NUREG-1275 Vol. 11 Operating Experience Feedback Report—Turbine-Generator Overspeed Protection Systems Commercial Power Reactors Manuscript Completed: October 1994 Date Published: April 1995 HLL. Omstein Safety Programs Division Office for Analysis and Evaluation of Operational Data US. Nuclear Regulatory Commission Washington, DC 20555-0001 MASTER DISTRIBUTION OF THIS DOCUMENT IS UNLIMITED‘DISCLAIMER This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, nor any of their employees, make any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or any agency thereof. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or any agency thereof.DISCLAIMER Portions of this document may be illegible in electronic image products. Images are produced from the best available original document.ABSTRACT This report presents the results of the U.S. ‘Nuclear Regulatory Commission's Office for ‘Analysis and Evaluation of Operational Data (AEOD) review of operating experience of main turbine-generator overspeed and over- speed protection systems. It includes an indepth examination of the turbine overspeed event which occurred on November 9, 1991, at the Salem Unit 2 Nuclear Power Plant, It also provides information concerning actions taken by other utilities and the turbine manufac- turers as a result of the Salem overspeed event, AEOD’s study reviewed operating pro- cedures and plant practices, It noted differ- ences between turbine manufacturer designs and recommendations for operations, main- tenance, and testing, and also identified significant variations in the manner that individual plants maintain and test their turbine overspeed protection systems. AEOD's study provides insight into the shortcomings in the design, operation, mainte- nance, testing, and human factors associated with turbine overspeed protection systems. Operating experience indicates that the frequency of turbine overspeed events is higher than previously thought and that the bases for demonstrating compliance with NRC's General Design Criterion (GDC) 4, “Environmental and dynamic effects design bases,” may be nonconservative with respect, to the assumed frequency. GDC 4 requires structures, systems, and components impor- tant to safety to be appropriately protected against dynamic effects that may result from equipment failures and from events and conditions outside the nuclear power plant. In addition, compliance with GDC 4 may not have considered fires and flooding associated with destructive turbine overspeed events. While turbine overspeed protection is only part of the criteria for meeting GDC 4 and compliance may be accomplished in other ‘ways, improvements in maintenance and testing as noted in the study can enhance the reliability and operability of the main turbine- generators and their overspeed protection systems, and thus, raise confidence that the plants comply with GDC 4 by providing assurance that turbine overspeed event initiator frequency is consistent with assumptions. iii NUREG-1275, Vol. 11CONTENTS EXECUTIVE SUMMARY FOREWORD .. ABBREVIATIONS Ww 1 INTRODUCTION .. 1 2 HISTORICAL REVIEW . 1 3 SALEM UNIT 2 OVERSPEED EVENT 7 3.1 Description of the Event 1 32 Licensee's Response to the Event un 33 NRC Responses to the Event .... 15 33.1 Immediate Actions . 15 332 Longer Term Actions . 16 3.4. Root Causes of the Event . 16 34.1 Equipment Failure . cu 342 Inadequate Preventive Maintenance . W Inadequate Review and Feedback of Operational Experience . ci Inadequate Surveillance Testing .. W Human Factors Deficiencies in Front Standard ‘Testing . w ‘Test Lever .. uv 4 NUCLEAR INDUSTRY INITIATIVES AFTER THE SALEM UNIT 2 OVERSPEED EVENT . 8 4.1 Public Service Electric and Gas Company at Salem Units 1 and 2 . 8 42. Public Service Electric and Gas Company at Hope Creek 8 43. Westinghouse Power Generation Business Unit . 19 44 General Electric Power Generation Division 2 45. Nuclear Power Plant Insurers 2 46 Waterford Unit 3 2B 4.7 Comanche Peak Units 1 and 2 and Siemens/Allis Chalmers Turbines 25 48 Specialized Turbine Overspeed Protection System Solenoid-Operated Valves . 26 5 RECENT OPERATING EXPERIENCE . 26 5.1 Diablo Canyon .. 6 5.11 Diablo Canyon Unit 1 Turbine Overspeed Event (September 12, 1992) 26 5.12. Diablo Canyon Unit 2 Test Handle Trip (January 30, 1993).......... 2B 52 St. Lucie Unit 2 . 30 521 St. Lucie Unit 2 Turbine Overspeed Event (April 21, 192) 30 v NUREG-1275, Vol. 11CONTENTS (continued) 522 St. Lucie Unit 2 Spurious Turbine Trip During Solenoid-Operated Valve Testing (July 10, 1992) ... 53. Big Rock Point 5.3.1 Big Rock Point Common-Mode Bypass Valve Failures 532. Big Rock Point Repetitive Failures of the Turbine Trip System 533 Big Rock Point Long-Term Unavalabiliy of Emergency Governor Exerciser 54. Palisades Common-Mode Failure of Six Steam Admission Valves . 55 Comanche Peak Unit 1 Inadequate Followup to Turbine Overspeed Protection System Test Failure (May 16, 1992) . FINDINGS . 6. Complacency Toward Turbine Overspeed . 62. Testing That Defeats Diversity 63 Nonrevealing Surveillance Testing 6.4 Inadequate Solenoid-Operated Valve Maintenance 65 Blectrohydraulic Control System Fluid Quality 66 Blectrohydraulic Control System Fluid Incompatil 6.7 Human Factors Deficiencies 68 Surveillance Testing Required By Plant Technical Specifications CONCLUSIONS 7.1 Missiles . 72 Fires, Explosions, Flooding 73. Common-Mode Failure Precursor 74 Industry Response to the Salem Unit 2 Overspeed Event 7.42 Turbine Manufacturer Actions . 7.43 Nuclear Utility Actions . 15 Tip Test Lever Human Factors Deficiency .. 176 Qverestimate of Design Life of Turbine Overspeed Protection Sytem ‘Components . . : 17 Nonconservative Probabil 78 Trends in Turbine Overspeed Protection System Testing . 79 Procedures for Shutting Off Steam Supply 7.10 Summary . REFERENCES . NUREG-1275, Vol. 11 vi &88ES 49CONTENTS (continued) APPENDICES Page A _ LIST OF PLANTS BY SUPPLIER—REACTOR, TURBINE, GENERATOR B SUMMARY OF SERT REPORT RECOMMENDATIONS CUSTOMER ADVISORY LETTER 92-02, “OPERATION, MAINTENANCE, TESTING OF AND SYSTEM ENHANCEMENTS TO TURBINE OVERSPEED PROTECTION SYSTEM” D_ AVAILABILITY IMPROVEMENT BULLETIN 9301, “STEAM TURBINE, OVERSPEED PROTECTION SYSTEM” E HAMMER VALVE F OPERATION & MAINTENANCE MEMO 108, “MAINTENANCE OF MAIN STOP VALVES & REHEAT STOP VALVES” FIGURES 1 W-estimated probability of missile ejection from Salem Unit 2 turbine as a function of valve test interval . 5 2 Schematic of Salem turbine control system prior to November 1991 ..........00ccc 9 3. Schematic of Salem wype (generic) emergency and overspeed protection contro system prior to November 1991 + 10 4 Photograph: Salem Unit 2, showing holes in turbine casing . 2 5 Photograph: Salem Unit 2, showing damage to low-pressure turbine ........... 7 B 6 Photograph: Salem Unit 2, showing condenser damage ... uM 7 Proposed improvement of Salem type (generic) emergency and overspeed protection control system... » 8 Waterford Unit 3 turbine control system . 4 9 Diablo Canyon turbine steam admission valves .. an 10 Photographs: Salem Unit 2 front standard panel (original and modified) » 11 St. Lucie block for testing EHC system SOVs independently 33 12 Big Rock Point—Original hand-trip solenoid valve . 37 13 Big Rock Point—Replacement hand-trip solenoid valve . 39 14 Cross-sectional drawing of Parker Hannifin SOV MREN 16MX 0834 .........22.2+0++ 8B vii NUREG~1275, Vol. 11CONTENTS (continued) TABLES Page 1 Turbine system reliability criteria ........24.4+0+8+ 7 4 2 US. nuclear plant turbine overspeed events .. 6 3. Precursors to the Salem Unit 2 overspeed event 8 4 Major modifications made at Salem Units 1 and 2 ........ 8 5 Turbine overspeed protection system enhancements made at Hope Creek. . . 2 6 Big Rock Point failure to trip history before 1992 35 NUREG-1275, Vol. 11 viiiEXECUTIVE SUMMARY On November 9, 1991, the Salem Unit 2 nuclear power plant experienced a destructive turbine overspeed. The event did not result in any release of radioactivity or personnel injury; however, it did cause extensive damage to nonsafety-related equipment, and it did result in a 6-month outage. Safety-related equipment needed to cope with an accident or shut down the plant was not affected. The overspeed occurred as a direct result of simultaneous common-mode failures of three solenoid-operated valves in the turbine’s overspeed protection system. As a result of the event, a comprehensive review and eval- uation of turbine-generator overspeed protec- tion systems at U.S, light-water reactors was performed by AEOD. AEOD conducted extensive reviews of the ‘Salem event, its causes, and the corrective actions taken at Salem and at other nuclear plants, actions taken by major turbine manu- facturers and by the U.S. Nuclear Regulatory Commission in response to the Salem event. AEOD's review found that there were many precursors to the Salem overspeed event. However, before the Salem event, the potential for compromising the diverse and redundant turbine overspeed protection systems resulting in a destructive overspeed event was con- sidered highly unlikely. The manufacturer of the Salem Unit 2 main turbine had previously estimated the likelihood of a turbine missile ejection event (primarily caused by a turbine overspeed) to be on the order of 10-7 to 10- per turbine-year which is well below the NRC staff’s evaluation criteria of 10°5 to 10~* per turbine-year. However, the point estimate for a destructive turbine overspeed event based ‘on operating experience (one failure at Salem) is much higher, about 10° per turbine-year. NRC's concerns for turbine hazards have historically focused upon large, high energy missiles that would damage safety equipment. The Salem event (as well as other events) demonstrated that the vibration from turbine overspeed events can result in discharges of flammable, explosive fluids, and collateral flooding. The Salem event raised questions about the adequacy of plant protection from explosions, fires, and flooding which could result from turbine overspeed events. For- tunately, the exceptional dedicated fire fight- ing group and the “open” turbine building at Salem helped minimize the effects of the fires and explosions which occurred. Although many utilities, including the Salem licensee, have made recent submittals to the NRC advocating the position that reducing the frequency of turbine overspeed protection system tests will reduce the likelihood for destructive overspeed events, the turbine manufacturers have emphasized the necessity for frequent surveillance testing of turbine overspeed protection systems. However, tur- bine overspeed protection system testing as performed at many plants is incapable of revealing the degradation and failure of re- dundant components as experienced at Salem. Furthermore, the turbine overspeed protection system testing required by many nuclear plants’ Technical Specifications focuses only on possible sticking of steam admission or bypass valves and does not address the elec- trohydraulic control system or its associated hardware. {As a result of the Salem event, there has been a heightened awareness of the potential for main turbine overspeed. Many utilities have modified their turbine overspeed protection system maintenance and testing practices and the major turbine manufacturers have given their equipment owners guidance to reduce the likelihood of another destructive turbine overspeed event. However, our sample survey found that many plants have not effectively implemented the turbine manufacturers’ recommendations. AEOD performed indepth examinations of ‘common-mode equipment failures, and deficiencies in operating, maintaining and testing turbine overspeed control systems. NUREG-1275, Vol. 11‘The root causes of many turbine overspeed protection system malfunctions were: © lack of understanding of the sensitivity of hydraulic oil to contaminants © lack of understanding of the limited design life of solenoid-operated valves © failure to recognize the need for individ- ualized testing of redundant components ¢ failure to provide backups when defeat- ing protective equipment during testing * failure to provide operators with specific instructions on how to proceed when a test anomaly is observed © failure to integrate human factors con- siderations into a highly stressful test environment Important differences were found among, turbine manufacturer practices: for example, equipment hardware; physical configuration; and guidance for operations, maintenance, surveillance, and testing of turbine overspeed protection systems. Significant plant to plant Variations were found in the way turbine ‘manufacturer guidance was implemented re- garding maintenance, operations, and testing of turbine overspeed protection systems, Reviews are provided of the Salem precursor events (Ginna, Crystal River, and Salem) and other similar events that have occurred after the Salem overspeed event (events at St. Lucie, Diablo Canyon, Big Rock Point, and Comanche Peak). These recent events indicate that many of the lessons from the Salem event have not yet been adequately disseminated and learned. They are viewed by AEOD as Precursors to future turbine overspeed events. ‘The Salem overspeed event provides a point estimate of turbine overspeed failure rate of about 10° per turbine-year. NRC accepted analyses which assumed a maximum turbine failure rate of 10 per turbine-year in cordance with Regulatory Guide 1.115, “Protection Against Low-Trajectory Turbine NUREG-1275, Vol. 11 Missiles.” These analyses were taken as the bases to assure that US. light-water reactors ‘meet the NRC’s requirements that structures, systems and components important to safety be appropriately protected against the effects of missiles that could result from equipment failures in accordance with the NRC’s General Design Criterion (GDC) 4, “Environmental and dynamic effects design bases” (U.S. Code of Federal Regulations, Title 10, Past 50, Appendix A). ‘The turbine overspeed frequency assumption is a part of many plants’ analyses demonstrat- ing plants meet GDC 4. However, compliance with GDC 4 can be demonstrated by analyz- ing missile trajectories and the physical barriers protecting structures, systems, and components important to safety. ‘The study questions the completeness of plant safety analysis regarding another aspect of ‘compliance with GDC 4: the issue of damage from vibration and discharge of flammable, explosive fluids and collateral flooding which can result from turbine overspeed. This issue is the subject of another AEOD study which is currently underway. ‘The report focuses on deficiencies associated with turbine overspeed protection systems. For example: © common-mode hardware deficiencies = steam admission valve failures at Diablo Canyon and at Palisades ~ sticking of turbine bypass valves at Big Rock Point due to solidification of Garlock 938 valve packing - incompatibility between hydraulic fluids and electrohydraulic control system solenoid-operated valves = overestimation of pressure switch design life, ete. © common-mode testing deficiencies - methodology- effectiveness of testing = defeating diversity and/or redun- dancy, “smart testing” human factors = procedures common-mode maintenance deficiencies = frequency = design life - fluid cleanliness Eliminating the aforementioned deficiencies can enhance the reliability and operability of the main turbine-generators and their over- speed protection systems, help reduce the frequency of turbine overspeed events, and thereby raise confidence that the turbine ‘overspeed protection systems will operate reliably to assure conformance with assumed turbine overspeed initiator frequencies in Regulatory Guide 1.115 and compliance with GDC 4. NUREG-1275, Vol. 11FOREWORD This report presents the results of an indepth examination of the Salem Unit 2 overspeed event, subsequent industry initiatives, and recent operational experience. It reviews details of the event, the root causes and con- tributing causes of the event, precursors, and followup actions taken by the licensee at Salem Units 1 and 2 and its adjacent Hope Creek plant. Information about other more recent events involving turbine overspeed and turbine control system malfunctions and actions taken by the Nuclear Regulatory Commission and the U.S. nuclear community is included. ‘The root causes of turbine overspeed were found to be (1) poor turbine control and protective equipment maintenance and (2) poor periodic testing of turbine control and protective equipment. ‘The Salem event indicates that the likelihood of a damaging overspeed event is higher than previously estimated and that the conse- quences of turbine overspeed can go beyond just missile generation. As a result, the Office for Analysis and Evaluation of Operational Data is conducting a parallel study of the safety consequences of catastrophic turbine failures, particularly those resulting in fire, flooding, and missiles. This document does not contain any new regulatory requirements. It is being distrib- uted for information to assist licensees in ‘improving performance and enhancing nuclear safety by incorporating the lessons learned from operating experience. xiii NUREG-1275, Vol. 11AEOD AST AIT BOP CAL cB DEH EGE EHC ESFAS FPL GE Gpc ABBREVIATIONS US. Atomic Energy Commission Analysis and Evaluation of Operational Data (NRC’s Office for) Availability Improvement Bulletin (Westinghouse] ‘Augmented Inspection Team (NRC) auto stop oil automatic turbine testing balance of plant Customer Advisory Letter [Westinghouse] containment building Combustion Engineering digital electrohydraulic (control system) [Westinghouse] Executive Director for Operations @xRo) ‘emergency governor exerciser Big Rock Point] electrohydraulic control engineered safety feature actuation system Florida Power and Light Company General Electric Company General Design Criterion HIS IN LER IWR MLEA MOV MSL PG&E PSE&G PWR RPS SERT sov ‘TORS Ts Tsv hand-trip solenoid Information Notice Licensee Event Report light-water reactor Main Line Engineering Associates {of Exton, PA] motor-operated valve main steam line US. Nuclear Regulatory Commission Nuclear Reactor Regulation (NRC's Office of) Pacific Gas & Electric Co. Public Service Blectric and Gas pressurized-water reactor reactor protection system Significant Event Review Team {Salem/PSE&G] solenoid-operated valve ‘echnical Information Letter [General Electric} turbine overspeed protection system ‘Technical Specification turbine stop valve Westinghouse Electric Corporation NUREG-1275, Vol. 111 INTRODUCTION On November 9, 1991, a turbine overspeed event at the Salem Unit 2 nuclear power plant caused extensive damage to the turbine, gen- erator, and main condenser. The turbine over- speed event resulted in a hydrogen explosion and fire, as well as lube oil fires. Although there was no loss of life or personnel injury, the event resulted in property damage and a 6-month plant shutdown. At the request of the U.S, Nuclear Regulatory Commission's (NRC’s) Executive Director for Operations (EDO), the NRC Office for Anal- ysis and Evaluation of Operational Data (AEOD) expanded its ongoing study of the Salem Unit 2 overspeed event in 1992. This report presents the results of an indepth study of the Salem Unit 2 overspeed event, subsequent industry initiatives, and recent ‘operational experience. The report reviews details of the event, the apparent and root causes of the event, precursors, and followup actions taken by the licensee at Salem Units 1 and 2 and Hope Creek (an adjacent plant ‘owned by the same utility), The report includes information about other more recent events involving turbine overspeed and turbine control system malfunctions and describes actions taken by the NRC, other utilities, ‘manufacturers, and the insurance companies that provide liability and property damage coverage to U‘S. nuclear power plants. The report also delineates actions for improving the reliability of the turbine overspeed protection sytem (TOPS) to reduce the likelihood of experiencing a catastrophic turbine overspeed event. 2 HISTORICAL REVIEW ‘Turbine failures have long been recognized as having the potential for throwing off missiles that can cause loss of life, extensive damage, Tong plant outages, and major financial loss. ‘Many catastrophic turbine failures have occurred because of manufacturing or design defects, as well as from human error. In 1973, $, Bush (Ref. 1) published information about 21 main turbine failures that occurred throughout the world between 1950 and 1972. Bush's paper provides the basis for NRC assumptions about turbine failure rates. Fourteen of the 21 failures generated missiles ‘that penetrated the turbine casing, Of these Vé events, 9 were caused by manufacturing defects or design deficiencies in the rotating parts and occurred near or at normal operat- ing speeds, Bush noted that, due to improved turbine design and improved manufacturing techniques, most of these failures would be unlikely to recur. The other five overspeed events that generated missiles were caused by ‘common-mode failures—sticking of steam control and dump valves. The valves were prone to such failures because of the small clearances around the valve stems and the presence of foreign material. The small Clearances were also aggravated by faulty adjustments, design errors, shop errors, and faulty materials. Information about similar main turbine failures appears in a 1973 General Electric (GE) memo.! Of interest is a 1970 event in which a low-pressure rotor of a Mitsubishi turbine undergoing factory testing burst at 117 percent of rated speed. An 8-ton fragment was thrown eight-tenths of a mile. Delails about a significant overspeed event which did considerable damage at Uskmouth #5 in the United Kingdom in 1956 are also germane!. The turbine oversped to 170 per- cent of rated speed and burst the low-pressure rotor. The event was caused by common-mode contamination of the lubrication and hy- draulic oil. Fine iron oxide particles which resulted from water intrusion in the oil cooler deposited sludge which caused simultaneous sticking of hydraulic control valves and redun- dant oil trip valves in the emergency over- speed system. Bush (Ref. 1) stated that the Uskmouth failure resulted from stuck steam admission valves which were caused by magnetite buildup. Most of the overspeed events deseribed by Bush (Ref. 1) occurred at non-nuclear ‘General Bectri Company, Turbine Department, “Memo Re- ‘port Hypotetical Turbine Missles~-Frobabilt of Occur Fence," Mareh 14, 1973. NUREG-1275, Vol. 11facilities with high-temperature steam (©1000 °F). High-temperature steam pro- moted the buildup of “boiler salts”—that is, salts or oxides—on the steam admission valves. The buildup of such foreign materials would not be expected at the lower tempera- tures in light-water reactors (LWRs) (650 steam). In addition, tight control of water chemistry at LWRs reduces the likelihood for ‘common-mode sticking of turbine steam admission valves. In the USS, early-vintage pressurized- water reactors (PWR) used phosphate-type secondary-side water treat- ‘ment. The phosphates were found to be a major cause of turbine steam valve sticking, Switching from phosphate treatment to all-volatile treatment reduced the salt buildup problems and improved turbine valve relia bility. Bush also noted that the incidence of overspeed events markedly decreased (in non-nuclear plants) between 1961 and 1972 because turbine valves were exercised daily or weekly during load change tests. Exercising the valves eliminated the buildup of deposits in the valve stem guide area. In the early 1970's, when Bush wrote his paper, experience with main turbine failures led to estimates of turbine missile frequency of about 10 per turbine per year. However, Bush’s paper indicated the expectation that technological improvements in manufacturing and testing would reduce the turbine missile generation probabilities. The turbines used at most U.S. nuclear plants benefitted from advancements in manufacturing and inspec- tion techniques that were not available for the turbines that failed from 1950 through 1972. If periodic inspections are performed properly and defects repaired satisfactorily, catastroph- ic main turbine failures would not be expected to ocour at U.S. nuclear plants unless there was a turbine overspeed, Because of earlier turbine failure history, the U.S. Atomic Energy Commission (AEC), its successor agency, the NRC, and the licensees focused on steam admission valve operability and diver- sity of overspeed protection systems (types of speed sensors) as ways of minimizing the damage to the plants from such credible events. Based upon earlier fossil plant NUREG-1275, Vol. 11 2 experience and the perceived diversity of TOPS (ic, electronic, mechanical, electro- hydraulic speed sensors and control fluid subsystems), the AEC/NRC concentrated on verification that the steam admission valves were not stuck, while overlooking other critical hydraulic, mechanical, and electrical sub- system components such as solenoid-operated valves (SOVS), pressure switches, relays, etc. Although NRC Standard Review Plan 10.2 (Ref. 2) noted that such components needed to be testable, the NRC did not require surveil- lance testing of these components. Plant. designs were analyzed for turbine failures as a tesult of which missiles could penetrate the containment building (CB) and affect safety systems. To protect against turbine-generated missiles, the turbines at many plants were oriented in a “favorable direction” with the axis of rotation perpendicular to the CB so that turbine-generated missiles would not be likely to strike the CB. Using the methodology outlined in Regulatory Guide 1.115 (Ref. 3) to show that the likeli- hood of turbine missiles causing unacceptable damage to safety-related equipment was less than 10-7 per turbine-year, licensees were able to demonstrate that their plants’ main turbine-generators met the NRC’s licensing requirements of General Design Criterion (GDC) 4 of Appendix A to Part 50, Title 10 of the Code of Federal Regulations (10 CFR [Ref. 4)). The Regulatory Guide 1.115 methodology is as follows: The probability of a turbine missile striking safety-related equipment and causing unacceptable damage is referred to as P,, It is the product of 3 proba- bilities (.e,, Py = Pj x Py x Ps) probability that a high energy turbine missile will penetrate its casing probability that the high energy turbine missile will strike safety. related equipment (referred to as the “strike” probability) probability that the high energy turbine missile strike will causeunacceptable damage to safety- related equipment (referred to as the “damage” probability). In accordance with Regulatory Guide 1.115, if a licensee could demonstrate Ps to be less. than 10-7 assuming P; equals 10~* (based upon Bush [Ref, 1)), the plant’s main turbine- erator was considered to have satisfied ;DC 4 turbine missile concerns. Such analy- ses overlooked vibration-induced fiuid leaks (of hydrogen and of lubrication and hydraulic oils) that could accompany a destructive turbine overspeed. ‘A.1987 NRC staff review of Westinghouse Electric Corporation (W) topical reports on turbine missiles, turbine failures, and turbine ‘overspeed noted that based upon various icensing applications, the turbine missile “trike and damage probability” (Le. the probability of having a high energy turbine missile strike and cause unacceptable damage to safety-related systems) was estimated to be between 10°? and 10° for unfavorably ori- ented turbines!#, and between 10~* and 10° for favorably oriented turbines. The NRC staff’s safety evaluation report (Ref. 5) approved the use of the W topical reports. It provided the foundation for licensing actions, in which the Technical Specification (TS) requirements for turbine overspeed testing were relaxed for plants with W turbines. Reference 5 noted the large uncertainty in the likelihood for turbine missile generation: «depending on the specific combination of material properties, operating environment, and mainte- nance practices, the Py (probability of turbine missile generation) can have values between 10° to 10-! per turbine-year depending on test and inspection intervals, ‘The NRC stafi’s safety evaluation report (Ref. 5) discouraged the elaborate calculation of the strike and damage probabilities for low- trajectory turbine missiles, As an alternative it gave credit of 10°? for the product of the ‘eturbines with the ais of rotation parallel to the CB, strike and damage probabilities for favorably oriented turbines and 10° for unfavorably oriented turbines. ‘The turbine system reliability criteria pro- vided as guidance in Reference 5 have been reproduced in Table 1. ‘A 1987 W topical report sponsored by several ‘W turbine owners" supported relaxing the frequency with which the turbine steam admission valves are exercised. The topical report estimated the probabilities of turbine missile ejections due to overspeed at the respective plants. If the November 9, 1991, overspeed event at Salem Unit 2 is considered, the W topical report’s probabilistic assess- ment of turbine missile ejections at Salem Unit 2 can be shown to be nonconservative by three to five orders of magnitude (see Fig- ure 1), The assessment is nonconservative and therefore invalid because the turbine and its overspeed protection system were not main- tained and tested in the manner assumed in the analysis. Common-mode errors involving ‘human factors and equipment could not be and were not quantified or included in the assessment. This issue is discussed in detail in Section 7.4 of this report. Several turbine overspeed events have oc- curred at US. nuclear power plants, although the Salem Unit 2 event is the only one known to have generated missiles, Turbine overspeed events at U.S, LWRs are listed in Table 2, The Salem Unit 2 event caused significant damage and resulted in a 6-month outage. Chapter 3 of this report provides more details. Appen- dix A contains a list of the manufacturers of main turbines and generators at all U. LWRs. At US. nuclear power plants, main turbines are categorized as balance of plant (BOP) equipment, However, as noted below, at many plants the turbine trip function is part of the engincered safety feature actuation system (ESFAS) instrumentation, the safety-related Westinghouse Ble Cae See CAT Tiassa eaton duction neurbine Valve Test Frequency," Jone 1987. NUREG-1275, Vol. 11Table 1 Turbine system relial lity criteria* ‘Turbine missile ejection probability, yr Favorably Oriented Turbine Unfavorably Oriented Turbine Required Licensee Action () Pi < 104 (@) 104 11% Haddam Neck January 1982 > 128% D.C. Cook Unit 2 January 1983 > 112% Crystal River Unit 3 February 1988 103 % ‘Three Mile Island Unit 1 September 1991 > 109% Salem Unit 2°** November 1991 160 % St. Lucie Unit 2 April 1992 103 % Diablo Canyon Unit 1 September 1992 104 % Beaver Valley Unit 1 October 1993 > 111% _—_—_—_—_—oO “In recent yeas, several destructive turbine overspeed events have alo occurred at USS fossi-powered plants. Evens ip whic turbine ged exceeded 100 porent but wa ss than 109 percent are included because they wee the result of operational TOI (Gestracte) overspeed evens equipment malfuneions and some of them are Viewed precursors fo more serous ‘This table should not be construed es being complete since other events may not ave been reported. , mechanical oersped testing at 110 ‘Bien mans commend ang ey CSE ee a is performed once pr fuel cele (W and GE turbine slr coin maintenance work pedo. *7*Yankee Rowe sustained major turbine damage in 1980 (overspeed not involved during that event). ***The Salem Unit 2 event was the only overspeed event that generated misiles which penetrated the casing. function of which is to reduce the potential for severe overcooling transients and mitigate the consequences of steam generator overfill, Be- cause of concerns about damage from turbine overspeed and turbine missiles, TS of many plants require that at least one TOPS be oper- able, that the steam admission valves undergo periodic test cycling and inspection, and that ‘TOPS channels be calibrated periodically. Itis important to note that, although the tur- bine trip system serves an ESFAS function and is linked to the reactor protection system (RPS), the limiting conditions for operation for the TOPS instrumentation are not in- cluded in TSs, At all W plants and at some PWRs designed by other manufacturers, the P-4 interlock provides for a turbine trip signal NUREG-1275, Vol. 11 6 after a reactor scram. At some of those plants, the P-4 interlock also provides for a turbine trip signal on high steam generator level. Plants that have TS requirements for periodic ESFAS surveillance testing of the turbine trip function are not required to test each train of turbine trip signals independently. In boiling- water reactors (BWRs), the turbine trip fea- ture is integrally connected to the RPS and the turbine trip function for BWRs is also an ESFAS feature, In PWRs and BWRs, inspec- tion and maintenance requirements for main turbine electrohydraulic control (EHC) or auto stop oil (AST) systems and for their component SOVs, pressure switches, etc., associated with turbine trip, are not specific- ally addressed in plant TSs.‘As part of their operating licenses, some newer plants such as Seabrook and South ‘Texas have committed to adopt turbine maintenance programs recommended by the turbine manufacturer and based on the manu- facturer’s missile generation calculations, with the alternative of period volumetric inspec- tions of all low-pressure turbine rotors. The bases for the Seabrook TS requirements state that the TOPS prevents the turbine from experiencing an excessive overspeed which could generate missiles that “could impact and damage safety-related components, equip- ment or structures.” ‘ In contrast, many plants have virtually no TS requirements for the main turbines or their overspeed protection systems. Offsetting the NRC's limited role in the area of main turbines and TOPS is the fact that failures of the main turbine and its associated systems have the potential to cause significant financial loss and erode public confidence. ‘The plants are supposed to be designed so that turbine/generator-induced failures or hazards do not create conditions outside the plants’ safety analyses. However, the AEOD staff have observed situations where turbine building hazards could have the potential for affecting safe plant operation, AEOD is studying the issue of turbine building hazards and will publish a special report on the issue soon, ‘There were many precursors to the Salem Unit 2 overspeed event (see Table 3). However, the lessons to be leaned from those events generally went unheeded. In some cases, the licensees’ reporting of the events focused on the initiating events and did not raise con- cerns about the overspeed potential, The most likely reasons being the main turbine and generator were considered to be nonsafety BOP items, and the possibility of a destructive turbine overspeed event resulting in missile ejection compromising public health and safety was not considered credible. The pre- ‘cursor events that were reported in licensee event reports (LERs) were reported in accordance with 10 CFR 50.73 (Ref. 4), which requires reporting of TS violations and RPS actuations, As a result, in many cases the LERs provided litle, if any, detail about the ‘TOPS anomalies or failures. 3 SALEM UNIT 2 OVERSPEED EVENT 3.1 Description of the Event Salem Unit 2 is an 1106 MWe W PWR with a ‘W turbine and a GE generator. On Novem- ber 9, 1991, while the plant was operating at 100 percent power, the licensee was conduct- ing a monthly test of turbine mechanical pro- tective devices (overspeed trip, vacuum trip, low-bearing oil pressure trip, and thrust bearing trip). In order to perform the test without causing an unwarranted turbine and associated reactor trip, the testing required complete isolation of the AST system from the turbine control or trip function. An operator isolated the AST system by holding the tur- bine bypass lever (overspeed trip test lever) in the test position (see Figure 2). Disabling the AST system defeated the mechanical over- speed trip and 12 additional remote trip signals. During testing, while the mechanical overspeed trip is disabled, protection against overspeed is provided by three redundant ‘SOVs: BT-20, which is designed to be actu- ated on a reactor scram, and OPC 20-1 and OPC 20-2, which are designed to actuate at turbine speeds of about 103 percent (see Figure 3). On November 9, 1991, the licensee had just successfully completed testing the mechanical protective devices when a momentary (15 second) drop in the AST system pressure occurred, The low AST system pressure caused the interface valve to open and relieve the electrohydraulic fluid pressure (see Fig- ure 2), This fluid pressure drop was inter- preted by the RPS as a turbine trip signal and generated a reactor scram, signaling the turbine stop valves (TSVs), governor valves, reheat stop valves, and intercept valves to ‘close. The RPS signaled the BHC system to trip the emergency trip SOV, ET-20. However, ET-20 failed to respond to the demand signal. NUREG-1275, Vol. 11-sompaoord womjoy 01 ‘omprey ‘synsox 1801 Jo Surpueistopun ue ‘uonearunumNdD ays}s1940 -dnyreys aurqamy a10yoq Paniosor AqproyoysT3es 10U Sem 3801 ‘Tonuo wowaGeuem srenbopeu] —uoHoUny prous|os DAO amp ur ouaa —LIO-T6/TTE-0S 6ST QQ. Z MUN WATS “pueurap uo “uwo1s03309 0} anp eles OZ=LAl fea prousyos asnes0q aATeA prous|os Jo Surpurq peorueyDayy diy royoear uo din 01 payres amqmNT, —ZL0-06/PHC-0S _O6ET Taquiordag euUID “WONUNy 10U PINOX Z-9Z QAO pur “02 DdO 22H pofeanas dnaoyjos “suiqop pue afpnys 01 onp soayea wuss paadsraxo snoauoxre we Kq Prousjos Jo Supurq TeoreysoWY —poonput sea din auiqim pure imseY —E-N6/ELZ-0S _O6ET OQUIdaS 1 UA WORE “Bunsen waisés jonuos aurqim Supmp ainssord Igy Mo] Jo asnvoaq “saoyi10 Atddns waysts Igy pad8o[Q Pazmnd00 dyn oujqiny pue roe ST-S8/ZLZ-0S S86L IsnBny — | yu WIE ‘pueurop uo ayezado 01 pores aayea prowsjos g-1y ways “aATea plousjos yo Supuig jeorweyooyy =i) s0}9var uo dim 0} parle} aUIGIME, —90-R8/ZOE-0$ SBE ATENIGag _oATY TeISKID ‘pueutap uo ayezado 01 Polley aayea prowapos O¢-—La ways “SABA prouspos Jo SuypuIg JeouLyooy dyn zoyovex uo din 0} payrey aurqinE, §——_L0-S8/P¥2-05 sg6t dy BUI asned POW aanyieq saquiny y10day aed ued quaag aasuaayy s30249 paadssad0 Z uN wa[Ug ay) OF SYOSANDaIY ¢ a1qR, NUREG-1275, Vol. 11T6GT Aaquiaaoyy 03 so12d woys&s jox}uod suyqany Woqes Jo MHEMIEHDS Z amnNBIy NUREG-1275, Vol. 11Figure 3. Schematic of Salem type (generic) emergency and overspeed protection control system before November 1991 ‘The 30-second reverse power protection timer started at the time of the trip signal. When the 15-second low AST pressure perturbation cleared, the interface valve closed, the electro- hydraulic trip fluid repressurized, and the ‘TSVs started to reopen. Because the AST pressure switch GS-H/AST was incorrect set the turbine’s analog electrohydraulic system did not detect the initial turbine trip con- dition. If 63-3/AST had been set correctly, and had functioned properly, the analog elec- trohydraulic system would probably have reduced the governor valve demand to zero when the initial AST system pressure drop occurred. The analog electrohydraulic system could also have prevented the governor valve from reopening by actuating an auto-stop tri However, the failure of the 63-3/AST to actuate allowed the governor valves to reopen when the AST pressure perturbation cleared. ‘The main generator output breakers opened as designed (the signal for main generator output breakers to open comes from the RPS with a 30-second time delay). However, about NUREG-1275, Vol. 11 10 11 seconds after the generator output breakers opened, the TSVs reached the open position (> 90 percent open). At that time, the turbine-generator was unloaded (disconnected from the grid) and receiving steam through the admission valves. The turbine started to overspeed. As the turbine speed approached 108 percent, the overspeed protection con- troller signalled for SOVs OPC 20-1 and OPC 20-2 to shift positions to dump electrohy- Graulic trip fluid to close the intercept and governor valves to limit the overspeed con- dition to 103 percent. However, both SOVs failed upon demand. The operator at the front standard panel continued to hold the trip test lever in the test position, disabling the ‘mechanical overspeed trip and the 20/AST electrical turbine trip solenoid valve. ‘The turbine generator oversped to an estimated 2900 rpm (about 60 percent above the design of 1800 rpm). The shaft vibrated severely and turbine missiles (blading) penetrated the 1-1/4 inch-thick carbon steelturbine casing, making two elliptical holes on one side of the turbine casing, Each hole was between 15 and 20 inches across (see Fig- ure 4). There were also two tears 2 to 3 feet long at the same axial location on the other side of the turbine, Some missiles landed over 100 yards away from the turbine, (Note that the turbine is located on the roof of an open structure.) One part of the tarbin casing (about 15 inches by inches by 1-1/4 inch thick) flew over the moisture separator-reheaters, and landed on a truck about 40 yards away. The low-pressure turbine was destroyed (see Figure 5). About 100 condenser tubes were cut by turbine blade shrapnel, and about 2500 condenser tubes had to be replaced (see Figure 6). No missiles penetrated the CB. ‘The high shaft vibration caused the mechan- ical seals from the hydrogen gas system (used for generator field cooling) to fail. The hydro- gen gas was released, and it ignited. There was a hydrogen explosion and a hydrogen fire. The generator was severely damaged and it had to be replaced. The vibration broke the generator bearing seal oil supply line and the oil was ignited by the hydrogen fire, Seal and turbine lube oil spilled into the turbine building basement, ‘The control room operators secured all the turbine lube and seal oil pumps which were feeding the fires. The fire brigade quickly the initial lube oil fires. Lube oil ions occurred for several hours but were quickly extinguished by the licensee's onsite, dedicated fire brigade (the dedicated fire brigade is made up of full time fire fighters and is shared by Salem and Hope Creek which have a shared protected area), ‘The fire brigade took prompt action to control and extinguish the fires. The automatic fire suppression systems actuated as designed, During the event, there was dense smoke from the fires, The turbine's location on an open deck rather than in an enclosed building minimized the impact of the smoke from the fires. ul ‘The RPS functioned per design throughout the event, The only anomalous behavior uring the post trip period was a drop in Taye requiring main steam line (MSL) isolation. The MSL isolation was performed in accordance with plant emergency operating procedures and the plant was brought to cold shutdown without any further thermohydraulic complications. Atall times during the event, the reactor was maintained safely shutdown. Safety-related systems were not impacted and remained operable throughout the event and imme- diately afterwards. There were no radiological releases. The only injury was to a plant secur- ity officer who suffered smoke inhalation (the officer did not require hospitalization). The plant was shut down 6 months for repairs with cots estimated at between $100 and $00 ion. 3.2. Licensee’s Response to the Event Within 2 hours of the reactor seram, the licensee convened a Significant Event Review ‘Team (SERT). The team’s charter was to assess all relevant aspects of the event to pre- ‘vent recurrence of similar events. The SERT effort took 2000 person hours over 4 weeks. The SERT performed a comprehensive inves- tigation of the event. It reviewed sequence- ofevents data and conducted functional tests to reconstruct certain aspects of the event (€g, cycled SOVs and turbine valves). The SERT also did an indepth review of the human factors aspects of the event and a thorough review of testing procedures, manufacturer's recommendations, and plant TSs. The SERT reviewed previous industry operating experience and worked with the equipment suppliers and with several labora- tories to perform intrusive examination of the failed equipment. The SERT’s and the NRC Augmented Inspection ‘Team's (ATT’s) deter- minations of the root causes of the event agree NUREG-1275, Vol. 11 =Figure 4 Photograph: Salem Unit 2, showing holes in turbine casing NUREG-1275, Vol. 11 RFigure 5 Photograph: Salem Unit 2, showing damage to low-pressure turbine B NUREG-1275, Vol. 11Figure 6 Photograph: Salem Unit 2, showing condenser damage NUREG-1275, Vol. 11 “4closely. Root causes determined by the SERT and AIT appear in Section 3.4 of this report. ‘The SERT report!© made 32 recommendations for corrective action. The recommendations appear in Appendix B of this report. The first. six recommendations were categorized by the licensee as relating to plant design: (i) evaluation of the turbine protec- tion systems and design enhancements 2) root cause assessment of SOV failures and implementation of corrective actions to prevent recurrence (3) determination of the source of the foreign material that entered the AST system and could have caused the AST system pressure perturbation (4) evaluation of the need for cor- recting human factor deficiencies at the front standard pane! (5) determination of all sources of steam that fed into the turbine which resulted in the overspeed event © evaluation of the adequacy of AST pressure switch settings ‘The next 22 SERT recommendations were categorized as relating to programs. These recommendations address adequacy of, and the need for changes to, programs associated with surveillance testing ‘maintenance human factors enhancements operator training "pul Secs Het nd Gus Company, Sgszat Event ‘Und 2 Reactor/lusbing Ip and Ticbine/Genetaior Fallre ‘of November 9, 191," Desember 20, 1991. technical specifications emergency procedures (including fire fighting) review and feedback of operational experience ‘The final four SERT recommendations related to personnel. They address human behavior, human factors that contributed to the over- speed event, and the corrective actions needed to prevent recurrence (e.g., failure to examine OPC 20-1 and OPC 20-2 testing anomalies during the October 20, 1991, testing). They also address the decision to defer replacement of Unit 2 SOVs during the spring 1991 “mini- outage,” and lessons-learned training regard- ing the November 1991 overspeed event. By September 1992, the licensee implemented most of the 32 recommendations in the SERT report, with almost all of the remaining recommendations scheduled for completion before the end of 1992. It is important to note that most of the recommendations applied to Salem Unit 1 as well as Salem Unit 2. Sec- tion 4.1 describes the major hardware, pro- cedural, and testing modifications made at the Salem plants as a result of the overspeed event. In addition, the technical staff at the licensee's adjacent plant, Hope Creek’, has reviewed the SERT report recommendations for applicability and has taken corrective action. Section 4.2 of this report summarizes Hope Creek's review and the corrective actions. 3.3 NRC Responses to the Event 3.3.1 Immediate Actions After being notified of the event, the NRC formed an AIT consisting of two Salem resident inspectors, three regional based inspectors, and two engineers from NRC headquarters. The team arrived on site on November 10, 1991, ‘The AIT’s primary tasks were to gather the facts, determine the root causes, and identify lope Creek a BWR with OE tubing and generator. Tis foosted on the same se as Salem Units | and NUREG-1275, Vol. 11potential generic issues. The results of the AIT efforts appear in References 6 and 7. When the causes of the overspeed event were known, NRC’s generic communications branch issued Information Notice (IN) 91-83 (Ref. 8) to alert licensees to the details of the event. The licensees were expected to review the information for applicability to their plants and consider actions to prevent similar ‘occurrences. 3.3.2 Longer Term Actions Based upon the AIT’s findings, the NRC Region I Administrator recommended to the Director of the Office of Nuclear Reactor Regulation (NRR) that the generic concerns raised by the Salem Unit 2 overspeed event be evaluated to determine if regulatory action or generic communications were warranted (Ref. 7). The generic concerns included the following: © TS inadequacies regarding TOPS Standard Technical Specifications require only one TOPS operable and do not ad- Gress redundancy or diversity. In addi- tion, the TSs address only the operability of the steam admission valves and do not require surveillance of the control system and its components (SOVs, pressure switches, etc). © SOV failures ‘These failures raise the question of whether a generic communication is needed to focus licensee’s attention on TOPS SOVs with regard to application, design and design life, maintenance, quality, and surveillance. ©. Turbine generator fires and their effects upon nuclear safety-related equipment © BOP equipment Is enough regulatory attention paid to BOP equipment and systems that could “adversely affect or challenge the opera- NUREG-1275, Vol. 11 16 tion of safety-related equipment”? Also noted was the fact that turbine control systems affect and are affected by RPS logic, whereas NRC inspection programs pay little attention to operability and maintenance of BOP systems. In response to the NRC Region I Administra- tor’s letter (Ref. 9), the Associate Director for Projects, NRR, noted that according to the NRC's policy statement on TS improvements, new Standard ‘Technical Specifications “relo- cate requirements for turbine overspeed rotection to licensee controlled documents” (.e., procedures). In early 1992, NRR reviewed the Salem Unit 2 turbine overspeed event. ‘The review found that the TSs of 18 of 45 W plants do not require the ESFAS turbine trip function—the P-4 interlock—to be tested. As noted in Chapter 2 of this report, the P-4 in- terlock reduces the potential for severe over- cooling transients and events that could lead to steam generator overfill. It appears that the lack of an adequate test for the P-4 interlock contributed to the Salem overspeed event. ‘The Associate Director for Projects, NRR, noted (Ref. 9) that with regard to the need for an additional generic communication on ‘SOVs, IN 91-83 was adequate and that no further generic communications on SOVs were warranted at that time (February 1992). Twas also noted (Ref. 9) that NRR was evaluating the issue of fire vulnerabilities. The Associate Director for Projects, NRR, noted that the issues concerning BOP equipment will be covered by the NRC’s maintenance rule (10 CFR 50.65 [Ref. 4]. 3.4 Root Causes of the Event ‘The NRC-AIT report (Ref. 6) and the SERT report™ were in complete agreement on the “contributing causal factors” for the Novem- ber 9, 1991, overspeed event, Sections 3.4.1 to 3.4.6 summarize those “contributing causal factors,” many of which can be viewed as root causes. of Noenberd, DO Deter 201i.3.4.1 Equipment Failure All three overspeed system SOVs were mechanically bound and so could not shift position on demand, Because of testing inadequacies or human errors, the failures were not detected by previous testing. 3.4.2. Inadequate Preventive Maintenance (1) The licensee failed to recognize the need for SOV or AST pressure switch preven- tive maintenance. This failure was partly due to the absence of manufacturer or turbine vendor recommendations for preventive maintenance, Q) The licensee failed to perform corrective and preventive SOV maintenance as identified by Salem Unit 1 operating experience, in accordance with a pre- viously committed to schedule, 3.43 Inadequate Review and Feedback of Operational Experience The licensee failed to recognize or follow up on five precursor events involving turbine control systems and SOVs (two events at Salem Unit 1, two events at Ginna, and one event at Crystal River Unit 3 [see Table 3)). 3.4.4 Inadequate Surveillance Testing (1) Most of the automatic turbine trip signals and features are bypassed during monthly testing of the turbine mechanical protec- tive devices. Turbine overspeed protection reverts to a backup system with an elec~ trically actuated emergency trip SOV (ET-20) and two redundant electrically actuated overspeed protection SOVs (OPC 20-1 and 20-2), However, before performing the monthly tests, the licensee did not verify the operability of the emer- gency trip SOV (ET-20) and failed to recognize that the overspeed protection SOVs (OPC 20-1 and 20-2) had both failed their surveillance tests when they were performed 3 weeks earlier. (2) Surveillance testing of redundant SOVs (OPC 20-1 and 20-2) could not reveal a 7 single failure of either SOV. The same vwas true for simultaneous surveillance testing of ET-20 and AST 20. (The tur- bine manufacturer did not provide any ‘guidance for testing of SOVs, individually or as a group.) Operators and supervisors allowed tur- bine startup (October 20, 1991) when surveillance testing indicated malfunc- tions of the TOPS (OPC 20-1 and 20-2). They thought that concurrent failure of both SOVs was incredible and that something must have been wrong with their test procedure, 3.45 Human Factors Deficiencies in Front Standard Testing (1) To perform the test, the necessity to hold the overspeed trip-test lever in an awk- ward position for about 20 minutes. Furthermore, there was no positive indi- cation to allow the operator to determine if the overspeed trip-test lever was in the test or the normal position. In addition, the amount of lever movement needed to take the lever out of the test position was only about 1 inch, The total range of lever ‘motion was only 2 inches. Inadvertent movement out of the test position during testing would result in a reactor scram. @ Q) Absence of communication between the control room and front standard operator. Absence of turbine speed indication to the operator at the front standard (a tachometer at the front standard had been disconnected and abandoned in 1986). 3.4.6 Test Lever Although the SERT report noted that the root cause of the initial reactor scram was foreign material blockage of a reducing orifice in the AST system, the licensee noted that it could not rule out ‘the possibility that the operator holding the test lever at the turbine’s front standard may have allowed the lever to move slightly, thereby causing the AST system pressure perturbation. ® NUREG-1275, Vol. 11Corrective actions that were taken by the licensee at both Salem units are described in Section 4.1 of this report. 4 NUCLEAR INDUSTRY INITIATIVES AFTER THE SALEM UNIT 2 OVERSPEED EVENT ‘The Salem Unit 2 overspeed event surprised ‘most people in the nuclear industry. As noted in Section 2, a destructive overspeed event at a US. nuclear power plant resulting from common-mode SOV failures was considered very unlikely. Nonetheless, after being alerted to the fact that the event occurred, most of the persons in the nuclear industry who were contacted indicated that their organization took positive steps to prevent a recurrence, ‘The amount of attention paid to the issue of turbine overspeed has varied among organiza- tions. The following sections discuss actions taken by individual utilities contacted, the major turbine manufacturers, the NRC, and the major U.S. nuclear insurers. 4.1 Public Service Electric and Gas Company at Salem Units 1 and 2 As noted in Section 3.2, within 2 hours after the turbine overspeed event, Public Service Electric andi Gas Company (PSE&G) formed a SERT to assess all relevant aspects of the event to prevent similar events, The SERT thoroughly investigated the root causes of the event and made 32 recommendations for corrective action (Section 3.2 and Appendix B of this report contain summaries and descrip- tions of those recommendations, respectively), The licensee implemented almost all of the SERT recommendations at Salem Units 1 and 2 before the end of 1992, In addition to committing to implementing the SERT's 32 recommendations, the licensee imple- ‘mented commitments? that it had made in response to the NRC-AIT that investigated the overspeed event (see Section 3.3 for discussion of the AIT’s activities). ‘Table 4 highlights the major hardware, pro- grammatic, and procedural modifications that PSE&G has made at Salem Units 1 and 2 as a result of the overspeed event in accordance with the SERT’s findings and the NRC-AIT’s findings. 4.2, Public Service Electric and Gas Company at Hope Creek ‘Hope Creek is a 1067 MWe BWR with a GE main turbine and generator. It is located on the same site as Salem Units 1 and 2. 3Some of those commitments overlap SERT recommendations, ‘Table 4 Major modifications* made at Salem Units 1 and 2 Modifications Made at Salem Units 1 and 2 After the November 9, 1991, Overspeed Event Replaced original 20/AST solenoid Installed a filter in the AST header ‘Added an additional AST pressure switch testing of all four turbine protection SOVs Installed turbine speed indication at the front standard Improved communication between front standard operator and control room Installed a backup turbine trip SOV to enable automatic protective turbine trip during testing Installed a detent handle on the front standard (see Figure 10) Made system modifications to enable independent, full functional hydraulic operational periodic ‘Hardware, programmatic, procedural, es. NUREG-1275, Vol. 11AA few days after the Salem Unit 2 overspeed event, PSE&G formed a team to perform a lessons-learned review of the Salem Unit 2 overspeed event and assess programs asso- ciated with the operation, maintenance, and testing procedures for the main turbine at Hope Creek. The Hope Creek Review Team also assessed the Salem SERT report for applicability to Hope Creek. They also re- viewed Hope Creek's operating procedures for ‘TOPS relative to the turbine manufacturer's (GE's) guidance, With regard to turbine testing vulnerabilities, the review team found that perhaps the most important differences between Salem and Hope Creek turbine testing are that, at Hope Creek, the GE main turbine mechanical overspeed trip is not bypassed during electri- cal overspeed trip testing and, conversely, the electrical overspeed trip is not bypassed during mechanical overspeed trip testing. Furthermore, other turbine trip tests do not disable the overspeed trips°*, Most of the GE main turbine control systems used at nuclear power plants have turbine testing configurations similar to Hope Creek. (The differences between design and guidance at Salem and Hope Creek are indicative of 34 R, Thompson, PSEAG, memorandum to BB, Ha "hain Turbine Ihip Sytem Testing,” November 32, J. Hagan, PSEAG, memorandum fo $, LaBrana, “Hope pow/Actions Associated With Salem Unit It ‘Tubine Overspeed Brent” January 27, 1992. cs generic differences between GE and W designs and guidance.) ‘The review team did identify some areas where enhancements to TOPS procedures, equipment, and testing at Hope Creek would be appropriate (see Table 5 for a list of the most significant items). As a result of its reviews, the licensee concluded that the turbine testing at Hope Creek had been conducted adequately. 4.3 Westinghouse Power Generation Business Unit ‘Immediately after the Salem Unit 2 overspeed event, W’s Salem site representative and another W turbine engineer were at the Salem site to gather information and to help PSE&G investigate the root causes of the event, Subse- quently, at a January 1992 meeting of W turbine owners from both nuclear and fossil plants, W provided its turbine owners with details of the Salem overspeed event, On February 13, 1992, W issued an advisory to their turbine owners, Customer Advisory Letter (CAL) 92-02, “Operation, Maintenance, and System Enhancements to Tur- bine Greropecd Protection System” (reprinted as Appendix C, courtesy of Westinghouse Electric Corporation). CAL 92-02 provided information about the Salem Unit 2 overspeed event and contained W's recommendations for reducing the potential for another overspeed ‘Table 5 Turbine overspeed protection system enhancements made at Hope Creek ‘TOPS Enhancements Made at Hope Creek After the Salem Unit 2 Overspeed Event ¢ Increased the frequency for calibrating control system actuation devices © Developed a procedure to test cizcuitry of the backup overspeed trip © Developed a procedure to perform full functional testing of the turbine control system logic (instead of partial circuitry tests) ¢ Implemented tear-down inspections of critical components to ensure no intemal contamination, corrosion, or worn parts in addition to observing component functionality © Implemented procedures to individually test redundant components NUREG-1275, Vol. 11event, The recommendations addressed opera- tion, maintenance, and testing of EHC system SOVs, on-line testing of individual EHC system SOVs, maintaining EHC system fluid quality, AST pressure switch settings, AST lube oil system cleanliness, and installation of reverse power relays (to assure dissipation of turbine driving steam before opening the main generator circuit breakers), CAL 92-02 also made recommendations for improving infor- mation available to the operator at the front standard during turbine testing and for improving actions to be taken by operators during turbine testing. CAL 92-02 also gave utilities information on turbine control system enhancements such as installing coil monitors to check for SOV circuit continuity, installing a latch-in circuit for energizing ET20 SOVs, and installing a second 20/AST to prevent the bypassing of Proposed nge- TURBINE TRIP BLOCK HP OIL SUPPLY_1_J valid turbine trip signals during turbine trip testing (see Figure 7). It is interesting to note that some W turbines had the second 20/AST as part of their basic design (e.g., Waterford Unit 3—see Section 4.6). In discussions with W‘, AEOD staff learned that W had canvassed all its turbine owners (about 250 fossil and nuclear units) about operating experience with EHC system SOVs (Parker Hannifin spool-type SOVs such as the nes that had failed at Salem, as well as, poppet-type units). About 20 percent of the ‘unit owners responded. They stated that there had been 38 cases of sticking spool pieces in the Parker Hannifin SOVs. Ten such events occurred at one single-unit nuclear power “ixlephone discossion, M. Smith, W, and H, L. Ornstein, NRG, September 14, 1992, and Apel 7, 1993 Figure 7 Proposed improvement of Salem type (generic) emergency and ‘overspeed protection control system NUREG-1275, Vol. 11 20station. In contrast, none of the owners reported any sticking problems with any of the poppet-type valves used.> In March 1993, W issued Availability Im- provement Bulletin (ATB) 9901, “Steam Tur- jine Overspeed Protection System” (reprinted as Appendix D, courtesy of Westinghouse Electric Corporation), which superseded CAL 92-02, ATB 9301 expanded upon the original CAL 92-02 recommendations. It reiterated the importance of on-line testing of individual SOVs and it informed owners that hardware modifications were available that would allow individual SOV testing and also permit on-line replacement of defective SOVs. The bulletin emphasized the importance of assuring backup or alternate overspeed and trip pro- tection during turbine testing and noted the availability of hardware modifications to provide such redundancy. AIB 9301 also noted the availability of stainless steel poppet- type SOVs to replace the carbon steel spoo!- type Parker Hannifin SOVs. In the future, W will fill orders for spool-type SOVs with poppet-type SOVs as like-for-like replace- ‘ments to mount directly in place of the spool- type SOVs. AIB 9301 recommends that mechanical trip systems like Salem’s low bearing oil, low vacuum, high thrust, and 2O/AST trips be tested monthly. AIB 9301 also recommends that a second 20/AST be installed in the system to allow electrical trips to be effective when the test handle is held. Furthermore, ATB 9301 rec- ‘ommends that all units have at least two independent means of tripping the unit on an overspeed. ‘Regarding maintenance and inspection, CAL 92-02 and ATB 9301 both recommend that, if one SOV sticks, all SOVs should be removed, replaced, or rebuilt, and then retested. Fur- thermore, W recommends any SOV rebuilding should be done “only by valve manufacturer approved vendor. [sic]” ike number of SOV in nuclear and fos ‘turbines i about 1000 approximately 4 spooktype SOVs and 600 ‘pe: fants with WE main parker Hannifin ‘another manufacturer's poppet- 2 After a visit by the author to W Power Generation Business Unit on November 29, 1994, W has embarked on a program to prepare a new test instruction schedule and procedure. The new test instructions will be added to all W nuclear turbine customers’ instruction books. 4.4 General Electric Power Generation Division Examination of technical information pro- vided to owners of General Electric Company (GE) turbines (Technical Information Letters [TILs}, operations, maintenance, and testing instructions and manuals, etc.) indicated that GE has routinely provided its turbine opera- tors with stringent requirements and recom- mendations to prevent or minimize the likelihood of a turbine overspeed event. GE appears to have excelled in providing its turbine owners with turbine instructions specifying what actions to take in the event of an unsuccessful test; W turbine owners had not received such guidance. Over the years, GE's guidance to its turbine owners has covered most of the areas which ‘were found to be the apparent or root causes of the Salem overspeed event as noted in PSE&G's SERT report and the NRC-AIT report. Unfortunately, discussions with turbine engi- neers at several plants with GE turbines showed a wide variation in how individual plants follow GE’s recommendations on turbine control systems and their auxiliaries. For example, turbine engineers at one plant indicated that their plant conscientiously adhered to almost all of GE’s guidance. However, turbine engineers at another plant acknowledged that the plant personnel dis- agree with many of GE’s testing and main- tenance recommendations and, as a result, disregard many GE turbine TOPS and control system recommendations. After the Salem overspeed event, GE reviewed its equipment and the guidance it had pro- vided to users of its equipment. At a meeting of GE turbine owners on May 19, 1992, GE presented the results of its assessment of NUREG-1275, Vol. 11the Salem event to their customers, noting important differences between the W Salem design turbine and the GE design turbine, GE contends that rigorous adherence to guidance provided by GE to their turbine owners would prevent destructive overspeeds like the one at Salem Unit 2. GE’s guidance emphasizes the necessity of: (1) periodically testing the turbine trip system (testing requirements as described in GEK 46527, Revision B, February 1980°, (2) investigating failures that occur during the testing and remedying the failures diligently (GE's guidance clearly outlines the actions to be taken in response to equipment failure), and (3) sequentially tripping the generator. ‘The circuitry is designed so that the generator can be removed from the grid only after the turbine is tripped, all main and reheat steam flow has been interrupted, and the generator is motoring. GE guidance on installation of control circuitry to assure sequential tripping of the turbine has been available since 1980. With regard to GE’s longstanding emphasis on the need for turbine testing, it is interesting to note that in 1975, GE informed its turbine owners that “some customers have discon- tinued testing because of either real or imaginary problems of false tripping during such procedures. These false trips must be nd must ni reason for not testing, [sic]” In discussions with GE, AEOD staff learned that GE reviewed their turbines and TOPS and did not find any areas where equipment, procedures, or guidance need to be modified to prevent an overspeed event. However GE is conducting a study to identify ways to reduce the likelihood of spurious scrams during auto- matic overspeed testing. It will provide recom- mendations to utilities for the implementation of specific control system improvements and will reiterate the need to comply with General Blecric Company, Steam Turbine Instructions, “Periodic Operational Test Summary” GEK 46527, Rete sion B Febery 198 ‘General Eectrc Technical Information Letter 769-2 ‘Afachment, “EHC Fu Stems Wake Tesi” March 1975, “Blephone dsusion 5, Abelion, GE, and H. L Onsen, , September 22, 1994, NUREG-1275, Vol. 11 GE's existing testing and maintenance recommendations®, 4.5 Nuclear Power Plant Insurers When the author visited nuclear power plants to discuss licensee actions in the area of tur- bine overspeed, the issue of nuclear insurers arose. Subsequently, the author had several discussions with the major U.S. nuclear insurers and visited one. ‘The insurers have noted that recent claims history shows many significant insurance com- pany payouts for the main turbines and other BOP equipment losses. The insurance com- panies readily pointed out that a major reason ior disproportionate payouts on BOP equip- ment is that the NRC does not scrutinize the BOP equipment closely. The insurance com- panies assign staff to each nuclear station. ‘The functions of this staff are to work with the utilities to promote safe plant operation, to reduce risk,’ and to prevent loss. The insurers’ negotiating tools are premium adjustments and penalties. Frequently, utilities disagree with their insurers’ recommendations and, as a result, some utilities are willing to take a premium penalty in lieu of doing what the insurer recommends, For example, during one plant visit, the author learned that the licensee had decided not to follow its insurer's recom- mendations regarding maintenance and inspection of the TOPS SOVs. The insurer recommended that each trip solenoid valve in the turbine trip system shall [sic] be removed, replaced, or rebuilt and tested per manufac- turer’s instructions at least every 6 operating years. The licensee felt that performing the maintenance at 6-year intervals is unnecessary since that station had not had any problems with those valves. The licensee's turbine engineers stated that they had reviewed the issue and determined that from a cost effec- tiveness standpoint, rather than performing the maintenance recommended by the insurer, “Teephone discussion, $. Abelson, GE, and H. L. Ors NRG, November 1, 1954 “Foran insurance company, “risk” i defined as direct physical damage, consequential damage resting from failure, and sonseguclia damage rom faints oer components or ‘golem.the licensee would pay the additional pre- mium penalty that would be charged if the maintenance was not performed. In discussions with the major insurers in late 1992, the staff learned that, after reviewing the Salem overspeed event, the major U.S. nuclear plant insurers were modifying their guidance and recommendations for operation, mainte- nance, and testing of turbines and TOPS. Since the guidance and recommendations pro- vided to the site representatives are proprie- tary information, this issue is not discussed further in this report, 4.6 Waterford Unit 3 ‘The Waterford Unit 3 plant has a 1075 MWe. Combustion Engineering (CE) reactor and a W turbine and generator. After the Salem Unit 2 overspeed event, Waterford Unit 3 performed an “applicability assessment” of the Salem Unit 2 overspeed event"®, The operators noted that the Water- ford Unit 3 TOPS is very similar to Salem Unit 2's but it did have a significant design improvement. As shown in Figure 8, an additional SOV, 20-2/AST to dump AST fluid and trip the turbine if a reactor scram or a valid turbine trip signal is generated by the AST system (ie., vacuum trip, low bearing oil trip, thrust bearing trip) while the turbine’s mechanical protective devices are being tested (and the trip signals are bypassed by the operator holding the trip test lever). Conse- quently, the Waterford Unit 3 staff concluded that an overspeed event like the one at Salem Unit 2 could be averted by successful operation of the additional 20-2/AST SOV. The applicability assessment report noted that, unlike Salem Unit 2, Waterford Unit 3 cleans the AST and EHC system reservoirs before starting up from EACH OUTAGE and that, in accordance with W’s guidance, the fullers earth filters in the EHIC system are normally in service. Furthermore, the “entergy Operations, Operations Support and Assessments Repo 92 O03, Febuary 13, 2 operators noted Waterford’s willingness to adopt forthcoming W recommendations for assuring cleanliness of the AST and EHC fluid systems. The applicability assessment report noted that, like Salem's, Waterford’s testing proce- dures were incapable of detecting a single failed SOV (OPC 20-1 or OPC 20-2). Conse- quently, the Waterford staff recommended that all five SOVs in the turbine overspeed control system be tested independently. The licensee formulated a procedure to determine the operability of each of the OPC SOVs. The first independent test of an OPC.20 SOV was performed on February 21, 1992. It revealed a failed SOV (Parker Hannifin MREN 16MX 0834, the same model valve as the ones that failed at Salem Unit 2), As the Waterford staff proceeded to test the second Parker Hannifin MREN 16MX 0834 SOV, they were anxious that it work satisfactorily; otherwise, they ‘would have found themselves in a situation similar to that at Salem Unit 2—performing a new test, finding both SOVs failed, suspecting that the SOVs were really operable, and assuming that the surveillance testing proce- dure was flawed. The surveillance test of the second OPC SOV at Waterford Unit 3 found that it did operate satisfactorily, confirming that the new surveillance testing procedure was not flawed and that the first SOV which had been tested had truly failed. ‘The licensee examined the failed SOV and sent it to an independent laboratory (Power Dynamics, Inc. of Harvey, LA) for additional inspection and failure analysis. The inspection and failure analysis” found that five areas of the SOV were degraded. The licensee did not think that any one area of degradation alone was responsible for the failure of the SOV to shift position on receiving a demand signal, “However, the cumulative effects were obvious: ‘ateford HIT Nuclear Station, Work Authorization 'No, 01090480, "Turbine Hletieal Overspeed Special Test” ‘March 2, 1992. 1. Shockley, Poner Dynamics, Ine, memorandum to E Brauer Ent ions, Tl, “Faled Parker Valve ‘Model No- 0834," August &, 1992, NUREG-1275, Vol. 11raqsis joxyuo9 auqany €37UN PIOHOVEMA g aad WBLSAS 110 dols-o1ny WAA8AS GIM OINYUGAHOULOTTS ei i SIONTIOS gu wuNNOVA SSRJTOMOT UB STEAL NUREG-1275, Vol. 11(1) Frayed electrical witing—14 of 17 strands of wire at one termination were frayed. However, no short circuits were found and laboratory testing found the solenoid able to actuate properly when only three strands of wire Were connected. (2) Three of four O-rings were found ex- truded and swollen. Incompatibility between the O-rings and the hydraulic fluid or possibly excessive temperatures were suspected as the causes for these degradations. The licensee didn’t think that the extruded and swollen O-rings had blocked any valve ports; however, no ‘mention was made of the additional resistance to motion that could have been caused by the swollen O-rings. @) A:strainer on the main plunger of the SOV was partially obstructed with a “jelly-like” substance. The licensee noted that the same jelly-like substance had been previously observed in the EHC system and the EHC system had been flushed previously to remove the jelly-like substance. The failed SOV had been removed during the previous flushing operation, It is possible that some of the jelly-like material found on the SOV was residual material that had not been thoroughly removed during the flushing operation, (The most likely source of the jelly-like substance is hypothesized to be moisture and heating of the Fyrquel EEL fluid [see Section 6.5 of this report] 8) (4) The laboratory inspection found that the SOV’s manual override button was stick- ing. Because of the disassembly process in the inspection, the laboratory could not determine if the SOVs plunger had been sticking during the test. Tas it 19 Waterford Unit 3, the author ofthis report mas informed tha, early inthe Hie ofthe plant, the moxture content ofthe Farquel EH fia had ot met the manulac- {ters specenton,cing prcblere Hower afer Implementing an sggrenive program to asure the Fyequel’s nop tbe teense had foe any problems wih te Fyrguel EH fui (S) A small piece of nonmetallic material believed to possibly be part of an O-ring was found in the SOV’s pilot port. In summary, the licensee postulated that the ‘most probable cause of failure was “sticking of the SOV internals due to contamination.” 4.7 Comanche Peak Units 1 and 2 and Siemens/Allis Chalmers Turbines Comanche Peak Units 1 and 2 are 1150 MWe W PWRs having Siemens/Allis-Chalmers main turbines and generators. Unit 1 has been operational since 1990. Unit 2 received its ‘operating license in 1993. On learning of the Salem Unit 2 overspeed event from the NRC (IN 91-83 [Ref. 8}), the licensee evaluated its turbine generator pre- ventive maintenance program. Specifically, the licensee evaluated the need for establishing periodic preventive maintenance on the SOVs in the main turbine’s EHC system and on the instrumentation required to trip the main turbine. The licensee also evaluated the need to “establish surveillance/operational testing” of EHC system SOVs®, The evaluation noted that the EHC SOVs were not included in any preventive maintenance program. Apparently, the turbine manufacturer (Siemens/Allis- Chalmers) did not provide detailed guidance regarding preventive maintenance of SOVs. Comanche Peak uses Fyrquel 220 EHC fluid. ‘The EHC system was supplied with desiccant drying columns and it appears that rigorous preventive maintenance recommendations for the EHIC fluid were provided by the turbine ‘manufacturer in the operations and ‘maintenance manual, ‘The licensee requested that the main turbine supplier review NRC IN 91-83 and rec- ‘ommend any corrective actions required at Comanche Peak. Siemens provided information which stated® that their turbines cannot overspeed for the following reasons: EU. Best 7 experince Repo "NRC Tndoaation Notes 1-00 Tana 1088 4 Race, Siemens Pomer Corporation, letter oR. Jenkins, Fos Bene March 3, NUREG-1275, Vol. 11(J) The stop valves on the Siemens units cannot reopen until the trip signal has cleared and the turbine is manually telatched, (2) The Siemens units have redundant emergency trip SOVs whereas W units like Salem's have only one (ET-20). @) The Siemens units have a 107 percent “Mechanical-Hydraulic Control” speed governor that overrides all other control signals and closes the control valves. (4) The Siemens units have redundant 110 percent mechanical trip devices for the TSVs. During automatic turbine testing (ATT), a redundant trip circuit is established and the ‘TSVs will close in response to a valid trip signal. However, Siemens acknowledged that during on-line manual testing of the overspeed system, the mechanical and electrical over- speed trips are bypassed. As a result, during ‘manual testing there is no mechanical or electrical overspeed protection and overspeed protection is only provided by the operator at the front standard. Siemens noted that during manual testing, “overspeed control is in the hands of the expert tester.” ‘Siemens noted that, to eliminate dependence on the operator during manual testing, a “dual electronic overspeed protection circuit acting on two trip solenoids” is to be installed during the next refueling outage.? Siemens also noted that instrumentation re- quired for tripping the main turbine is exer- cised and verified operable with each success- ful ATT. However, if any ATT is unsuccessful, Siemens must be notified for their “assess- ment and recommended corrective action.” Siemens also indicated that all components of the TOPS must be inspected in accordance with the operations instruction manual, Siemens’ recommendations for SOV preven- Grand Gulf hata similar but not identical turbine control s- tem, However, is TOPS has the Backup electronic orerspecd Drotection cicutry fo prevent sn overspeed during font nel testing. NUREG-1275, Vol. 11 tive maintenance were addressed in a different letter”. In that letter, Siemens listed SOVs requiring maintenance every 18 months (full disassembly and inspection of all valve and solenoid assemblies and replacement of all elastomers, gaskets, and “other expendables”). Apparently, before 1992, the turbine manufac- turer had not provided the licensee with guidance for preventive maintenance on turbine control system SOVs. ‘Siemens emphasized that, to assure proper operation of turbine protection devices, all components of the TOPS must be inspected in accordance with the Siemens’ operations instruction manual. 4.8 Specialized Turbine Overspeed Protection System Solenoid- Operated Valves On a visit to Germany, the author of this report examined an SOV made by Herion and used in European fossil unit TOPSs, The Herion valve has been stated to be very reliable.!0 The SOV has a second coil and slug. On demand, both plungers are supposed to shift. However, if the critical SOV fails to shift, the second plunger will activate and hit the stuck plunger like a hammer. Thus came the name “hammer valve.” Additional infor- mation about the hammer valve appears in Appendix E. 5 RECENT OPERATING EXPERIENCE 5.1 Diablo Canyon 5.1.1 Diablo Canyon Unit 1 Turbine Overspeed Event (September 12 1992) Diablo Canyon Unit 1 is a 1073 MWe W PWR with a W main turbine and generator. On September 12, 1992, while the plant was shut- ting down, the turbine oversped to 1870 rpm (the design speed is 1800 rpm) (Ref. 10). %G, Thompson, Siemens Power Corporation, letter to Montgomery, EU Eleste, Apal 29, 1992 "No failures to function on demand; however, ome minor flange leakage had been recorded (exe Appendix E).‘The reactor had been tripped, and the turbine was successfully tripped from the control room panel, closing all TSVs and governor valves. Subsequently, the operators relatched the turbine, and the low AST pressure switch (63-2/AST in W system drawings [PS-22B in Diablo Canyon nomenclature) failed. (A similar pressure switch, 63-3/AST was impli- cated in the Salem Unit 2 and St. Lucie Unit 2 overspeed events, as noted in Sections 3.1 and 52.1 of this report.) The malfunction of 63-AST caused the digital electrohydraulic (DEH) computer to send a signal to open the governor valves to meet a speed demand of 1800 rpm, Because of multiple failures in the EHC system, bypass valve steam leaks, EHC system SOV leaks, and a complicated set of evolutions, a main steam stop valve (MS-1- FCV-145) opened and the governor valves, MS-1-FCV-139, ~140, ~141, and ~142 opened as well (see Figure 9). The combination of one governor valve (MS-1-FCV-141) and its asso- ciated main steam stop valve (MS-1-FCV- 145) both being open resulted in the accelera- tion of the turbine to the OPC setpoint of 1854 rpm. The OPC system actuated, closing the governor valve, MS-1-FCV-141. When the OPC trip point was reached (1854 rpm), the operators also tripped the turbine; nonethe- less, the turbine reached a maximum speed of 1870 rpm before the steam supply was cut off. Itis interesting to note that 6 months earlier ‘on March 22, 1992, the licensee shut down Unit 2 because of an inoperable high-pressure ‘TSV, MS-2-FCV-144 (Westinghouse Electric Corporation—Model #723-J-119). The TSV failure was reported in LER 50-323/92-003 (Ref, 11), The valve disc separated from its Swing-arm, In the March 10, 1993, revision of the LER, 50-323/92-003, Rev. 1 (Ref, 12), the licensee noted that the root cause of the TSV failure had not yet been determined. This failure is viewed as a precursor to widespread common-mode failures. There had been similar failures at other plants, In February 1990, W alerted their turbine owners to this Main Steam Stop X vaives FOV-145 FCV-146 Fev-141 Control[ LC ]vaves — Fev-142 FeV-140 FCOV-144 Stop Contro! [ Cd |vaives FCV-139 FOV-143 S/ Valves Main Steam Figure 9 Diablo Canyon turbine steam admission valves 21 NUREG-1275, Vol. 11type of problem (Operations & Maintenance Memo 108, which is reprinted in Appendix F of this report, courtesy of W Power Genera- tion Business Unit). This issue is an extremely important one because, as the licensee noted in the LER, “FCV-144 protects the HP turbine (SB) (TRB) from overspeed if the associated turbine governor valve (SB) (FCV) downstream of FCV-144 should fail to close when the overspeed trip or the normal trip mechanism operates.” ‘The licensee noted that, uring the spring 1993 outage, the licensee's inspection found other main steam stop valves which appeared to have signs of degradation in areas where FCV-144 had failed previously. The September 12, 1992, overspeed confirmed that all governor valves opening is a credible event. The similarity with the Salem Unit 2 overspeed event of November 9, 1991, is rather striking; in both cases, the governor valves opened or reopened as a result of a failed AST pressure switch 63/AST. Another im- portant data point derives from the data on turbine control system failure rates in W reports WCAP~115251!4 and WCAP-11529 (Ref. 13). Those reports are probabilistic anal- yses that were submitted to the NRC in 1987 to support W turbine owners’ requests to extend the turbine surveillance testing inter- vals. The failure rates given in WCAP. 11525118 for the 63/AST pressure switches are higher than the failure rates of all other turbine control system components listed in that report. The author of this report is not aware of any guidance provided by W to the W turbine owners for preventive maintenance or change-out of the 63/AST pressure switches. W guidance for maintenance of these pressure switches is limited to only calibrating them as noted in the recently provided guidance of CAL 92-02 and AIB 9301 (Appendices C and D of this report). Not surprisingly, Diablo Canyon’s lessons- earned review of the Salem overspeed ‘elephone diseusion, C.E Rhodes, PGE, and 8. 1. Ornstein, NRE, May 4, 1995. ‘MawWestinghouse Electric Corporation, (Westinghouse Prop lary Class 2) Report WAP “11335, "Probab Evo gh of Redaction Tra Veet Frequency "Tune NUREG-1275, Vol. 11 event! revealed that the AST pressure switch that failed at Diablo Canyon on September 12, 1992, did not fall under any preventive maintenance program. Preventive maintenance at Salem Units 1 and 2, Beaver Valley Units 1 and 2, St. Lucie Units 1 and 2, Waterford Unit 3, and other plants was similarly deficient. 5.1.2 Diablo Canyon Unit 2 Test Handle ‘Trip (January 30, 1993) On January 28, 1993, the author of this report visited Diablo Canyon to review turbine over- speed issues and turbine building hazards. ‘While in the turbine building, the author mentioned to the Diablo Canyon staff that the Diablo Canyon front standard panel was essentially the same as that of Salem Unit 2 at the time of the overspeed event. The author told the Diablo Canyon staff that the Salem SERT report indicated that the team had not tuled out the possibility that the operator at the front standard panel had inadvertently caused the trip by moving the test lever very slightly (about an inch). He also noted the human factors enhancements that Salem had made after the overspeed event, particularly placement of a stationary handle on the front standard. The photographs in Figure 10 show the original front standard panel and the modified front standard panel at Salem Unit 2. The new stationary handle in Fig- ure 10 would prevent an inadvertent trip from operator fatigue during turbine testing (sce Section 3.46). Although NRC and industry reports have been written on the Salem overspeed event, information on this par- ticular human factors enhancement has not been disseminated to industry in any NRC or industry report. The author discussed this enhancement with the Diablo Canyon staff during his visit to the plant. Two days after the author's visit to Diablo Canyon, Diablo Canyon Unit 2 was testing the loss of con- denser vacuum turbine trip signal, when the ‘operator who was holding the test lever moved it slightly, causing a turbine trip and a reactor trip from 100 percent power (Ref. 14). ‘UBL Hipds PG&E, memorandum to M. Angus and T Grebe, ay 5, 1992.(parrpout pur yeuyS]20) aued pavpurys yuosy z WU we[eg :sqdesBojoyg OT AN3hy PaO reariQ NUREG-1275, Vol. 11During the spring 1993 outage, Diablo Canyon Unit 2 installed a stationary handle on the front standard similar to the one that was in- stalled at Salem Unit 2 (as shown in Fig- ure 10), In a May 4, 1993, telephone conversa- tion’, the author learned that the licensee was planning to install a stationary handle on the Unit 1 front standard during the next refueling outage. 5.2 St. Lucie Unit 2 5.2.1 St. Lucie Unit 2 Turbine Overspeed Event (April 21, 1992) St. Lucie Unit 2is an 839 MWe CE PWR with a W turbine and generator. On April 21, 1992, after a record 502-day run, St. Lucie Unit 2 had a manual reactor scram from 12 percent power. The manual reactor scram should have energized the ET-20 SOV and 20 AST solenoid resulting in draining of EH fluid, closing of the steam admission valves, and tripping of the main turbine. The turbine did not trip. Within 2 seconds of tripping the reactor, a reactor operator pressed the turbine trip button in the control room. The turbine did not trip. Several additional attempts were made to trip the turbine using the control. room push button, but such actions were in- effective. Approximately 1 minute later, the reactor operator opened the generator output, breakers and closed the main steam isolation valves. Approximately 3 minutes after the Teactor scram, a nuclear watch engineer tripped the turbine from the front standard by using the emergency trip lever (Ref. 15), Be- cause the generator output breakers were open before the steam supply was shut off, the turbine oversped to 1850 rpm (rated speed is, 1800 rpm)!8, Since the overspeed protection system was set to actuate at 1854 rpm or 3 percent overspeed, the overspeed protection system was not challenged during this event, However, by opening the output breakers before confirming that the turbine had ‘Plephonedscusion, CB Rhodes, PGA, and H. L ‘Grate, NRC, May'4, 1993. ™D. Sues EPL pemorandu io NRG “St, Lacie Unit 2, ‘Docket No 30-389, ven Date ApS, 1992 Turbine ‘ip Flore Update” DASPSL 4007-92, May 14,1593 NUREG-1275, Vol. 11 30 tripped, the operator had increased the potential for a turbine overspeed event.3 ‘The licensee took aggressive action to find the root cause of the problem and fix it. The licensee assembled a large multidiscipline investigation team augmented by W field service. Initial troubleshooting found that the ET-20 SOV had failed to shift position when it received a Valid electrical signal. In addition, the 62/AST-X relay was found to have a loose connection on one pin (pin no. 6). Pin no. 6 is in the direct circuit for all 20/AST trip signals, including the control room trip manual push button, generator lockout, DEH turbine control system, de power failure, decreasing AST pressure, steam generator hi-hi level, low steam flow anti-motoring trip, and 108 percent electrical overspeed trip. ‘The investigation team also found relay 62/AST-X had burned contacts. Either of these two 62/AST-X relay problems by themselves could have been responsible for failure of the turbine to trip when the manual trip push button was pressed in the control. room. The licensee acknowledged’** that the G2/AST-X relay failures could not have been detected by St. Lucie’s surveillance program, As a result of the St. Lucie overspeed event, the licensee examined the possibility of testing the control room manual turbine trip push button, the 62/AST-X relay, and the 20/AST SOV. In an April 29, 1993, telephone discus- sion'4, licensee engineers indicated that hard- ware modifications and changes to surveil- lance testing procedures are being and have been made to enable surveillance testing of this equipment while the plant is operating. ‘The licensee staff also noted that they had ‘Pte cese's LER on this event (Ref 15) foruted on wy thereat tipped and why the arbine fed fo tp. TS LEEW didnot menon thet fe bine id verpel to 1830 pm ‘DA. Suger, FPL, memorandum to NRG, “St, Lace Unit 2, Docket No. 30-85; ent Date pi af, 1992, Tuine ‘ip Flue Update" DAS/PSL 4097-92" May 14,1998 Mpa 1H one dscusion, M, Lite and L. Basch, FPL, and ‘Ornstein, NRC, April 29, 1995,considered installing a redundant AST solenoid as had been recommended in W CAL 92-02 and ATB 9301 (Appendices C and D of this report), but concluded that the redundant 20/AST was unnecessary in view of the other improvements being made, such as monthly testing of the 20/AST coil and the installation of a turbine trip SOV test and ‘maintenance block to allow individual testing of the ET-20, OPC 20-1, and OPC 20-2 SOVs while the plant is on line, (The SOV test and maintenance block is discussed below.) ‘As part of its investigation, the licensee sent the ET-20, OPC 20-1, and OPC 20-2 SOVs to an independent laboratory. Those SOVs were the same type as the ones that had failed at Salem Unit 2 in November 1991. The inde- pendent laboratory, Main Line Engineering Associates of Exton, PA (MLEA), which per- formed the investigations of the three Parker Hannifin SOVs that were removed from St. Lucie Unit 2's EHC system, had performed similar investigations onthe Salem Unit 2 Vs. Even though St, Lucie appeared to be doing a reasonably good job of maintaining the EHC fluid cleanliness and had replaced the SOVs before the record 502-day cycle, the laboratory found that ET-20 had stuck because particu- late matter was blocking ports inside the valve. The particulate matter, which was classified as “aire” consisted of fused plastic, weld slag, organic fibers, sand, clay, and rust, The source of the dirt was indeterminate, The flow of the Fyrquel hydraulic fluid through the ‘SOV piiot ports “..was either blocked or sufficiently occluded by the ‘dirt’ to substan- tially reduce the flow of hydraulic oil so that the main valve would not open” to dump the EHC fluid to initiate the closing of the steam admission valves. MLEA found some rust particles in the ET-20 SOV’s pilot body and ‘on the pilot spool; however, those particles did Line Engineering Associates Test Report, “Root ‘Cause Failure Investigation for Parker-Hannifin Solenoid perc Vas Reed Fron the FHC Sef the St [ek Staion Westinghouse Tring” MOOO)-TROM, Tine 3, 31 not interfere with pilot spool motion, Like ET-20, OPC 20-1 and OPC 20-2 were found to have some rust particles which did not affect valve operation. However, unlike ET-20, the OPCs did not have any dirt buildup. The OPCs’ internal ports were unrestricted allow- ing hydraulic fluid to drain freely when energized. MLEA indicated that the OPCs were fully operable and did not have symp- toms of incipient failure. However, MLEA did note hard, tenacious corrosion deposits on the poppets inside ET-20 and both OPC 20 SOVs!#15, The deposits are typical of hydro- lyzed Fyrquel and indicate the presence of water. Another important observation noted in the laboratory report is the fact that the Parker Hannifin SOVs have extremely tight clearances and therefore ean be very unforgiv- ing with regard to contaminants. ‘The laboratory report highlights the unforgiving aspects of the EHC system and emphasizes the absolute necessity for maintaining EHC system quality. It was particularly concerned that particulates of undetermined origin were present in the ET-20 SOV and that products of Fyrquel hydrolysis were present in the SOVs even though (1) the BT-20, OPC 20-1 and OPC 20-2 ‘SOVs were in service for only one fuel cycle (extended as it may have been to a record 502 days) the licensee has performed EHC fluid flushing during each refueling outage the licensee had maintained the hydraulic fluid ina manner which met or exceeded W's recommendations ® @ The author's discussions with licensee engi- neers during his site visit at the licensee's request during the root cause investigation revealed that the dirt and moisture in the Parker Hannifin valves were quite likely caused fine particles from new EHC ters, Solexsorb filters, which had ‘malfunctioned and had to be replaced with ‘etephone discussion, Murphy, MEA, a8 1.1. ‘Orastein, NRC, Apti 30, 1 NUREG~1275, Vol. 11the original type (fullers earth filters). The new Solexsorb filters had been installed to reduce moisture, apparently because of previous moisture problems with the EHC fluid, After the root cause investigation was con- cluded, the licensee implemented many hard- ware, procedural, and training improvements. Some of the most noteworthy modifications and changes made or being made at St. Lucie Units 1 and 2 as a result of the April 21, 1992, overspeed event at Unit 2 are listed below: © Modified the procedures and conducted appropriate training to emphasize the necessity of confirming that the main turbine has tripped before opening the generator output breakers. Installed a “turbine trip solenoid valve maintenance-test block” and key switches to enable operators to test the ET-20, OPC 20-1, and OPC 20-2 SOVs independently while the plant is on line. Installed continuously energized monitor- ing lights for 20/AST and ET-20, OPC 20-1, and OPC 20-2 to verify circuit continuity. © Installed a key switch on the governor pedestal to allow monthly testing of 20/AST via the 62/AST-X contacts. © Added a coalescing filter cartridge to the EHC system to further reduce moisture in the EHC Fyrquel system. ‘The licensee also pursued the issue of replac- ing the carbon steel Parker Hannifin SOVs (ET-20, OPC 20-1, and OPC 20-2) with stainless steel SOVs. W is making such SOVs available. (See Section 4.3 of this report for a discussion of this modification and W’s other Tecommendations.) 5.2.2 St, Lucie Unit 2 Spurious Turbine ‘Trip During Solenoid-Operated Valve Testing (July 10, 1992) As noted above, because of the April 21, 1992, turbine overspeed event, the licensee installed NUREG-1275, Vol. 11 32 a turbine trip solenoid valve maintenance-test block to enable operators to test the ET-20, OPC 20-1, and OPC 20-2 SOVs independ- ently while the plant is on line. The licensee esigned the test and maintenance block. W had been consulted during the block’s design process. ‘The test and maintenance block was tested successfully before plant restart. However, on July 10, 1992, while the plant was on line, the licensee used the test and maintenance block to test ET-20 SOV and, contrary to the sign, the testing resulted in a reactor scram. ‘The closing of the ET-20 outlet isolation valve followed by the successful opening of ET-20 caused a rapid (20 millisecond) pressure decay that was interpreted by the RPS as a loss of load. The licensee noted (Ref. 16) that the transient and the resulting reactor scram were unexpected. The modification had been tested before startup; however, because the RPS pressure switches are not activated until the Teactor reaches 15 percent power, the preoperational testing did not provide a warning of the unexpected EHC fluid pressure spike, As a result of the July 10, 1992, reactor scram, the licensee suspended the EHC SOV monthly testing until a reliable on-line testing method could be developed. Subsequently, the licensee redesigned the test and maintenance block to eliminate the pressure pulse (see Figure 11). ‘The modified test and maintenance block isolates trip functions from the SOV being tested but remains available for the other two SOVs, introducing an alternate supply of EHC fluid from the EHC supply header. alternate fluid supply eliminates the possibility of feedback to the emergency trip header on the RPS, thereby eliminating the possibility of causing an unwarranted reactor scram. To minimize human errors, the SOV testing requires the use of key switches. The revised test and maintenance block was tested ex- tensively at Florida Power and Light Com- pany's (FPL’s) Manatee fossil plant. In AprilCLOSING INLET ISOLATION VALVE ALLOWS TESTING OF ASSOCIATED SOLENOID VALVE. CLOSING BOTH INLET AND OUTLET ISOLATION VALVES ALLOWS ASSOCIATED SOLENOID ‘VALVE REPLACEMENT WITH SYSTEM IN OPERATION. TRPFLUD FROMTV & RR ‘STOP VALVES. TRIP FLUID FROM INTERCEPT” ‘& GOV. VALVES GUAGE PRESSURE INDICATES SOLENOID ‘VALVE POSITION LOW VALVE OPEN HIGH - VALVE CLOSED pe OF fT — 1 Xx ===— NEW PIPWS ' —— pests 100K PPG FROM DEH CONDITIONS MENTE. FLTER SUPPLY HOR. Figure 11 St. Lucie block for testing EHC system SOVs independently 33 NUREG-1275, Vol. 11 |199316, the revised test and maintenance block was being installed on Unit 1, with Unit 2 installation to be done later (with no on-line EHC system SOV testing to be performed on Unit 2 until after the installation). 5.3 Big Rock Point Big Rock Point is a 69 MWe BWR with a turbine unique among other US, LWRs. The turbine operates at 3600 rpm and was built by the GE, Lynn, MA division. GE’s Lynn, MA division no longer makes steam turbines, and no other similar turbines are in service at US. nuclear plants. Nonetheless, the failures in the turbine control system at Big Rock Point are very enlightening, and they provide lessons to be learned, 5.3.1 Big Rock Point Common-Mode Bypass Valve Failures On October 27, 1989, the licerisee observed common-mode failures of the turbine bypass valve (failed to open on an open signal and on October 31, 1989, the turbine bypass isolation valve failed to stroke during a test [Ref. 17). The cause of those two failures was the licensee's use of Garlock 938 packing to re- pack the valves during turbine maintenance, Garlock 938 is a compression packing mant- factured from aluminum tinsel treated with natural rubber cement and die formed, then treated with zinc. The packing hardened and was bound to the valve stems, preventing their operation. At atmospheric conditions, Garlock 938 is flexible and easy to install. However, it becomes hard and brittle when subjected to heat and pressure. At Big Rock Point, the Garlock 938 became a tenacious ceramic-like material shortly after being subjected to high temperatures and pressures, The Garlock 938 was installed during an outage. The problem was found during power escalation while the plant was at 31 percent power. Conventional methods for removing the hardened Garlock 938 were unsuccessful, Eventually, it was removed by drilling and using a chisel—an operation that took 3-1/2 days to complete. “epee deca, L, Basch nd M.Litl, FPL, and BE Ors NRG pet oa Ute NUREG-1275, Vol. 11 34 After the problem with the turbine bypass isolation valves was discovered, the plant was shut down on November 1, 1989, so that other valves with Garlock 938 packing could be examined. Garlock 938 was also used on two motor-operated valves (MOVs) in the core spray system. Examination of the valves in the core spray system found the packing hard. ened, but the valves still able to function. Tt was not clear how much longer the Garlock 938 would have had to harden to cause the MOVs to be unable to stroke, The licensee noted (Ref. 17) that, after the failures, Garlock representatives still supported the use of Garlock 938 as an acceptable spacer material. The licensee also noted that Garlock 938 had been used for 40 years as a “severe use” pack- ing and had also been used as a spacer at Big Rock Point from 1987 to 1989, At a recent Air-Operated Valve Users Group Meeting)’, the author learned that Garlock Corporation performed extensive laboratory analyses on the hardened Garlock 938, but was unable to conclusively determine the cause of the failures that had occurred at Big Rock Point. 5.3.2. Big Rock Point Repetitive Failures of the Turbine Trip System On June 3, 1992, August 24, 1992, October 5, 1992, and February 28, 1993 (Refs. 18 through 21) and August 30, 1992'78, the turbine failed to trip on demand because the hand-trip solenoid (HTS) failed. The HTS’ function is to automatically close the TSV on a reactor scram. The HTS is actuated automatically by automatic trip signals and can be actuated manually by a push button on a control room panel. The licensee noted!” there had been eight failures of the HTS before 1992, (See ‘Table 6.) On June 3, 1992, the turbine failed to auto- matically trip on a reactor scram (Ref. 18). Discusion, WL Orpstein, NRC, and B.D. Crocker, Gatioek, tc, Sine, 1993. ‘"Consuers Power Company, Deviation Report D-BRE- $2063, Palle of Tubing 18 to Mp’ September 2, 1 D-BRP- "Consumers Power Company, Deviation Re in 200) 92-071, “Tallre of Turbin Stop Vave( Close" etober 8, 1992.‘Table 6 Big Rock Point failure to trip history* before 1992 DATE EVENT 04/06/78, ‘The turbine failed to trip from loss of load. Manually tripped stop valve. Replaced coil. 12/31/84 CV--4200 failed to close on signal from push button, tripped from front standard. ‘The trip coil was found to have an open winding. Upon inspection, it showed four score marks corresponding to the location of the mounting screws. Coil replaced. 04/05/85 While shutting down the plant, the turbine stop valve failed to close. Push button and X-phase failed. Manually tripped from front standard. ‘The 125 V de solenoid was found energized and the trip mechanism still latched. A significant amount of additional force was required to assist the solenoid to trip the handle latch. Mechanically, there seemed to be a misalignment of the solenoid (85-MSS-0019). 2/11/86 Push button and Y-phase failed to trip turbine during shutdown. Turbine tripped from the front standard. ‘The solenoid was energized during both push button and Y-phase attempts. The toggle links were still in locked position, ‘The force exerted by the energized coil ‘was not sufficient to overcome the friction in the mechanical I links (86-MSS-0011). 07/0/86 ‘Turbine failed to trip after reactor scram. Push button failed, tripped at front standard. Root cause determined to be worn mechanical links and also out of adjustment, ‘New trip device was installed during 1987 refueling outage (87-TGS-007). 04/08/88 During plant shutdown, the turbine trip failed from the push button, and the Z-phase contacts. This resulted in a 116 OCB trip, but the stop valve failed to close. Subsequently closed from the front standard, (1) Broken lead to the solenoid coil, (2) broken wire strands at crimped wire lugs, @) aged wires in front standard, (4) broken wire at connection to the arc suppression capacitor. 07/01/88 During S/D, the HTS did not function properly. HTS would not trip and the continuity light was out. Bad wiring connection. Installed indicating light in control circuitry. Replaced coil, armature and solenoid link stud mechanism, also the stud spring was locked to a position causing the solenoid link bar to twist the toggle links and latch. 07/18/90 During S/D, the HTS did not trip when manual turbine trip push button was depressed Tripped using front standard Wear in mechanical linkage pars caused misadjustment of solenoid trip latch causing linkage binding to the point that the solenoid could not pull up the linkage to release the trip latch. "Direct quotes from Consumers Power Company, Deviation Report D-BRP-92-071, “Failure of Turbine Stop Valve (CV- ‘Close, October 8, 1992, 00) 35 NUREG-1275, Vol. 11 Ear TOperator attempts to manually trip the tur- bine using the push button on a control room panel also failed. Subsequent examination of the plant data determined that the HTS had received demand signals and that the HTS had failed. Approximately 1 minute after the reactor scrammed, a control room operator found that the generator output breakers were still closed. He opened the output breakers and found that the turbine had not tripped; the stop valve was still open. He pushed the HITS manual trip button in the control room. When the push button was found to be in- effective, an auniliary operator was dispatched to the turbine’s front standard, Using a hand trip lever, the auxiliary operator successfully tripped the turbine, Four minutes elapsed from the reactor scram until the turbine was successfully tripped. The turbine had the potential to overspeed from the time the out- put breakers were opened until the turbine was tripped (3 minutes). However, because the steam admission valves were closing in re- sponse to the original transient!8, the turbine did not overspeed. After plant shutdown, the licensee’s root cause investigation of the event determined that the HTS (manufactured by Ruggles-Klingmann) had mechanically bound. The licensee dis- assembled, inspected, readjusted, and suecess- fully tested the HTS, On August 24, 1992, the HTS again failed to actuate on demand (Ref. 19). The plant was in hot standby and the licensee was performing a pre-turbine startup checkout. The actuation signal to the HTS was manually initiated from the control room panel, The HTS manufac- turer's representative examined the failed HTS. He noted that the mechanical linkages (ee Figure 12), which were set in accordance with the plant’s maintenance instructions, did not meet manufacturer's recommendations. It was suspected that the improper setting had caused the mechanical binding When electrical tape from the HTS was re- moved, a terminal lug fell off. The licensee ‘Reactor seram on high fux because ofa sudden spike in Feicior pressure when he inal reste rept stom NUREG-1275, Vol. 11 36 could not determine if the lug had contributed to the failure. The HTS was replaced with a new one which was provided by the manufae- turer's representative, As a result of this experience, the licensee planned to have the HITS manufacturer's representatives perform future adjustments. On October 5, 1992, during a plant shutdown, control room operators were unable to trip the turbine using the control room push button to actuate the HTS (Ref, 20), The generator field breaker opened but the TSV did not trip. Again, the turbine was tripped manually with the hand trip lever at the front standard, ‘The manufacturer was contacted about the failure. It was believed that the HTS had ex- Perienced a hydraulic locking, Although there ‘were traces of oil leaking from the stem and bushing interface of the HTS, the leak was not believed to be the cause of the malfunction. ‘The licensee also verified that the hydraulic oil was clean.and the failure was not caused by contaminants or particulates in the oil. The licensee changed out parts of the hydraulic system to provide less chance for hydraulic locking. In addition, the HTS body was replaced, However, the SOV plunger shaft was reused. In order to help keep the HTS SOV’s piston assembly from sticking, the licensee increased the HTS spring tension. On February 28, 1993, while shutting down the plant, the HITS failed again and the turbine ‘was again shut down with the hand trip lever at the front standard (Ref. 21), The licensee's oot cause failure analysis found that wear on the internal parts of the solenoid was causing the plunger to hang up. The licensee noted in a March 3, 1993, conference call with the NRC that after the October 1992 failure, the “top works assembly on the HTS had been re- placed, but that the solenoid and shaft had not been replaced.” Furthermore, the licensee noted that even though the SOV had failed several times before, the SOV’s internals had never been inspected for wear until Febru- ary 28, 1993. The licensee's staff noted that they were pursuing two possible correctiveg3z83n2, rstul OF 32s01 aaqea plousjos dixy-puey [emy31Q—ju1og yoy Sq ZT any] S 3 ee: a: 1 oe: @ ws. a 9 ges NUREG-1275, Vol. 11 37actions. For the short term, depending on the schedule, the licensee would either replace the HTS with a refurbished one or replace the HTS with another valve of a simpler type before power ascension (see Figure 13), For the long term, the licensee considered modify- ing the manifold block that housed the HTS to allow another valve to be added in parallel to the HTS. The extra valve would preclude another HTS failure from tripping the turbine. 533 Big Rock Point Long-Term Unavailability of Emergency Governor Exerciser ‘The emergency governor exerciser (EGE) is a backup overspeed trip that is integrated into the turbine control system. It is designed to trip the turbine if a condition requiring a turbine trip occurs while the plant is on line and the turbine’s overspeed protection system is being tested. (During testing, the turbine's overspeed protection system is bypassed.) In Inspection Report 50-155/92-020 (Ref. 19), NRC inspectors noted that the licensee per- formed a special test of the EGE indicating lights which were not reparable during the August 1992 outage. The inspectors also noted that the EGE has not been operable and has not been used for several years. Consequently, for several years, the licensee has not tested the overspeed protection system while the plant was at power. GE strongly recommends that for the 1800 rpm turbines, the overspeed control systems be periodically tested during power operation (see Section 4.4). The 3600 rpm Big Rock Point main turbine has a backup overspeed device (the EGE), which, if operable, would provide protection during periodic tests of the TOPS during power operation, 5.4 Palisades Common-Mode Failure of Six Steam Admission Valves ‘The Palisades plant has one 730 MWe CE reactor with a W turbine and generator. On September 20, 1992, during startup testing, the plant performed a trip test of the main tur- bine, Six of 16 quick-acting steam admission NUREG-1275, Vol. 11 valves, four intercept valves, and two reheat stop valves performed sluggishly. The valves, which are supposed to close within 1 sec- ond!®, took almost 2 minutes to close. The management at both Palisades and W turbine division were sensitive to the problem. The licensee's position was that the plant would not be restarted until the problem was fixed. The licensee initiated an aggressive program to determine the root cause of the problem and followed up by taking prompt corrective action, ‘The problem was suspected to be caused by flow anomalies in the EHC system or possibly malfunctions of the DEH control system computer or its software, Initial troubleshooting pointed toward “too much flow” in the trip header or possibly a restriction in a drain line. There was concern that the ET-20 might have stuck in an intermediate position. In addition to the W site representatives, sev- eral W field service engineers were dispatched to the site. Subsequently, W brought special equipment”? to the plant to measure EHC system flows and measure system pressures. Assistance was also provided by W personnel at W turbine division headquarters (Orlando, FL). W personnel performed computer simu- lator analyses of the Palisades turbine’s con- trol system. On September 23, 1992, the W site representative stated that overall about 150 people for the licensee and W were work- ing on the problem, including 20 engineers per shift plus 4 engineers at Orlando®, ‘The W site representative noted that the EHC system had been reasonably well maintained at Palisades. The system was clean, It had been flushed in March 1992, and the ET-20 and 20/AG SOVs (equivalent to OPC 20) had ‘8 Palmisano, Consumers Pover Company Em ‘munication, memorandum, “Turbine Out October 1, 1952. 396 fix 8 f1x8 ft BHC gptem flow analyzer. * lepton dicuson, R, Hunake,Wesighour Paldes te Representative, and H LOrmstein, NRC, Seplem- ber 23, 1992. " fee Com- age Update”Namo of Part Fe SERIES 25 SOLENOID De. EXPLOSION PROOF Body ‘Stem Piston Spring Spring Retainer & Pin Piston Shaft Tube Piston Shaft “0” Ring ‘Stem Guide Bushing ‘Stem Guide Bushing “O" Ring ‘Stom Gulde Bushing Screws ‘Solenoid Assembly ‘Solenoid Housing Gasket Solenoid Housing Capserew iE 0 | 00] 1] | on] | cof ro] 12 8/8] B/S] 8/8/28 ‘Adapter Cepscrew ‘Adaptor Protector Figure 13 Big Rock Point—Replacement hand-trip solenoid valve 39 NUREG-1275, Vol. 11been refurbished by the manufacturer, Parker Hannifin. However, about 3 weeks before the event, the EHC system developed a leak and lost about 50 gallons of fluid. In addition, an ‘SOV in the reheat stop valve controls failed. ‘The troubleshooting found EHC flow distri- bution anomalies, but did not find any spe- cific component problem. On the basis of the testing and computer analyses, more EHC fluid drain lines and orifice plates were added to enhance turbine control valve operation. Postmaintenance testing demonstrated sig- nificant improvement in the performance of the valves that had exhibited sluggish behavior. The repairs were completed on September 27, 1992, and the plant came on line the next day. In a communication to station employees”, the plant outage manager noted the positive aspects of how the turbine problems were handled, He noted that the turbine testing was designed “to verify that itportant turbine systems are operational and the testing did identify the problem.” Furthermore, he noted that it was fortunate that the problem was corrected before the plant was on line. “If the problem had occurred and been undetected, we could have had a turbine overspeed on a subsequent trip.” 5.5 Comanche Peak Unit 1 Inadequate Followup to Turbine Overspeed Protection System Test Failure (May 16, 1992) ‘On May 16, 1992, while the reactor was at 100 percent power, the licensee was performing ‘TOPS testing with the ATT (see Section 4.7 for additional information on the ATT). The ATT indicated six faults emanating primarily from pressure and vacuum switches. The licensee concluded that there was a problem with the ATT?! Since surveillance testing could not be completed with the ATT, TOPS surveillance testing was then performed satis- "nation neporandunn Tune Bulge Unies Gctober 11952 2*Form STA 515-1 regarding May 16,1992, event recorded as TER 445192021 (et 2, NUREG-1275, Vol. 11 factorily in the manual mode. Two weeks later on May 30, 1992 (as required by TS), the licensee again tried to perform the TOPS sur- veillance testing with the ATT, and the same six faults were indicated again. The TOPS surveillance tests were then conducted satis- factorily in the manual mode. As noted in a letter from Siemens?!* and Section 4.7 of this report, manual testing of the TOPS bypasses. the TOPS and puts the responsibility for avoiding a destructive overspeed solely on the operator. On June 3, 1992, the plant experienced a seram which was unrelated to the turbine systems. During the outage, turbine control system troubleshooting found the problem to be not the vacuum switch, but a loose wire in the turbine-generator control cabinet. A sec- ond loose wire was found in the turbine- ‘generator control cabinet (Ref. 22). After the terminals were tightened, the vacuum switch and the ATT worked satisfactorily. ‘Three months later, on September 11, 1992, a systems engineer determined that one of the loose wires on the turbine-generator control cabinet had disabled one train of the P-4 interlock actuation relay (which trips the turbine on a reactor scram) and the same train of the P-14 interlock actuation relay, (which trips the turbine on high steam gener- ator level). The disabled P-4 and P-14 inter- Jock actuation relays are listed in the ESFAS tables of the Comanche Peak TSs as having allowable outage times of 48 and 12 hours, respectively. Although the manufacturer's assessment of the Comanche Peak TOPS indicates that a destructive overspeed is unlikely, failure of the ‘operators at Comanche Peak (as at Salem) to immediately determine the root cause of a ‘TOPS testing anomaly placed the plant in a vulnerable position, bypassing the TOPS leaving only manual action available to pre- vent a destructive overspeed. In response to AEOD questions about which equipment was affected by the second loose terminal, the licensee traced the wiring. In a 2Z. Race, Siemens Power Cor ration, letter to RT Jenkins, ‘TU. Blecirs, March 19, 19May 27, 1993, telephone discussion”, the licensee informed AEOD that the second loose wire in the turbine control cabinet affected one train (train A) of the generator lockout relay. This relay sends a trip signal to the turbine control system when the generator output is disconnected from the grid. (Failure to trip the main turbine when the generator is disconnected from the grid could lead to an overspeed condition.) Itis also important to note that the loose terminals on the turbine-generator control cabinet were essentially degradations of ESFAS, Although the loose terminal, which was discussed in an LER (Ref. 22), only affected the A train, the LER also noted that there was another loose wire in the same cabinet. In the LER, the licensee noted that cause of the loose wiring was unknown, and that it was a generic concern. Furthermore, the licensee noted” that the loose wire caus- ing the inoperable main turbine trip event “could have been a precursor to a critically consequential event.” 6 FINDINGS 6.1 Complacency Toward Turbine Overspeed Until November 9, 1991, the likelihood that missiles from a main turbine overspeed event could penetrate the turbine casing at a US. ‘nuclear plant was considered to be very low: 10-4 to 10° per turbine-year according to NRC evaluation criteria (Ref, 5) and 10° to 10° per turbine-year cording to manu- facturers’ analyses’ Inherent in these analyses were low estimates for main turbine overspeed events which gen- a gg Sn hayes 2S Cg as er Be ony ti rt Mere ikea esnghoue Flee Co 11583 Srebabigne Eaton ‘Cass 2) Rey of Redston i erbne Save est requengy> Tone 1987 4 erated missiles. These analyses took credit for diversity and redundancy in the overspeed protection systems and did not consider the loss of diversity that may occur when the overspeed protection devices are disabled for testing or because of operator error. These analyses also did not assess correctly ‘common-mode failures of the overspeed protection system from contaminated oil systems or degraded SOVs and did not recognize that redundancy could be lost because surveillance testing practices could not detect individual failures of redundant components (SOVs). Itis interesting to note that some turbine operating manuals did not notify the turbine owners of any specific maintenance or replacement requirements for the SOVs of the overspeed protection system. With the possible exception of steam dump valve failures, the estimates of the failures of the individual components assumed independence (no coupling or common-mode contributions). ‘The analyses implicitly assumed that the degradation or failure of an individual SOV would be detected and that the SOV would be replaced or repaired to an as-good-as-new condition before experiencing a similar failure or degradation of its redundant backup. This report found industry practice to be incon- sistent with many of these assumptions. 6.2. Testing That Defeats Diversity Many plants defeat redundant overspeed protective devices when testing turbines and ‘TOPS at power. By design, Salem's monthly testing of the turbine’s mechanical protective devices required bypassing most of the auto- matic turbine trip features and deactivating the turbine’s mechanical overspeed trip. During the tests, overspeed protection relied only on three SOVs (OPC 20-1, OPC 20-2, and ET-20). Until the Salem overspeed event, the concern for disabling some of the main turbine’s pro- tective devices did not appear to be a signifi- cant one. However, the event raised the industry's awareness of this issue (see Chap- ter 4), Discussion with some utilities indicated a preference for resolving the concern by NUREG-1275, Vol. 11performing TOPS testing less frequently. Many utilities have submitted requests to the NRC to relax the frequency of testing as a method of reducing the likelihood of a reactor trip or an overspeed event. However, all turbine manufacturers’ manuals recommend frequent turbine testing, with the most emphatic guidance provided by GE (see Section 44). A more prudent approach would be to perform the testing with a provision to override any TOPS bypass if a condition arises in which a turbine trip is needed. Many plants have such backup overspeed protection; however, many plants have not installed or enabled such equipment, which is available from the turbine manufacturers. 6.3 Nonrevealing Surveillance Testing Salem was not the only plant to use the prac- tice of testing two SOVs in a parallel arrange- ment so that failure of either valve was unde- tected if the other valve worked. The issue-of inadequate testing of redundant SOVs was raised by AEOD in 1991 in Reference 23 with regard to diesel generator air-start systems. It was learned from discussions with major U.S. turbine suppliers and personnel at other U.S. nuclear plants that their surveillance testing of redundant SOVs in the TOPS was done just like that at Salem, and that failure of a redundant valve would not have been detected if the other SOV worked successfully (see Chapter 4). 6.4 Inadequate Solenoid-Operated Valve Maintenance The issue of inadequate SOV maintenance is not unique to main TOPS or to the Salem plant. In Reference 23, AEOD presented many cases where the SOVs are “unrecog- nized” piece-parts and, as such, are not adequately addressed in operations and maintenance instructions for the larger equipment which they serve. With regard to main turbines, discussions with personnel at numerous plants and a review of some manufacturers’ operations and maintenance ‘manuals confirmed that instructions for NUREG-1275, Vol. 11 42 preventive maintenance or the replacement interval for SOVs in the main turbine overspeed control system were rare or nonexistent before the Salem overspeed event, 6.5 Electrohydraulic Control System Fluid Quality ‘The common-mode failures of the OPC 20-1, OPC 20-2, and ET-20 SOVs at Salem Unit 2 were caused by degradation of Fyrquel EHC fluid, Most other U.S. LWRs use the same EHC fluid; therefore they are vulnerable to similar degradations and common-mode fail- ures, Fyrquel EHC is a fire-resistant hydraulic, fluid”? ‘developed by Stauffer Chemical Com- pany with Electric Power Research Institute support, Subsequently, the Stauffer Chemical Company sold its Fyrquel interests to AKZO Chemicals, Inc., which is the primary supplier of Fyrquel. Fyrquel is a phosphate ester fluid with little tolerance to water. Water intrusion (eg, from atmospheric moisture) causes hydrolysis of Fyrquel EHC at temperatures of about 150 °F. in addition, phosphate esters are incompatible with certain plastics, neo- prene, Buna-N, and polychloroprene rubber. When in contact with hot surfaces (4 >250 °F), Fyrquel can form solid gelatin-like particles. Moisture entrainment in Fyrquel can cause hydrolysis and particulate formation to begin at lower temperatures. Fyrquel EHC is heavier than water; therefore, undissolved water rises to the top surface in Fyrquel systems. ‘The Ginna plant had similar problems with another phosphate ester hydraulic fluid, Houghton Safe-1120, In 1985 (Ref. 24) and 1990 (Ref. 25 and Report FPI-91-101*), the ‘main turbine at Ginna failed to trip on a reactor scram due to corroded SOVs. The spools inside SOVs™ in the main TOPS (ET- 20 and OPC-20s) had corroded most likely from water, which, being less dense, rested on Not nonflammable—it will burn if heated toa high enough Temperature apace Prevetin, In, Report FPI-91-101, "Root Cause Investigation of Packer anmiin Rel Valve E1200 kn the ‘Turbine Electro bydroule Conttol System,” Revision 1, January 17,1991 **Parker Hanlin SOVs (ame mode x the one that fled at ‘Salem Unit 2)top of the hydraulic fluid, When contami- nated, the Parker Hannifin SOV illustrated in Figure 14 had the Fyrquel-water interface near the arrow. Corrosion took place in that area. ‘The Ginna plant also found the Houghton Safe-1120 to be incompatible with the elasto- meric parts of the Parker Hannifin SOVs2*, EHC fluid contamination can cause corrosion of system components, causing moving parts to bind and can generate particles that can migrate and cause blockage. Other contamination scenarios that have been observed are hydrolysis of the hydraulic fluid and hydraulic fluid attack of incompatible material; in both cases particles are formed that bind moving parts or cause system blockage. Failure to continuously maintain the integrity of the EHC system and of the EHC fluid has compromised main TOPS causing failures and loss of diversity, or redundancy at Ginna, Salem Units 1 and 2, and St. Lucie Unit 2. Discussions with personnel at many plants indicated a wide range of plant practices with regard to EHC fluid and EHC system main- tenance, Many plants with W main turbines originally had meager maintenance and mon- itoring programs, but troublesome or costly experiences heightened their sensitivity to the importance of maintaining EHIC system/fluid integrity. As a result of their experiences, in most cases, the plants tightened up their EHC fluid/system maintenance. Point Beach, a two-unit station with W main turbines, implemented a rigorous EHC fluid/ system maintenance and surveillance program and has had reliable EHC system perform- ance (Ref. 26). Plants with GE main turbines have received more stringent, detailed guidance regarding ‘Uerailre Prevention, Inc, Report FPI-91-101, "Root Cause Investigation of Parker Hanna Rei Valve ET-20 fa the ‘Tutbine Flecto.iydraulc Control System,” Revision 1, Sanuary 17,1991, ‘SPOOL SUBJECT ‘To CORROSION Figure 14 Cross-sectional drawing of Parker Hannifin SOV MRFN 16MX 0834 BHC fluid/systems than have plants with other manufacturers’ turbines. As a result, the plants with GE main turbines may have a higher degree of awarenes of the importance of maintaining EHC system/fluid integrity, NUREG-1275, Vol. 11However, discussions with turbine engineers during a visit to a site with GE turbi revealed that they were performing minimum. maintenance on the EHIC system and had not yet observed any problems. It should be noted that the BHC systems of GE turbines and newer W systems have certain design features that help retain EHC fluid integrity (e.g., des- iccant air dryers on the air inlet and full-flow filters that the turbine manufacturer recom- mends be changed out quarterly). The impor- tance of maintaining the BHC system fluid is spelled out very clearly in many operations manuals and technical letters that GE has provided to the turbine purchasers. For example, Technical Information Letter 796-2, circa 1975*, states: ‘The EHC fluid must [sic] be kept free of both solid particles as well as chemical impurities to insure the free operation of critical control overspeed protection devices. ‘Technical Information Letter 877, circa 19784, states: EHC Fluid Quality Fluid quality, which encompasses solid particle cleanliness as well as proper chemical makeup is of utmost importance. Solid particle contami- nation may lead to one or more control devices malfunctioning, In either of these cases, this can lead to a possible overspeed event. This has been previously brought to your attention in our Technical Informa- tion Letter (TIL) 769, ‘EHC Fluid Systems Valve Tests’ dated March 1975 and TIL 796, ‘Water Contami- nation of EHC Fluid Through EHC Coolers’ dated December 1975. General Blecirie Technical Information Letter 796-2, "ater Contamidation of BHC Fluid Through the BHC Coolers" Attachment General Electric, Technical Information Letter 877, “EHC “Hycraulie Power Unit NUREG-1275, Vol. 11 W has provided some documents to owners of its main turbines, and its service bulletins have provided information about EHC system experiences. However, a complete review of the W turbine operations and maintenance manuals at the St. Lucie station indicated that the W manuals did not alert the turbine owner to the seriousness of the consequences of degraded EHC system fluids, 6.6 Electrohydraulic Control System Fluid Incompatibility ‘The EHC fluids most widely used for main turbine control systems are ageressive phos- phate esters, and are incompatible with many commonly used elastomers. Laborat analysis of the Parker Hannifin SOVs that failed at Salem found that the Fyrquel EHC fluid had attacked the Buna-N O-rings, that pieces of the O-rings had been dislodged, and that this debris caused the SOVs spool pieces to bind’, Similarly, the failure of the main turbine to trip at Ginna in 1985 and 1990 involved fail- ures of ET-20. In both events, ET-20 was corroded. The 1990 failure was caused in part by debris from a degraded rubber gasket. The debris lodged between the SOV’s spool piece and its housing, helping to bind the spool piece. The gasket material, a chlorinated rubber, was “chemically attacked” by the EHC fluid, Houghton Safe-1120, which like Fyrquel EHC is also a phosphate ester fluid. Failure Prevention Inc. noted” that the Parker Hannifin SOVs (MREN 16MX 0834) used at Ginna contained chlorinated rubber gaskets which were not compatible with phos- phate ester hydraulic fluids. Note that the Parker Hannifin SOVs that had failed at Salem (MREN 16MX 0834) were designated as ET-20, OPC 20-1, and OPC 20-2 and were the same model valve as the ones that had pb Senet ad Gas Company, Sipsicant Brent UR Reacit/lubine Mp and Rsbine/Goneatr Fare ‘of November 9, 1991," Desember 20, 191, p. 19 ‘eRaiture Prevention, Inc, Report FPI-91-101, “Root Cause Investigation of Parker Hannifin Rei Valve ET-20 inthe ‘Tusbine Fleciro hydraulic Control System,” Revision 1, Janvary 17, 1991,failed at Ginna. (At Ginna, they were referred to as ET-20, 20/AG-1, and 20/AG-2.) 6.7 Human Factors Deficiencies ‘The procedures for testing the turbine over- speed control systems at Salem on Novem- ber 9, 1991, suffered from several human factors deficiencies. One of the most obvious deficiencies was that the front standard panel design required an operator to hold the overspeed trip test lever in an awkward posi- tion for a long period of time during testing (20 to 30 minutes), As noted in Section 3.4.6, the Salem SERT report did not rule out the possibility that the operator at the front standard was fatigued and he could possibly have triggered the overspeed event by allowing the test lever to move slightly. Moving the test lever by about 1 inch or less could have resulted in an AST pressure perturbation which could have initiated the event, The front standard at Salem (and all other plants with W turbines visited by the author) had no convenient detent or locking mechanism to show the operator that the trip lever was in the correct position or also allow the operator to switch hands if one hand got tired without risking a turbine trip. Failure to keep the lever in the proper position would also result in a reactor trip. The front standard at Salem (and at all other plants with W turbines visited by the author) had prominent signs emphasizing the trip vulnerability associated with the test lever. Another human factors deficiency, the ab- sence of a tachometer visible to the operator at the front standard could have affected the Salem overspeed event. The presence of a functioning tachometer visible to the operator at the front standard could have warned the operator to release the trip lever to activate the mechanical overspeed trip. (The SERT report estimated that, during the event, the turbine accelerated by + 100 rpm/second. A tachometer would have provided several sec~ ‘nds during which the operator could have terminated the overspeed condition.) It is interesting to note that the W TOPS, like the Siemens/Allis Chalmers TOPS during manual testing, requires an operator to hold the trip lever during overspeed trip testing to prevent a reactor trip. In contrast, the testing of the GE TOPS does not require an operator to hold a trip lever to prevent a reactor trip. On GE systems and some newer W systems, the operators perform overspeed trip testing from the control room using simple pane! switches. 68 Surveillance Testing Required by Plant Technical Specifications ‘The turbine overspeed events reported in Spencer Bush's study (Ref, 1) focused NRC attention on steam admission valve failures as the weakest link in the TOPS, As a result the TOPS surveillance testing requirements, which were included in many (but not all) plant TSs, were limited to verification of steam ad- mission valve motion, on the premise that successful motion of the admission valves was indicative of TOPS operability. It was not recognized that common-mode failures of the EHC system and its redundant components could prevent the TOPS from performing its protective function, Consequently, TSs do not require surveillance testing or detailed exam- ination of the TOPS control system and associated piece part components. 7 CONCLUSIONS 7.1 Missiles NRC GDC 4 of Appendix A to 10 CFR Part 50 (Ref. 4) requires, in part, that “structures, systems and components important to safety shall... [be] appropriately protected against dynamic effects, including the effects of missiles, pipe whipping, and discharging fluids that may result from equipment failures ....” Regulatory Guide 1.115 (Ref. 3) states that “failures that could occur in large steam turbines of main turbine-generator sets have the potential for producing large high-energy missiles.” In addressing turbine missiles, the NRC has accepted probabilistic analyses that showed the probability of unacceptable damage from turbine missiles to be less than or equal to 1 chance in 10 million per plant- 45 NUREG-1275, Vol. 11year’S, Operating experience has shown that many utilities are not operating, maintaining, or testing their turbine-generators in accord- ance with the reliability and safety analyses that had been accepted by the NRC as the bases for meeting GDC 4, Because of deficiencies in operation, maintenance, and testing, the TOPSs may be several orders of magnitude less reliable than estimated by W, and as a result, the likelihood for having a turbine overspeed event and, therefore, the risks from turbine overspeed may have been underestimated, 7.2. Fires, Explosions, Flooding NRC's concerns about turbine hazards had been primarily focused on large, high-energy missiles. The Salem Unit 2 overspeed event demonstrated for the first time at a U.S. nuclear plant that discharges of hydrogen and lubrication oil during a turbine overspeed event can result in explosions and fires. It appears that risks from explosions, fires, and collateral flooding were not considered in an integrated manner in previous licensee analy- ses and NRC reviews of turbine overspeed events. Acknowledging the Salem overspeed ‘event, its precursors, and the subsequent ‘operating events described in Chapter 5, and recognizing that the hazards of “discharging of fluids” such as hydrogen and lubrication oil from turbine-generators are hazards specific- ally noted in GDC 4, it appears that this issue needs to be addressed further. Examination of many plants’ licensing documents and safety analyses indicates that the concomitant hazards have not been addressed. The issue of turbine building hazards is the subject of another AEOD special study which is currently under way. 7.3 Common-Mode Failure Precursors Main turbines are usually protected from overspeed by redundant systems: a primary mechanical device, usually supplemented by redundant electromechanical or electrohy- draulic devices. Consequently, common-mode NRC guidance regarding turbine misiles and turbine sytem relisblty criteria are deserved in Section 2, NUREG-1275, Vol. 11 failure mechanisms leading to simultaneous failures are the most likely contributors to turbine overspeéd events. Chapter 2 describes common-mode precursor events prior to the Salem overspeed event and Chapter 5 describes recent common-mode events. The similarities of the events in Chapters 2 and 5 indicate that despite the efforts of industry groups to communicate the lessons of the Salem turbine overspeed event, corrective actions by some licensees have not eliminated these avoidable events. Common-mode factors identified in this report which could contrib- ute to the potential for turbine overspeed include: (1) testing methods which do not detect exist- ing failures of pressure switches and redundant SOVs (2) degraded EHC and lube oil which can prevent proper operation of TOPS SOVs, turbine control valves, TSVs, ete. (3) system design with a single pressure switch, failure of which defeats redundant backup overspeed protection (4) lack of a replacement program for SOVs which may fail due to material incom- patibility, fluid contamination, etc, (8) lack of a replacement program for pressure switches which may fail due to aging effects © steam admission valves identified by Ticensees as exhibiting common-mode failure characteristics 7.4 Industry Response to the Salem Unit 2 Overspeed Event 7A Overview ‘The Salem Unit 2 overspeed event resulted in significant financial losses to the utility and its insurers, However, the event had the positive effect of making the nuclear community more aware of TOPSS, which, at many plants, had previously been taken for granted (see Sections 42, 46, and 4.7).74.2 Turbine Manufacturer Actions As a result of the Salem Unit 2 overspeed event, the major U.S. turbine manufacturers reexamined their TOPS. They provided their customers with recommendations for hard- ware testing and for maintenance modifi- cations or improvements to minimize the likelihood of similar overspeed events (see Sections 4.3 and 4.4). However, some of the manufacturers’ recommendations are incomplete (see Sections 44 and 5.1.1) 743 Nuclear Utility Actions On the basis of information received from the NRC, the Institute of Nuclear Power Opera- tions, the turbine manufacturers, and the insurers, U.S. LWR owners reviewed the Salem Unit 2 overspeed event and its implica tions for their plants. In many cases, the utilities did a conscientious job of evaluating their plants, Most of the plants canvassed have changed their TOPS testing and mainte- nance practices. Many plants have initiated actions to make hardware modifications. However, in the sample examined, the reviews done by two utilities were less detailed and problems remained (see Sections 532, 5.3.3, and 55.1), In the past, both W and GE have issued recommendations for operations and main- tenance to improve TOPS reliability. Based on a review of those recommendations and the lessons learned from operating experience, individual manufacturer’s recommendations may be lacking in the following specific areas: (1) individual testing of redundant valves and other components 2) purification and monitoring practices for iC fluid (3) replacement and refurbishment recom- mendations for vulnerable components (4) methods to achieve effective operability of TOPS during system tests (8) guidance for control room and equipment Operators to respond to test anomalies Implementation of selected improvements to operations and maintenance practices for ‘TOPS could provide a cost-effective means to achieve higher system reliability and improved capacity factor. 7.8 Trip Test Lever Human Factors Deficiency ‘The overspeed trip test lever on the front standard panel of W turbines is difficult to hold in position during testing and has been identified as a contributing causal factor for the Salem turbine overspeed event. Inadvert- ent movement of the test lever has also been identified as the cause of an inadvertent reactor trip at Diablo Canyon Unit 2. Based ‘on those findings, the Salem and Diablo Canyon licensees have modified the test handle to prevent inadvertent movement of the test lever. Although this appears to be an inexpensive and effective modification to reduce the likelihood of a turbine transient during TOPS testing, we are not aware that this simple modification has been adopted by other licensees. 7.6 Overestimate of Design Life of ‘Turbine Overspeed Protection System Components Operating experience shows that the 63/AST pressure switches used in W turbine control systems may require periodic replacement rather than just the periodic adjustment suggested by W in AIB 9301. Three turbine overspeed events support this conclusion: (1) Salem Unit 2, November 9, 1991; (2) St. Lucie Unit 2, April 21, 1992 (Section 5.2.1); and (3) Diablo Canyon Unit 1, September 12, 1992 ection 5.1.1). Data in the W topical report on turbine overspeed, WCAP-115254, indicates that pressure switch 63/AST had the highest failure frequency of any part in the W ‘TOPS. 2Soeatigghose let Corporation, (Westinghouse Proprc- Tar Chas 3 Hepor WCAbC Ti Cropebate Ereloa. {ote a ibe Vet Pegeney Sone a7 NUREG-1275, Vol. 117.7 Nonconservative Probabilistic Assessments For many plants, turbine manufacturers’ rec- ommendations for TOPS testing intervals? and turbine inspection intervals include in their basis the probabilistic analyses of over- speed events (Chapter 2). The Salem Unit 2 overspeed event and other recent operating events demonstrate that the analysis is not conservative when compared with the actual operating experience. For Salem Unit 2 (assuming monthly valve exercise tests as presented in WCAP-11525 and shown in Figure 1 of this report), W estimated the probability of a missile ejection to be about 2 x 10-7 per year. The point estimate for a missile ejéction from a W turbine at a U.S. nuclear plant is 1.25% 10-3 per year (with a 90 percent confidence interval having a 5.9 x 10° upper bound and a 6.4x 10° lower bound). The estimate is based on the Salem Unit 2 overspeed event with an experience base of about 800 turbine years at US. nuclear plants with W turbines. Thus the WCAP--11525 estimate is lower by a factor of about 6x 10° (it is 1/300th of the 90 percent confidence interval lower bound). ‘As noted in Chapter 6, some of the reasons for the nonconservatism are the utilities’ operating, testing, and maintenance practices. ‘The probabilistic analyses assume sound maintenance, operation, and testing of the turbine control systems. The analyses do not account for common-mode failures resulting from inadequate maintenance of the EHC and AST systems, pressure switches, and SOVs; inadequate testing which could not reveal equipment failures which had resulted in loss of redundancy; loss of diversity caused by testing deficiencies; human errors such as failing to believe unfavorable test results; inadequate procedures which do not provide guidance about actions to be taken upon observing a failure; and failure to restore degraded or used components to “as-good-as, 2ors requirements addressing frequency of exercising steam ‘ison valves ae * NUREG-1275, Vol. 11 new condition” when they are found to have failed or are in a degraded condition. 7.8 Trends in Turbine Overspeed Protection System Testing ‘Testing to verify TOPS operability which d tects existing component failures while mai taining effective overspeed protection during the test would reduce the likelihood of an overspeed event leading to turbine destruc- tion and its potential safety consequences. However, current plant testing focuses on the TS requirement to test steam admission valve motion. Some licensees have enhanced their testing practices following the Salem event; others have not. Hardware modifications would be necessary, in most cases, to establish the facility to test individual SOVs in the TOPS. FPL (St, Lucie plant), in cooperation with W, has modified their TOPS by installing a test and mainte- nance block to facilitate testing of individual SOVs. Subsequent St. Lucie SOV testing caused a spurious turbine trip as a result of short-duration EHC system pressure spikes; the test and maintenance block has been further modified to eliminate such spurious trips. 7.9 Procedures for Shutting Off Steam Supply Several events before and after the Salem Unit 2 event indicate the value of plants having clear, written procedures and operators, being trained to assure that the steam supply is cut off to the main turbine before the generator output breakers are opened (Big Rock Point, Section 5.32; St, Lucie Unit 2 Overspeed Event, Section 5.2.1) In addition, premature relatching can cause certain turbine control systems to reopen the steam admission valves (Diablo Canyon Unit 1, Section 5.1.1). 7.10 Summary Based on the Salem destructive overspeed event and other precursor events, the fre- quency of overspeed events is much higher than that generally assumed in vendoranalyses which were used to show compliance with Regulatory Guide 1.115 and GDC 4. A destructive turbine overspeed event has the potential to cause damage because of turbine 1. missiles, fires, explosions, and consequential flooding, These concomitant effects have not received attention. However, compliance with GDC 4 may be accomplished in other ways than preventing a destructive turbine over- 2 speed, For example, if the turbine building contains no equipment needed for safe shut- down and the surrounding structures can be shown to be protected from missiles, fires, explosions, and flooding from a destructive 3. ‘overspeed event, then compliance with GDC 4 ‘would be achieved. In such a case, the issue of the quality of the TOPS is primarily a com- mercial issue, However, failure of the TOPS could result in challenges to plant safety 4, systems, ry AEOD currently is performing a study of tur- bine building hazards. That study will evaluate 5, the hazards from hydrogen, lubricating oils, and flammable EHC fluids associated with a turbine failure, Potential flooding of important equipment by water used for fire suppression and water used for cooling turbine-generator subsystems will be included, Effects of smoke will also be considered. It was generally believed that GDC 4 was met based on the low frequency of destructive tur- bine overspeed events. That belief contributed in part to past regulatory decisions. This study does not, by itself, negate those decisions, because GDC 4 may still be met due to other considerations such as the physical arrange- ‘ment of the plant, The need for NRC and licensees to readdress their bases for com- 6 pliance with GDC 4 will be addressed after the study of turbine hazards has been completed. 7. Beyond the issue of GDC 4, the implementa- tion of efforts to address the concerns raised in this report can result in enhanced operation of the TOPS and will likely result in large financial benefits because of improved system operation. 49 REFERENCES Spencer H. Bush, “Probability of Damage to Nuclear Components Due to Turbine Failure,” Nuclear Safety, Vol. 14, No. 3, ‘May-June 1973. US. Nuclear Regulatory Commission, NUREG-0800, Standard Review Plan 10.2, Revision 2, “Turbine Generator,” July 1981. US. Nuclear Regulatory Commission, Regulatory Guide 1.115, “Protection ‘Against Low-Trajectory Turbine Missiles,” Revision 1, July 1977. US. Code of Federal Regulations, Title 10, “Energy,” U.S. Government Printing Office, Washington, D.C,, revised periodically. US. Nuclear Regulatory Commission, letter from C.E. Rossi to J.A. Martin, ‘Westinghouse Electric Corporation, “Approval for Referencing of Licensing ‘Topical Reports WSTG-1-P May 1981, ‘Procedures for Estimating the Proba- bility of Steam Turbine Disc Rupture From Stress Corrosion Cracking,’ March 1974, ‘Analysis of the Probability of the Generation and Strike of Missiles From a Nuclear Turbine,’ WSTG-2-P, May 1981, ‘Missile Energy Analysis Methods for Nuclear Steam Turbines,’ and WSTG-3-R, July 1984, ‘Analysis of the Probability of a Nuclear Turbine Reaching Destructive Overspeed,” February 2, 1987. USS. Nuclear Regulatory Commission, Inspection Report 50-311/91-81, Salem Nuclear Generating Station Unit 2, January 7, 1992. ‘ET Martin, U.S. Nuclear Regulatory Commission, memorandum to T. E. Murley, “Consideration of Generic Issues Resulting From AIT Findings Relative to the Catastrophic Failure of the Salem Unit 2 Turbine-Generator,” January 27, 1992, NUREG-1275, Vol. 1110. nL 4 USS. Nuclear Regulatory Commission, Information Notice 91-83, “Solenoid- Operated Valve Failures Resulted in ‘Turbine Overspeed,” December 20, 1991. J. G. Partlow, U.S, Nuclear Regulatory Commission, memorandum to T. Martin, “Region I Request for NRR Evaluation of Generic Issues Relating to the Salem Unit 2 Turbine Overspeed Event (TAC No, M82696),” February 25, 1992. Pacific Gas and Electric Company, Licensee Event Report 50-0275/92-018, Revision 1, Diablo Canyon Unit 1, February 8, 1993, Pacific Gas and Electric Company, Licensee Event Report 50-323/92-003, Diablo Canyon Unit 2, April 20, 1992. Pacific Gas and Electric Company, Licensee Event Report 50-323/92-003, Revision 1, Diablo Canyon Unit 2, March 10, 1993. Westinghouse Electric Corporation, (nonproprietary) Report WCAP-11529, *Probabilistic Evaluation of Reduction in ‘Turbine Valve Test Frequency,” June 1987. USS. Nuclear Regulatory Commission, Region V, Daily Report, February 1, 1993, Florida Power and Light Company, Licensee Event Report 50-389/92-001, Revision 1, St. Lucie Unit 2, June 29, 1992 Florida Power and Light Company, Licensee Event Report 50-389/92-005, St. Lucie Unit 2, August 7, 1992. NUREG-1275, Vol. 11 17. 19. 21. Consumers Power Company, Licensee Event Report 50-155/89-009, Big Rock Point Plant, January 9, 1990. Consumers Power Company, Licensee Event Report 50-155/92-010, Big Rock Point Plant, July 2, 1992. US. Nuclear Regulatory Commission, Inspection Report 50~155/92-020, Big Rock Point Nuclear Plant, September 18, 1992, US. Nuclear Regulatory Commission, Region III Daily Report, October 5, 1992. US. Nuclear Regulatory Commission, Region III Daily Report, March 1, 1993, TU. Electric, Licensee Event Report 50-445/92-021, Comanche Peak Steam Electric Station Unit 1, October 12, 1992. US. Nuclear Regulatory Commission, NUREG-1275, “Operating Experience Feedback Report—Solenoid Operated Valve Problems,” Vol. 6, February 1991. Rochester Gas and Electric Company, Licensee Event Report 50-244/85-007, R.E. Ginna Nuclear Power Plant, May 6, 1985, Rochester Gas and Electric Company, Licensee Event Report 50-244/90-012, R. E, Ginna Nuclear Power Plant, October 26, 1990. Gene Wellenstein, “The Picture of Health,” The Nuclear Professional, Vol. 7, No. 4, Fall 1992,APPENDIX A LIST OF PLANTS BY SUPPLIER—REACTOR, TURBINE, GENERATORAPPENDIX A LIST OF PLANTS BY SUPPLIER—REACTOR, TURBINE, GENERATOR bee REACTOR TURBINE GENERATOR PLANT. SUPPLIER SUPPLIER SUPPLIER ANO UNIT 1 Bw w w ANO UNIT 2 cE GE GE BEAVER VALLEY UNIT 1 Ww WwW Ww BEAVER VALLEY UNIT 2 w w w BIG ROCK POINT GE GE GE BRAIDWOOD UNIT 1 Ww Ww Ww BRAIDWOOD UNIT 2 Ww w w BROWNS FERRY UNIT 1 GE GE GE BROWNS FERRY UNIT 2 GE GE GE BROWNS FERRY UNIT 3 GE GE GE BRUNSWICK UNIT 1 GE GE GE BRUNSWICK UNIT 2 GE GE GE BYRON UNIT 1 w w w BYRON UNIT 2 w Ww Ww CALLAWAY Ww GE GE CALVERT CLIFFS UNIT 1 CE GE GE CALVERT CLIFFS UNIT 2 CE GE GE CATAWBA UNIT 1 w GE GE CATAWBA UNIT 2 w GE GE CLINTON GE GE GE COMANCHE PEAK UNIT 1 Ww AS AS COMANCHE PEAK UNIT 2 w AS AS COOK UNIT 1 w GE GE COOK UNIT 2 w BB BB COOPER GE w w CRYSTAL RIVER UNIT 3 Baw w w Ad NUREG-1275, Vol. 11Sw REACTOR TURBINE GENERATOR PLANT SUPPLIER SUPPLIER ‘SUPPLIER DAVIS BESSE B&W GE GE DIABLO CANYON UNIT 1 Ww Ww w DIABLO CANYON UNIT 2 w Ww w DRESDEN UNIT 2 GE GE GE DRESDEN UNIT 3 GE GE GE DUANE ARNOLD GE GE GE FARLEY UNIT 1 w Ww w FARLEY UNIT 2 Ww Ww w FERMI GE GEC GEC FITZPATRICK GE GE GE FORT CALHOUN CE GE GE GINNA w w w GRAND GULF GE AS AS HADDAM NECK w Ww w HATCH UNIT 1 GE GE GE HATCH UNIT2 GE GE GE HOPE CREEK GE GE GE HARRIS Ww w w INDIAN POINT UNIT 2 w w GE INDIAN POINT UNIT 3 w Ww Ww KEWAUNEE Ww w Ww LA SALLE UNIT 1 GE GE GE LA SALLE UNIT 2 GE GE GE LIMERICK UNIT 1 GE GE GE LIMERICK UNIT 2 GE GE GE MAINE YANKEE CE w Ww MC GUIRE UNIT 1 w w Ww MC GUIRE UNIT 2 Ww w w NUREG-~1275, Vol. 11 A2eee REACTOR ‘TURBINE GENERATOR PLANT SUPPLIER SUPPLIER ‘SUPPLIER, MILLSTONE UNIT 1 GE GE GE MILLSTONE UNIT 2 cE GE GE MILLSTONE UNIT 3 Ww GE GE MONTICELLO GE GE GE NINE MILE POINT UNIT 1 GE GE GE NINE MILE POINT UNIT 2 GE GE GE NORTH ANNA UNIT 1 w w w NORTH ANNA UNIT 2 Ww w w OCONEE UNIT 1 BeW GE GE OCONEE UNIT 2 Baw GE GE OCONEE UNIT 3 B&W GE GE OYSTER CREEK GE GE GE PALISADES CE Ww w PALO VERDE UNIT 1 cE GE GE PALO VERDE UNIT 2 CE GE GE PALO VERDE UNIT 3 CE GE GE PEACH BOTTOM UNIT 2 GE GE GE PEACH BOTTOM UNIT 3 GE GE GE PERRY UNIT 1 GE GE GE PILGRIM GE GE GE POINT BEACH UNIT 1 Ww w w POINT BEACH UNIT 2 Ww w w PRAIRIE ISLAND UNIT 1 w w w PRAIRIE ISLAND UNIT 2 Ww w w QUAD CITIES UNIT 1 GE GE GE QUAD CITIES UNIT 2 GE GE GE RIVER BEND GE GE GE ROBINSON UNIT 2 w Ww Ww A3 NUREG-1275, Vol. 11—————— REACTOR TURBINE GENERATOR PLANT SUPPLIER SUPPLIER SUPPLIER SALEM UNIT 1 w w w SALEM UNIT 2 w w GE SAN ONOFRE UNIT 1 Ww w w SAN ONOFRE UNIT 2 CE GEC GEC SAN ONOFRE UNIT 3 CE GEC GEC SEABROOK Ww GE GE SEQUOYAH UNIT 1 w Ww w SEQUOYAH UNIT 2 w Ww w SOUTH TEXAS UNIT 1 w W Ww SOUTH TEXAS UNIT 2 w Ww w ST LUCIE UNIT 1 cE Ww w ST LUCIE UNIT 2 CE w Ww SUMMER w GE GE SURRY UNIT 1 w w w SURRY UNIT 2 w w w SUSQUEHANNA UNIT 1 GE GE GE SUSQUEHANNA UNIT 2 GE GE GE THREE MILE ISLAND UNIT 1 Baw GE GE TROJAN w GE GE TURKEY POINT UNIT 2 w Ww w TURKEY POINT UNIT 3 Ww w w VERMONT YANKEE GE GE GE VOGTLE UNIT 1 w GE GE VOGTLE UNIT 2 w GE GE WATERFORD UNIT 3 CE Ww Ww ‘WNP UNIT 2 GE w Ww WOLF CREEK w GE GE YANKEE ROWE w w w NUREG-1275, Vol. 11 A4ee REACTOR ‘TURBINE GENERATOR PLANT SUPPLIER SUPPLIER SUPPLIER. ZION UNIT 1 w ‘W/with BB Ww low pressure turbine stages ZION UNIT 2 w Wywith BB w iow pressure turbine stages ee AS Allis-Chalmers/Siemens BB _Brown Boveri B&W — Babcock & Wilcox C-E Combustion Engineering GE General Electric GEC English Electric W Westinghouse AS NUREG-1275, Vol. 11APPENDIX B SUMMARY OF SERT REPORT RECOMMENDATIONSSUMMARY OF SERT REPORT RECOMMENDATIONS* 1. Plant Design a, Evaluate the turbine protection systems for design enhancements. b. Complete detailed root-cause assessment of solenoid failures and implement corrective actions to prevent recurrence, ¢. Determine source of orifice foreign material and implement appropri- ate corrective actions. 4. Byaluate the need for design changes to the front standard to address identified human factors deficiencies, and initiate as required. ¢. Finalize engineering analysis to determine all origins of steam flow energy which resulted in the turbine overspeed event, and place final report of this analysis in the SERT file for this event. £ Evaluate the AST pressure switch settings for adequacy for protection as well as control functions. 2. Programs a, Perform a matrix review of turbine ‘multi-trip and other secondary plant components to assure ade- quate testing. b. Establish and complete routine calibration cycles for AST pressure switches, c. Review Administrative Controls for commitment tracking and revise applicable administrative proce- “Die gatos om bl Seen er wed Gus Com- BaU oi Gh Som Unt? Reactor Abie Ip sud eine! Genersor Failure of November 9, 1991," December 20,1991. dure(s). Address identified short- comings associated with failure to implement the 1990 LER commit- ‘ment to change out the Unit 2 solenoid valves (e.g, require docu- ‘mentation of commitment modifications). Implement independent full fune- tional, hydraulic operational periodic testing of the four turbine protection solenoid valves. Review present priority of plans for RCM to address the Salem main turbine and support systems in light of this event, and make changes as necessary. Evaluate the need for a License Change Request to clarify Technical Specification 3/4.3.4 “Turbine Overspeed Protection.” Review technical specification sur- veillance testing methodologies to ensure no other instances of failure to test components independently exist, which could involve Technical Specification violations or reduc- tions in protective functions redundancy. Review the process of Technical specification license change requests to determine why LCO 3/43.4 was not clarified when it was last amended. Identify actions to prevent recurrence, Re-evaluate the basis for 30 day front standard testing as specified by vendor; implement less frequent testing if justifiable. Work with Operations and Com- puter Engineering to implement a program to save an optimal set of ‘SPDS and P-250 data for future NUREG-1275, Vol. 11use during event evaluation, sep- arate from the AD-16 program. Revise the turbine front standard test procedure (OP IN-13.7), prior to the next test performance for either Unit. Review for inclusion Human Factors Report comments. Incorporate discussion of operation of Steam Dumps, MS10s and EHC during Unit Trip Events into opera- tor training, Re-emphasize to all Emergency coordinators that EP procedures and Attachments are not stand alone documents. Assess AOP-Fire-1 guidance con- cerning operation of equipment involved in or contributing to a fire, and revise as needed. Enhance training on de-escalating events and use of procedure EPIP 405. Revise ECG Attachments 1, 2 and 3 with recommended enhancements. Revise AOP-Fire-1, FRS-1-001, EPIP 202 and EGG Attachment 8 to better address offsite assistance requests. Revise the Initial Contact Message Form Attachments 2 and 3 to enhance guidance in terminating events, Provide refresher training on pager activation to primary and secondary communicators. Communicate the inadequate prioritization of turbine failure to NUREG-1275, Vol. 11 B2 3. a, c trip industry events, and other lessons learned, to the nuclear industry via INPO. Evaluate 10 CFR Part 21 notification for solenoid valve failures. Continue implementation of Nuclear Department programs including: ~ Reaching Our Vision - Commitment Management - Reliability Centered Maintenance - Salem Revitalization - Work Standards Practices Personnel Plant Management is to assure behaviors/actions during the 10/20/91 startup are understood and appropriate corrective actions taken. Reinforce and clarify Standing Night Order Book Policies with all SROs on shift, Review the decision-making associated with the deferral of the Unit 1 LER commitment to replace Unit 2 solenoid valves “during the next outage of sufficient duration,” and take corrective actions as appropriate. Develop and present a communi- cations program on this event, emphasizing lessons learned.APPENDIX C CUSTOMER ADVISORY LETTER 92-02, “OPERATION, MAINTENANCE, TESTING OF, AND SYSTEM EHNANCEMENTS TO TURBINE OVERSPEED PROTECTION SYSTEM”* “Reprinted with permission of Westinghouse Blectric Corporation,DISCLAIMER OF WARRANTIES: AND LIMITATION OF LIABILITY THERE ARE NO UNDERSTANDINGS, AGREEMENTS, REPRESENTATIONS, OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OTHER THAN THOSE SPECIFICALLY SET OUT IN ANY EXISTING CONTRACT BETWEEN THE PARTIES REGARDING THIS EQUIPMENT. ANY SUCH CONTRACT STATES THE ENTIRE OBLIGATION OF SELLER. THE CONTENTS OF THIS DOCUMENT SHALL NOT BECOME PART OF OR MODIFY ANY PRIOR OR EXISTING AGREEMENT, COMMITMENT, OR RELATIONSHIP. ‘The information recommendations and descriptions in this document are based on Westinghouse's experience and judgment with respect to this equipment's operation and maintenance. THIS INFORMATION SHOULD NOT BE CONSIDERED AS ALL INCLUSIVE OR COVERING ALL CONTINGENCIES. if further information Is required, ‘Westinghouse Electric Corporation should be consulted. NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE OR MERCHANTABILITY, OR WARRANTIES ARISING FROM THE COURSE OF DEALING OR USAGE OF TRADE, ARE MADE REGARDING ‘THE INFORMATION, RECOMMENDATIONS, OR DESCRIPTIONS CONTAINED HEREIN. In no evant will Westinghouse be responsible to the user in contract, In tort (Including negligence), strict liability or otherwise for any special, indirect, incidental, or ‘consequential damage or loss whatsoever, including but not limited to damage to or loss of use of equipment, plant, or power system; cost or capital; loss of profits or revenues; cost of replacement power; additional expenses in the use of existing power facilities; or claims against the user by its customers, resulting from use of the information, recommendations, or descriptions contained herein. Cail NUREG-1275, Vol. 11CAL 92-02 Page 1 of7 CUSTOMER ADVISORY LETTER 92-02 1 REASON FOR ADVISORY Recently a nuclear unit experienced an overspeed incident. Investigation indicated that the incident may have been partially due to malfunctioning EH dump solenold valves. Subsequent to this incident, other reports of incidents of sticking BH dump solenold valves have been received. ‘The solenoid valves involved were Parker-Hannafin Manatrol solenold valves 20/OPC-1 and 20/0PC-2 (overspeed protection controller) and 20ET (Emergency Trip solenold valves) used with Electro-Hydraulle (ED control systems. The above three solenoid valves are located on a machined block on the right side of the pedestal. In another arrangement there are Four 20/AST (Auto Stop Trip) solenoid valves and two ‘20/0PC solenoid valves on a machined block on the right side of the pedestal. Referto Figures 1 and 2. 2 ADVISORY INFORMATION ‘To reduce the potential for a unit overspeed incident, thls Advisory provides operation, maintenance and testing recommendations for all control system solenold valves, s well as available enhancements to the control system. ‘WARNING ‘TURBINE OVERSPEED OPERATION CAN RESULT IN DAMAGE TO OR DESTRUCTION OF EQUIPMENT AND PROPERTY, AND/OR PERSONAL INJURY OR DEATH. PERFORM PERIODIC MAINTENANCE AND TESTING OF OVERSPEED PROTECTION SYSTEMS AND ADHERE TO RECOMMENDED PRACTICES TO REDUCE POTENTIAL FOR THIS OCCURRENCE. 2.1 Operation, Maintenance and Testing Recommendations 211 Remove, replace or rebulld and then test each solenoid valve at each major unt outage or Inaccordance with valve manufacturer's recommendations, Valves should be rebuilt only by valve manufacturer approved vendor. Spare valves in stock should be rebuilt In accordance with valve manufacturer's recommendations to malntain adequate combined operation and shelf ite, 212 Verity that all pressure switches used to Indleste a turbine trip condition (autostop ofl Pressure) are set at the same pressure level per Instruction Book information. ‘This ‘Permits resetting the turbine control system to a tripped condition simultaneously with notification of aturbine trip tothe steam supply system. 218 Maintain EH fluld temperature and cleanliness within recommended specifications. Refer to OMB 120 and Instruction Book. Verity that EH fluld tubing is not buried in Insulation or exposed to hot turbine parts (Refer to AIB 6102). ‘This will reduce varnish deposits on close clearance parts such as solenald valves, Moog valves and relief valves ind loging of cen Une. The recomended gpecting tamper fr So EH tu is 100°F to 180°F, 214 Westinghouse recommends the use of autostop oll pressure level to indicate the latched oF tripped condition of the turbine. Its recognized that some users may use valve Limit ‘switches for this purpose. If so, the limit switches atthe closed end of the valve should beused, C4 NUREG-1275, Vol. 11CAL 9202 Page 2 of 7 245 236 aur 218 219 212 ‘Test trip weight by simulation (ol|test) monthly per instructions inthe unit Instruction Book. ‘Test 20/ET solenold valve trip on each startup to verify this valve is opening and closing. If any of the 20/0PC, 20/87 of 20/AST solenold valves does not operate due to sticking, all solenold valves are to be removed, replaced or rebuilt and then retested. Test each 20/0PC solenoid valve (or AGG on some units) Individually on each startup to verlty valve is opening and closing. This may require installation of a test switch. If any of the 2UOPC, 20ET or 20/AST solenoid valves does not operate due to sticking, all solenoid valves are to be removed, replaced or rebuilt and then retested. Use reverse power relays in the clrcult for opening the main generator circult breaker as recommended in OMMOS2. This allows turbine driving steam to be dissipated prior to ‘opening the breaker. Follow testing and maintenance practices for steam non-return valves per ANSVASME. Standards TDP-1 and TDP-2 “Recommended Practices for the Prevention of Water Damage to ‘Steam Turbines Used for Electre Power Generation.” This will reduce the possibilty for ‘uncontrolled flashing steam driving the unlt to overspeed. ‘When conducting periodic trp teats at the front pedestal, the front pedestal operator must be ‘n constant contact with the control room to permit receipt of any tipping instructions, ‘The front pedestal operator isto have visual access to indleations of unit speed and autostop oll pressure via tachometer pressure gnuge or other turbine trip status. ‘The front pedestal operator is to release the test valve if turbine trip oceurs or if indications ‘of a unit overspeed are received. ‘To reduce the potential for a momentary drop in autostop oll pressure during trip testing, the cleanliness of the autostop lube oll should be maintained to reduce possibility of orifice clogging. (Refer to OMM 072 and OMIM 106), Report fallures of any ofthe above solenoid valves to Westinghouse. ‘The recommendations contained in Section 2.1 of this Advisory are to be implemented at your earliest ‘opportunity and thereafter atthe recommended intervals, 22 System Enhancements ‘The following control system enhancements are provided for your consideration for reducing the ‘potential for a unit overspeed incident. 221 222 223 NUREG-1275, Vol. 11 Install coll monitors to check for eircut continuity of tipping solenoids. ‘Modlty trip system to energize all available valve test solenoids simultaneously with trip solenoids. This would provide an alternate path for geting valves closed. On units with EH controler, the existing 110% rated speed contact can be used to initiate an overspeed trlp. CAUTION - ON AN AEH UNIT, A SINGLE SPEED CHANNEL IS USED ‘TO ENERGIZE THIS CONTACT. THEREFORE, A SINGLE HIGH FAILURE COULD CAUSE A TRIP, Install a lateh-in circuit to energize 20/ET solenold valves. Some plants have a separate clectrc trip to energlze 20/57 other than that used for 20/AST. If the signal is removed from C2225 226 22.7 228 CAL 9202 Page sot 7 the 2067 solenoid valve, the 20/ET will allow re-establishing the high pressure fluid. If the parallel path which energizes the 20/AST did not function, the steam valves could reopen creating a potential for overspeed. To maintain the unit in a tripped condition from an external signal tothe 20/27, a latin relay is recommended. On units with mechanical trip systems, one 20/AST Is standard. During trip testing atthe front pedestal, this solenoid is made ineffective, A second 2WAST (style 287A905002) can ‘be installed on the HP oil supply side of the test handle to allow electrical trips to be effective even when the test handle is held. Refer to Figure 3, Install a pressure switch (style 6890416015) in the main (shaft) oll pump discharge to detect an overspeed condition. This feature would be most beneficial for customers who desire an alternate electrical overspeed protection channel. This pressure switch could be set at a level equivalent to 112% rated speed to inltiate a turbine trip. To avoid an Inadvertent tip, a2 out of 8 scheme should be used. (On 160# and 300# systems, add a load drop antlcipator system to immediately close the {governor and interceptor valves on breaker opening, ‘The valves would stay closed until the steam flow drops to a relatively low level, To reduce the possibility of tripping the unit during testing of the trips at the front ‘pedestal, install a pressure gauge on the trip block side (mechanical trip system) of the test handle. See Figures 3 and 4. The operator should verify that autostop pressure has ‘been re-established before releasing the test handle. ‘The recommendations contained in Section 2.2 can be implemented at the next opportunity to complete the scope. ‘The recommendations contained in sections 2.2.1, 2.2.2, 2.2.6 and 2.2.8 apply to all units. The recommendations in 2.2.3 and 2.2.4 apply to EH systems. The recommendation contained in 2.2.6 apples to 3004 BH systems with ME trip supplied prior to 1962. If additional information relative to or clarification of these recommendations is required, contact your local Technical Service Manager or Generation Specialist. C3 NUREG-1275, Vol. 11CAL 92-02 Page 4 of7 EMERGENCY AND OVERSPEED PROTECTION CONTROLLER SYSTEM (EXISTING) HP OIL SUPPLY, (FROM LUBE OIL SYSTEM) FIGURE 1 NUREG-1275, Vol. 11 C4CAL 92-02 Page Sof? EMERGENCY AND OVERSPEED PROTECTION CONTROLLER SYSTEM (EXISTING) HP OIL, ‘SUPPLY, (FROM LUBE OIL, SYSTEM) FIGURE 2, cs NUREG-1275, Vol. 11CAL 9202 EMERGENCY AND OVERSPEED PROTECTION CONTROLLER SYSTEM (PROPOSED) Proposed Change 7 TURBINE TRIP BLOCK HP OIL SUPPLY. (FROM LUBE O1L. system ofp ASE prmmrnnnm Proposed Change FIGURE 3. NUREG-1275, Vol. 11 coCAL S202 Page 7 of 7 EMERGENCY AND OVERSPEED PROTECTION CONTROLLER SYSTEM (PROPOSED) FIGURE 4. cr NUREG-1275, Vol. 11APPENDIX D AVAILABILITY IMPROVEMENT BULLETIN 9301, “SYSTEM TURBINE OVERSPEED PROTECTION SYSTEM”* ‘*Reprinted with permission of Westinghouse Electric Corporation.DISCLAIMER OF WARRANTIES AND LIMITATION OF LIABILITY THERE ARE NO UNDERSTANDINGS, AGREEMENTS, REPRESENTATIONS, OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OTHER THAN THOSE SPECIFICALLY SET OUT IN ANY EXISTING CONTRACT BETWEEN THE PARTIES REGARDING THIS EQUIPMENT. ANY SUCH CONTRACT STATES THE ENTIRE OBLIGATION OF SELLER. THE CONTENTS OF THIS DOCUMENT SHALL NOT BECOME PART OF OR MODIFY ANY PRIOR OR EXISTING AGREEMENT, COMMITMENT, OR RELATIONSHIP. The information recommendations and descriptions in this document are based on Westinghouse's experience and judgment with respect to this equipment's operation and maintenance. THIS INFORMATION SHOULD NOT BE CONSIDERED AS ALL INCLUSIVE OR COVERING ALL CONTINGENCIES. If further information Is required, Westinghouse Electric Corporation should be consulted, NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE OR MERCHANTABILITY, OR WARRANTIES ARISING FROM THE COURSE OF DEALING OR USAGE OF TRADE, ARE MADE REGARDING ‘THE INFORMATION, RECOMMENDATIONS, OR DESCRIPTIONS CONTAINED HEREIN. Inno event will Westinghouse be responsible to the user in contract, in tort (including negligence), strict llability or otherwise for any special, indirect, incidental, or consequential damage or loss whatsoever, including but not limited to damage to or loss of use of equipment, plant, or power system; cost or capital; loss of profits or revenues; cost of replacement power; additional expenses in the use of existing power facilities; or claims against the user by Its customers, resulting from use of the Information, recommendations, or descriptions contained herein. D-iii NUREG-1275, Vol. 11 —ANB 9301 Page 1 of 16 AVAILABILITY IMPROVEMENT BULLETIN 9301 REASON FOR BULLETIN In February 1992, Customer Advisory Letter 92-02 was issued as a result of an overspeed incident on a ‘nuclear unit, The overspeed incident was partially ue to malfunctioning EH dump solenoid valves. ‘The solenoid valves involved were Parker-Hannifin Manatrol solenoid valves 20/0PC-1 and 20/0PC-2 (overspeed protection controller) and 20/ET (Emergency Trip solenoid valves) used with Bleetro-Hydraulie (BHD control systems. The above three solenoid valves are loeated on a machined block on the right side of the pedestal. In another arrangement there are four 20/AST (Auto Stop Trip) solenold valves and two 20/0PC solenoid valves on a machined block on the right ede of the pedestal. Refer to Figures land 2. ‘Two configurations of valvé3 have been used, The Parker-Hannifin valves use a spool type solenoid operated pllot valve. The other configuration uses a poppet type solenoid operated pilot valve. Of about 1000 solenoid valves in use for the above functions, 40% use the spool type pilot valve. During the past Several incidents of spool valve sticking have been reported. No incidents of sticking have been valves can be replaced oreline. Concurrent with the fnvestigation of the aforementioned incident, a number of complementary actions ‘were taken that included but are not limited tothe following. * Survey of users soliciting valve and system performance feedback ‘+ Athorough engineering reappraisal of overspeed protection systems, ‘Indepth discussions with various valve manufacturers to obtain thelr inputs, ‘+ An investigation of dump valve orifice sizing related to slow (greater than 0.5 seconds) reheat stopfinterceptor valve closure during offline tests. AVAILABILITY IMPROVEMENT INFORMATION Because of the serious nature of excessive overspeed, Westinghouse recommends system redundancies and online testing capabilities. Several of the following configuration specific recommendations are reiterations of those contained in CAL 92.02. A. UNITS WITH EH CONTROL SYSTEMS 1. As a minimum, modify units with two 20/0PC (AGG) and one 20/ET solenoid valves to ermit on-line testing, This could also allow or-line replacement. & One method of accomplishing on-line testing isto installa test block between the resent solenoid valves and the large machined block. (Refer to Figures 3 end 4). ‘This test block can be used to individually test the solenoid valves omline and could also allow online maintenance. For unlts with spool type pilot valves, this ‘block can be sandwiched in with Ite effort. For units with solenoid valves that screw into the main block, anew block would be required. This method minimizes the modifications needed but requires local testing. Other methods could be used ‘which range from coming offline to test to remote teating capability involving. blocking solenoid valves and pressure transducers. 'b, Install a push button panel adjacent tothe solenoid valves to permit online testing of each solenoid valve when done locally. Additional instrumentation will be needed if done remotely, © Test the valves monthly using appropriate Instruction Leaflet requirements, D-1 NUREG-1275, Vol. 11‘ANB 9301 Page 2 of 16. ‘As a minimum, modify unite with an electrical trip system and having two 20/0PC and four 20/AST solenoid valves to allow for omine testing of 20/0PC valves. This could also allow mine replacernent of valves. & One method of accomplishing online testing isto instal atest block between the present 20/0PC solenoid valves and the lange machined block. (Refer to Figures 3 ‘and 4). ‘This test block can be used to individually test the solenoid valves online ‘and could also allow omline maintenance. For units with spool type pilot valves, this block ean be sandiviched in with litle effort. For units with solenoid valves, that eorew into the main block, a new block would be required. ‘This method minimizes the modifications needed but requires local testing. Other methods ‘could be used which range from coming ofFline to test to remote testing capability involving blocking solenold valves and pressure transducers. Test the valves monthly using appropriate Instruction Leaflet requirements, b. Install a push button panel adjacent to the Golenoid valves to permit testing each solenoid valve when done locally. Additional instrumentation will be needed if done remotely. ¢ __ The four 20/AST solenoid valves can presently be tested in pairs, not individually. Install a push button panel adjacent to the solenold valves to allow individual testing of these valves. Tt is suggested that a test block be installed for each solenoid valve to allow on-line maintenance of these valves. Test the valves ‘monthly using appropriate Instruction Leaflet requirements. ‘Remove, replace of rebuild and then test each OPC, ET and AST solenoid valve in the EH lines at each major unit outage in accordance with valve manufacturer's recommendations. Spare valves in stock for five years or more should be rebuilt prior to being placed in operation, Valves should be rebuilt only by valve manufacturer appraved vendor. Verify that all pressure switches used to indleate a turbine trip condition (autostop oi pressure) are set at the same pressure level per Instruction Book information. This permits resetting the turbine control system to a tripped condition simultaneously with notification of a turbine trip to the steam supply system. Maintain EH fuld temperature and cleanliness within recommended specifications. (Refer to OMM 120 and Instruction Book). Verify that HH fluid tubing is not buried in insulation for exposed to hot turbine parts (Refer to AIB 8102). ‘This will reduce vamish deposits on ‘lose clearance parts suchas solenoid valves, Moog valves and relief valves and clogging ‘of drain lines. The recommended operating temperature for the EH fui is 100°F to 130°F. Refer to LL. 1250-4200 *Care, Handling & Application of Control System Fluid” for appropriate safety precautions. Install a latehin (seabin) circu to energize 20/ET solenoid valves. (Refer to Figure 5). ‘Some plants have a separate electric trip to energize 20/57 other than that used for 2AST. [the signal is removed from the 20/BT solenold valve, the 20/ET will allow re-establishing the high pressure uid. If the parallel path which energizes the 20/AST did not function, the steam valves could reopen creating a potential for overspeed. A latehvin eircuit will ‘maintain the unit in a tripped condition when the 20/E7 solenoid receives an external signal. ‘Test each 20/0PC (or AGG) and each 20/AST or 20/ET solenoid valve individually on each startup. If any valve does not operate due to sticking, all solenoid valves should be removed, replaced or rebuilt and then retested. For all valve actuators equipped with a three inch dump valve, inspect the orifice which limits the flow of uid from the high pressure header to the emergency trip header to verily ‘thatthe diameter is 0.031 inches or less. Other valve actuators, equipped with the 7/8 inch ‘dump valve, do not require this inspection as they do not have this orifice. Figure 6 shows NUREG-1275, Vol. 11 D2‘ANB 9901 Page Sof 16 ‘fluid diagram for actuators equipped with both types of dump valves. Figures 7 and 8 show an exploded outline of typical valve actuators equipped with the’7/8 and 3 inch dump valves (respectively). ‘The orifice to be inspected (on valve actuators equipped with the three inch dump valve) is. located most commonly in the orifice plate that Is sandwiched between the machined Dlocic and the test solenoid valve, as shown in Figure 8. Ifthe orifice diameter is greater ‘than 0.081 inches, tis recommended that it be replaced with another having the 0.031 inch diameter. Some valve actuators equipped with the three inch dump valve do not have an orifice plate and instead the orifice was drilled into the machined block underneath the test solenoid valve; for this configuration, if the orifice diameter is greater than 0.031 {nches, itis recommended that an orifice plate be added having an orifice diameter of 0.031 ‘inches, as shown in Figure 8 (the drilled orifice in the machined block should be left asi). 9. Inspect and verify that the vented drain line(s), which return fluid to the EH Reservoir from the emergency trip header interface diaphragm valve and emergency trip control, block connections (located at the governor pedestal), are of the proper size; 1.00 inch OD by 0.120 inch wall thickness tubing. Also verify that the vented drain line(s) are located and adequately protected against a ‘possible mishap which could cause a reduction in the flow capacity of these line(S). It should be noted that current Westinghouse practice calls for two independent, full capacity vented drain lines to be run to the EH Reservoir in parallel in order to help ‘minimize this risk. Additionally, a crossle between the two vented drain lines near thelr connections to the interface diaphragm valve and emergency trip control block is also recommended. 10. Poppet type solenoid valves will be furnished when replacementspare solenoid valves are ordered. ‘They are a direct replacement for the spool type valves with regards to form, fit and function and will mount directly in place of spool type valves. (Refer to Figure 4). ‘Westinghouse Style 48224848001 is replaced by 8073049002. UNITS WITH MECHANICAL TRIP SYSTEMS 1 On units with mechanical trip systems, one 20AST is standard. During trip testing at the front pedestal, this solenoid is made ineffective. A second 20/AST should be installed on the HP oil supply side of the test handle to allow electrical trips to be effective even when ‘the testhandle is held. (Refer to Figure 9). 2 —_Jn.addition to testing the low bearing oi, low vacuum and high thrust trips devices on a ‘monthly basis, the trip solenoid 20/AST in the mechanical trip device assembly should be tested monthly using appropriate Instruction Leaflet requirements. Caution should be exercised when making this test to assure that other plant tripping circuits are not, involved, 3, At each major outage, visually inspect and manually manipulate the trip assembly ‘mechanism to detect any worn parts, loose pins, ruptured bellows or sticking mechanism. Repair asneeded. UNITS WITH MECHANICAL HYDRAULIC CONTROL SYSTEMS: Itis recommended that these units have as a minimum: 1, An auxiliary governor which will take action to arrest tutbine speed to a value below the ‘tip set point. This function may be called a preemergency governor. D3 NUREG-1275, Vol. 11 4AIB 9301 Pago 4 of 16 Alload drop anticipator to assist in preventing reaching the overspeed trip point on a ‘sudden loss of load, On 300 psig control systems, a solenoid valve would divert control oll from govemor and interceptor valve servomotors to drain. On 150psig control ystems, a solenoid valve would admit high pressure oil to the governor and interceptor valve control oll header. Bither configuration will cause the governor and interceptor valves to close. ‘The essence of this feature is shown in Figure 10. D. ALLUNITS 1 10. Use reverse power relays in the circuit for opening the main generator circut breaker as recommended in OMMO92. This allows turbine driving steam to be dissipated prior to ‘opening the breaker. ‘Westinghouse recommends the use of autostop oll pressure level to indicate the latched or ‘tipped condition of the turbine. It is recognized that some users may use valve limit switches for this purpose. Ifso, the imit switches atthe closed end of the valve should be ‘used. ‘Test the trip welght by simulation (ol test) monthly per instructions in the unit Instruction Book. Follow testing and maintenanee practices for steam non-return valves per ANSVASME, Standards TDP-1 and TDP-2 “Recommended Practices for the Prevention of Water Damage to Steam Turbines Used for Electric Power Generation.” This will reduce the possibility for uncontrolled flashing steam driving the unit to overspeed. ‘When conducting periodle trp tests at the front pedestal, the front pedestal operator must bein constant contact with the control room to permit receipt of any tripping instructions. ‘The front pedestal operator is to have visual access to indications of unit speed and ‘antostop oil pressure via tachometer, pressure gauge or other turbine trip status. ‘The front pedestal operator is to release the test valve if a turbine trip occurs oF if indications of a unit overspeed are received. ‘To redince the potential for a momentary drop in autostop oll pressure during tip testing, the cleanliness of the autastop lube oil should be maintained to reduce the possibilty of orifice clogging. (Refer to OMM 072 and OMM 106). It fs recommended that all units have at least two independent means of tripping the unit ‘on overspeed, This should consist of the overspeed trip weight channel plus one or more of the following: One electrical speed sensing channel 1b. Pressure switches sensing shaft driven oil pump output pressure (Fig. 11) € — Twooutof three electrical speed sensing channels (Fig. 12) ‘A means of functional testing on-line is to be incorporated regardless of the methods chosen. ‘To reduce the possibility of tripping the unit during testing of the trips at the front pedestal, install a pressure gauge on the trip block side (mechanical trp system) of the test handle, Refer to Figores 1 and 2, ‘The operator should verify that autostop pressure has, ‘been re-established before releasing the test handle. NUREG-1275, Vol. 11 D4ANB 9301 Pago 5 of 16 EMERGENCY AND OVERSPEED PROTECTION CONTROLLER SYSTEM FIGURE 1 D5 NUREG-1275, Vol, 11‘AIB 9301 Page 6 of 16 EMERGENCY AND OVERSPEED PROTECTION CONTROLLER v FIGURE 2” NUREG-1275, Vol. 11 D6‘AIB 9301 Page 7 of 16 SOLENOID VALVE ADAPTER SPRING RETURN MANUAL VALVE EXISTING ounce) enneutr 20/0rc ORET CS orate o ‘This arrangement does not apply to: &, Manifold blocks with cartridge valves mounted directly in the block. For these units, anew manifold block and solenoid valves are required. b. The solenoid valves designated 20/AST on manifold blocks with 6 valves. Presently, 20-1/AST thorough 20-4/AST valves can be tested online but not replaced online. New solenoid valves and an alteration to the manifold would bbe required in order to permit on line replacement. TL _Forremote testing, a variation of the above arrangement could be made by: a. Replacing the manual valve with a normally open solenoid valve. b, Adding a pressure transmitter and receiver to read the gauge pressure. ©. Adding a solenoid valve test panel in the control room, FIGURE 3 D-7 NUREG-1275, Vol. 11‘ANB 9901 Page 8 of 16 SOLENOID VALVE ADAPTER PARKER-HANNIFIN SOLENOID VALVE REMOVE EXISTING PLUG REPLACE WITH ROOT VALVE ‘AND GAUGE (LET —S POPPET STYLE A+) SOLENOID BLOCK T L--~—~~----ae@ EXISTING MANIFOLD BLOCK FIGURE 4 NUREG-1275, Vol. 11 D-8‘AIB 9901 Page 9 of 16 LATCH IN OF 20/ET + ile lead ‘TRIP CONTACT ese 2o/er R 63/AST = CLOSES ON LOSS OF AUTOSTOP OIL PRESSURE - 20/ET ~ OPENS TO DUMP HIGH PRESSURE EMERGENCY TRIP LINE ‘The original intent of the 63/AST-20/ET circuit was to provide a redundant path to the diaphragm valve, Practice has indicated that many utilities energize 20/ET directly as a redundant path to 20/AST. As presently configured, there is no latch in circuit to Keep 20/ET energized. The circuit above is recommended to keep 20/ET energized until an operator purposely resets the circuit. FIGURE 5 D9 NUREG-1275, Vol. 11‘ANB 6901 Paga 100 16 VALVE ACTUATOR WITH 7/8* DUMP VALVE (aot affected; for reference only) tmp peor ve x MEMEAT STOP save om eaecency th one VALVE ACTUATOR WITH 3" DUMP VALVE puree rUnDER wer ‘suprur NUREG-1275, Vol. 11 D-10AIB 9301 Page 11 of 16 VALVE ACTUATOR WITH 7/8" DUMP VALVE (not affected; for reference only) Machneo atoc ‘yyDRAULIC eYLinoen FIGURE 7 D-11 NUREG-1275, Vol. 11‘AIB 9901 Pago 120 16 VALVE ACTUATOR WITH 3° DUMP VALVE roma Bit sanzoro cy sastoer NALVE. FIGURE 8 NUREG-1275, Vol. 11 D-12ANB $301 Page 13 of 16 MECHANICAL TRIP SYSTEM > VALVE CLOSURE SYSTEM FIGURE 9 D-3 NUREG-1275, Vol. 11‘ANB 9301 Page 14 of 16 LOAD DROP ANTICIPATOR BL MAIN ‘BREAKER RL ‘LDA PRESSURE =P SWITCH ‘CONTROL O1L ‘SOLENOID, RELAY VALVE Installation 1 Install a pressure switch to use as a measure of steam flow. A convenient location is in the crossover pipe. Calibrate the pressure switch to close at a pressure equivalent to 30% or greater of rated flow. 2. Install a solenoid valve in the contro! fluid line. Operation 1, Unit operating above 30% load with drop anticipator (LDA) pressure switch closed and the ‘main breaker contact open. 2. Main breaker opens closing contract B. LDA contact remains closed. 3. Relay RI picks up and energizes control oil solenoid valve. ‘This in tum closes governor and interceptor valves. 4, Steam flow reduces and LDA pressure switch opens. $, Control oil pressure restored and normal governing function controls speed. FIGURE 10 NUREG-1275, Vol. 11 D-14AIB $901 Pago 15 of 16 OL PRESSURE SWITCH ARRANGEMENT SHAFT DRIVEN OIL PUMP OUTLET ‘One relatively easy way to add a backup overspeed protection circuit isto take advantage of the shaft driven oil pump pressure variation with shaft speed. Using 2 out of 3 logic reduces the chance of tripping due to a single switch failure, ‘Due to variations from unit to unt, the output pressure needs to be checked for each unit at the overspeed trip level. Anormally closed contact from each pressure switch can be set to open above 95% speed and used to indicate a switch failure in the closed direction. ‘The pressure switches can be isolated and removed for calibration checking while online, Calibration should be done a minimum of once a year using a dead weight tester. FIGURE 11 D5 NUREG-1275, Vol. 11‘ANB 9301 Page 16 of 16 TWO OUT OF THREE ELECTRICAL SPEED SENSING CHANNELS CHANNEL NO. 1 CHANNEL NO. 2 (CHANNEL NO. 3 LOSS OF SPEED SENSING LOGIC FIGURE 12 NUREG-1275, Vol. 11 D-16APPENDIX E HAMMER VALVE —HAMMER VALVE As noted in Section 43,, the author of this study examined an SOV which is used in European fossil-unit TOPS systems. The valve undergoes long periods of inactivity but must function properly when called upon to dump EHC system hydraulic fluid, The enclosed technical articles; “Herion Directional Control ‘Valve Type 5203468 for Hydraulic Safety Control Systems Inoperative for Long Periods Under Pressure,” by A. Hoeger, and “Trip Et Control for Compact Drives for Turbine Valves,” by E. Kloster, explain in detail how the valve works. In response to the author inquiries about the hammer valve’s relial the enclosed June 10, 1993, letter from N, Schauki of Siemens Nuclear Power Services, Inc., notes that the hammer valve has functioned on demand with 100-percent success. However, some minor flange leakages had been recorded. NUREG-1275, Vol. 11HERION directional control valve type 5203468 for hydraulic safety control systems inoperative for long periods under pressure* Adotonge Spootorseataype decimal contol Ths “hammer eon" trees the eon- —_fonton of th armature in wolensid MMvcsnutjectedotyéraullepresore trolpien,teretomapingcantsove (0) sto Gechage the breakaway ie Ferlengty pecodstendtoreiecfom the piston to potion (O) The sole pace Piston sickng, This scans that fe Fo longer poaletochange estate Of the abe, because the switching fees are ot stl Hee ie fined ptm. Te Sac ching the Paton. Tens and cate Ntores [bse showa that blow wih hae ‘sriched bythe eur prngitpower {il Thetematbeno quesioucrhe piston asing. Pefenemsoutaeen Feledotlopenton ‘A device designed to jerk the scking piston free i mounted on the ele Ermagaetically actuated spool valve wwitkeeumepeng. “Tis deviceconsatsofammagnticcll e pn wick recrulates th oll when ‘Me valve lerwiched. eheimpactsolenold(o)ienerszed, ’ the piston moves aguas the force of Wiese senda Qf deesar bie tb tt ep pu he : Stith fos he pos 14 ihe “elecold @) = ‘ttt Sota (aad elena both TAPS ‘eet nctme ine tears. Se of leo) peenens s ; A spine seed) Whensaenls eDiets Gi deere leon @ Sta iecorge I nway ea ft ped tna pein) Site apg neal Oak one, the sims neh Be eie’A sa cs he contd Buobi arc MERION ve nges8 "Reprinted with permission of Herion-Werke KG. NUREG-1275, Vol. 11 E2Trip control for compact drives for turbine valves* Enet ot Katto Aa Intuespcdorouipscontolzyren Tnovéertocontolthencamforssby Th conta spats equedfor sor fea tring fe micant of the talves hgh contol mal closed of opentoop oper mperssted wate mine conuel foes mc be made wvshe wi ons ofthe contol tease este Sats by adjusting the seem llet shore conl tiers Thi, coupled Sent or etme. tine faa ‘ive Tusensles ine fowofweam wih the roquement for igh post modes such aba ulHload shutdown {ote matted to ouput equie: Uonlngacmeyotthecontolvave, or an ovespend wip. Aconscrabiy tent. nonsrtoprorideprotcion canteasienedoniybymcaesofhy: —sharereanivl tne i neseary Ia Tpleiinpemitlcaretingeate Sve does leo be ote, esceeinode openings Sfikedlnegenntar say och won cena enal conto ad be ovenpeeing ol he ttee trerped reing tom ie fale sppiysstem tothe alvesa pipes, Scotia wives cose, theseres acperce ol aply (pump, Mand omeded tip rales ae provided tcmlaor)itacnporiineach provided witha at speed wich ena Siteconuolsemvbichdoscethe dave. Theat ate dedgaed fora high Usracontalmeintbecouogdics: Maivawientapgered Theproscive opsitagyesemesndsecteonpact dono! Gbmstotealizved oral aso aaron tho contol wave, lnonse (igure). Beals Oneprewondon for auch ort et Er incorporsung redundancy ino tal sed sopely nes me fod toc Sngtneritht the nang forcain thesatey gym, Supa sive, To aetat ave for théeasing deco be epted by & {control valves dhs isactsted by preloncodapring,inthisenten sping “The new turbine conte tea has ibeorvewasa Gc Inoter weds, closure rate fen designed to wo ekctaly for ‘Xlecta wihoutanpsuniiny energy. Sian proeing iol wansmion ving ive to con the tap ‘The vale opna bythe actag Eidastn aly powersoure. The ion wiih sl presure mores ages ace high prosesing and aly one dcetion. Again, this prince tranamiston rpecds and short delay uated contol valve wa the contol ple allows the stipulated shor delay times. fyetem. fimes (0 be realized (Figure 2). ‘Reprinted with permission of Herion-Werke KG. B3 NUREG-1275, Vol. 11of filure example i theo soply as (“de ioe 0 tap prince). Fee Hyteati peter of compect dive ontcvatve a view & Diroctonalconvolyave rapide closing control wait schematic Soevayase CO vs Poppatvatve Fromme sippy eytem Figure 3 Poppet valve and directional control valve Sepa q Fromeortoteyfader NUREG-1275, Vol. 11 E4“To inte the tip procedure, prs- ‘sure beneath the piston must be re duced and the volume of oil driven by_ spring fore foe of reservo. This ‘is attained by the rapid opening of an integrated contol system (Figure 3). ‘When tesevalvesopen foratrp, they comet the eyinder with the reservoit parallel to the electohydralie server valve (control drive) or electro magnetic control valve (open/closed ave). ‘As shown above, a failure, whichis to ‘Sy, the on-closire ofa control valve, leads to overspeed. Redundancy i therefore required, ie. wip and coatel valvesare conneciedia pissin fries in a valve combination. Further redundancy isachieved by the parallel conection of two integrated control systems (Figure 2). Ech of these is able to handle the Sting operation y vin ofthat that, with overdimensioned valves fand’ large duct erosrsections, the ieriescomected orifice i dimen. Sioned forthe shor closing time. ‘heh react skp: 3 valve separately via a direction Eontol vale actuated eloacally by the control system (Rigore 2). The Poppet valves are standardnsala- tion’ elements with piston guide, known as troway poppet valves of carga Wh te conto oe ‘ive open an pressure applied beneath the valve Enne, they sre held dosed by thecon- trol pressure wich the solenoid valve ide up above the cone. The sal ‘enoids re energizzdin operation, de- nergized fra tps the contol pres. fre is dsipted, the poppet valves serene reins rear The Je-energize (0 cose pring to thestlenoi valves aswelljinatet words, ithe electrical supply fs the turbine valescloe. “The solenoid valves selected are of Hide design inorder to ensure that 9 fcallag_ problems sro encountered dling long periods in sevice, Ste ‘alves_are’ Subjected to friional {oroes and alo adhesive forcesif they ‘ernain for considerable periods fn ‘one position. The HERION solenoid ‘alveshave been developed to ensure that they ean be tipped reliably by spring foree, even afta long Sandal petiod. To increase the re- itabitiy of the closing scion even ten tnexpected adhesive forces are present, a second solenoid valveisGt- {ed to the opposite side; when tripped by spring foree, the armature ofthis spun ses suing he coma fe (“impact solenoid"). This i Sces'an_adtonstbreskaway pulse (Figure 3). Even withhigh ambien temperatures End wide wlio toleaacts, dee tional control vaives with impact sol- enoids hammer valves") have adequately large reserves of actuating force in the closing direction, short closing mes with small tolerances and low leakage-oil rates. This is a- tained by precise balancing of the lose-tolerance springs with the sol- cts and sma eose tolerances 100% on Totat say time Figured Grophs ofa quick closure ES Pe gale reg ntecmlasee oldeconpesaee teint Giessen ‘The trip procedure is executed at in- egret eat a sae of sors it cru te tg fe ste tel Eerecompatasgrere shmemeanieten ‘pressure downstream of the impact ag ova fe ore ‘nl ere er cenicomncans Solero vale Contd us NUREG-1275, Vol. 11SIEMENS June 10, 1993 National Regulatory Commission Mail Stop: 9715 Washington, DC 20555 Attention: Dr. Omstein Dear Dr. Ornstein: Subject: Experience with "Hammer Solenoids Valves" from Herion According to the information we received from Mr. Gebauer at Siemens - KWU in Malheim, thére were no functional problems encountered with the "Hammer Solenoid Valves" from Herion. In some cases minor flange leakages were observed. The leakage was overcome by replacing the gaskets at scheduled maintenance. The functionability of the "Hammer Solenoid Valves” has been 100% ensured to date (April 93). Attached to this letter please find a fax to S-KWU with the above statement and a reference list showing the power plants which have the "Hammer Solenoid Valves", the start-up date and the number of installed "Hammer Solenoids.” As far as | was informed, some information about the valves has already been sent to you last year. If you have any questions, please call me at 615/499-1718. Best regards, Dr. Nabil Schauki_—""~ renee Sen and Valve Services nsius67 Attachments Siemens Nuclear Power Services, Inc. ‘5959 Shallowlord Road, Suite 531 Chattanooga, TN 37421 TEL: (615) 499-0961 FAX: (615) 694-2456 NUREG-1275, Vol. 11 E6TELEFAX / TELECOPY Ee an/To ‘Von / From THEN [OSMAo = eS | eee | ozs 4se- 2462 Berea Siemens AG, LA | Errrany Slemens AG, _ KWU entnee Demme | 7OAR [tene[ di Bonnar [me Gbver | Tilonsen | SEE _| basso usin ta | fee, [er ae Bexittr/supject: Bedrichserlahmennen mit wet rentilenr am KPA atana / Navies: . feronit bestivine ich Sh fh os bisher 14. betwen Sirenvern tn, in PA's eingeretiton, Shlanmenmed fas agkomuven sv. Tn Cinrelftle, antretretene deckagen an den Fonssh mel . Hb Benwdficlen (ieee [eaan® Tah ge [te Tozokss | cH ET NUREG-1275, Vol. 11REFERENCE LIST Herion - 4/2 "Hammer Solenoid Valves” for Power Plant Commercial ‘Number of Number of ‘Operation Actuators ‘“Hommer Solenoids” ‘Start KW Heyden 4 04.87 26 48 Kendal 1 04.88 4 48 Kendal 2 10.89 26 48 Kendal 3 10.90 28 48 Kendal 4 09.91 24 48 Kendal 5 ‘Under 24 48 Kendal 6 Construction 24 48 KW Walsum B19 05.88 4 28 Megalopalis 4 09.91 14 28 Steag KW Heme 4 07.88 12 24 'SWM KW Nord 81.2 08.91 2 24 HW Moabit Block A 11.89 12 26 Fynsvaerket Block 7 04.91 a 16 Haapavesi 08.89 8 16 Simmering 3 04.92, 8 16 Total: 232 464 NUREG-1275, Vol. 11APPENDIX F OPERATION & MAINTENANCE MEMO 108, “MAINTENANCE OF MAIN STOP VALVES & REHEAT STOP VALVES”* “Reprinted with permission of Westinghouse Electric Corporation.DISCLAIMER OF WARRANTIES ANDLIMITATION OF LIABILITY ‘THERE ARE NO UNDERSTANDINGS, AGREEMENTS, REPRESENTATIONS, OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OTHER THAN THOSE SPECIFICALLY SET OUT IN ANY EXISTING CONTRACT BETWEEN THE PARTIES REGARDING THIS EQUIPMENT. ANY SUCH CONTRACT STATES THE ENTIRE OBLIGATION OF SELLER, THE CONTENTS OF THIS DOCUMENT SHALL NOT BECOME PART OF OR MODIFY ANY PRIOR OR EXISTING AGREEMENT, COMMITMENT, OR RELATIONSHIP, ‘The information recommendations and descriptions in thls document are hased on Westin expertence and judgment with respect to this equipment’s operation and maintananci THIS INFORMATION SHOULD NOT BE CONSIDERED AS ALL INCLUSIVE OR COVERING ALL CONTINGENCIES. If further information is required, Westinghouse Electric Corporation should be ‘consulted. NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE OR MERCHANTABILITY, OR WARRANTIES ARISING FROM THE COURSE OF DEALING OR USAGE OF TRADE, ARE MADE REGARDING THE INFORMATION, RECOMMENDATIONS, OR DESCRIPTIONS CONTAINED HEREIN, In no evant will Westinghouse ‘be responsible to the user in contract in tort (including negligence), atrict Liability of otherwise for any special indiract, incidenial, or consequential damage or loss whatsoaver, including but not limited to damage 10 or loss of use of equipaent, plant, or power system; cost or capital; loan of profits or revenues; coat of replacement power; additional expenses in the use of existing power facilities: oF claims againat the user by its customers, resulting from use of the information, recommendations, or descriptions contained herein. Puli NUREG-1275, Vol. 11Page 1 of OPERATION & MAINTENANCE MEMO 108 1 REASON FOR MEMO Incidents of clappers of main steam stop vaives having come loose and separating from the clapper arm have been reported. This occurrence completely disarms the safety backup feature of the stop valve, High levels of vibration of the clapper valve resulting from improper back seat of the clapper to the intemal stop, combined with inadequate staking (peening) of the retaining pins, can provide the conditions which may result in the pins coming out and eventual Clapper separation. Engineering evaluation of the few incidents compared to the thousands of years of successful operating history of this type of valve and evaluation of the assembly requirements confirms that piper assembly and maintenance of these valvas is essential to the performance of their function as a safety backup vaNe in the inlet features. 2 OPERATION AND MAINTENANCE INFORMATION Implementation of the following recommendations, consisting of verifying the conditon of the stop valve and, where required, instituting corrective action, should minimize tha Potential for separation of the clapper from the clapper arm due to loose and vibrating Parts. These recommendations should be implemented in compliance with the stop valve assembly procedures, 2.1 Verification of Stake, Nut to Retaining Pins Remove the stop valve cover and inspect the stake {peening) of the clapper valve ut over the retaining pins. Requirements for position of. pins and location and amount of staking are shown on Figure 1. if necessary, take corrective action ta establish proper staking, Staking (peaning) is to De done hot (600°F min - 1000°F ‘™max) with a peening tool having a 0.12 inch spherical radius tip. Contact your Westinghouse Representative for further details of the inspection Procedures, of the peening requirements/acceptance criteria and, if restaking is Necessary, of the staking procedures. 2.2. Verification of Back Seat Verify that the clapper valve stem properly back se: ts against the intemal stop when the servo motor (or actuator) is in the prescribed wide-open, full-stroke position, (Refer to Figure 2. Verification of proper back seat should be established by the “blue” method. If required, corrective action should be instituted per Reheat Stop Valve Assembly Procedures Drawing to establish proper valve stem back seat and recheck by the “blue* method. 23 Verify Belleville Washer Setting Proper setting of the Belleville washer is critica! to the proper operation of the valve. Following the field setting instructions provided ure 2, reset the Belleville washers to the required position while the valve is hot. Fl NUREG-1275, Vol. 11omM 108 Page 2 of 4 2.4 Document the resuits of the verification checks and actions taken per Paragraphs 2.4, 22, and 2.3. Contact your local Technical Services Manager if additional information relative to or clarification of the recommendations in this Memo is required. NUREG-1275, Vol. 11 2Page 8ot 4 STAKE PINS ose! 2 HOLES FOR .500 PINS su a PIN 4 PLACES. ENLARGED VIEW "x" NOTE: PIN MIST BE SEATED TO Srriciog oot va ES ‘STAKE. END OF PIN WITH TAPPED HOLE. LIQUID PENETRANT INSPECT DEFORMED ETAL. B3 NUREG-1275, Vol. 11OMM 108, Page 4 of 4 8 BELLVILLE ‘WASHERS PEN TO RETAIN BELLEVILLE WASHER FLELO SETTING INSTRUCTIONS WITH_STOP_VALVE HOT AND WIDE OPEN, COMPRESS. BELLEVILLE WASHERS (IT. 54) BY USE OF ADJUSTING SCREW (IT. $1) UNTIL STOP VALVE JUST STARTS TO MOVE IN THE CLOSED OIRECTION, THEN BACK OFF ADJUSTING SCREM 60° LOCK WITH UT (IT. §2) @ AT ASSEMBLY CHECK THAT CLAPPER VALVE, 1S BACK-SEATED AGAINST STOP WHEN IN OPEN POSITION AND THAT SERVO 1S_MAINTAI! BACK ‘SEAT FIGURE 2 NUREG-1275, Vol. 11 F4ae TE AREER ORE] 7 RT i aes Seo as, STB en Adder Num Sait, sete BIBLIOGRAPHIC DATA SHEET bore any) (Seo Intrutions on the rverso) Ronee a ‘3. DATE REPORT PUBLGHES ENGR GRANT NOVEER SRE OF RESORT ‘Technical TTWCE AND SST Operating Experience Feedback Report—Turbine-Generator Overspeed Protection Systems ‘Commercial Power Reactors 7. PERIOD COVERED (walaahe Oa 1950-1994 ‘5 FERFGRMING ORGANEEATION ~ RANE AND ADDRESS [RNAG, provge Dion, Ofico or Rogan U8, Rison? RagUatary COAATSTON Ad ‘naling adress; Ireorractr, prone aime and maling adress) ree regia Safety Programs Division Office for Analysis and Evaluation of Operational Data U,S, Nuclear Regulatory Com: ‘Washington, DC 20555-0001 3 SPONSORING ORGANIZATION - RANE ANS AODREBS (TNAO, Wo "Game ay Sbove"y Woonvaster, ova NAG Bison, Oilee or Region US. Nuclear Reguletary Commision, and malig eases.) ‘Same as 8 above. Tor SUPPLEMENTARY NOTES Ti: ASSTRAGT (a0 words & Ts) ‘The report presents the results of the U.S. Nuclear Regulatory Commission’s Office for Analysis and Evaluation of Opera- tional Data (AEOD) review of operating experience of main turbine-generator overspeed and overspeed protection sys- ‘tems, AEOD's study provides insight into the shortcomings in the design, operation, maintenance, testing, and human fac- tors associated with turbine overspeed protection systems. It includesan indepth examination of the turbine overspeed event that occurred on November 9, 1991, at the Salem Unit 2 Nuclear Power Plant. It also provides information concerning ac- tions taken by other utilities and the turbine manufacturers as a result of the Salem overspeed event. AEOD's study re- viewed operating procedures and plant practices. It noted differences between turbine manufacturer designs and recom- mendations for operations, maintenance, and testing, and also identified significant variations in the manner that individual plants maintain and test their turbine overspeed protection systems. "2, KEV WORDS/OESCRIPTORS (ict wore or prazes that wl anole roserchers a laeang to epere) ‘Turbine, overspeed (OPC), electrohydraulic system, EHC, missile, control system, Regulatory Guide 1.115, RG 1.115, General Design Criterion 4, GDC 4, turbine- enerator, Salem-2, solenoid vaive, solenoid operated valve, SOV, common mode AVRCASLTY STATEMENT Unlimited Ter SECURITY CLASSFOATION Cee lure, admission valve, bypass valve, OPC, ET, governor, hammer, AST, SERT, Unclassified front standard, hand trip, precursor, TIL, fire, flood, vibration, AIT, CAL, AIB Te inclassifie TE-NONEER OF PAGES NAG FORM ms (9)