees not necessarily constitute or imply its endorsement, recom-
P;:tcit'ic Nurthwest l_tbcwatcwy mendatJon, or favoring by the United States Government ur any agency thereof, The views
Richland, WA 99352 and t_pil_ions of authors expressed herein do not necessarily state or reflect those of theUnited _tates Government or any agency thereof.
Prepared for
Division of Radiation Protection and Emergency Preparedness()fflee of Nuclear Reactor RegulationU.S. Nuclear Regulatory CommissionWashington, DC 20555NRC FIN LI310
SUMMARY
This document presents a compilation of auxiliary feedwater (AFW) systemfailure information which has been screened for risk significance in terms offailure frequency and degradation of system performance, lt is a risk-prioritized listing of failure events and their causes that are significantenough to warrant consideration in inspection planning at Diablo Canyon.This information is presented to provide inspectors with increased resoursesforinspection planning at Diablo Canyon.
The risk importance of various component failure modes was identified byanalysis of the results of probabilistic risk assessments (PRAs) for manypressurized water reactors (PWRs). However, the component failure categoriesidentified in PRAs are rati_er broad, because the failure data used in thePRAs is an aggregate of many individual failures having a variety of rootcauses. In order to help inspectors to focus on specific aspects of componentoperation, maintenance and design which might cause these failures, an extensivereview of component failure information was performed to identify and rankthe root causes Of these component failures. Both Diablo Canyonand industry-wide failure information was analyzed. Failure causes were,sorted on thebasis of frequency of occurrence and seriousness of consequence, and catagorizedas commoncause failures, humanerrors, designproblems, or component failures.
This information is presented in the body of 'this document. Section 3.0provides brief descriptions of these risknimportant failure causes, and Section5.0 presents more extensive discussions, with specific examples and references.Theentries in the two sections are cross-referenced.An abbreviated system walkdown table is presented in Section 3.2 which includesonly components identified as risk important. This table lists the systemlineup for normal, standby system operatinn.
This information permits an inspector to concentrate on components importantto the preventionof core damage, However, it is Importantto note thatinspectionsshould not focus exclusivelyon these components, Other componentswhich perform essentialfunctions,but which are not included becauseof highreliabilityor redundancy,must also be addressedto ensure that degredationdoes not increase their failureprobabilities,and hence their risk importances.
CONTENTS
SUMMARY................................................................. iii
10 INTRODUCTION 1e , eeooeoeoOeeoeeoeeee4eeo6oeeeeooeeoooeee oo6eeoee
2.0 DIABLO CANYONAFWSYSTEM.............. . ........................... 2
2.1 SYSTEMDESCRIPTION...................... .................... 2
2.2 SUCCESSCRITERION....................................... ,... 2
23 SYSTEMDEPENDENCIES.................. . ....... ................ 2
2 4 OPERATIONALCONSTRAINTS 2• le•lI•m1•eq6te_,loeleoelol•ooeeoo,lee
3.0 INSPECTIONGUIDANCEFORTHE DIABLO CANYONAFWSYSTEM........ , .... 5
3.1 RISK IMPORTANTAFWCOMPONENTSANDFAILURE MODES....... ...... 5
3.1.1 MUTLIPLEPUMPFAILURESDUETO COMMONcAUSE ........ ,.. 5
3.1.2 TURBINEDRIVENPUMPI-i FAILS TO STARTORRUN ........ 6
3.1.3 MOTORDRIVENPUMPI-.2 OR i-3 FAILS TO START
OR RUN 7eeoeeeeeeoeeooe_eeooloomlem•oeomoe•,• eooeeoi•e
3.1.4 PUMP1-i, i-2 ORI-3 UNAVAILABLEDUETO
MAINTENANCEOR SURVEILLANCE 7ee•eee•e•oeoeoeeeeoeeooooe
3.1.5 ELECTROHYDRAULICCONTROLLEDVALVESLCV-IIO,
111, 113, OR 115 FAIL CLOSED........ ................. 7
3.1.6 MOTOROPERATEDVALVESLCV-I06° 107,
108 OR I09 FAIL CLOSED 7! ••eooee_eoeoeeo•eoe•oooe¢e_eee
3.1.7 MANUALSUCTIONORDISCHARGEVALVESFAIL CLOSED....... 8
3.1.8 LEAKAGEOF HOTFEEDWATERTHROUGHCHECKVALVES........ 9
3.2 RISK IMPORTANTAFWSYSTEMWALKDOWNTABLE .................... 9
4.0 GENERICRISK INSIGHTS FROMPRAs .................................. 12
4.1 RISK IMPORTANTACCIDENTSEQUENCEINVOLVINGAFW
SYSTEMFAILURE LOSSOF POWERSYSTEM......................... 12
4.2 RISK IMPORTANTCOMPONENTFAILURE MODES.......... , ........... 13
CONTENTSJ
(Continued)
q ,I•
5.0 FAILURE MODESDETERMINEDFROMOPERATINGEXPERIENCE............... 14
5.1 DIABLO CANYONEXPERIENCE.... .................................. 14
5 2 INDUSTRYWIDE EXPERIENCE 15e eoe'eoeooneoo6ooooeeo_eeoo|eeeeoeoeeo
5.2.1 COMMONCAUSEFAILURES................................ 15
5.2.2 HUMANERRORS.......... ...................... . ........ 18
5.2.3 DESIGN/ENGINEERINGPROBLEMSANDERRORS....... ....... 18
5 2 4 COMPONENTFAILURES 19e • e•eee•eeomememmoee•oeeeomeomeme•emm
REFERENCES 23_emooeeeeeemeeoeemoeeeeoee•e,emeo*eeeuomeeoo,m•emeeeoo•oeo•em
vi
1.d INTRODUCT,]ON
This document is /the first of a series providing plant-specific inspectionguidance for auxiliary feedwater (AFW) systems at pressurized water reactors(PWRs). This guidance is based on information from probabilistic riskassessments (PRAs) for slmilar PWRs, industry-wide operating experience withAFW systems, plant-specific AFW system descriptions, an(! plant-specificoperating experience, lt is not a detailed inspection plan, but rather acompilatiorl of AFW system failure ,information which has been screened forrisk significance in terms of failure frequency and degradation of systemperformance. The result is a risk-prioritized listing of failure events andtheir causes that are significant enough tO warrant consideration in inspectionplanning at Diablo Canyon.
This inspection guidance is presented in Section 3.0, following adescription of the Diablo Canyon AFW system in Section 2.0. Section 3.0identifies the risk important syttem components by Dial)lo Canyon identificationnumber, followed by brief descriptions of each of the various failure causesof that component. These include specific human errors, design deficiencies,and hardware failures. The discussions also identify where common causefailures have affected mu'It_ple, redundant Components. These brief discussions
identify specific aspects of system or component design, operation, maintenance,or testing for inspectiorl by observation, records revlew, training observation,procedures review, or by observation of the implementation of procedures. AnAFW system walkdown table identifying risk important components and theirlineup for normal, standby system operation is also provided.
The remainder of the doc _ment describes and discusses the informationused in compiling this inspe t.ion guidance. Section 4.0 describes the riskimportance information whicl" has been derived from PRAs and its sources. Asreview of that section will show, the failure caLegories identified in PRAsare rather broad (e.g., pump fails to start or run, valve fails closed).Section 5.0 addresses the specific failure causes which have been combinedunder these categories.
AFW system operating history was studied to identify the various specificfailures which have been aggregated into the PRA failure mode categories.Section 5.1 presents a summary of Diablo Canyon failure information, and Section5°2 presents a review of industry-wide failure information. The industry-wide information was compiled from a variety of NRC sources, including AEODanalyses and reports, inl:ormation notices, inspection and enforcement bulletins,and generic letters, and from a variety of INPO reports as weil. Some LicenseeEvent Reports and NPRDSevent descriptions were also reviewed individually.Finally, information was included from reports of NRC-sponsored studies ofthe effects of plant aging, which include quantitative analyses of reportedAFW system failures, lhis industry-wide information was then combined withthe plant-specific failure information to identify the various root causes ofthe PRA failure categories, which are identified in Section 3.0.
2.0 DIABLO CANYONAFWSYSTEM
This section presents an overview description of the Diablo Canyon AF'Wsystem, including a simplified schematic system diagram. In addition, thesystem success criterion, system dependencies, and administrative operationalconstraints are also presented.
2.1. System Descrip_t_io_nn
The AFW_systemprovides feedwater to the steam generators (SG) to allowsecondary-side heat retnoval from the primary system when main feedwater isunavailable. The system is capable of functioning for extended periods, which._llows time to restore main feedwater flow or to proceed with an orderlycooldown of the plant to where the residual heat removal (RHR) system canremove decay heat. A simplified schematic diagram of the AFWsystem iS '_hownin Figure 2.1.
The system is designed to start up andestablish flow within one minuteof an automatic start signal. Ali pumps start on receipt of a steam generatorlow-low level signal. (The motor drlven pumps start on low level in one SG,whereas, two low ,level signals are required for a turbine driven pump start.)The motor driven (MD) pumps start on a trip of MFWpumps or a safety injectionsignal and the single turblne driven (TD) pump starts on undervoltage of both12-KV buses.
The normal AFWpump suction is from the condensate storage tank (CST).Each pump draws from a commonheader through a locked-open isolation valveand a check valve. Power, control, and instrumentation associated with eachmotor-driven pump are independent fr am one another. Steam for the turbinedriven pump is supplied by steam generators I-2 and i-3 from a point upstreamof the main steam isolation valves, through valve FCV-95. Each AFWpump isequipped with a continuous recirculation flow system, which prevents pumpdeadheading.
Each auxiliary feedwater pump discharge is provided with a check valveand locally operated isolation valve. Relief valves on the suction lines tothe pumps prevent main feedwater backleakage through the check valves Fromoverpressurizing the suction lines. Each motor-driven pump normally suppliesfeedwater to only two steam generators, but the headers may be cross-connected.The turbine-driven pump normally supplies all four steam generators.
The CST is the normal source of water fo_ the AFWSystem and is requiredto store sufficient demineralized water to maintain the reactor coolant system(RCS) at hot standby conditions for 8 hours with steam discharge to atmosphere.Ali tank connections except those required for instrumentation, auxiliaryfeedwater pump suction, chemical analysis, and tank drainage are located abovethis minimum level. AFWsuction may also be switched to tile raw water reservoirusing the alternative suction valves.
Five additional back-up supplies of water are available. "Fheseare thecondenser hotwell, the transfer tank, the fire water tank, Diablo Creek, andthe Pacific Ocean.
2
2,2 Success Criterion
System success requires tile operation of ai:, least one pump supplying ratedflow to at least two of the four steam generators,
r
2 3 S_.ystemDependenciesi
The AFWsystem clepencls on AC power for motor-driven pumps and level controlvalves, DC power for control l)ower to pumps and valves, and an automatic
" actuation signal. In _dclition, tIle turbine-driven punlp also requires steamav,ai lability.
l
2.4 Operational Constraints
Whenthe reactor is critical the Diablo Cahyon Technical Specificationsrequire that all three AFWpumps anti'associated flow paths are operable witheach motor-driven pump powered from a different vftal bus. If one AFWpump
i lt must be restored to operable status within 72 hoursbecomes noperable,or the plant must sht_'t down to hot standby within the next six hours. If twoAFWpumps are inoperable, the plant must be shut down to hot standby withinsix hours. With three AFWpumps inoperable, corrective action to'restore atleast one pump to operable status must be initiated immediately.
The Diablo Canyon Tecl_nical Specifications require an eight hour supplyof water to be stored in the CST (178,000 gallons), with back up suppliesmaintained in the fire water transfer tank (270,000 gallons), and in the rawwater reservoirs.
3.0 INSPECTION GLIIDANCE FOR TIIE DIABI.:O CANYONAFW SYSTEM
Irl this section the risk important components of the Diablo Canyon AFWsystem are identified, and the important modes by which they are likely tofail are briefly described. These failure modes include specific human errors,design problems, and types of h_r'dware failures which have been observed tooccur for these types of conlponents, both at Diablo Canyon ancl at PWRsthroughout the nuclear industry. The discussions also identify where commoncause failures have affected multiple, redundant components. These briefdiscussions identify specific aspects of system or component design, operation,maintenance, or testing for observation, records review, training observation,_rocedures review or by observation of the implementation of procedures.
Table 3.1 is an abbreviated AFW system walkdown table which identifiesrisk important components. This table lists the system lineup for normal,standby system operation. Inspection of the components identified addressesessentially all of the risk associated with AFW system operation.
3.1 Risk Important AFW ComL_onents and Failure Modes
Common cause failures oF muItiple pumps are tile most risk-important failuremodes of AFW system components, lhese are followecl in importance by single pumpfailures, level control valve failures, and individual check valve backleakagefai lures.
The following sections address each of these failure modes, in decreasingorder of importance. T}ley present the inlportant root causes of these componentfailure modes which have been distilled fronl historical recorcls. Each itenlis keyed to discussions in Section 5.2 which present additional informationon historical events.
3.1.1 Multiple PumD_Failures clue to Common Cause
. The f ol lowi _,a listing su111111arizesthe most important multiple-pump failuremodes identified in Section 5.2.1, Conlmoll Cause Failures, and each item iskeyed to entries in thaL section.,
• Incorrect operator intervention int.o automatic system functioning,including improper manual starting ancl securing of pumps, has causedfailure of all pumps, including overspeecl trip on start, up, and inabilityto restart prematurely secured pumps. CCl,
• Valve mispositioning has caused failure of all pumps. Pump suction,steam supply, and instrumerlt isolation valves have been involved. CC2.
• Steam binding has caused failure of multiple pumps. This resulted fromleakage of hot feedwater [)ast check valves into a common discharge header,with several valves involved including a motor-operated discharge valve.(See item 7 below,) CCIO, Mult. iple-pump steam binding has also resultedfrom inlpropervalve lineups, and-lro,lrunnirlga pulnpcleaclheadecl,CC3,
5
• Pumpcontrol circuit deficiencies or design modification errors havecaused failures of multiple i)UlllpSto atfto start', spurious pump tripsduring operation, and failures to restart after pump shutdown. CC4.Incorrect setpoints and control circuit calibrations have also prevented ',
proper operation of mul_iple pumps. CC5.
, Loss of a vital power bus has failed both the turbine-driven and onemotor-driven pump due to loss of control power to steam admission valvesor to turbine controls, and to motor controls powered from the same bus.CC6.
• Simultaneous startup of multiple pumps has caused oscillations of pumpsuction pressure causing multiple-pump trips on low suction pressure,despite the existence of adecluate static net positive suction head (NPSH).CC7. Design reviews have identified inadequately sized suction pipingwhich could have yielded insufficient NPSHto support operation of morethan one pump. CC8.
3.1.2 Turbine Driven Pump I-I Fails to Start or Run
• Improperly adjusted and inadequately maintained turbine governors havecaused pump failures. HE2. Problems include worn or loosened nuts, setscrews, linkages or cable connections, oil leaks and/or contamination,and electrical failures of resistors, transistors, diodes and circuitcards, and erroneous grounds and connections. CF5.
• Terry turbines with WoodwardModel EG governors have been found tooverspeed trip if full steam flow is allowed on startup. Sensitivitycan be reduced if a startup steam bypass valve is sequenced' to open first.DEl.
• Condensate slugs in steam lines have caused turbine overspeed trip onstartup. Tests repeated right after such a trip may fail to indicatethe problem due to warming and clearing of the steam lines. Surveillanceshould exercise all steam supply connections. DE2.
• Trip and throttle valve (FCV-157) problems which have failed the turbinedriven pump include physically bumping it, failure to reset it followingtesting, and failures to verify control room indication of reset. HE2.Whether either the overspeed trip or TTV trip can be reset withoutresetting the other, indication in the control room of TTV position, andunambiguous local indication of an overspeed trip affect the likelihoodof these errors. DE3.
• Turbines with Woodward Model PG-PL governors have tripped on overspeedwhen restartecl shortly after shutdown, unless an operator has locallyexercised the speed setting knob to drain oil from the governor speedsetting cylincler (per proceclure). Automatic oil dump valves are nowavailable through Terry. DE4.
3.1.3 Motor Driven Pump i-2 or !-_3 Fails to Start or Run
• control circuits used for automatic and manual pump starting are animportant cause of motor driven pump failures, as are circuit breakerfailures. CF7.
• M_spositioning of handswitches and procedural deficiencies have preventedautomatic pump start. HE3.
• Low lubrication oil pressure resulting from heatup due to previous, operation has prevented pump restart due to failure to satisfy the
protective interlock. DE5.
3.1.4 _PumpI-Is i'2 or I-3 Unavailable Due to Maintenance or Surveillance
• Both scheduled and unscheduled maintenance remove pumps from operability.Surveillance requires operation with an altered line-up, although a pumptrain may not be declared inoperable during testing. Prompt schedulingand performance of maintenance and surveillance minimize thisunavailability.
3.1.5 Electrohydraulic Controlled Valves Lcr-IlO i__II iI_____3or 115 Fail Closed
These normally-open EHVs control flow from the motor driven pumps to eachof thesteam generators. They fail open on loss of hydraulic pressure,
• EHVperformance has been poor at other facilities, primarily due tohydraulic problems. CF6. Diablo Canyon experience has been much better.
• Leakage Of hot feedwater through check valves has caused thermal bindingof normally closed flow control MOVs. EHVs may be similarly susceptible.CF2.
• Multiple flow control valves have been plugged by clams when suctionswitched automatically to an alternate, untreated source. CC9.
3.1.6 Motor 02erated Valves LCV-I06_ !Q7_ 1081 or 109 Fail Closed
These normally open MOVscontrol flow from the turbine driven pump toeach of the steam generators. They fail as-is on loss of power.
• Commoncause failure of MOVshas resulted from failure to use electricalsignature tracing equipment to determine proper settings of torque switchand torque switch bypass switches. Failure to calibrate switch settingsfor high torques necessary under design basis accident conditions hasalso been 'involved, CCII.
• Valve motors have been failed due to lack of, or improper sizing or useof thermal overload protective devices. Bypassing and oversizing shouldbe based on proper engineering for design basis conditions. CF4.
• Out-of-adjustment electrical flow controllers have caused improperdischarge valve operation, affecting multiple trains of AFW. CC12.
• Grease trapped in the torque switch sl)ring pack of Limitorque SMBmotoroperators nas caused motor burnout or thermal overload trip by preventingtorque switch actuation. CF8.
• Manually reversing the direction of motion of operating MOVshasoverloaded the motor circuit. Operating procedures should providecautions, and circuit designs may prevent reversal before each stroke isfinished. DE7.
• Space heaters designed for preoperation storage have been found wired inparallel with valve motors which had not been environmentally i qualifiedwith them present. DE7.
3.1.7 Manual Suction or Discharqe Valves Fail Closed
TD Pump I-i Train: Valves 1-121 r !-124t or 1-135MD Pump i-2 Train: Valves 1-159_ 1-162 t or 1-169MD Pump i-3 Train: Valves 1-180 t .I-183. or 1-190
These manual valves are normally sealed open. For each train, closureof the first valve listed would block suction from CST I-i. Closure of thesecond valve would block all pump suction. Closure of the third valve wouldblock all pump discharge except recirculation to CST I-i.
• Valve mispositioning has resulted in failures of multiple trains of AFW.CC2. lt has also been the dominant cause of problems identified duringoperational readiness inspections. HEI. Events have occurred most oftenduring maintenance, calibration, or system modifications. Importantcauses of mispositioning include:
• Failure to provide complete, clear, and specific procedures fortasks and system restoration
• Failure to promptly revise and validate procedures, training, anddiagrams following system modifications
• Failure to complete all steps in a procedure• Failure to adequately review uncompleted procedural steps after
task completion• Failure to verify support functions after restoration• Failure to adhere scrupulously to adnlinistrative procedures regarding
tagging, control and tracking of valve operations• Failure to log the manipulation of sealed valves• Failure to follow good practices of written task assignment and
feedback of task completion information• Failure to provide easily read systein drawings, legible valve labels
corresponding to drawings and procedures, and labeled indicationsof local valve position
8
3.1.8 Leakage of Hot Feedwaterthro__u.ughCheck Valves:
At MFWconnections: Valves _-377 1-378, 1-379, or 1-380Between Pump I-i and MFW:Va,yes i-369, 1-37i_ F--_-_-3_or 1-375Between Pumpi_.2 and _FW: Valves 1 370 or 1-372Between Pump.I-3 and MFW VaFves 1 374 or 1-376At PumpDischarqes: Valves 1-36.!_ 1-362, or 1-363
• Leaka.ge of hot feedwater through several check valves in series has caused
steam binding of multiple pumps Leakage through a closed level controlvalve in series with check valves has also occurred, as wou dbe, requiredfor leakage to reach the motor driven pumps I-2 and i-3. CCIO.
• Slow leakage past the final check valve of a series may not force upstreamcheck valves closed, a!lowing leakage past each of them in turn. Pipingorientation and valve design are important factors in achieving trueseries _rotection. CFI.
3.2 Risk ImportantAFW Szsten_Walkdown Table
Table 3.1 presentsan AFW systemwalkdown table includingonly componentsidentifiedas risk important. This informationallows inspectorsto concentratetheir effortson componentsimportantto preventionof core damage. However,it isessential to note that inspectionsshould not focus exclusivelyon thesecomments. Other componentswhich performessential functions,but which areabsent from this table becauseof high reliabilityor redundancy,must alsobe addressedto ensure that their risk importancesare not increased. Examplesincludethe (open)steam lead isolationvalves upstream of FCV-95,an adequatewater level in the CST, and the (closed)valves cross connectingthe dischargesof the two motor-drivenAFW pumps.
TABLE3.1. Risk Important AFWSystem Walkdown Table
Required ActualComponent # ,ComponentName, Location Position Position
Air
E,Iectr cal
I-I Turbine-Driven Pump Racked In/Closed
i-2 Motor-Driven Pump Racked In/Closed
i-3 Motor-Driven Pump Racked In/Closed
Valve
1-135 AFWTDP I-i Discharge Valve Sealed Open
1-169 AFWMDP I-.2 Discharge _Valve Sealed Open
1-190 AFWMDPI-3 Discharge Valve Sealed Open
1-121 AFWTDP i-I Suction Valve Sealed Open
1-124 AFWTDP I-I Suction Valve Sealed Open
1-159 AFWMDPI-2 Suction Valve Sealed Open
1-162 AFWMDPI-2 Suction Valve, Sealed Open
1-180 AFWMDPI-3 Suction Valve Sealed Open
1-183 AFWMDP i-3 Suction Valve Sealed Open
I-LCV-I06 _ AFWTDP I-I to SG i-I Level OpenControl Valve
I-LCV-I07 AFWTDP I-I to SG I-2 Level OpenControl Valve
I,-LCV-I08 AFWTDPI-I 'Lo SG I-3 Level OpenControl Valve
I-LCV-109 AFWTDP i-I to SG I-4 Level OpenControl Valve
I-LCV-IIO AFWMDP I-2 to SG i-i Level OpenControl Valve
10
TABLE3.1. Risk Important AFWSystem Walkdown Table (Continued)
I-LCV-III AFWMDPi-2 to SG I-2 Level OpenControl Valve
I-LCV-II3 AFWMDPI-3 to SG I-4 Level OpenControl Valve
I-LCV-II5 AFWMDPI-3 to SG 1-3 Level OpenControl Valve
I-FCV-436 Raw Water Storage Reservoir ClosedTDP Isolation Valve
I-FCV.437 Raw Water Storage Reservoir ClosedMDP Isolation Valve
I-FCV-95 AFWTDP Steam Admission Valve Closed
I-FCV-152 AFWTDP Throttle-Trip Valve Open
1-377 Piping Upstream of Check Valve Cool
1-378 Piping Upstream of Check Valve Cool
1-379 Piping Upstream of Check Valve Cool
1-380 Piping Upstream of Check Valve Cool
Ii
4.0 GENERICRISK INSIGHTS FROMPRAs
PRAs for 13 PWRswere analyzed to identify risk-important accidentsequences involving loss of AFW, and to 'identify and risk-prioritize thecomponent failure modes involved. The results of this analysis are describedin this section. They are consistent with results reported by INEL and BNL(Gregg et al 1988, and Travis et al, 1988).
4.1 Risk Important Accident Sequences Involving AFWSystem Failure
Loss of Power System
• A loss of offsite power is followed by failure of AFW. Due to lackof actuating power, the PORVscannot be opened, preventing adequatefeed-and-bleed cooling, and resulting in core damage.
• A station blackout fails all AC power except Vital AC from DCinvertors, and all decay heat removal systems except the turbine-driven AFWpump. AFWsubsequently fails due to battery depletionor hardware failures, resulting in core damage.
• A DC bus fails, causing a trip and failure of the power conversionsystem. One AFWmotor-driven pump is failed by the bus loss, andthe turblne-driven pump fails due to 'loss of turbine or valve controlpower. AFWis subsequently lost completely due to other failures.Feed-and-bleed cooling fails because PORVcontrol is lost, resultingin core damage.
Transient-Caused Reactor or Turbine Trip
• A transient-caused tr____is followed by a loss of PCSand AFW.Feed-and--b_leed cooling fails either due to 'Failure of the operatorto initiate it, or due to hardware failures, resulting in core damage.
Loss of Main Feedwater
• A feedwater' line break dr'ains the commnnwater source for MFWandAFW. The operators fail to provide feedwater from other sources,and fail to initiate feed-and-bleed cooling, resulting in core damage.
• A loss of main feedwater trips the plant, and AFWfails due to operatorerror and hardware failures. The operators fail to initiatefeed-and-bleed cooling, resulting in core damage.
S_.'eamGenerator Tube Rupture
• A SGTRis followed by failure of AFW. Coolant is lost from the primaryuntil the RWSTis depleted. HPl fails since recirculation cannot beestablished from the empty sump, and cor_; damage results.
12
4.2 Risk Important Component Failure Modes
The generic component failure modes identified from PRAanalyses asimportant to AFWsystem failure are listed below in decreasing order ofrisk importance.
I. Turbine-Driven Pump Failure to Start or Run.
2. Motor-Driven Pump Failure to Start or Run.
31 TDP or MDPUnavailable due to Test or Maintenance,
4. AFWSystem Valve Failures
• steam admission valves• trip and throttle valve• flow control valves• pump discharge valves• pump suction Valves• valves _in testing or maintenance.
5. Supply/Suction Sources
• condensate storage tank stop valve• hot well inventory• suction valves.
In addition to individual hardware, circuit, or instrument failures,each of these failure modes may result from commoncauses and humanerrors. Commoncause failures of AFWpumps are particularly riskimportant. Valve failures are somewhat less !mporI_ant due to themultipl_city of steam generators and connection paths. Humanerrors ofgreatest risk importance involve: failures to initiate or control systemoperation when required_ failure to restore proper system lineup aftermaintenance or testing; and failure to switch to alternate sources whenrequired.
13
5,0 FAILURE MODESDETERMINEDFROMOPERATING EXPERIENCE
This section describes the primary root causes of component fallures ofthe AFW system, as determined from a review of operating histories at DiabloCanyon and at other PWRs throughout the nuclear industry, Section 5.1describes experience at Diablo Canyon. Section 5.2 summarizes informationcompiled from a variety of NRC sources, including AEOD analyses and reports,information notices, inspection and enforcement bulletins, and generic letters,and from a variety of INPO reports as weil. Some Licensee Event Reports (LERs)and NPRDS event descriptions were also reviewed individually. Finally,information was included from reports of NRC-sponsored studies of tile effectsof plant aging, which include quantitative analyses of AFW system failurereports. This information was used to identify the various root causes expectedfor the broacl PRA-based failure categories identified in Section 4.0, resultingin the inspection guidelines presented in Section 3.0,
5.1 Di ablo Canyon Experien_ce
Tile AFW system at Diablo Canyon has experienced only 15 significantequipment failures since I_85. These include failures of the AFW pumps, thepump discharge level control valves to steam generators, and pump suction anddischarge valves, Failure modes include elect, rical, instrumentation, andhardware failures, and human errors.
AFW Pu_) Coritrol Log_i_%___Instrumentation and Electrical Failures
There have been five failures of the AFW pumps to st:art and/or runexperienced since 1985. These have resulted from failures of a pressure switch,flow transmitter, pressure gage tap root valve being open, breaker, levelindicator or o_her pump rel_ted failures. Tile failure causes are mechanicalwear, corrosion, or inadequate t:est procedures. Failure of the turbine-drivenpump to achieve rated speed or discharge pressure has resulted from incorrectgovernor adjustment.
Failure of AFW Pump_Discharcle Level Control Valve to Steam Generator
There have been three failures of the pump discharge level control valvessince 1985. These have resulted from valve control circuit failures causedby relay failure, mechanical wear, and by contact oxidation. These valveshave also experienced various packing leaks, as have pump discharge checkvalves.
AFW Valve Failures
Since ]985 there have been only two events involving AFW valve failures.One was a MOV failure caused l)y failure of the overload relay to reset. Thesecond was a manual valve failur'e caused by a sheared valve key.
14
Human Errors
There have been 'five significant humdn errors affect'ing tile AFWsystemSince 1985. Personnel have inadvertently actuated the AFWpumps during tes*[;ing,failed to calibrate equipment or' realign equipment irl the correct positiorlfollowing l_laintenance and testing, and improperly instal led valve pack;,l!],Both personnel et'ror and inadequate procedures have been involved.Misunderstanding of operability requirements has resulted in equipment ex(;:eedingI echni cal Speci f i cat ions I i mit s.
5.2 In dust r _L.Wi_(_l__,..F.[.x;_!__'_i.(2.r_!.(Le4
'Human errors, design/engirleering problems and errors, and coIllI)OWlentfailures are the i)rimary roet causes of AFWSystem failures identified in areview of industI'y wide system operating history. Commoncause failures,which disable more than one train of'this operationally redundant system, arehighly risk sigrlificant, and ca_,result from all of these causes,
This section id[_ntifies important commoncause failure modes, and thenprovides a broader discussion of the single failure effects of human errors,design/engineering problems and errors, and component failures. Paragraphspresenting details of tilese failure modes are coded (e.g., CCI) and (:ross-.referenced by inspection items in Section 3.
5.2.1 ComnlonCause Failures
lhe dominant cause of AI--Wsystem multiple-train failures ilaS buen humanerror. Design/engineering errors and component failures have been lessfrequent, but nevertheless significant, causes of multiple train failures.
CCI. Humanerror 'irl the form of incorrect operator intervention into automaticAFWsystem functioning during transients resulted in the temporar] loss ofall safety-grade AFWpumps during events at Davis Besse (NUREG-1154, 1985)arld Trojan (AEOD/T416, 1983). In the Davis Besse event, improper manualinitiation of the steam and feedwater rupture control system (SFRCS) led tooverspeed tripping of both turbine-driven AFWpumps, probably due to the'introduction of condensate into the AFWturbines from the long, unheated steamsupply lines. (Tile system had never been tested with the abnormal, cross-connected steam supply lineup which resulted.) Irl the Trojan event the ol)eratorincorrectly stopped both AFWpumps due to misinterpretation of MFWpump speedindication. The diesel driven pump would not restart due to a protectivefeature requiring cOral)lcre shutdown, and the turbine-driven pump tripped onoverspeed, requiring local reset of the trip and throttle valve. In caseswhere manual intervention is required durir_i the early stages of a transient,training should emphasize that actions should be performed metIlodically anddeliberately to guard against such errors.
CC2. Valve mispositioning has accounted for a significant fraction of the_uman errors failing multiple trains of AFW. [his includes closure of nor,lallyopen suction valves or steam supply valves, and of isolation valves to sensorshaving control functions, Incorrect handswitch positioning and inadequaL;etemporary wiring changes have also prevented automatic starts of mulLi_It,pumps. Factors identified in studies of mispositioning errors illclude failure
15
F q
r
to add newly installed valves to valve checklists, weak administrative controlof tagging, restoration, independent verification, and locked valve logging,and inadequate adherence to procedures, illegible or confusing local valvelabeling, and insufficient training in the determination of valve positionmay cause or mask mispositioning, and surveillance which does not exercisecomplete system functioning may not reveal mispositiorlings.
CC3. At ANO-2, both AFWpumps lost suction due to steam binding when they
were lined up to both the CST and the hot startup/blowdown demineralizereffl1_ent (AEOD/C404, 1984). At Zion-] steam created by running the turbine-driven pump deadheaded for one minute caused trip of a motor-drlven pump sharingthe same inlet header, as well as damage to the turbine-driven pump (Region 3Morning Report, 1/17/90). Both events were caused by procedural inadequacies.
CC4. Design/engineering errors have accounted for a smaller, but significanti"rra-ction of commoncause failures. Problems with control circuit designmodifications at Farley defeated AFWpump auto-start on loss of main feedwater.At Zion-2, restart of both motor driven pumps was blocked by circuit failureto deenergize when the pumps had been tripped with an automatic start signalpresent (IN 82.01, 1982). In addition, AFWcontrol circuit design reviews atSaleni and Indian Point have identified designs where failures of a singlecomponent could have failed all or multiple pumps (IN 87-34, 1987).
CC5. Incorrect setpoints and control circuit settings resulting From analysiserrors and failures to update procedures have also prevented pump start andcaused pumps to trip spuriously. Errors of this type may remain undetecteddespite surveillance testing, unless surveillance tests model all types ofsystem initiation and operating conditions. A greater fraction ofinstrumentation and control circuit problems has been identified during actualsystem operation (as opposed to surveillanc_ testing) than for other types offai lures.
CC6. On two occasions at a foreign plant, failure of a balance-of-plantInv-_---ertercaused failure of two AFWpumps. In addition to loss of the motordriven l_umpwhose auxiliary start relay was powered by the invertor, the turbinedriven pump tripped on overs peed because the governor valve opened, allowingfull steam flow to the turbine. This illustrates the importance of assessingthe effects of failures of balance of plant equipment which supports the
, operation of critical components. The instrumelt air system is another exampleof such a system.
CC7. Mult'iIle AFWpump trlps have occurred at Millstone-3, COOka_ Trojanan--n-d-Zion-2 IN 87-53, 1987 caused by brief, low pressure oscill ions ofsuction pressure during pump startup . These oscillations occurred despite the
availabili_ of adequate static NPSH Corrective actions taken include:extending e time aelay associated with the low pressure trlp, removing thetrip, and replacing the trip with an alarm and operator action.
16
CC8. Design errors discovered during AFWsystem reanalysis at the Robinsonp--Tc_nt(IN 89-3Q, 1989) and at Millstone-1 resulted in the supply heacler f'romtile CST being too small to provide adequate NPSHto p ione of tile three punlps were operating at rated fl tile iumps ,f more thanow concl tions This coulcllead to multiple pump failure due to cavitation, Subsecluent reviews at Robinsonidentified a loss of feedwater transient in wtilch inadequate NPSHancl flowsless t,tban design values had occurre_l, but which were not recognized at the
time, Event analysis and equipment trending,saS well as surveillance t,estingwhich duplicates service conditions as much a Is practical, can help iclenttfysuch design errors. ,
0C9; Asiatic clams caused failure of two AFWflow control valves at Catawba-2.--w_enlow suction pressure caused by starting of a motor-driv_en pump causedsuction source realignment to the Nuclear Service Water system, Pipes hadnot been routinely treated to inhibit clam growth, nor regularly monitored tocletect i:heir presence, and no strainers were installed. The need forsurveillance which exercises alternative system operational mocles, as well ascomplete system functioning, is emphasized by this event, spurious suctionswitchover has also occurred at Callaway and at McGuire, altnough no failuresresulted.
CCIO. Commoncause failures have also been caused by conlponent Failures"_/C404, 1984). At Surry-2, both the turbine driven pump and one motordriven pump were declared inoperable due to steam binding caused by backleakageof hot water through multiple check valves. At Robinson-2 both motor drivenpumps were found to be hot, and both motor and steam driven pumps were found
to be in operable at differen'! times. Backleakage at Robinson-2 _assed throughclosed motor-operatedbo isolatlon valves in addition to multiple ceckvalves.tAt Farley, t,h motor and turbine driven pump casings were found ho althoughthe pumps were not declared inoperable. In addition to multi-train Failures,numerous inciclenLs of single train failures have occurred, resulting in theclesignation of "Steam Binding of Auxiliary Feeclwater Pumps" as Generic Issue93. This generic issue was resolved by Generic Letter' 88-03 (Miraglia, 1988),which required licensees to monitor AFWpiping temperatures each shift, anclto maintain procedures for recognizing steam binding and for restoring systemoperahi I ity.
CCII. Commoncause failures have also failed motor operated valves. During_otal loss of feedwater event at Davis Besse, the normally-open AFWisolation valves failed to open after they were inadvertently closed. Thefailure was due to improper setting of the torque switch bypass switch, whichprevents motor trip on the high torque required to unseat a closed valve.Previous problems with these valves had been addressed by increasing tile torclueswitcll trip setpoint - a fix which failed during the event due to the highertorclue required due to high differential pressure across the valve. Similarcommon tootle failures of MOVshave also occurrecl in other systems, resultingin issuarlce of Generic Letter 89-i0, "Safety Relatecl Motor-Operatecl ValveTesting ancl Surveillance (Partlow, 1989)." This generic let[er recluireslicensees to clevelop and implement a program to provide for the testing,inspection and maintenance of all safeLy-related MOVsto provide assurancethat they will function when subjected to design basis conclitions.
17
CC12. Other component 'failures have also resulted in AF multi-train failures.include out-of.adJustment electrical flow control,er_ resulting In
improper discharge valve operation, and a failure of oil cooler cooling watersupply valves to open due to silt accumulation.
' 5.2.2 Human Errors
kiel. The overwhelmingly dominant cause o'f problems identified during a seriesof-----ciperational readiness evaluations of AFWsystems was human performance.lhe majority of these human performance problems resulted from incomplete andincorrect procedures, particularly with respect to valve lineup information.A study of valve mispositioning everlts involving human error identified failuresin administrative control of tagging arld logging, procedural compliance and
completion of steps, verification of supporl; systems ancl inadequate proceduresas important. Another study found that valve in..spos tioning events occurredmost ofter_ during maintenance, calibration, or modification activitiF.'s.Insufficient training in determining valve position, and in administrativerequirements for controlling valve positioning were important causes, as wasoral task assignment without task completion feedback.
HE2. Turbine driven pump failures have been caused by human errors inc'a-l-Tbrating or adjust!Tlg governor speed control, poor governor maintenance,incorrect adjustment of governor valve and overspeed trip linkages, and errorsassociated with the tr.ip and throttle valve. TTV-associated errors includephysically bumping it, failure 'to restore it to the correct position afLP.rtesting, ancl failures to verify control room indication of TTV positionfollowlng actuati(_n.
HE3. Motor drivewll pumps have been failed by human errors in mispositioningh-aI'i'dswitches, and I_y procedure deficiencies.
5.2.3 _n/__E_n_g..in__eeringProblems and Errors
DEl. l',s noted above, the majority of AFWsubsystem failures, and the greatestr-e-Tative system degradation, has been found to result from turbine-driven
pump failures. Overspeed Lrips of Terry TM(a) turbines controlled by WoodwardTM(b) governors have Deerl a significant source of these failures (AEOD/C602,1986)." In many cases these overspeed trips have been caused by slow responseof a Woodward Model EGgovernor on startup, at _)lants where full steam flow isallowed immediately. This oversensitivity has peon removed by installing astartup ste._m bypass valve which opens first, allowing a controlled turbineaccelerat.,on and l)uildup of oil pressure to control the governor valve whenfull steam flow is admitted.
DE___2__.Overspeed trips of Terry turbines have been caused by condensate in thesteam SUl)ply lines. Condensate slows down the turbirle, causing the governorvalve to open farther, and oversl)eed results before the governor valve canrespond, after the water slug clears. This was determined to be the cause ofthe loss-of-all-AFW event, at Davis Besse (AEOD/602, 1986), with condensationenhanced due to the long length of the cross-connec.ted steam lines. Repeatedtests following a cold-start Lrip may l)e successful due to systenl heat up.
(a) Terry is a registere(l trademark of tile Terry Corporation, Windsor, CT.
(t)) Wooclwar d i s a Y'egi si: er e,d t rademar k of t he Wooclwar d Govenor Ccmlpany,Rockford, IL,
18
DE3, Turbine trip ancl throttle valve (TFV) pr'o'blems are a significant causeo-f--{urbine driven pump failures (IN 84-66). In some cases lack of Trv positionindication in tile control room prevented recognition .of a tril)l._ed TTV. Inother cases it was possible t:o reset either tile overspeed trip or the TTV
wlttloL.It reseting the'other, iihis problem is compourlded by tlle fact that tilel:)OS t on, of the overspeed tr p. linKage.can be misleading, arid tile mecharlts.nliI,ay lack labe'ls ncltcat:inq when iL is Irl the -t.riPt_e(I t_osiLtorl (AI_IOD/C602,
1986),
DE4, ' Startu I) of tLirbines, with Woodward Mod(-,1PG-PL gov(,rrlor's within 30m-Tiq_tesof shutdown has resulted in overspeed trips when t:he .speed seLtingknob was not exercised locally to drain oil from t,he spee,I set Ling c.ylinder,Speed control Is basecl on starLup with an empty cylinder, Prbblems haveinvolved turbine rotation due to 'both procedure violations and leaking steam,
Terry has marketed two t.ypes of dqmf) valves for automatically draining theoil after shutdown (AFOD/C602, ]986),
At Calvert Cliffs a 1987 .loss-of offsite-power event required a quick coldstartup that resulted in turbine trip due to PG-PL governor stal)i,ity t_r'ob]ems,The short.-teru corrective action was installation of stiffer buffer springs(IN 88-09, 1988), Surveillance had always been.preceded by turbille warmup,which illustrates the inil_urtance of testing which duplicates service conditions8. lllU C h _:1s s pr act. ca1
DES, Rectucecl viscosity of gear box oi.1 heated by prior ot)era-tion causedf-aTTure of a motor' driven pump to sLart due to i insuff cient lube oi'l pressure,Lowering the t)r'essur'e swit(:tl setpoinC solved i:he problem, which had not beendetected durirlg t:esl:ing,
DE6. Waterhamnler at Palisade.s resulted in AFWline and hanger damage aL bothsteam gerlerators. The AFWspargers are locaLed at tile normal steam generatorlevel, and are frequently covered and uncovered du'ring level fluctuations.Waterhammers in top-feed-ring steam generators resulted in ,lain feedlinerupture at Maine Yankee and feedwater Pit)e cracking at Indian Point-2 (IN 84-32, 19B4),
DET. Manually reversing the direction of: motion of an operating valve hasi i iresuIt:ed irl MOVfa lures where such loading was not cons dered n the design
(AEOD/C603, 1986), Control clrcuit (lesign may prevent this, requiring strokecompleLion before _r'eversal.
DE8. At each oi: the unif.s o-f Ltle Sot.lth iexas Pr'o,ject, st)ace heaters provided5y-{[he vendor for use in preinsta'llation storage oi: MOVswere found to be
. wired in parallel Lo the Class lE I25 V DCmotors for several AFWvalves (IR50-489/89-11; 50-499/89-11, 1989). The valves had been environmentallyqualified, but not with the rlon-safety-rel_vted heaters energized,
5.2.4 Component Failures
"In Situ Test:ing Of' VaIres" was ciiGeneric Issue II.E.6.I, vided int, o foursub-issues (Beckjord, 19,19), three of which relat:e directly to prevention ofAFWsystem component fail_,re. AL the recluest of the NRC, in-sit.u testing of
19
check valves was adclressecl by the nuclear industrye resulting "Irl the EPRIreport, "Al)l)lication Guiclelines "for Check Valves in Nuclear Power Plants(Brooks, 1988)." This extensive report provicles information on check valveapl._lications, linlitations, and inspection tecllniclues, In-situ testing ofMOVswas adclressed by Gen_ric Letter 89-10, "Safety Related Motor-OperateclValve '[esting and Surveillance" (Par flow 1989) wllich recluires licensees toclevelol'.l ancl implement a program i:or testing, inspection and maintenance ofall safety-relatecl MOVs, "Thermal Overload Protection for Electric Motors onSafety-Related Motor-Operat'ecl Valves- Gerleric Issue II.E.6.1 (Rothberg, 1988)"concludes that valve motors should be thermally protected, yet in a way whichemphasizes system function over pt,otection of the operator.
CF1. The common-cause steam binding effects of check valve leakage were
_tified in Section 5,2,1 entr_ CCIO. Numerous single-train events provideadditional insights into this problem. In some cases leakage of hot MFWpastmultiple check valves in series has occurred because adequate valve-seatingpressure was limited to the valves closest to the steam generators (AEOD/C404,1984). At Robinson, the pump shutdown procedure was changed 'to delay closingtile MOVsuntil after the check valves were seated. At Farley, adclitionalweights were aclcleclto the back sides of the check valve disks to ensure properseating. Check valv_ rework has been done at a number of plants. Differentvalve clesigns and manufacturers are involvecl in this problem, and recurringleakage has been experiencecl, even after repair and replacement,
CF2, At Robinson, heating of motor operated valves by check valve leakagelai_a-{-causeclthermal binding and failure of AFWdischarge valves to open ondemand. At Davis Besse, high differentia'l pressure across AFW injection valvesresulting from check valve leakage has prevented MOVoperation (AEOD/C603,1986).
CF3. Gross check valve leakage at McGuire and Robinson causedoverpressurization of the /_FWsuction piping, At a foreign PWRit resultedi n a severe waterhamnler event. At Palo Verde-2 the MFWsuction piping wasoverl)ressurizecl by check valve leakage from the AFWsystem (AEOD/C404, 1984).Gross check valve leakage through iclle pulnps represerlts a potential diversionof AIW pump Flow.
CF4. Roughly one third of AFWsystem failures have been clue to valve operatorTfa-aT1ures,with about equal Failures for MOVsand AOVs. Almost half of theMOV'Failures were clue to motor or switch failures (Casada, 1989). An extensivestucly of MOVevents (AEOD/C603, 1986) indicates continuing inoperabilityproblems caused by: torque switch/limit switcll settings, adjustments, orfailures; motor burnout; improper sizing or use of thernlal overload devices;prenlature degradation related to inadequate use of protective devices; danlagedue to misuse (valve throttling, valve operator hammering); mechanical problems(loosened parts, improper assembly); or the torque switch bypass circuitiIlll)roperly ipstalled or acljusted. The study concluded that current methodsand procedures at many plants are not adequate to assure that MOVswill operateWllen neeclecl uncler credible accident conclitions. Specifically, a sur'veillanceLest which the va'lvr passed might result in undetected valve inol)erabilityclue to coIllponent failure (motor burnout, operator parts failure, stem disc
2O
separation) or improper positioning of protective devices (thermal overload,torque switch, limit switch). Generic Letter 89-10 (Part low, 1989) hassubsequerltly requirecl licensees to implement a program ensuring that MOVswitchsettings are maintained so that the valves will operate under design basisconditions for the life of the plant.
CF5, Component Iroblems have caused a significant number of turbine driven(AEODc6o2,ig 6),Oneg oupofev ntl volvodwort ppetfaces, loose cable connections, loosened set screws, inlproperly latched TTVs,and improper assembly. Another involved oil leaks due to component or sealfailures, and oil contamination due to poor maintenance activities. Governoroil',lay not. be sh,:_l'e(l_itll turbine lubrication oil, resulting irl tile need for
separate oil changes. Electrical componerlt failures included transistor orres stor failures due to moisture intrusion, erroneous grounds and connections,diode failures, and a faulty circuit card.
CF6. Electrohydraullc-operatecl discharge valves have performed very poorly,an-n-_--threeof: the five units using them have removed them due to recurrentfailures. Failures included oil lea!'s, contaminatecl oil, , icl hydraulic pumpfai'lures.
CF7. Control circuit failures were the dominant source of motor driven AFWpump failures (Casada, 1989). This includes the controls used for automaticand nlanual starting of the plumps, as opposed to the instrumentation inputs.Most of the remaining problems were due to circuit breaker failures.
CFB. "Hydraulic lockup" of Limitorque TM(c) SMBspring packs has preventedpropel" spring compression 'to actuate the MOVtorque switch, due to greasetrapped in tile sl)ring pack, During a surveillance at Trojan, failure of thetorclu_" switch to trip the TTV motor resulted in tripping of tile thermal overloaddevice, leaving the turl)ine driven pump inoperable for 40 days until the nextsurveillance (AEOD/ET02, 1987). Problems result from grease changes to EXXONNEBULATM(cl) EP-O grease, one of only two greases consiclered environmentallyqualified by Limitorque. Due to lower viscosity, it slowly migrates from thegear case into the spring pack. Grease changeover at Vermont Yankee affectecl40 of the older MOVsof which 32 were safety related. Grease relief kits areneedecl for MOVoperators manufactured before 1975. At Limerick, additionalgrease relief was required for MOVsmanufactured since 1975. MOVrefurbishmentprograms may yield other changeovers to EP-O grease.
CFg. For AFWsystems using air' operated valves, almost half of the systemdegradation has resulted from failures of the valve controller circuit andits instrument inputs (Casada, 1989). Failures occurred predominantly at a•few units using automatic electronic controllers 'for' the flow control valves,with tilemajority of failures due to electrical hardware. At Turkey Point-3,controller malfunction resultecl from water in the Instrument Air system dueto mairltenarlce inoperability of the air dryers.
(c) Limitorclue is a registered trademark of tile Liillitorque Corporation,Lynchl)urg, VA.
(d) Nebula is a registered trademark of tile Exxon Corporation, HousL,on, TX.
21
CFIO. Pot systems using diesel driven pumps, most of the failures were due_co start control and governor speed control circuitry. Half of these occurredon demand, as opposed to during testing (Casada, 1989).
CFII. For systems using AOVs, operability requires the availability ofInstrument Air, backup air, or backup nitrogen. However, NRCMaintenanceTeam Inspections have identified inadequate testing of check valves isolating
the safety-related portion of the IA system at several utilities (Letter, Roeto Richardson). Generic Letter 88-14 (Miraglia, 1988), requires licensees toverify by test that air-operated safety-related components will perform asexpected in accordance with all clesiqn-l:)asis events, including a loss of normal I _-IA " "'
22
6.0 REFERENCES
...... "In SituBeckjord, E S June 30, 1989 Closeout of Generic Issue II E.6.11Testing of Valves". Letter to V. Stello, Jr., U.S. Nuclear RegulatoryCommission, Washington, OC.
Brooks, B. P. 1988. Application Guidelines for Check Valves irl Nuclear PowerPlants. NP-5479,_ Electric Power Researc_ Institute, Palo Alto, CA.
Casada, D. A° 1989. Auxiliary Feedwater System Aging Stud_d]<_.Volume I.Operating Experience and Current Monitoring Practices. NURE-G-/-CR75404.U.S.Nuclear Regulatory Commission, Washington, DC.
Gregg, R. E. and R. E. Wright. 1988. Appendix Review for Dominant GenericContributors. BLB-31-88. Idaho National Engineering Laboratory, Idaho Falls,Idaho.
Miraglia, F. J. February 17, 1988. Resolution of Generic Safety Issue 93_L"Steam Binding of Auxiliary Feedwater Pump_s_"(Generic Letter 88-03). U.S.Nuclear Regulatory Commission, Washington, DC.
Miraglia, F. J. Augt_st 8, 1988. Instrument Air Supply System ProblemsAffecting Safety-Related Equipment_n-e.ric Letter 88-14)_. U.S. NuclearRegulatory Commission, Washington, DC.
Partlow, J. G. June 28, 1989. Safety-Related Motor-Operated Valve Testingand Surveillance (Generic Letter 89-10). U.S. Nuclear Regulatory Commission,Wa---aY_ngton, DC.
Rothberg, O. June 1988. Thermal Overload Protection for Electric Motors onSafety-Related Motor-Operated Valves - Generic Issue II.E.6.1. NUREG-1296.U.S. Nuclear Regulatory Commission, Washington, DC.
Travis, R. and J. Taylor. 1989. Development of Guidance for GenericrFunctionally Oriented PRA-Based Team Inspections for BWRPlants-ldentificationof Risk-lmportant Systems t Components and HumanActions. TLR-A-3874-T6ABrookhaven National Laboratory, Upton, New York.
AEODReports
AEOD/C404. W. D. Lanning. July 1984. Steam.Binding of Auxiliary FeedwaterPump_s. U.S. Nuclear Regulatory Commission, Washington, DC.
AEOD/C602. C. Hsu. August 1986. Operational Experience Involvinc I TurbineOverspeed Trips. U.S. Nuclear Regulatory Commission, Washington, DC.
AEOD/C'303. E. J. Brown. December_1986. A Review of Motor-Operated ValvePerformance. U.S. Nuclear Regulatory Commission, Washington, DC.
AEOD/E702. E. J. Brown. March 19, 1987. MOVFailure Due to Hydraulic LockupFrom Excessive Grease in Spring Pack. ll.S.Nuclear Regulatory Commission,Washington, DC.
23
_Nb,
L
AEOD/T416. January 22, 1983. Loss of ESF Auxiliary Feedwater PumpCapabilityat T.rojan on January 22f 1983. U.S Nuclear Regulatory Conmission, Washington,
.DC. ' .
Information Notices
IN 82-01. January 22, 1982. Auxiliary Feedwater PumpLockout Resulting fromWestinghouse W-2 Switch Circuit Modification. U.S. Nuclear RegulatoryCommission, Washington, DC.
IN 84-32. 'E. L. Jordan. April 18, 1984 Auxiliary Feedwater Sparger andPipe Hangar Damaqe. U.S Nuclear Regulatory Commission, Washingtoni-DC.
IN 84-66. August 17, 1984. Undetected Unavailability of the Turbine-DrivenAuxiliary Feedwater Train. U.S. Nuclear Regulatory Commission, Washington, DC.
IN 87-34. C. E. Rossi. July 24, 1987. Single Failures in Auxiliary FeedwaterSystems. U S. Nuclear Regulatory Commission, Washington, DC.
IN 87-53. C. E. Rossi. October 20; 1987 Auxiliary Feedwater PumpTr.!psResulting from Low Suction Pressure. U.S. Nuclear Regulatory Commission,l,_ashington, DC.
IN 88-09. C. E. Rossi. March 18, 1988. Reduced Reliability of Steam-DrivenAuxiliary Feedwater PumpsCaused by InstabTI-Tty of WoodwardPG-PL TypeGovernors. U.S, Nuclear Regulatory Commission, Washington, DC.
IN 89-30. R. A. Azua. August 16, 1989. Robinson Unit 2 Inadequate NPSHofAuxiliary Feedwater Pumps. Also, Event No£ification 16375, August 22, 1989.U.S. Nuclear Regulatory Commission, Washington, DC.
Inspection Report
IR 50-489/89-11; 50-499/89-11. May 26, 1989. South Texas Project InspectionR__eport. U.S. Nuclear Regulatory Commission, Washington, DC.
NUREGReport
NUREG-1154. 1985. Loss of Main and Auxi_.liary Feedwater Event at the DavisBesse Pie,ht on June 9 t 1985. U.S. Nuclear Regulatory Commission, Washington,DC.
24
NRC FORM 33B US, NUCLEAR RiCQULATORY COMMI,f_ION I REPONT NUMBER IAIj,_III_{'J by riDE ad_l Vol No ,t_,lvIq2 B41
NRCM t t02 ,' i_ "1 "1 - " "_o,,32o2 BIBLIOGRAPHIC DATA SHEET NURI_,(_/UR-5616SEE INSTRUCTIONS ON T,HE REVEHSE 1:_NL,-7351
2 TITLE AND SUBTITt E J LEAVE BLANK
Auxiliary .Feedwa Ler _',.,ys t:enl R:i.sl(iBased I nspee I::ionGuide for the Diab].o 7Ca,,_yonITn:it ].Nuclear l-_owerPlant:
4 DAIE r_EI'ORI COMPLETED
MONTH ] YEAR5 AUTHORISI
B.F. Gore _August ].990DArE REPORt ISSUED
T.V. VO MON,'. Y_A_D.G. Harrison At_gust l 11.990
PERFORMI_G ORGANIZA1 ION N_ME AND MAILING ADDRESS I/,,,.Vud_ Z,,o Code/ B PROJECT/TASK/WORK UNIT NUMBER
Pacific Northwest LaboratoryP. O. Box 999 _F:;NOR_RAN,NUMI_ER
Richland, WA 99352 Bl310
_0 SPONSORING ORGANIZATION NAME AND MAILING ADDRESS Ilnclude Z,p Codtl I la TYPE OF REPORT
Division of Radiation Protection and EmergencyPreparedness Technica ]
office of Nuclear Reactor Regulation _PEr_'OOCOVERED,.........,,,,,l
U.S. Nuclear Regulatory Co_unission 9/89 to 8/90__ Washington, DC ._2Q555
12 SUPPLEMENTAR'_ NOTES
13 a.BSTRACT (200 wot_t_ a, 'etl/
In a study sponsored by the U.S. Nuclear Regulatory Comnlission (NRC), PacificNorthwest Laboratory has developed and applied a methodology for deriving plant-specific risk-based inspection guidance for the auxiliary feedwater (AFW) system atpressurized water reactors that have not undergorle probabilistic risk assessment
(PRA). This methodology uses existing PRA results and plant operating experienceinformation. Existing PRA-based inspection guidance information recently developedfor the NRC for various plants was used to identify generic COml:)onent failure modes.This information was then combined with plant-specific and industry-wide componentinformation and failure data to identify failure modes and failure mechanisms forthe AFW system at the selected plants. Diablo Canyon-I was selected as the firstplant for study. The product of this effort is a prioritized listing of AFW failureswhich have occurred at the plant and at other PWRs. [his listing is intended foruse by NRC inspectors in the preparation of inspection plans addressing AFW risk-important comporlents at tile Diablo Canyon-1 plant.
14 DOCUMENT ANALYSIS .. ii KEYWOROS/DESCRIPTDR5 _'15 AVAILABILITY
STATEMENT
Inspection Risk, PRA, bi_,blo Canyon Unlimitedauxi].iary feedwater (AI,34)
6 SECURITY CLASSIFICATI(
( T_,_t laJge_l
,DENT,_,eRS/OPE_.ENOEDTERMS UnclassifiedI l'hl! reDortl
Unclassifiedt7 NUMBER OF "_GES
16 PRICE
i
