NUREG-1275

VOl. 11

Operating Experience Feedback

Report -Turbine-Generator
Overspeed Protection Systems

Commercial Power Reactors

Manuscript Completed: October 1994

Date Published: April 1995

H.L. Ornstein

Safety Programs Division

Office for Analysis and Evaluation of Operational Data
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001

STE
DISYRIB~IONOF THISDOWMENT ISUNLIMITEDW
 DISCLAIMER

This report was prepared as an account of work sponsored

by an agency of t h e United States Government. Neither t h e
United States Government nor any agency thereof, nor any
of their employees, make any warranty, express or implied,
or assumes any legal liability or responsibility for t h e
accuracy, completeness, or usefulness of any information,
apparatus, product, or process disclosed, or represents t h a t
its use would not infringe privately owned rights. Reference
herein to any specific commercial. product, processi or
service by trade name, trademark, manufacturer, or
otherwise does not necessarily constitute or imply its
endorsement, recommendation, or favoring by t h e United
States Government or any agency thereof. The views and
opinions of authors expressed herein do not necessarily
state or reflect t h o s e of t h e United States Government or
. any agency thereof.
 DISCLAIMER

Portions of this document may be illegible

in electronic image products. Images are
produced from the best available original
document.

I
 ABSTRACT
This report presents the results of the U.S. higher than previously thought and that the
Nuclear Regulatory Commission's Office for bases for demonstrating compliance with
Analysis and Evaluation of Operational Data NRC's General Design Criterion (GDC) 4,
(AEOD) review of operating experience of "Environmental and dynamic effects design
main turbine-generator overspeed and over- bases," may be nonconservative with respect
speed protection systems. It includes an to the assumed frequency. GDC 4 requires
indepth examination of the turbine overspeed structures, systems, and components impor-
event which occurred on November 9,1991, at tant to safety to be appropriately protected
the Salem Unit 2 Nuclear Power Plant. It also
provides information concerning actions taken against dynamic effects that may result from
by other utilities and the turbine manufac- equipment failures and from events and
turers as a result of the Salem overspeed conditions outside the nuclear power plant. In
event. AEOD's study reviewed operating pro- addition, compliance with GDC 4 may not
cedures and plant practices. It noted differ- have considered fires and flooding associated
ences between turbine manufacturer designs with destructive turbine overspeed events.
and recommendations for operations, main- While turbine overspeed protection is only
tenance, and testing, and also identified part of the criteria for meeting GDC 4 and
significant variations in the manner that compliance may be accomplished in other
individual plants maintain and test their ways, improvements in maintenance and
turbine overspeed protection systems. testing as noted in the study can enhance the
reliability and operability of the main turbine-
AEOD's study provides insight into the generators and their overspeed protection
shortcomings in the design, operation, mainte-
nance, testing, and human factors associated systems, and thus, raise confidence that the
with turbine overspeed protection systems. plants comply with GDC 4 by providing
assurance that turbine overspeed event
Operating experience indicates that the initiator frequency is consistent with
frequency of turbine overspeed events is assumptions.

iii NUREG-1275, Vol. 11

 CONTENTS
Page
ABSTRACT ........................................................................
...
111

EXECUTIVE SUMMARY ........................................................... ix

FOREWORD ...................................................................... xiii
ABBREVIATIONS .................................................................. xv
1 INTRODUCTION .............................................................. 1
2 HISTORICAL REVIEW ........................................................ 1
3 SALEM UNIT 2 OVERSPEED EVENT .......................................... 7
3.1 Description of the Event ..................................................... 7
3.2 Licensee's Response to the Event ............................................. 11
3.3 NRC Responses to the Event ................................................. 15

3.3.1 Immediate Actions .................................................... 15

3.3.2 Longer Term Actions .................................................. 16
3.4 Root Causes of the Event .................................................... 16
3.4.1 Equipment Failure .................................................... 17
3.4.2 Inadequate Preventive Maintenance ..................................... 17
3.4.3 Inadequate Review and Feedback of Operational Experience .............. 17
3.4.4 Inadequate Surveillance Testing ......................................... 17
3.4.5 Human Factors Deficiencies in Front Standard Testing .................... 17
3.4.6 Test Lever ............................................................ 17
4 NUCLEAR INDUSTRY INITIATIVES AFTER THE SALEM UNIT 2
OVERSPEED EVENT .......................................................... 18
4.1 Public Service Electric and Gas Company at Salem Units 1and 2 ................ 18
4.2 Public Service Electric and Gas Company at Hope Creek ........................ 18
4.3 Westinghouse Power Generation Business Unit ................................. 19
4.4 General Electric Power Generation Division .................................... 21
4.5 Nuclear Power Plant Insurers ................................................. 22
4.6 Waterford Unit 3 ............................................................ 23
4.7 Comanche Peak Units 1and 2 and Siemens/Allis Chalmers Turbines ............. 25
4.8 Specialized Turbine Overspeed Protection System Solenoid-Operated Valves ...... 26
5 RECENT OPERATING EXPERIENCE .......................................... 26
5.1 Diablo Canyon .............................................................. 26
5.1.1 Diablo Canyon Unit 1Turbine Overspeed Event (September 12, 1992) ...... 26
5.1.2 Diablo Canyon Unit 2 Test Handle Trip (January 30, 1993) ................. 28
5.2 St. Lucie Unit 2 ............................................................. 30
5.2.1 St. Lucie Unit 2 Turbine Overspeed Event (April 21, 1992) ................. 30

V NUREG.1275. Vol. 11
 CONTENTS (continued)
Page
5.2.2 St. Lucie Unit 2 Spurious Tbrbine Trip During Solenoid-Operated
Valve Testing (July 10. 1992) ............................................ 32
5.3 Big Rock Point .............................................................. 34
5.3.1 Big Rock Point Common-Mode Bypass Valve Failures .................... 34
5.3.2 Big Rock Point Repetitive Failures of the Tbrbine Trip System ............. 34
5.3.3 Big Rock Point Long-Term Unavailability of Emergency
Governor Exerciser .................................................... 38
5.4 Palisades Common-Mode Failure of Six Steam Admission Valves ................. 38
5.5 Comanche Peak Unit 1Inadequate Followup to Tbrbine Overspeed
Protection System Test Failure (May 16. 1992) .................................. 40
6 FINDINGS ..................................................................... 41
6.1 Complacency %ward nrbine Overspeed ...................................... 41
6.2 Testing That Defeats Diversity ................................................ 41
6.3 Nonrevealing Surveillance %sting ............................................. 42
6.4 Inadequate Solenoid-Operated Valve Maintenance .............................. 42
6.5 Electrohydraulic Control System Fluid Quality ................................. 42
6.6 Electrohydraulic Control System Fluid Incompatibility .......................... 44
6.7 Human Factors Deficiencies .................................................. 45
6.8 Surveillance Testing Required By Plant achnical Specifications .................. 45
7 CONCLUSIONS ................................................................ 45
7.1 Missiles .................................................................... 45
7.2 ...................................................
Fires. Explosions. Flooding 46
7.3 Common-Mode Failure Precursors ............................................ 46
7.4 Industj Response to the Salem Unit 2 Overspeed Event ........................ 46
7.4.1 Overview ............................................................. 46
7.4.2 nrbine Manufacturer Actions .......................................... 47
7.4.3 Nuclear Utility Actions ................................................ 47
7.5 ?i.ip Test Lever Human Factors Deficiency ..................................... 47
7.6 Overestimate of Design Life of lhrbine Overspeed Protection System
Components ................................................................ 47
7.7 Nonconservative Probabilistic Assessments .................................... 48
7.8 Bends in Tbrbine Overspeed Protection System %sting ......................... 48
7.9 Procedures for Shutting Off Steam Supply ..................................... 48
7.10 Summary ................................................................... 48
8 REFERENCES ................................................................ : 49

NUREG.1275. Vol. 11 vi
 CONTENTS (continued)
APPENDICES
Page

A LIST OF PLANTS BY SUPPLIER-REACTOR, TURBINE, GENERATOR

B SUMMARY OF SERT REPORT RECOMMENDATIONS
C CUSTOMER ADVISORY LE’ITER 92-02, “OPERATION, MAZNTENANCE,
TESTING OF, AND SYSTEM ENHANCEMENTS TO TURBINE OVERSPEED
PROTECTION SYSTEM’
D AVAILABILITY IMPROVEMENT BULLETIN 9301, “STEAM TURBINE
OVERSPEED PROTECTION SYSTEM”
E HAMMERVALVE
F OPERATION & MAINTENANCE MEMO 108, “MAINTENANCE OF
MAIN STOP VALSES & REHEAT STOP VALVES”

FIGURES

1 W-estimated probability of missile ejection from Salem Unit 2 turbine as a function

of valve test interval ............................................................. 5
2 Schematic of Salem turbine control system prior to November 1991 ................... 9
3 Schematic of Salem type (generic) emergency and overspeed protection control system
prior to November 1991 .......................................................... 10
4 Photograph: Salem Unit 2, showing holes in turbine casing .......................... 12
5 Photograph: Salem Unit 2, showing damage to low-pressure turbine .................. 13
6 Photograph: Salem Unit 2, showing condenser damage.. ............................ 14
7 Proposed improvement of Salem type (generic) emergency and overspeed protection
control system .................................................................. 20
8 Waterford Unit 3 turbine control system........................................... 24
9 Diablo Canyon turbine steam admission valves ..................................... 27
10 Photographs: Salem Unit 2 front standard panel (original and modified) .............. 29
11 St. Lucie block for testing EHC system SOVs independently ......................... 33
12 Big Rock Point-Original hand-trip so1enoi.d valve .................................. 37
l3 Big Rock Point-Replacement hand-trip solenoid valve .............................. 39
14 Cross-sectional drawing of Parker Hannifin SOV MRFN 16MX 0834 ................. 43

vii NUREG-1275,Vol. 11
 CONTENTS (continued)
TABLES
Page
1 Turbine system reliability criteria ................................................. 4
2 U.S. nuclear plant turbine overspeed events ........................................ 6
3 Precursors to the Salem Unit 2 overspeed event ..................................... 8
4 Major modifications made at Salem Units 1and 2 .................................. 18
5 Turbine overspeed protection system enhancements made at Hope Creek .............. 19
6 Big Rock Point failure to trip history before 1992 ................................... 35

NUREG.1275. Vol. 11
...
VI11
 EXECUTIVE SUMMARY

On November 9, 1991, the Salem Unit 2 overspeed events can result in discharges of
nuclear power plant experienced a destructive flammable, explosive fluids, and collateral
turbine overspeed. The event did not result in flooding. The Salem event raised questions
any release of radioactivity or personnel about the adequacy of plant protection from
injury; however, it did cause extensive damage explosions, fires, and flooding which could
to nonsafety-related equipment, and it did result from turbine overspeed events. For-
result in a 6-month outage. Safety-related tunately, the exceptional dedicated fire fight-
equipment needed to cope with an accident or ing group and the "open" turbine building at
shut down the plant was not affected. The Salem helped minimize the effects of the fires
overspeed occurred as a direct result of and explosions which occurred.
simultaneous common-mode failures of three
solenoid-operated valves in the turbine's Although many utilities, including the Salem
overspeed protection system. As a result of licensee, have made recent submittals to the
the event, a comprehensive review and eval- NRC advocating the position that reducing
uation of turbine-generator overspeed protec- the frequency of turbine overspeed protection
tion systems at U.S. light-water reactors was system tests will reduce the likelihood for
performed by AEOD. destructive overspeed events, the turbine
manufacturers have emphasized the necessity
AEOD conducted extensive reviews of the for frequent surveillance testing of turbine
Salem event, its causes, and the corrective overspeed protection systems. However, tur-
actions taken at Salem and at other nuclear bine overspeed protection system testing as
plants, actions taken by major turbine manu- performed at many plants is incapable of
facturers and by the U.S.Nuclear Regulatory revealing the degradation and failure of re-
Commission in response to the Salem event. dundant components as experienced at Salem.
Furthermore, the turbine overspeed protection
system testing required by many nuclear
AEOD's review found that there were many plants' Technical Specifications focuses only
precursors to the Salem overspeed event. on possible sticking of steam admission or
However, before the Salem event, the potential bypass valves and does not address the elec-
for compromising the diverse and redundant trohydraulic control system or its associated
turbine overspeed protection systems resulting hardware.
in a destructive overspeed event was con-
sidered highly unlikely. The manufacturer of As a result of the Salem event, there has been
the Salem Unit 2 main turbine had previously a heightened awareness of the potential for
estimated the likelihood of a turbine missile main turbine overspeed. Many utilities have
ejection event (primarily caused by a turbine modified their turbine overspeed protection
overspeed) to be on the order of to 10" system maintenance and testing practices and
per turbine-year which is well below the NRC the major turbine manufacturers have given
staff's evaluation criteria of 10-5 to 10"per their equipment owners guidance to reduce
turbine-year. However, the point estimate for the likelihood of another destructive turbine
a destructive turbine overspeed event based overspeed event. However, our sample survey
on operating experience (one failure at Salem) found that many plants have not effectively
is much higher, about per turbine-year. implemented the turbine manufacturers'
recommendations.
NRC's concerns for turbine hazards have
historically focused upon large, high energy AEOD performed indepth examinations of
missiles that would damage safety equipment. common-mode equipment failures, and
The Salem event (as well as other events) deficiencies in operating, maintaining and
demonstrated that the vibration from turbine testing turbine overspeed control systems.

ix NUREG-1275, Vol. 11
The root causes of many turbine overspeed Missiles.” These analyses were taken as the
protection system malfunctions were: bases to assure that U.S. light-water reactors
meet the NRC’s requirements that structures,
lack of understanding of the sensitivity of systems and components important to safety
hydraulic oil to contaminants be appropriately protected against the effects
of missiles that could result from equipment
lack of understanding of the limited failures in accordance with the NRC’s General
design life of solenoid-operatedvalves Design Criterion (GDC) 4,“Environmental
and dynamic effects design bases” (US.Code
failure to recognize the need for individ- of Federal Regulations, Title 10, Part 50,
ualized testing of redundant components Appendix A).
failure to provide backups when defeat- The turbine overspeed frequency assumption
ing protective equipment during testing is a part of many plants’ analyses demonstrat-
ing plants meet GDC 4.However, compliance
failure to provide operators with specific with GDC 4 can be demonstrated by analyz-
instructions on how to proceed when a ing missile trajectories and the physical
test anomaly is observed barriers protecting structures, systems, and
components important to safety.
failure to integrate human factors con-
siderations into a highly stressful test The study questions the completeness of plant
environment safety analysis regarding another aspect of
compliance with GDC 4 the issue of damage
Important differences were found among from vibration and discharge of flammable,
turbine manufacturer practices: for example, explosive fluids and collateral flooding which
equipment hardware; physical configuration; can result from turbine overspeed. This issue
and guidance for operations, maintenance, is the subject of another M O D study which
surveillance, and testing of turbine overspeed is currently underway.
protection systems. Significant plant to plant
variations were found in the way turbine The report focuses on deficiencies associated
manufacturer guidance was implemented re- with turbine overspeed protection systems.
garding maintenance, operations, and testing For example:
of turbine overspeed protection systems.
0 common-mode hardware deficiencies
Reviews are provided of the Salem precursor
events (Ginna, Crystal River, and Salem) and steam admission valve failures at
other similar events that have occurred after Diablo Canyon and at Palisades
the Salem overspeed event (events at St. Lucie,
Diablo Canyon, Big Rock Point, and sticking of turbine bypass valves at
Comanche Peak). These recent events indicate Big Rock Point due to solidification
that many of the lessons from the Salem event of Garlock 938 valve packing
have not yet been adequately disseminated
and learned. They are viewed by B O D as incompatibility between hydraulic
precursors to future turbine overspeed events. fluids and electrohydraulic control
system solenoid-operated valves
The Salem overspeed event provides a point
estimate of turbine overspeed failure rate of overestimation of pressure switch
about per turbine-year. NRC accepted design life, etc.
analyses which assumed a maximum turbine
failure rate of lo4 per turbine-year in 0 common-mode testing deficiencies
accordance with Regulatory Guide 1.115,
“Protection Against Low-Trajectory Wbine - methodology

NUREG-1275, Vol. 11 X
 - effectiveness of testing - fluid cleanliness
- defeating diversity and/or redun- Eliminating the aforementioned deficiencies
dancy, “smart testing”
can enhance the reliability and operability of
- human factors the main turbine-generators and their over-
speed protection systems, help reduce the
- procedures frequency of turbine overspeed events, and
thereby raise confidence that the turbine
0 common-mode maintenance deficiencies overspeed protection systems will operate
reliably to assure conformance with assumed
- frequency turbine overspeed initiator frequencies in
Regulatory Guide 1.115and compliance with
- design life GDC 4.
 FOREWORD
This report presents the results of an indepth (2) poor periodic testing of turbine control
examination of the Salem Unit 2 overspeed and protective equipment.
event, subsequent industry initiatives, and
recent operational experience. It reviews The Salem event indicates that the likelihood
details of the event, the root causes and con- of a damaging overspeed event is higher than
tributing causes of the event, precursors, and previously estimated and that the conse-
followup actions taken by the licensee at quences of turbine overspeed can go beyond
Salem Units 1and 2 and its adjacent Hope just missile generation. As a result, the Office
Creek plant. Information about other more for Analysis and Evaluation of Operational
recent events involving turbine overspeed and Data is conducting a parallel study of the
turbine control system malfunctions and safety consequences of catastrophic turbine
actions taken by the Nuclear Regulatory failures, particularly those resulting in fire,
Commission and the U.S. nuclear community flooding, and missiles.
is included.
This document does not contain any new
regulatory requirements. It is being distrib-
uted for information to assist licensees in
The root causes of turbine overspeed were improving performance and enhancing nuclear
found to be (1)poor turbine control and safety by incorporating the lessons learned
protective equipment maintenance and from operating experience.

xiii MJREG-1275, Vol. 11

 ABBREVIATIONS

AEC U.S. Atomic Energy Commission HTS hand-trip solenoid

AEOD Analysis and Evaluation of
Operational Data (NRC's IN Information Notice
Office for) LER Licensee Event Report
AIl3 Availability Improvement LWR light-water reactor
Bulletin [Westinghouse]
AIT Augmented Inspection Team MLEA Main Line Engineering Associates
(NRC) [of Exton, PA]
AST auto stop oil MOV motor-operated valve
ATT automatic turbine testing MSL main steam line

BOP balance of plant NRC U.S. Nuclear Regulatory

Commission
CAL Customer Advisory Letter NRR Nuclear Reactor Regulation (NRC's
[Westinghouse] Office of)
CB containment building
CE Combustion Engineering PG&E Pacific Gas & Electric Co.
PSE&G Public Service Electric and Gas
DEH digital electrohydraulic (control PWR pressurized-water reactor
system) [Westinghouse]
RPS reactor protection system
ED0 Executive Director for Operations
(NRC) SERT Significant Event Review Team
[Salem/PSE&G]
EGE emergency governor exerciser sov solenoid-operated valve
[Big Rock Point]
EHC electrohydraulic control TIL Technical Information Letter
ESFAS engineered safety feature actuation [General Electric]
system TOPS turbine overspeed protection
system
FPL Florida Power and Light Company TS Technical Specification
TSV turbine stop valve
GE General Electric Company
GDC General Design Criterion W Westinghouse Electric Corporation
1 INTRODUCTION S . Bush (Ref. 1) published information about
21 main turbine failures that occurred
throughout the world between 1950 and 1972.
On November 9,1991, a turbine overspeed Bush's paper provides the basis for NRC
event at the Salem Unit 2 nuclear power plant assumptions about turbine failure rates.
caused extensive damage to the turbine, gen-
erator, and main condenser. The turbine over- Fourteen of the 21 failures generated missiles
speed event resulted in a hydrogen explosion that penetrated the turbine casing. Of these
and fire, as well as lube oil fires. 14 events, 9 were caused by manufacturing
defects or design deficiencies in the rotating
Although there was no loss of life or personnel parts and occurred near or at normal operat-
injury, the event resulted in property damage ing speeds. Bush noted that, due to improved
and a 6-month plant shutdown. turbine design and improved manufacturing
techniques, most of these failures would be
At the request of the U.S. Nuclear Regulatory unlikely to recur. The other five overspeed
Commission's (NRC's) Executive Director for events that generated missiles were caused by
Operations (EDO), the NRC Office for Anal- common-mode failures-sticking of steam
ysis and Evaluation of Operational Data control and dump valves. The valves were
(AEOD) expanded its ongoing study of the prone to such failures because of the small
Salem Unit 2 overspeed event in 1992. clearances around the valve stems and the
This report presents the results of an indepth presence of foreign material. The small
clearances were also aggravated by faulty
study of the Salem Unit 2 overspeed event, adjustments, design errors, shop errors, and
subsequent industry initiatives, and recent faulty materials. Information about similar
operational experience. The report reviews main turbine failures appears in a 1973
details of the event, the apparent and root General Electric (GE) mern0.l Of interest is a
causes of the event, precursors, and followup 1970 event in which a low-pressure rotor of a
actions taken by the licensee at Salem Units 1 Mitsubishi turbine undergoing factory testing
and 2 and Hope Creek (an adjacent plant burst at 117 percent of rated speed. An 8-ton
owned by the same utility). The report fragment was thrown eight-tenths of a mile.
includes information about other more recent Details about a significant overspeed event
events involving turbine overspeed and turbine which did considerable damage at Uskmouth
control system malfunctions and describes #5 in the United Kingdom in 1956 are also
actions taken by the NRC, other utilities, germanel. The turbine oversped to 170 per-
manufacturers, and the insurance companies cent of rated speed and burst the low-pressure
that provide liability and property damage rotor. The event was caused by common-mode
coverage to U.S. nuclear power plants. The contamination of the lubrication and hy-
report also delineates actions for improving draulic oil. Fine iron oxide particles which
the reliability of the turbine overspeed resulted from water intrusion in the oil cooler
protection system (TOPS) to reduce the deposited sludge which caused simultaneous
likelihood of experiencing a catastrophic sticking of hydraulic control valves and redun-
turbine overspeed event. dant oil trip valves in the emergency over-
speed system. Bush (Ref. 1) stated that the
2 HISTOMCALREVIEW Uskmouth failure resulted from stuck steam
admission valves which were caused by
lbrbine failures have long been recognized as magnetite buildup.
having the potential for throwing off missiles
that can cause loss of life, extensive damage, Most of the overspeed events described by
long plant outages, and major financial loss. Bush (Ref. 1)occurred at non-nuclear
Many catastrophic turbine failures have 'General Electric Company,W i n e Department, "Memo Re-
occurred because of manufacturing or design p " " - H . thetical Ibrbiine Missiles-Probability of Occur-
defects, as well as from human error. In 1973, rence," rch 14,1973.

1 NUREG-1275, Vol. 11
facilities with high-temperature steam experience and the perceived diversity of
(fir1000 OF). High-temperature steam pro- TOPS (i.e., electronic, mechanical, electro-
moted the buildup of “boiler salts”-that is, hydraulic speed sensors and control fluid
salts or oxides-on the steam admission subsystems), the AEC/NRC concentrated on
valves. The buildup of such foreign materials verification that the steam admission valves
would not be expected at the lower tempera- were not stuck, while overlooking other critical
tures in light-water reactors (LWRs) (-650 OF hydraulic, mechanical, and electrical sub-
steam). In addition, tight control of water system components such as solenoid-operated
chemistry at LWRs reduces the likelihood for valves (SOVs), pressure switches, relays, etc.
common-mode sticking of turbine steam Although NRC Standard Review Plan 10.2
admission valves. In the U.S., early-vintage (Ref. 2) noted that such components needed to
pressurized- water reactors (PWRs) used be testable, the NRC did not require surveil-
phosphate-type secondary-side water treat- lance testing of these components. Plant
ment. The phosphates were found to be a designs were analyzed for turbine failures as a
major cause of turbine steam valve sticking. result of which missiles could penetrate the
Switching from phosphate treatment to containment building (CB) and affect safety
all-volatile treatment reduced the salt buildup systems. To protect against turbine-generated
problems and improved turbine valve relia- missiles, the turbines at many plants were
bility. Bush also noted that the incidence of oriented in a “favorable direction” with the
overspeed events markedly decreased (in axis of rotation perpendicular to the CB so
non-nuclear plants) between 1961and 1972 that turbine-generated missiles would not be
because turbine valves were exercised daily or likely to strike the CB.
weekly during load change tests. Exercising
the valves eliminated the buildup of deposits Using the methodology outlined in Regulatory
in the valve stem guide area. Guide 1.115 (Ref. 3) to show that the likeli-
hood of turbine missiles causing unacceptable
damage to safety-related equipment was less
In the early 1970’s, when Bush wrote his than per turbine-year, licensees were able
paper, experience with main turbine failures to demonstrate that their plants’ main
led to estimates of turbine missile frequency turbine-generators met the NRC’s licensing
of about lo4 per turbine per year. However, requirements of General Design Criterion
Bush’s paper indicated the expectation that (GDC) 4 of Appendix A to Part 50, Title 10 of
technological improvements in manufacturing the Code of Federal Regulations (10 CFR
and testing would reduce the turbine missile pef. 41). The Regulatory Guide 1.115
generation probabilities. The turbines used at methodology is as follows:
most U.S.nuclear plants benefitted from
advancements in manufacturing and inspec- The probability of a turbine missile
tion techniques that were not available for the striking safety-related equipment and
turbines that failed from 1950 through 1972. If causing unacceptable damage is referred
periodic inspections are performed properly to as P4. It is the product of 3 proba-
and defects repaired satisfactorily, catastroph- bilities (i.e., P4 = P1 x P2 x P3)
ic main turbine failures would not be expected PI E probability that a high energy
to occur at U.S. nuclear plants unless there turbine missile will penetrate its
was a turbine overspeed. Because of earlier casing
turbine failure history, the U.S. Atomic
Energy Commission (AEC), its successor P2 probability that the high energy
agency, the NRC, and the licensees focused on turbine missile will strike safety-
steam admission valve operability and diver- related equipment (referred to as
sity of overspeed protection systems (types of the “strike” probability)
speed sensors) as ways of minimizing the
damage to the plants from such credible P3 = probability that the high energy
events. Based upon earlier fossil plant turbine missile strike will cause

NUREG-1275, Vol. 11 2
 unacceptable damage to safety- strike and damage probabilities for favorably
related equipment (referred to as oriented turbines and for unfavorably
the “damage” probability). oriented turbines.
In accordance with Regulatory Guide 1.115,if The turbine system reliability criteria pro-
a licensee could demonstrate P4 to be less vided as guidance in Reference 5 have been
than assuming P1 equals lo4 (based reproduced in Table 1.
upon Bush [Ref. l]),the plant’s main turbine-
generator was considered to have satisfied A 1987 W topical report sponsored by several
GDC 4 turbine missile concerns. Such analy- W turbine ownedb supported relaxing the
ses overlooked vibration-induced fluid leaks frequency with which the turbine steam
(of hydrogen and of lubrication and hydraulic admission valves are exercised. The topical
oils) that could accompany a destructive report estimated the probabilities of turbine
turbine overspeed. missile ejections due to overspeed at the
respective plants. If the November 9, 1991,
A 1987 NRC staff review of Westinghouse overspeed event at Salem Unit 2 is considered,
Electric Corporation (Yl) topical reports on the JYtopical report’s probabilistic assess-
turbine missiles, turbine failures, and turbine ment of turbine missile ejections at Salem
overspeed noted that based upon various Unit 2 can be shown to be nonconservative by
licensing applications, the turbine missile three to five orders of magnitude (see Fig-
“strike and damage probability” (i.e., the ure 1).The assessment is nonconservative and
probability of having a high energy turbine therefore invalid because the turbine and its
missile strike and cause unacceptable damage overspeed protection system were not main-
to safety-related systems) was estimated to be tained and tested in the manner assumed in
between and for unfavorably ori- the analysis. Common-mode errors involving
ented turbinesla, and between lo4 and human factors and equipment could not be
for favorably oriented turbines. The NRC and were not quantified or included in the
staff’s safety evaluation report (Ref. 5) assessment. This issue is discussed in detail in
approved the use of the W topical reports. It Section 7.4 of this report.
provided the foundation for licensing actions
in which the Technical Specification (TS) Several turbine overspeed events have oc-
requirements for turbine overspeed testing curred at U.S. nuclear power plants, although
were relaxed for plants with turbines. the Salem Unit 2 event is the only one known
Reference 5 noted the large uncertainty in the to have generated missiles. TLubine overspeed
likelihood for turbine missile generation: events at U.S. LWRs are listed in Table 2. The
Salem Unit 2 event caused significant damage
. . . depending on the specific and resulted in a 6-month outage. Chapter 3
combination of material properties, of this report provides more details. Appen-
operating environment, and mainte- dix A contains a list of the manufacturers of
nance practices, the P1 (probability main turbines and generators at all U.S.
of turbine missile generation) can LWRS.
have values between lW9to 10-1 per
turbine-year depending on test and At U.S. nuclear power plants, main turbines
inspection intervals. are categorized as balance of plant (BOP)
equipment. However, as noted below, at many
The NRC staff’s safety evaluation report plants the turbine trip function is part of the
(Ref. 5) discouraged the elaborate calculation engineered safety feature actuation system
of the strike and damage probabilities for low- (ESFAS) instrumentation, the safety-related
trajectory turbine missiles. As an alternative it
gave credit of for the product of the IbWestinghouse Electric Corporation (Westinghouse Proprie-
ta Class2) Re ort WCAP-11525, “Probabilistic Evaluation
Imrbines with the axis of rotation parallel to the CB. of%eduction inhrbme Valve %t Frequency,” June 1987.

3 NUREG-1275, Vol. 11
 Table 1 Turbine system reliability criteria*

P1 = 'hrbine missile ejection probability, yrl

~ ~~ ~~~

Favorabiy Unfavorably
Oriented Turbine Oriented Turbine Required Licensee Action

(A) Pi lo4 p1 10-5 This is the general, minimum reliability

requirement for loading the turbine and
bringing the system on line.
(B) 104< p1 10-3 10" P1 < lo4 If this condition is reached during operation,
the turbine may be kept in service until the
next scheduled outage, at which time the
licensee is to take action to reduce P1 to
meet the appropriate A criterion (above)
before returning the turbine to service.
(c) 10-3 < p1 < 10-2 lo4 P1 .e 10" If this condition is reached during operation,
the turbine is to be isolated from the steam
supply within 60 days, at which time the
licensee is to take action to reduce P1 to
meet the appropriate A criterion (above)
before returning the turbine to service.
(D) < PI 10-3 p1 If this condition is reached at any time
during operation, the turbine is to be iso-
lated from the steam supply within 6 days, at
which time the licensee is to take action to
reduce P1 to meet the appropriate A criter-
ion (above) before returning the turbine to
service.

*Reference 5 (NRC safety evaluation of E to ical reports providing probabilistic assessments of turbine failures, turbine overspeed, and
turbine missiles). These criteria provide guiznce for use in determining turbine disc inspections and maintenance and testing schedules
for turbine control and overspeed protection systems.

NUREG-1275, Vol. 11 4
 1 I I I I I I I I. I I I I
I

0
v-
I

!
5
Y

3
2e

I I I I I I I I I I I I I 1

INTERVAL BETWEEN TURBINE VALVE TESTS (months)

Figure 1 JY-estimated probability of missile ejection from Salem Unit 2 turbine

as a function of valve test interval (reproduced with permission from
Westinghouse Electric Corporation)
 Table 2 U.S. nuclear plant turbine overspeed events*

-
Plant Date Maximum turbine speed
Yankee Rowe 1960 (Factory Testing) 120 %
Yankee Rowe** 1960-1980 20 events 111%
San Onofre Unit 1 July 1972 133 %
Davis Besse September 1977 > 111%
Haddam Neck January 1982 > 128 %
D.C. Cook Unit 2 January 1983 > 112%
Crystal River Unit 3 February 1988 103 %
Three Mile Island Unit 1 September 1991 > 109 %
Salem Unit 2*** November 1991 160 %
St. Lucie Unit 2 April 1992 103 %
Diablo Canyon Unit 1 September 1992 104 %
Beaver Valley Unit 1 October 1993 > 111%

*In recent years, several destructive turbine overspeed events have also occurred at U.S.fossil-powered plants.
Events in which turbine s eed exceeded 100 percent but was less than 109 percent are included because they were the
result of operational TO€& equipment malfunctions and some of them are viewed as precursors to more senous
(destructive) overspeed events.
This table should not be construed as being complete since other events may not have been reported.
?)picalv, mechanical overspeed testing at 1 l O F c e n t overspeed isperformed once per fuel cycle and GE turbine
instruction manuals recommend testing every to 12 months and a ter certain maintenance work is performed).
**Yankee Rowe sustained major turbine damage in 1980 (overspeed not involved during that event).
***The Salem Unit 2 event was the only ovenpeed event that generated missiles which penetrated the casing.

function of which is to reduce the potential for after a reactor scram. At some of those plants,
severe overcooling transients and mitigate the the P-4 interlock also provides for a turbine
consequences of steam generator overfill. Be- trip signal on high steam generator level.
cause of concerns about damage from turbine Plants that have TS requirements for periodic
overspeed and turbine missiles, TS of many ESFAS surveillance testing of the turbine trip
plants require that at least one TOPS be oper- function are not required to test each train of
able, that the steam admission valves undergo turbine trip signals independently. In boiling-
periodic test cycling and inspection, and that water reactors (BWRs), the turbine trip fea-
TOPS channels be calibrated periodically. ture is integrally connected to the RPS and
It is important to note that, although the tur- the turbine trip function for BWRs is also an
bine trip system serves an ESFAS function ESFAS feature. In PWRs and BWRs, inspec-
and is linked to the reactor protection system tion and maintenance requirements for main
OIpS), the limiting conditions for operation turbine electrohydraulic control (EHC) or
for the TOPS instrumentation are not in- auto stop oil (AST) systems and for their
cluded in TSs. At all H plants and at some component SOVs, pressure switches, etc.,
PWRs designed by other manufacturers, the associated with turbine trip, are not specific-
P-4 interlock provides for a turbine trip signal ally addressed in plant TSs.

NUREG-1275, Vol. 11 6
As part of their operating licenses, some requires reporting of TS violations and RPS
newer plants such as Seabrook and South actuations. As a result, in many cases the
%xas have committed to adopt turbine LERs provided little, if any, detail about the
maintenance programs recommended by the TOPS anomalies or failures.
turbine manufacturer and based on the manu-
facturer’s missile generation calculations, with
the alternative of period volumetric inspec- 3 SALEM UNIT 2 OVERSPEED
tions of all low-pressure turbine rotors. The EVENT
bases for the Seabrook TS requirements state
that the TOPS prevents the turbine from 3.1 Description of the Event
experiencing an excessive overspeed which
could generate missiles that “could impact Salem Unit 2 is an 1106 W e PWR with a
and damage safety-related components, equip- -
W turbine and a GE generator. On Novem-
ment or structures.” ber 9,1991, while the plant was operating at
100 percent power, the licensee was conduct-
ing a monthly test of turbine mechanical pro-
In contrast, many plants have virtually no TS tective devices (overspeed trip, vacuum trip,
requirements for the main turbines or their low-bearing oil pressure trip, and thrust
overspeed protection systems. bearing trip). In order to perform the test
without causing an unwarranted turbine and
Offsetting the NRC’s limited role in the area associated reactor trip, the testing required
of main turbines and TOPS is the fact that complete isolation of the AST system from the
failures of the main turbine and its associated turbine control or trip function. An operator
systems have the potential to cause significant isolated the AST system by holding the tur-
financial loss and erode public confidence. bine bypass lever (overspeed trip test lever) in
The plants are supposed to be designed so the test position (see Figure 2). Disabling the
that turbine/generator-inducedfailures or AST system defeated the mechanical over-
hazards do not create conditions outside the speed trip and 12 additional remote trip
plants’ safety analyses. However, the AEOD signals. During testing, while the mechanical
staff have observed situations where turbine overspeed trip is disabled, protection against
building hazards could have the potential for overspeed is provided by three redundant
affecting safe plant operation. AEOD is SOVs: ET-20, which is designed to be actu-
studying the issue of turbine building hazards ated on a reactor scram, and OPC 20-1 and
and will publish a special report on the issue OPC 20-2, which are designed to actuate at
soon. turbine speeds of about 103 percent (see
Figure 3).
There were many precursors to the Salem
Unit 2 overspeed event (see Table 3). However, On November 9,1991, the licensee had just
the lessons to be learned from those events successfully completed testing the mechanical
generally went unheeded. In some cases, the protective devices when a momentary
licensees’ reporting of the events focused on (1.5 second) drop in the AST system pressure
the initiating events and did not raise con- occurred. The low AST system pressure
cerns about the overspeed potential. The most caused the interface valve to open and relieve
likely reasons being the main turbine and the electrohydraulicfluid pressure (see Fig-
generator were considered to be nonsafety ure 2). This fluid pressure drop was inter-
BOP items, and the possibility of a destructive preted by the RPS as a turbine trip signal and
turbine overspeed event resulting in missile generated a reactor scram, signaling the
ejection compromising public health and turbine stop valves (TSVs), governor valves,
safety was not considered credible. The pre- reheat stop valves, and intercept valves to
cursor events that were reported in licensee close. The RPS signaled the EHC system to
event reports (LERs) were reported in trip the emergency trip SOX ET-20. However,
accordance with 10 CFR 50.73 (Ref. 4), which ET-20 failed to respond to the demand signal.

7 NUREG-1275, Vol. 11
 Table 3 Precursors to the Salem Unit 2 overspeed event*

Licensee Event
Plant Date Report Number Failure Mode Cause

Ginna April 1985 50-244185-07 'lbrbine failed to trip on reactor trip Mechanical binding of solenoid valve.
when ET-20 solenoid valve failed
to operate on demand.
Crystal River February 1988 50-302188-06 'Ihrbine failed to trip on reactor trip Mechanical binding of solenoid valve.
when ET-20 solenoid valve failed
to operate on demand.
Salem Unit 1 August 1988 50-272188-15 Reactor and turbine trip occurred Clogged AST system supply orifices.
because of low AST pressure during
turbine control system testing.
Salem Unit 1 September 1990 50-272190-30 Reactor and turbine trip was induced Mechanical binding of solenoid
by an erroneous overspeed signal. valves due to sludge and debris.
Followup revealed that OPC 20-1
and OPC 20-2 would not function.
Ginna September 1990 50-244/90-012 'Ihrbine failed to trip on reactor trip Mechanical binding of solenoid valve
because solenoid valve ET-20 failed due to corrosion.
on demand.
Salem Unit 2 October 1991 50-311191-017 Deficiency in the OPC solenoid function Inadequate management control,
test was not satisfactorily resolved oversight, communication, and
before turbine startup. understanding of test results; failure
to follow procedures.
 TRIP-LATCII
MICRO

.-. -- ..---
--
Figure 2 Schematic of Salem turbine control system prior to November 1991
 1
I

TURBINE

I - I
i4!
BtOCK

T-
06
TRIP TRIP HEADER

LUBE OIL
SYSTEM) I--------
I
I
I
'1
I
I
.-------
I

Figure 3 Schematic of Salem type (generic) emergency and overspeed protection

control system before November 1991
The 30-second reverse power protection timer 11seconds after the generator output breakers
started at the time of the trip signal. When the opened, the TSVs reached the open position
1.5-second low AST pressure perturbation (> 90 percent open). At that time, the
cleared, the interface valve closed, the electro- turbine-generator was unloaded (disconnected
hydraulic trip fluid repressurized, and the from the grid) and receiving steam through
TSVs started to reopen. Because the AST the admission valves. The turbine started to
pressure switch 63-3/AST was incorrectly set, overspeed. As the turbine speed approached
the turbine's analog electrohydraulic system 103 percent, the overspeed protection con-
did not detect the initial turbine trip con- troller signalled for SOVs OPC 20-1 and OPC
dition. If 63-3/AST had been set correctly, 20-2 to shift positions to dump electrohy-
and had functioned properly, the analog elec- draulic trip fluid to close the intercept and
trohydraulic system would probably have governor valves to limit the overspeed con-
reduced the governor valve demand to zero dition to 103 percent. However, both SOVs
when the initial AST system pressure drop failed upon demand. The operator at the front
occurred. The analog electrohydraulic system standard panel continued to hold the trip test
could also have prevented the governor valve lever in the test position, disabling the
from reopening by actuating an auto-stop trip. mechanical overspeed trip and the 2O/AST
However, the failure of the 63-3/AST to electrical turbine trip solenoid valve.
actuate allowed the governor valves to reopen
when the AST pressure perturbation cleared. The turbine generator oversped to an
The main generator output breakers opened estimated 2900 rpm (about 60 percent above
as designed (the signal for main generator the design of 1800 rpm). The shaft vibrated
output breakers to open comes from the RPS severely and turbine missiles (blading)
with a 30-second time delay). However, about penetrated the 1-1/4inch-thick carbon steel

NUREG-1275, Vol. 11 10
turbine casing, making two elliptical holes on The RPS functioned per design throughout
one side of the turbine casing. Each hole was the event. The only anomalous behavior
between 15 and 20 inches across (see Fig- . during the post trip period was a drop in Tave
ure 4). There were also two tears 2 to 3 feet requiring main steam line (MSL) isolation.
long at the same axial location on the other The MSL isolation was performed in
side of the turbine. accordance with plant emergency operating
procedures and the plant was brought to cold
Some missiles landed over 100 yards away shutdown without any further thermohydraulic
from the turbine. (Note that the turbine is complications.
located on the roof of an open structure.) One
part of the turbine casing (about 15 inches by At all times during the event, the reactor was
20 inches by 1-l/4 inch thick) flew over the maintained safely shutdown. Safety-related
moisture separator-reheaters, and landed on a systems were not impacted and remained
truck about 40 yards away. The low-pressure operable throughout the event and imme-
turbine was destroyed (see Figure 5). About diately afterwards. There were no radiological
100 condenser tubes were cut by turbine blade releases. The only injury was to a plant secur-
shrapnel, and about 2500 condenser tubes had ity officer who suffered smoke inhalation (the
to be replaced (see Figure 6). No missiles officer did not require hospitalization).
penetrated the CB.

The high shaft vibration caused the mechan- The plant was shut down 6 months for repairs
ical seals from the hydrogen gas system (used with costs estimated at between $100 and $600
for generator field cooling) to fail. The hydro- million.
gen gas was released, and it ignited. There was
a hydrogen explosion and a hydrogen fire. The
generator was severely damaged and it had to 3.2 Licensee's Response to the
be replaced. Event

The vibration broke the generator bearing seal Within 2 hours of the reactor scram, the
oil supply line and the oil was ignited by the licensee convened a Significant Event Review
hydrogen fire. Seal and turbine lube oil spilled 'l3am (SERT). The team's charter was to
into the turbine building basement. assess all relevant aspects of the event to pre-
vent recurrence of similar events. The SERT
effort took 2000 person hours over 4 weeks.
The control room operators secured all the
turbine lube and seal oil pumps which were
feeding the fires. The fire brigade quickly The SERT performed a comprehensive inves-
suppressed the initial lube oil fires. Lube oil tigation of the event. It reviewed sequence-
fire reignitions occurred for several hours but of-events data and conducted functional tests
were quickly extinguished by the licensee's to reconstruct certain aspects of the event
onsite, dedicated fire brigade (the dedicated (e.g., cycled SOVs and turbine valves). The
fire brigade is made up of full time fire SERT also did an indepth review of the
fighters and is shared by Salem and Hope human factors aspects of the event and a
Creek which have a shared protected area). thorough review of testing procedures,
The fire brigade took prompt action to control manufacturer's recommendations, and plant
and extinguish the fires. The automatic fire TSs. The SERT reviewed previous industry
suppression systems actuated as designed. operating experience and worked with the
During the event, there was dense smoke from equipment suppliers and with several labora-
the fires. The turbine's location on an open tories to perform intrusive examination of the
deck rather than in an enclosed building failed equipment. The SERT's and the NRC
minimized the impact of the smoke from the Augmented Inspection Team's (AIT's) deter-
fires. minations of the root causes of the event agree

11 NUREG-1275, Vol. 11
 Figure 4 Photograph Salem Unit 2, showing holes in turbine casing

NUREG-1275, Vol. 11 12
Figure 5 Photograph: Salem Unit 2, showing damage to low-pressure turbine

NUREG-1275, Vol. 11
 Figure 6 Photograph: Salem Unit 2, showing condenser damage

NUREG-1275, Vol. 11 14
closely. Root causes determined by the SERT 0 technical specifications
and AIT appear in Section 3.4 of this report. 0 emergency procedures (including
The SERT reportlCmade 32 recommendations fire fighting)
for corrective action. The recommendations 0 review and feedback of
appear in Appendix B of this report. The first operational experience
six recommendations were categorized by the
licensee as relating to plant design: The final four SERT recommendations related
to personnel. They address human behavior,
evaluation of the turbine protec- human factors that contributed to the over-
tion systems and design speed event, and the corrective actions needed
enhancements to prevent recurrence (e.g., failure to examine
OPC 20-1 and OPC 20-2 testing anomalies
root cause assessment of SOV during the October 20,1991, testing). They
failures and implementation of also address the decision to defer replacement
corrective actions to prevent of Unit 2 SOVs during the spring 1991 “mini-
recurrence outage,” and lessons-learned training regard-
ing the November 1991 overspeed event.
(3) determination of the source of
the foreign material that entered By September 1992, the licensee implemented
the AST system and could have most of the 32 recommendations in the SERT
caused the AST system pressure report, with almost all of the remaining
perturbation recommendations scheduled for completion
before the end of 1992. It is important to note
(4) evaluation of the need for cor- that most of the recommendations applied to
recting human factor deficiencies Salem Unit 1as well as Salem Unit 2. Sec-
at the front standard panel tion 4.1 describes the major hardware, pro-
determination of all sources of cedural, and testing modifications made at the
steam that fed into the turbine Salem plants as a result of the overspeed
which resulted in the overspeed event. In addition, the technical staff at the
event licensee’s adjacent plant, Hope Creek2, has
reviewed the SERT report recommendations
evaluation of the adequacy of for applicability and has taken corrective
AST pressure switch settings action. Section 4.2 of this report summarizes
Hope Creek’s review and the corrective
The next 22 SERT recommendations were actions.
categorized as relating to programs. These
recommendations address adequacy of, and 3.3 NRC Responses to the Event
the need for changes to, programs associated 33.1 Immediate Actions
with
After being notified of the event, the NRC
0 surveillance testing formed an AIT consisting of two Salem
0 maintenance resident inspectors, three regional based
0 human factors enhancements inspectors, and two engineers from NRC
headquarters. The team arrived on site on
0 operator training November 10,1991.
The AIT’s primary tasks were to gather the
‘Tublic Service Electric and Gas Com any, Significant Event facts, determine the root causes, and identi@
Response ’Earn (SERT) R e p “ No.R S!! 91-06, “Salem
Unit 2 ReactorlIlrrbine l h p and lbrbine/Generator Failure 2Hope Creek is a BWR with a GE turbine and enerator. It is
of November 9,1991,” December 20,1991. 5.
located on the same site as Salem Units 1 and

15 NUREG-1275, Vol. 11
potential generic issues. The results of the tion of safety-related equipment”? Also
AIT efforts appear in References 6 and 7. noted was the fact that turbine control
systems affect and are affected by RPS
When the causes of the overspeed event were logic, whereas NRC inspection programs
known, NRC’s generic communications pay little attention to operability and
branch issued Information Notice (IN) 91-83 maintenance of BOP systems.
(Ref. 8) to alert licensees to the details of the
event. The licensees were expected to review In response to the NRC Region I Administra-
the information for applicability to their tor’s letter (Ref. 9), the Associate Director for
plants and consider actions to prevent similar Projects, NRR, noted that according to the
occurrences. NRC’s policy statement on TS improvements,
new Standard Technical Specifications “relo-
33.2 Longer Term Actions cate requirements for turbine overspeed
protection to licensee controlled documents”
Based upon the AIT’s findings, the NRC @e., procedures). In early 1992, NRR reviewed
Region I Administrator recommended to the the Salem Unit 2 turbine overspeed event.
Director of the Office of Nuclear Reactor The review found that the TSs of 18 of 45 W
Regulation (NRR) that the generic concerns plants do not require the ESFAS turbine trip
raised by the Salem Unit 2 overspeed event be function-the P-4 interlock-to be tested. As
evaluated to determine if regulatory action or noted in Chapter 2 of this report, the P-4 in-
generic communications were warranted terlock reduces the potential for severe over-
(Ref. 7). The generic concerns included the cooling transients and events that could lead
following: to steam generator overfill. It appears that the
lack of an adequate test for the P-4 interlock
TS inadequacies regarding TOPS contributed to the Salem overspeed event.
Standard Technical Specifications require The Associate Director for Projects, NRR,
only one TOPS operable and do not ad- noted (Ref. 9) that with regard to the need for
dress redundancy or diversity. In addi- an additional generic communication on
tion, the TSs address only the operability SOVs, IN 91-83 was adequate and that no
of the steam admission valves and do not further generic communications on SOVs
require surveillance of the control system were warranted at that time (February 1992).
and its components (SOVs, pressure It was also noted (Ref. 9) that NRR was
switches, etc.). evaluating the issue of fire vulnerabilities. The
Associate Director for Projects, NRR, noted
SOV failures that the issues concerning BOP equipment
will be covered by the NRC’s maintenance
These failures raise the question of rule (10 CFR 50.65 [Ref. 41).
whether a generic communication is
needed to focus licensee’s attention on 3.4 Root Causes of the Event
TOPS SOVs with regard to application,
design and design life, maintenance, The NRC-AITreport (Ref. 6) and the SERT
quality, and surveillance. reporth were in complete agreement on the
“contributing causal factors” for the Novem-
Turbine generator fires and their effects ber 9, 1991, overspeed event. Sections 3.4.1 to
upon nuclear safety-related equipment 3.4.6 summarize those “contributing causal
f?ctors,” many of which can be viewed as root
BOP equipment causes.

Is enough regulatory attention paid to =Public Service Electric and Gas Com any, Significant Event
BOP equipment and systems that could Response Team ( S E W Report No. R S
! 91-06, “Salem
Unit 2 Reactormrbine Cnip and ’IbrbinelGeneratorFailure
“adversely affect or challenge the opera- of November 9,1991,” December 20,1991.

NUREG-1275, Vol. 11 16
3.4.1 Equipment Failure single failure of either SOY The same
was true for simultaneous surveillance
All three overspeed system SOVs were testing of ET-20 and AST 20. (The tur-
mechanically bound and so could not shift bine manufacturer did not provide any
position on demand. Because of testing guidance for testing of SOVs, individually
inadequacies or human errors, the failures or as a group.)
were not detected by previous testing.
(3) Operators and supervisors allowed tur-
3.4.2 Inadequate Preventive Maintenance bine startup (October 20, 1991) when
surveillance testing indicated malfunc-
The licensee failed to recognize the need tions of the TOPS (OPC 20-1 and 20-2).
for SOV or AST pressure switch preven- They thought that concurrent failure of
tive maintenance. This failure was partly both SOVs was incredible and that
due to the absence of manufacturer or something must have been wrong with
turbine vendor recommendations for their test procedure.
preventive maintenance.
3.4.5 Human Factors Deficiencies in
The licensee failed to perform corrective Front Standard Testing
and preventive SOV maintenance as
identified by Salem Unit 1operating To perform the test, the necessity to hold
experience, in accordance with a pre- the overspeed trip-test lever in an awk-
viously committed to schedule. ward position for about 20 minutes.
Furthermore, there was no positive indi-
3.4.3 Inadequate Review and Feedback of cation to allow the operator to determine
Operational Experience if the overspeed trip-test lever was in the
test or the normal position. In addition,
The licensee failed to recognize or follow up the amount of lever movement needed to
on five precursor events involving turbine take the lever out of the test position was
control systems and SOVs (two events at only about 1inch. The total range of lever
Salem Unit 1, two events at Ginna, and one motion was only 2 inches. Inadvertent
event at Crystal River Unit 3 [see Table 31). movement out of the test position during
testing would result in a reactor scram.
3.4.4 Inadequate Surveillance Testing
Absence of communication between the
Most of the automatic turbine trip signals control room and front standard
and features are bypassed during monthly operator.
testing of the turbine mechanical protec- Absence of turbine speed indication to
tive devices. Turbine overspeed protection the operator at the front standard (a
reverts to a backup system with an elec- tachometer at the front standard had
trically actuated emergency trip SOV been disconnected and abandoned in
(ET-20) and two redundant electrically 1986).
actuated overspeed protection SOVs
(OPC 20-1 and 20-2). However, before 3.4.6 Test Lever
performing the monthly tests, the licensee
did not verify the operability of the emer- Although the SERT report noted that the root
gency trip SOV (ET-20) and failed to cause of the initial reactor scram was foreign
recognize that the overspeed protection material blockage of a reducing orifice in the
SOVs (OPC 20-1 and 20-2) had both AST system, the licensee noted that it could
failed their surveillance tests when they not rule out the possibility that the operator
were performed 3 weeks earlier. holding the test lever at the turbine's front
standard may have allowed the lever to move
Surveillance testing of redundant SOVs slightly, thereby causing the AST system
(OPC 20-1 and 20-2) could not reveal a pressure perturbation.

17 NUREG-1275, Vol. 11
Corrective actions that were taken by the Electric ana Gas Company (PSE&G) formed
licensee at both Salem units are described in a SERT to assess all relevant aspects of the
Section 4.1 of this report. event to prevent similar events. The SERT
thoroughly investigated the root causes of the
event and made 32 recommendations for
corrective action (Section 3.2 and Appendix B
4 NUCLEAR INDUSTRY of this report contain summaries and descrip-
INITIATIVES AFTER THE tions of those recommendations, respectively).
SALEM UNIT 2 OVERSPEED
EVENT The licensee implemented almost all of the
SERT recommendations at Salem Units 1
The Salem Unit 2 overspeed event surprised and 2 before the end of 1992. In addition to
most people in the nuclear industry. As noted committing to implementing the SERT's
in Section 2, a destructive overspeed event at 32 recommendations, the licensee imple-
a U.S. nuclear power plant resulting from mented commitments3 that it had made in
common-mode SOV failures was considered response to the NRC-AIT that investigated
very unlikely. Nonetheless, after being alerted the overspeed event (see Section 3.3 for
to the fact that the event occurred, most of the discussion of the AIT's activities).
persons in the nuclear industry who were
contacted indicated that their organization Table 4 highlights the major hardware, pro-
took positive steps to prevent a recurrence. grammatic, and procedural modifications that
The amount of attention paid to the issue of PSE&G has made at Salem Units 1and 2 as a
turbine overspeed has varied among organiza- result of the overspeed event in accordance
tions. The following sections discuss actions with the SERT's findings and the NRC-AIT's
taken by individual utilities contacted, the findings.
major turbine manufacturers, the NRC, and 4.2 Public Service Electric and Gas
the major U.S. nuclear insurers.
Company at Hope Creek
4.1 Public Service Electric and Gas Hope Creek is a 1067 MWe BWR with a GE
Company at Salem Units 1 main turbine and generator. It is located on
and 2 the same site as Salem Units 1and 2.
As noted in Section 3.2, within 2 hours after
the turbine overspeed event, Public Service 3Some of those commitments overlap SERT recommendations.

Table 4 Major modifications* made at Salem Units 1 and 2

Modifications Made at Salem Units 1 and 2 After the November 9,1991, Overspeed Event

Installed turbine speed indication at the front standard

Improved communication between front standard operator and control room
Installed a backup turbine trip SOV to enable automatic protective turbine trip during testing
Replaced original 20/AST solenoid
Installed a filter in the AST header
Installed a detent handle on the front standard (see Figure 10)
Added an additional AST pressure switch
0 Made system modifications to enable independent, full functional hydraulic operational periodic
testing of all four turbine protection SOVs
*Hardware,programmatic, procedural, etc

NUREG-1275, Vol. 11 18
A few days after the Salem Unit 2 overspeed generic differences between GE and W
event, PSE&G formed a team to perform a designs and guidance.)
lessons-learned review of the Salem Unit 2
overspeed event and assess programs asso- The review team did identify some areas
ciated with the operation, maintenance, and where enhancements to TOPS procedures,
testing procedures for the main turbine at equipment, and testing at Hope Creek would
Hope Creek. The Hope Creek Review Team be appropriate (see Table 5 for a list of the
also assessed the Salem SERT report for most significant items).
applicability to Hope Creek. They also re-
viewed Hope Creek’s operating procedures for As a result of its reviews, the licensee
TOPS relative to the turbine manufacturer’s concluded that the turbine testing at Hope
(GE’s) guidance. Creek had been conducted adequately.

With regard to turbine testing vulnerabilities, 4.3 Westinghouse Power Generation

the review team found that perhaps the most Business Unit
important differences between Salem and
Hope Creek turbine testing are that, at Hope Immediately after the Salem Unit 2 overspeed
Creek, the GE main turbine mechanical event, w’s Salem site representative and
overspeed trip is not bypassed during electri- another W turbine engineer were at the Salem
cal overspeed trip testing and, conversely, the site to gather information and to help PSE&G
electrical overspeed trip is not bypassed investigate the root causes of the event. Subse-
during mechanical overspeed trip testing. quently, at a January 1992 meeting of W
Furthermore, other turbine tri tests do not turbine owners from both nuclear and fossil
!
disable the overspeed trip^^^,^ . Most of the plants, W provided its turbine owners with
GE main turbine control systems used at details of the Salem overspeed event.
nuclear power plants have turbine testing
configurations similar to Hope Creek. (The On February 13,1992, W issued an advisory
differences between design and guidance at to their turbine owners, Customer Advisory
Salem and Hope Creek are indicative of Letter (CAL) 92-02, “Operation, Maintenance,
Testing of, and System Enhancements to Tu-
bine Overspeed Protection System” (reprinted
as Appendix C, courtesy of Westinghouse
R. Thompson, PSEBtG, memorandum
3*J1J. to B. E. Hall,
“Main flrrbine Mp System ’Esting,” November 22,1991. Electric Corporation). CAL 92-02 provided
information about the Salem Unit 2 overspeed
3bJ. J. Hagan, PSEBtG, memorandum to S. LaBruna, “Hope
Creek Review/Actions Associated With Salem Unit I1 event and contained Ys recommendations for
Tbrbine Overspeed Event,” January 27,1992. reducing the potential for another overspeed

Table 5 lbrbine overspeed protection system enhancements made at Hope Creek

TOPS Enhancements Made at Hope Creek After the Salem Unit 2 Overspeed Event
e Increased the frequency for calibrating control system actuation devices
0 Developed a procedure to test circuitry of the backup overspeed trip
e Developed a procedure to perform full functional testing of the turbine control system logic (instead
of partial circuitry tests)
e Implemented tear-down inspections of critical components to ensure no internal contamination,
corrosion, or worn parts in addition to observing component functionality
e Implemented procedures to individually‘testredundant components

19 NUREG-1275, Vol. 11
event. The recommendations addressed opera- valid turbine trip signals during turbine trip
tion, maintenance, and testing of EHC system testing (see Figure 7). It is interesting to note
SOVs, on-line testing of individual EHC that some E turbines had the second 2O/AST
system SOVs, maintaining EHC system fluid as part of their basic design (e.g., Waterford
quality, AST pressure switch settings, AST Unit 3-see Section 4.6).
lube oil system cleanliness, and installation of
reverse power relays (to assure dissipation of In discussions with W4, M O D staff learned
turbine driving steam before opening the main that W had canvassed all its turbine owners
generator circuit breakers). CAL 92-02 also (about 250 fossil and nuclear units) about
made recommendations for improving infor- operating experience with EHC system SOVs
mation available to the operator at the front (Parker Hannifin spool-type SOVs such as the
standard during turbine testing and for ones that had failed at Salem, as well as
improving actions to be taken by operators poppet-type units). About 20 percent of the
during turbine testing. unit owners responded. They stated that there
had been 38 cases of sticking spool pieces in
CAL 92-02 also gave utilities information on the Parker Hannifin SOVs. Ten such events
turbine control system enhancements such as occurred at one single-unit nuclear power
installing coil monitors to check for SOV
circuit continuity, installing a latch-in circuit
for energizing ET20 SOVs, and installing a '%le hone discussion, M. Smith, W,and H. L Ornstein,
second 20/AST to prevent the bypassing of NRZ, September 14,1992, and April 7,1993.

1 1 4,

&e
&lNTEyFACEVALVE

BurLwGENcY

gs,
HP OIL
SUPPLY
- -- 1 I
v
SYSTEM) I-------- _1

ovD\spEED -1

Figure 7 Proposed improvement of Salem type (generic) emergency and

overspeed protection control system

NUREG-1275, VO~.11 20
station. In contrast, none of the owners After a visit by the author to y Power
reported any sticking problems with any of the Generation Business Unit on November 29,
poppet-type valves used? 1994, has embarked on a program to
prepare a new test instruction schedule and
In March 1993, y issued Availability Im- procedure. The new test instructions will be
provement Bulletin (AIB)9301, “Steam Tur- added to all W nuclear turbine customers’
bine Overspeed Protection System” (reprinted instruction books.
as Appendix D, courtesy of Westinghouse
Electric Corporation), which superseded CAL 4.4 General Electric Power
92-02. AIB 9301 expanded upon the original Generation Division
CAT, 9202 recommendations. It reiterated the
importance of on-line testing of individual Examination of technical information pro-
SOVs and it informed owners that hardware vided to owners of General Electric Company
modifications were available that would allow (GE) turbines (Technical Information Letters
individual SOV testing and also permit on-line [TILS],operations, maintenance, and testing
replacement of defective SOVs. The bulletin instructions and manuals, etc.) indicated that
emphasized the importance of assuring GE has routinely provided its turbine opera-
backup or alternate overspeed and trip pro- tors with stringent requirements and recom-
tection during turbine testing and noted the mendations to prevent or minimize the
availability of hardware modifications to likelihood of a turbine overspeed event. GE
provide such redundancy. AIB 9301 also appears to have excelled in providing its
noted the availability of stainless steel poppet- turbine owners with turbine instructions
type SOVs to replace the carbon steel spool- specii’jing what actions to take in the event of
type Parker Hannifin SOVs. In the future, y an unsuccessful test; turbine owners had
will fill orders for spool-type SOVs with not received such guidance.
poppet-type SOVs as like-for-like replace-
ments to mount directly in place of the spool- Over the years, GE’s guidance to its turbine
type SOVs. AIB 9301 recommends that owners has covered most of the areas which
mechanical trip systems like Salem’s low were found to be the apparent or root causes
bearing oil, low vacuum, high thrust, and of the Salem overspeed event as noted in
20/AST trips be tested monthly. PSE&G‘s SERT report and the NRC-AIT
report.
AIB 9301 also recommends that a second Unfortunately, discussions with turbine engi-
20/AST be installed in the system to allow neers at several plants with GE turbines
electrical trips to be effective when the test showed a wide variation in how individual
handle is held. Furthermore, AIB 9301 rec- plants follow GE’s recommendations on
ommends that all units have at least two turbine control systems and their auxiliaries.
independent means of tripping the unit on an For example, turbine engineers at one plant
overspeed. indicated that their plant conscientiously
Regarding maintenance and inspection, C A L adhered to almost all of GE’s guidance.
However, turbine engineers at another plant
92-02 and AIB 9301 both recommend that, if acknowledged that the plant personnel dis-
one SOV sticks, all SOVs should be removed, agree with many of GE’s testing and main-
replaced, or rebuilt, and then retested. Fur- tenance recommendations and, as a result,
thermore, y recommends any SOV rebuilding disregard many GE turbine TOPS and control
should be done ‘‘& by valve manufacturer system recommendations.
approved vendor. [sic]”
After the Salem overspeed event, GE reviewed
its equipment and the guidance it had pro-
%e number of SOVs in nuclear and fossil plants with l3! main vided to users of its equipment. At a meeting
turbines is about 1000-approximately 400 Parker Hannifin
spool- SOVs and 600 of another manufacturer’s poppet-
of GE turbine owners on May 19,1992, GE
types%. presented the results of its assessment of
the Salem event to their customers, noting GE’s existing testing and maintenance
important differences between the W Salem recommendations6a.
design turbine and the GE design turbine. GE
contends that rigorous adherence to guidance 4.5 Nuclear Power Plant Insurers
provided by GE to their turbine owners would
prevent destructive overspeeds like the one at When the author visited nuclear power plants
Salem Unit 2. GE’s guidance emphasizes the to discuss licensee actions in the area of tur-
necessity of: (1)periodically testing the turbine bine overspeed, the issue of nuclear insurers
trip system (testing requirements as described arose. Subsequently, the author had several
in GEK 46527, Revision B, February 19805a, discussions with the major U.S. nuclear
(2) investigating failures that occur during the insurers and visited one.
testing and remedying the failures diligently
(GE’s guidance clearly outlines the actions to The insurers have noted that recent claims
be taken in response to equipment failure), history shows many significant insurance com-
and (3) sequentially tripping the generator. pany payouts for the main turbines and other
The circuitry is designed so that the generator BOP equipment losses. The insurance com-
can be removed from the grid only after the panies readily pointed out that a major reason
turbine is tripped, all main and reheat steam for disproportionate payouts on BOP equip-
flow has been interrupted, and the generator ment is that the NRC does not scrutinize the
is motoring. GE guidance on installation of BOP equipment closely. The insurance com-
control circuitry to assure sequential tripping panies assign staff to each nuclear station.
of the turbine has been available since 1980. The functions of this staff are to work with the
utilities to promote safe plant operation, to
With regard to GE’s longstanding emphasis reduce risk? and to prevent loss. The insurers’
on the need for turbine testing, it is interesting negotiating tools are premium adjustments
to note that in 1975, GE informed its turbine and penalties. Frequently, utilities disagree
ownersSbthat “some customers have discon- with their insurers’ recommendations and, as
tinued testing because of either real or a result, some utilities are willing to take a
imaginary problems of false tripping during premium penalty in lieu of doing what the
such procedures. These false trips must be insurer recommends. For example, during one
corrected and must not be allowed to serve as plant visit, the author learned that the licensee
a reason for not testing, [sic]” had decided not to follow its insurer’s recom-
mendations regarding maintenance and
In discussions with GE,6 AEOD staff learned inspection of the TOPS SOVs. The insurer
that GE reviewed their turbines and TOPS recommended that each trip solenoid valve in
and did not find any areas where equipment, the turbine trip system shall [sic] be removed,
procedures, or guidance need to be modified replaced, or rebuilt and tested per manufac-
to prevent an overspeed event. However GE is turer’s instructions at least every 6 operating
conducting a study to identify ways to reduce years. The licensee felt that performing the
the likelihood of spurious scrams during auto- maintenance at 6-year intervals is unnecessary
matic overspeed testing. It will provide recom- since that station had not had any problems
mendations to utilities for the implementation with those valves. The licensee’s turbine
of specific control system improvements and engineers stated that they had reviewed the
will reiterate the need to comply with issue and determined that from a cost effec-
tiveness standpoint, rather than performing
the maintenance recommended by the insurer,
5‘Y;eneral Electric Com any, Steam ’ibrbine Instructions,
“Periodic Operational%zit Summary,” GEK 46527, Revi-
sion B,February 1980. 6%le hone discussion, S. Abelson, GE, and H. L Omstein,
NRZ November 1,1994.
SbGeneral Electric lkhnjcal Information Letter 769-2
Attachment, “EHC Fluid Systems Valve Tkits,” March 1975. ‘For an insurance com any, “risk” is defined as direct physical
*le hone discussion, S. Abelson, GE, and H. L Omstein, damage, copse uentiardamage resulting from failure, and
NR8,September 22,1994. consequential jamage from transients to other components or
systems.

NUREG-1275, Vol. 11 22
the licensee would pay the additional pre- operators noted Waterford’s willingness to
mium penalty that would be charged if the adopt forthcoming W recommendations for
maintenance was not performed. assuring cleanliness of the AST and EHC
fluid systems.
In discussions with the major insurers in late
1992, the staff learned that, after reviewing the The applicability assessment report noted
Salem overspeed event, the major U.S. nuclear that, like Salem’s, Waterford’s testing proce-
plant insurers were modifying their guidance dures were incapable of detecting a single
and recommendations for operation, mainte- failed SOV (OPC 20-1 or OPC 20-2). Conse-
nance, and testing of turbines and TOPS. quently, the Waterford staff recommended
Since the guidance and recommendations pro- that all five SOVs in the turbine overspeed
vided to the site representatives are proprie- control system be tested independently. The
tary information, this issue is not discussed licensee formulated a procedure to determine
further in this report. the operability of each of the OPC SOVs. The
first independent test of an OPC 20 SOV was
4.6 Waterford Unit 3 performed on February 21,1992%. It revealed
a failed SOV (Parker Hannifin MRFN 16MX
The Waterford Unit 3 plant has a 1075 MWe 0834, the same model valve as the ones that
Combustion Engineering (CE) reactor and a failed at Salem Unit 2). As the Waterford staff
turbine and generator. proceeded to test the second Parker Hannifin
MRFN 16MX 0834 SOY they were @us
After the Salem Unit 2 overspeed event, that it work satisfactorily; otherwise, they
Waterford Unit 3 performed an “applicability would have found themselves in a situation
assessment” of the Salem Unit 2 overspeed similar to that at Salem Unit 2-performing a
event7a.The operators noted that the Water- new test, finding both SOVs failed, suspecting
ford Unit 3 TOPS is very similar to Salem that the SOVs were really operable, and
Unit 2’s but it did have a significant design assuming that the surveillance testing proce-
improvement. As shown in Figure 8, an dure was flawed. The surveillance test of the
additional SOY 20-2/AST to dump AST fluid second OPC SOV at Waterford Unit 3 found
and trip the turbine if a reactor scram or a that it did operate satisfactorily, confirming ‘
valid turbine trip signal is generated by the that the new surveillance testing procedure
AST system (Le., vacuum trip, low bearing oil was not flawed and that the first SOV which
trip, thrust bearing trip) while the turbine’s had been tested had truly failed.
mechanical protective devices are being tested
(and the trip signals are bypassed by the The licensee examined the failed SOV and
operator holding the trip test lever). Conse- sent it to an independent laboratory (Power
quently, the Waterford Unit 3 staff concluded Dynamics, Inc. of Harvey, LA) for additional
that an overspeed event like the one at Salem inspection and failure analysis. The inspection
Unit 2 could be averted by successful and failure analysis7c found that five areas of
operation of the additional 20-2/AST SOY the SOV were degraded. The licensee did not
think that any one area of degradation alone
The applicability assessment report noted was responsible for the failure of the SOV to
that, unlike Salem Unit 2, Waterford Unit 3 shift position on receiving a demand signal.
cleans the AST and EHC system reservoirs However, the cumulative effects were obvious:
before starting up from EACH OUTAGE and
that, in accordance with w’s guidance, the
fullers earth filters in the EHC system are %%terford I11 Nuclear Station, Work Authorization-
No. 01090480, “I\lrbine Electrical Overspeed Speaal ’kit,”
normally in service. Furthermore, the March 2,1992.
ics, Inc., memorandum to
7aEntergyOperations, Operations Support and Assessments
Report 92-005, Februaly 13,1992.
7cM. Shockley, Power
E. Braumer, Enter ”a””rations, Inc, “Failed Parker Valve
Model No. MRFN76& 0834,” August 8,1992.

23 NUREG-1275, Vol. 11
 THRUST BRQ LOW ON PRESS
-1 VACUUM SOLENOID
I
I
ec 1
I
------I
I
I
1 EMERTRP
SOLENOD
*I1
I
I
1
I 1
I
I REMOTE

I
-7 ---- '
I
- 1 AVTOSTOP
OPERATOR
I I RELATCH

I
' I
I
a
- I
TRP
WVERNOR VALVE
i-
II
I - - {INTERFACE
VALVE

TURBINE
Lo8E
ON
ELECTRO-HYDRAULICFLUID SYSTEM AUTO-STOP OIL SYSTEM

Figure 8 Waterford Unit 3 turbine control system

 Frayed electrical wiring-14 of 17 strands (5) A small piece of nonmetallic material
of wire at one termination were frayed. believed to possibly be part of an O-ring
However, no short circuits were found was found in the SOV’s pilot port.
and laboratory testing found the solenoid
able to actuate properly when only three In summary, the licensee postulated that the
strands of wire were connected. most probable cause of failure was “sticking
of the SOV internals due to contamination.”
Three of four O-rings were found ex-
truded and swollen. Incompatibility 4.7 Comanche Peak Units 1 and 2
between the O-rings and the hydraulic and Siemens/Allis Chalmers
fluid or possibly excessive temperatures lbrbines
were suspected as the causes for these
degradations. The licensee didn’t think Comanche Peak Units 1and 2 are 1150 MWe
that the extruded and swollen O-rings W PWRs having Siemens/Allis-Chalmers
-
had blocked any valve ports; however, no main turbines and generators. Unit 1has been
mention was made of the additional operational since 1990. Unit 2 received its
resistance to motion that could have been operating license in 1993.
caused by the swollen O-rings. On learning of the Salem Unit 2 overspeed
event from the NRC (IN 91-83 pef. SI), the
A strainer on the main plunger of the licensee evaluated its turbine generator pre-
SOV was partially obstructed with a ventive maintenance program. Specifically, the
“jelly-like” substance. The licensee noted licensee evaluated the need for establishing
that the same jelly-like substance had periodic preventive maintenance on the SOVs
been previously observed in the EHC in the main turbine’s EHC system and on the
system and the EHC system had been instrumentation required to trip the main
flushed previously to remove the jelly-like turbine. The licensee also evaluated the need
substance. The failed SOV had been to “establish surveillance/operationaltesting”
removed during the previous flushing of EHC system SOVssa. The evaluation noted
operation. It is possible that some of the that the EHC SOVs were not included in any
jelly-like material found on the SOV was preventive maintenance program. Apparently,
residual material that had not been the turbine manufacturer (Siemens/Allis-
thoroughly removed during the flushing Chalmers) did not provide detailed guidance
operation. (The most likely source of the regarding preventive maintenance of SOVs.
jelly-like substance is hypothesized to be
moisture and heating of the Fyrquel EH Comanche Peak uses Fyrquel220 EHC fluid.
fluid [see Section 6.5 of this report]!) The EHC system was supplied with desiccant
drying columns and it appears that rigorous
The laboratory inspection found that the preventive maintenance recommendations for
SOV’s manual override button was stick- the EHC fluid were provided by the turbine
ing. Because of the disassembly process manufacturer in the operations and
in the inspection, the laboratory could not maintenance manual.
determine if the SOVs plunger had been
sticking during the test. The licensee requested that the main turbine
supplier review NRC IN 91-83 and rec-
ommend any corrective actions required at
Comanche Peak. Siemens rovided
information which stateds!l that their turbines
81n a visit to Waterford Unit 3, the author of this report was cannot overspeed for the following reasons:
informed that, early in the life of the plant, the moisture
content of the Fyrquel EH fluid had not met the manufac-
turer’s specifications, causing problems. However, after 8TU. Electric, Industry 0 rating Experience Report, “NRC
implementing an aggressive program to assure the Fyrquel’s Information Notice 91-8F January 6,1992
integri , the license had few, if any, problems with the 8bZ.Racie, Siemens Power Co ration, letter to R. ‘I:Jenkins,
Fyrque?)EH fluid. T U. Electric, March 19,199?Lp

25 NuREG-l275, Vol. 11
 The stop valves on the Siemens units tive maintenance were addressed in a different
cannot reopen until the trip signal has letterga.In that letter, Siemens listed SOVs
cleared and the turbine is manually requiring maintenance every 18 months (full
relatched. disassembly and inspection of all valve and
solenoid assemblies and replacement of all
The Siemens units have redundant elastomers, gaskets, and “other expendables”).
emergency trip SOVs whereas W units Apparently, before 1992, the turbine manufac-
like Salem’s have only one (ET-20). turer had not provided the licensee with
guidance for preventive maintenance on
The Siemens units have a 107 percent turbine control system SOVs.
“Mechanical-HydraulicControl” speed
governor that overrides all other control Siemens emphasized that, to assure proper
signals and closes the control valves. operation of turbine protection devices, all
components of the TOPS must be inspected in
The Siemens units have redundant accordance with the Siemens’ operations
110 percent mechanical trip devices for instruction manual.
the TSVs.
4.8 Specialized Tbrbine Overspeed
During automatic turbine testing (Am,a Protection System Solenoid-
redundant trip circuit is established and the Operated Valves
TSVs will close in response to a valid trip
signal. However, Siemens acknowledged that On a visit to Germany, the author of this
during on-line manual testing of the overspeed report examined an SOV made by Herion and
system, the mechanical and electrical over- used in European fossil unit TOPSs. The
speed trips are bypassed. As a result, during Herion valve has been stated to be very
manual testing there is no mechanical or reliable.1° The SOV has a second coil and
electrical overspeed protection and overspeed slug. On demand, both plungers are supposed
protection is only provided by the operator at to shift. However, if the critical SOV fails to
the front standard. Siemens noted that during shift, the second plunger will activate and hit
manual testing, “overspeed control is in the the stuck plunger like a hammer. Thus came
hands of the expert tester.” the name “hammer valve.” Additional infor-
mation about the hammer valve appears in
Siemens noted that, to eliminate dependence Appendix E.
on the operator during manual testing, a “dual
electronic overspeed protection circuit acting 5 RECENT OPERATING
on two trip solenoids” is to be installed during
the next refueling ~ u t a g e . ~ EXPERIENCE
Siemens also noted that instrumentation re- 5.8 Diablo Canyon
quired for tripping the main turbine is exer- 5.1.1 Diablo Canyon Unit 1 ’hrbine
cised and verified operable with each success- Overspeed Event (September 12,
ful A l T However, if any ATI’ is unsuccessful, 1992)
Siemens must be notified for their “assess-
ment and recommended corrective action.” Diablo Canyon Unit 1is a 1073 MWe JY PWR
Siemens also indicated that all components of with a JY main turbine and generator. On
the TOPS must be inspected in accordance September 12,1992,while the plant was shut-
with the operations instruction manual. ting down, the turbine oversped to 1870 rpm
Siemens’ recommendations for SOV preven- (the design speed is 1800 rpm) (Ref. 10).

98G. Thompson, Siemens Power Corporation, letter to

gGrand Gulf has a similar but not identical turbine control sys- C. Montgomexy,T U. Electric, April 29,1992.
tem. However, its TOPS has the backup electronic overspeed
protection circuitry to prevent an overspeed during front loNofailures to function on demand; however, some minor
panel testing. flange leakage had been recorded (see Appendix E).

NUREG-1275, Vol. 11 26
 The reactor had been tripped, and the turbine 145) both being open resulted in the accelera-
was successfully tripped from the control tion of the turbine to the OPC setpoint of
room panel, closing all TSVs and governor 1854 rpm. The OPC system actuated, closing
valves. Subsequently, the operators relatched the governor valve, MS-1-FCV-141. When the
the turbine, and the low AST pressure switch OPC trip point was reached (1854 rpm), the
(63-2/AST in Yl system drawings [pS-22B in operators also tripped the turbine; nonethe-
Diablo Canyon nomenclature]) failed. (A less, the turbine reached a maximum speed of
similar pressure switch, 63-3/AST was impli- 1870 rpm before the steam supply was cut off.
cated in the Salem Unit 2 and St. Lucie Unit 2
overspeed events, as noted in Sections 3.1 and It is interesting to note that 6 months earlier
on March 22,1992, the licensee shut down
5.2.1 of this report.) The malfunction of Unit 2 because of an inoperable high-pressure
63-2/AST caused the digital electrohydraulic TSY MS-2-FCV-144 (Westinghouse Electric
(DEH) computer to send a signal to open the Corporation-Model #723-5-119). The TSV
governor valves to meet a speed demand of failure was reported in LER 50-323/92-003
1800 rpm. Because of multiple failures in the (Ref. 11). The valve disc separated from its
EHC system, bypass valve steam leaks, EHC swing-arm. In the March 10,1993, revision of
system SOV leaks, and a complicated set of the LER, 50-323/92-003, Rev. 1(Ref. 12), the
evolutions, a main steam stop valve (MS-1- licensee noted that the root cause of the TSV
FCV-145) opened and the governor valves, failure had not yet been determined. This
MS-1-FCV-139, -140, -141, and -142 opened failure is viewed as a precursor to widespread
as well (see Figure 9). The combination of one common-mode failures. There had been
governor valve (MS-1-FCV-141) and its asso- similar failures at other plants. In February
ciated main steam stop valve (MS-1-FCV- 1990, Yl alerted their turbine owners to this
Main Steam

Valves FCV-I42

HP Turbine
I

Valves FCV-I39
FCV-143
stop Valves

Main Steam
Figure 9 Diablo Canyon turbine steam admission valves

27 NUREG-1275, Vol. 11

. _ ,.--.
I it’
,,?, -
type of problem (Operations & Maintenance eventllb revealed that the AST pressure
Memo 108, which is reprinted in Appendix F switch that failed at Diablo Canyon on
of this report, courtesy of W Power Genera- September 12, 1992, did not fall under any
tion Business Unit). This issue is an extremely preventive maintenance program. Preventive
important one because, as the licensee’noted maintenance at Salem Units 1and 2, Beaver
in the LER, “FCV-144 protects the HP Valley Units 1and 2, St. Lucie Units 1and 2,
turbine (SB) (TRB)from overspeed if the Waterford Unit 3, and other plants was
associated turbine governor valve (SB) (FCV) similarly deficient.
downstream of FCV-144 should fail to close
when the overspeed trip or the normal trip 5.1.2 Diablo Canyon Unit 2 Test Handle
mechanism operates.” The licensee noted that, ”kip (January 30,1993)
during the spring 1993 outage, the licensee’s
inspection found other main steam stop valves On January 28,1993, the author of this report
which appeared to have signs of degradation visited Diablo Canyon to review turbine over-
in areas where FCV-144 had failed speed issues and turbine building hazards.
previously.11 While in the turbine building, the author
mentioned to the Diablo Canyon staff that the
The September 12, 1992, overspeed confirmed Diablo Canyon front standard panel was
that all governor valves opening is a credible essentially the same as that of Salem Unit 2 at
event. The similarity with the Salem Unit 2 the time of the overspeed event. The author
overspeed event of November 9, 1991, is rather told the Diablo Canyon staff that the Salem
striking; in both cases, the governor valves SERT report indicated that the team had not
opened or reopened as a result of a failed ruled out the possibility that the operator at
AST pressure switch 63/AST Another im- the front standard panel had inadvertently
portant data point derives from the data on caused the trip by moving the test lever very
turbine control system failure rates in W slightly (about an inch). He also noted the
reports WCAP-1152511a and WCAP-11529 human factors enhancements that Salem had
(Ref. 13). Those reports are probabilistic anal- made after the overspeed event, particularly
yses that were submitted to the NRC in 1987 placement of a stationary handle on the front
to support W turbine owners’ requests to standard. The photographs in Figure 10 show
extend the turbine surveillance testing inter- the original front standard panel and the
vals. The failure rates given in WCAP- modified front standard panel at Salem
1152511afor the 63/AST pressure switches are Unit 2. The new stationary handle in Fig-
higher than the failure rates of all other ure 10 would prevent an inadvertent trip from
turbine control system components listed in operator fatigue during turbine testing (see
that report. The author of this report is not Section 3.4.6). Although NRC and industry
aware of any guidance provided by W to the reports have been written on the Salem
W turbine owners for preventive maintenance
- overspeed event, information on this par-
or change-out of the 63/AST pressure ticular human factors enhancement has not
switches. W guidance for maintenance of been disseminated to industry in any NRC or
these pressure switches is limited to only industry report. The author discussed this
calibrating them as noted in the recently enhancement with the Diablo Canyon staff
provided guidance of CAL 92-02 and AIB during his visit to the plant. Two days after
9301 (Appendices C and D of this report). the author’s visit to Diablo Canyon, Diablo
Not surprisingly, Diablo Canyon’s lessons- Canyon Unit 2 was testing the loss of con-
learned review of the Salem overspeed denser vacuum turbine trip signal, when the
operator who was holding the test lever moved
it slightly, causing a turbine trip and a reactor
“Wephone discussion, C. P. Rhodes, PGLE, and H. L trip from 100 percent power (Ref. 14).
Ornstein, NRC, May 4,1993.
llaWestin house Electric Co ration, (Westinghouse Propri-
etary dass 2) Report WC%-11525, “Probabilistic Evalu-
ation of Reduction in Tbrbine Valve Test Frequency,” June llbJ. Hinds, PGLE, memorandum to M. Angus and T Grebe],
1987. May 5,1992.

NUREG-1275, Vol. 11 28
NUREG-1275, Vol. 11
During the spring 1993 outage, Diablo Canyon tripped, the operator had increased the
Unit 2 installed a stationary handle on the potential for a turbine overspeed event.U
front standard similar to the one that was in-
stalled at Salem Unit 2 (as shown in Fig- The licensee took aggressive action to find the
ure 10). In a May 4,1993,’telephone conversa- root cause of the problem and fin it. The
tion12, the author learned that the licensee was licensee assembled a large multidiscipline
planning to install a stationary handle on the investigation team augmented by W field
Unit 1front standard during the next refueling service.
outage.
Initial troubleshooting found that the ET-20
5.2 St. Lucie Unit 2 SOV had failed to shift position when it
received a valid electrical signal. In addition,
5.2.1 St. Lucie Unit 2 arbine Overspeed the 62/AST-X relay was found to have a loose
Event (April 21,1992) connection on one pin (pin no. 6). Pin no. 6 is
in the direct circuit for all 20/AST trip signals,
St. Lucie Unit 2 is an 839 MWe CE PWR with including the control room trip manual push
a W turbine and generator. On April 21,1992, button, generator lockout, DEH turbine
after a record 502-day run, St. Lucie Unit 2 control system, dc power failure, decreasing
had a manual reactor scram from 12 percent AST pressure, steam generator hi-hi level, low
power. The manual reactor scram should have steam flow anti-motoring trip, and 108 percent
energized the ET-20 SOV and 20 AST electrical overspeed trip.
solenoid resulting in draining of EH fluid,
closing of the steam admission valves, and The investigation team also found relay
tripping of the main turbine. The turbine did 62/AST-X had burned contacts.
not trip. Within 2 seconds of tripping the
reactor, a reactor operator pressed the turbine Either of these two 62/AST-X relay problems
trip button in the control room. The turbine by themselves could have been responsible for
did not trip. Several additional attempts were failure of the turbine to trip when the manual
made to trip the turbine using the control trip push button was pressed in the control
room push button, but such actions were in- room.
effective. Approximately 1minute later, the The licensee a~knowledgedl~~ that the
reactor operator opened the generator output 62/AST-X relay failures could not have been
breakers and closed the main steam isolation detected by St. Lucie’s surveillance program.
valves. Approximately 3 minutes after the As a result of the St. Lucie overspeed event,
reactor scram, a nuclear watch engineer the licensee examined the possibility of testing
tripped the turbine from the front standard by the control room manual turbine trip push
using the emergency trip lever (Ref. 15). Be- button, the 62/AST-X relay, and the 2O/AST
cause the generator output breakers were SOV In an April 29, 1993, telephone discus-
open before the steam supply was shut off, the sion14, licensee engineers indicated that hard-
turbine oversped to 1850 rpm (rated speed is ware modifications and changes to surveil-
1800 rpm)12”. Since the overspeed protection lance testing procedures are being and have
system was set to actuate at 1854 rpm or been made to enable surveillance testing of
3 percent overspeed, the overspeed protection this equipment while the plant is operating.
system was not challenged during this event. The licensee staff also noted that they had
However, by opening the output breakers
before confirming that the turbine had 2
‘melicensee’s LER on this event (Ref. 15 focused on why
the reactor tripped and why the turbine ailed to tri
LER did not mention that the turbine did overspeeftFe
1850 rpm.
1-lephone discussion, C. R Rhodes, PG&E, and H. L 13aD.A. Sa er, FPL, memorandum to NRC, “St. Lucie Unit 2,
Omstein, NRC, May 4,1993. Docket 80. 50-389, Event Date A ril21, 1992, lbrbine
ltip Failure Update,” DASPSL #6b-92, May 14,1992.
lhD. A. Sa er, FPL, memorandum to NRC, “St. Lucie Unit 2,
Docket80. 50-389, Event Date A nl21,1992, lbrbine
?tip Failure Update,” DASPSL #6h-92, May 14,1992. E
l%Ie hone discussion, M. Little and L Batsch, FPL, and
H. Omstein, NRC, April 29,1993.

NUREG-1275, Vol. 11 30
considered installing a redundant AST not interfere with pilot spool motion. Like
solenoid as had been recommended in ET-20, OPC 20-1 and OPC 20-2 were found
CAL 92-02 and AIB 9301 (Appendices C and to have some rust particles which did not
D of this report), but concluded that the affect valve operation. However, unlike ET-20,
redundant 20/AST was unnecessary in view of the OPCs did not have any dirt buildup. The
the other improvements being made, such as OPCs’ internal ports were unrestricted allow-
monthly testing of the 20/AST coil and the ing hydraulic fluid to drain freely when
installation of a turbine trip SOV test and energized. MLEA indicated that the OPCs
maintenance block to allow individual testing were fully operable and did not have symp-
of the ET-20, OPC 20-1, and OPC 20-2 SOVs toms of incipient failure. However, MLEA did
while the plant is on line. (The SOV test and note hard, tenacious corrosion deposits on the
maintenance block is discussed below.) poppets inside ET-20 and both OPC 20
S O V S ~ ~The ~ ,deposits
~. are typical of hydro-
As part of its investigation, the licensee sent lyzed Fyrquel and indicate the presence of
the ET-20, OPC 20-1, and OPC 20-2 SOVs to water. Another important observation noted
an independent laboratory. Those SOVs were in the laboratory report is the fact that the
the same type as the ones that had failed at Parker Hannifin SOVs have extremely tight
Salem Unit 2 in November 1991. The inde- clearances and therefore can be very unforgiv-
pendent laboratory, Main Line Engineering ing with regard to contaminants.
Associates of Exton, PA (MLEA), which per-
formed the investigations of the three Parker The laboratory report highlights the
Hannifin SOVs that were removed from St. unforgiving aspects of the EHC system and
Lucie Unit 2’s EHC system, had performed emphasizes the absolute necessity for
similar investigations on the Salem Unit 2 maintaining EHC system quality. It was
sovs. particularly concerned that particulates of
undetermined origin were present in the
Even though St. Lucie appeared to be doing a ET-20 SOV and that products of Fyrquel
reasonably good job of maintaining the EHC hydrolysis were present in the SOVs even
fluid cleanliness and had replaced the SOVs though
before the record 502-day cycle, the laboratory
found that ET-20 had stuck because particu- (1) the ET-20, OPC 20-1 and OPC 20-2
late matter was blocking ports inside the SOVs were in service for only one fuel
valve. cycle (extended as it may have been to a
record 502 days)
The particulate matter, which was classified as
“dirt,” consisted of fused plastic, weld slag, (2) the licensee has performed EHC fluid
organic fibers, sand, clay, and rust14a. The flushing during each refueling outage
source of the dirt was indeterminate. The flow
of the Fyrquel hydraulic fluid through the (3) the licensee had maintained the hydraulic
SOV pilot ports “...was either blocked or fluid in a manner which met or exceeded
sufficiently occluded by the ‘dirt’ to substan- Y s recommendations
tially reduce the flow of hydraulic oil so that
the main valve would not open” to dump the The author’s discussions with licensee engi-
EHC fluid to initiate the closing of the steam neers during his site visit at the licensee’s
admission valves. MLEA found some rust request during the root cause investigation
particles in the ET-20 SOV’s pilot body and revealed that the dirt and moisture in the
on the pilot spool; however, those particles did Parker Hannifin valves were quite likely
caused by fine particles from new EHC
system filters, Solexsorb filters, which had
14aMainLine En ineering Associates Test Report, “Root malfunctioned and had to be replaced with
Cause Failure fnvestigation for Parker-Hannifin Solenoid
Operated Valves Removed From the EHC System of the St.
Lucie Station Westinghouse lbrbine,” M9000-TR04, ‘?Mephone discussion, J. Mu h ,MLEA, and H. L
June 5,1992. Omstein, NRC,April 30,1%l

31 NUREG-1275, Vol. 11
the original type (fullers earth filters). The new a turbine trip solenoid valve maintenance-test
Solexsorb filters had been installed to reduce block to enable operators to test the ET-20,
moisture, apparently because of previous OPC 20-1, and OPC 20-2 SOVs independ-
moisture problems with the EHC fluid. ently while the plant is on line. The licensee
designed the test and maintenance block. W
After the root cause investigation was con- had been consulted during the block’s design
cluded, the licensee implemented many hard- process.
ware, procedural, and training improvements.
Some of the most noteworthy modifications
and changes made or being made at St. Lucie
Units 1and 2 as a result of the April 21,1992, The test and maintenance block was tested
overspeed event at Unit 2 are listed below: successfully before plant restart. However, on
July 10, 1992, while the plant was on line, the
Modified the procedures and conducted licensee used the test and maintenance block
appropriate training to emphasize the to test ET-20 SOV and, contrary to the
necessity of confirming that the main design, the testing resulted in a reactor scram.
turbine has tripped before opening the The closing of the ET-20 outlet isolation valve
generator output breakers. followed by the successful opening of ET-20
caused a rapid (20 millisecond) pressure decay
Installed a “turbine trip solenoid valve that was interpreted by the RPS as a loss of
maintenance-test block” and key switches load. The licensee noted (Ref. 16) that the
to enable operators to test the ET-20, transient and the resulting reactor scram were
OPC 20-1, and OPC 20-2 SOVs unexpected. The modification had been tested
independently while the plant is on line. before startup; however, because the RPS
pressure switches are not activated until the
Installed continuously energized monitor- reactor reaches 15 percent power, the
ing lights for 20/AST and ET-20, OPC preoperational testing did not provide a
20-1, and OPC 20-2 to verify circuit warning of the unexpected EHC fluid pressure
continuity. spike.
Installed a key switch on the governor
pedestal to allow monthly testing of
20/AST via the 62/AST-X contacts. As a result of the July 10, 1992, reactor scram,
the licensee suspended the EHC SOV monthly
Added a coalescing filter cartridge to the testing until a reliable on-line testing method
EHC system to further reduce moisture could be developed. Subsequently, the licensee
in the EHC Fyrquel system. redesigned the test and maintenance block to
eliminate the pressure pulse (see Figure 11).
The licensee also pursued the issue of replac- The modified test and maintenance block
ing the carbon steel Parker Hannifin SOVs isolates trip functions from the SOV being
(ET-20, OPC 20-1, and OPC 20-2) with tested but remains available for the other two
stainless steel SOVs. W is making such SOVs SOVs, introducing an alternate supply of
available. (See Section 4.3 of this report for a EHC fluid from the EHC supply header. The
discussion of this modification and w’s other alternate fluid supply eliminates the possibility
recommendations.) of feedback to the emergency trip header on
the RPS, thereby eliminating the possibility of
5.2.2 St. Lucie Unit 2 Spurious arbine causing an unwarranted reactor scram. To
Rip During Solenoid-Operated minimize human errors, the SOV testing
Valve Testing (July 10,1992) requires the use of key switches. The revised
test and maintenance block was tested ex-
As noted above, because of the April 21, 1992, tensively at Florida Power and Light Com-
turbine overspeed event, the licensee installed pany’s (FPCs) Manatee fossil plant. In April

NUREG-1275, Vol. 11 32
 CLOSINO INLET ISOLATION VALE ALLOWS TESTlNO OF ASSOCIATED SOLENOID VALVE.
CWSINQBOTH INLET AND O ~ l S O L A l l O N
VALVES ALLOWS ASSOCIATED SOLENOID
VALVE REPLACEMENT wm-l SYSTEM IN OPERATION.

TRIP FLUID
FROM N & FlH
STOP VALVES

mip FLUID
FROM INTERCEPT
& GOV. VALVES
GUAGE PRESSURE
INDICATES SOLENOID
-
VALVE POSITION
LOW VALVE OPEN

I I
t
TO
DRAlN

- WSTlNG BLOCK PIPING

K:===z MAINT,TESTBU)CK

Figure 11 St. Lucie block for testing EHC system SOVs independently

NUREG-1275, Vol. 11
199316,the revised test and maintenance block After the problem with the turbine bypass
was being installed on Unit 1,with Unit 2 isolation valves was discovered, the plant was
installation to be done later (with no on-line shut down on November 1, 1989, so that other
EHC system SOV testing to be performed on valves with Garlock 938 packing could be
Unit 2 until after the installation). examined. Garlock 938 was also used on two ’
motor-operated valves (MOVs) in the core
5.3 Big Rock Point spray system. Examination of the valves in the
core spray system found the packing hard-
Big Rock Point is a 69 MWe BWR with a ened, but the valves still able to function. It
turbine unique among other U.S. LwRs. The was not clear how much longer the Garlock
turbine operates at 3600 rpm and was built by 938 would have had to harden to cause the
the GE, Lynn, MA division. GEs Lynn, MA MOVs to be unable to stroke. The licensee
division no longer makes steam turbines, and noted (Ref. 17) that, after the failures, Garlock
no other similar turbines are in service at US. representatives still supported the use of
nuclear plants. Nonetheless, the failures in the Garlock 938 as an acceptable spacer material.
turbine control system at Big Rock Point are The licensee also noted that Garlock 938 had
very enlightening, and they provide lessons to been used for 40 years as a “severe use” pack-
be learned. ing and had also been used as a spacer at Big
Rock Point from 1987 to 1989. At a recent
53.1 Big Rock Point Common-Mode Air-Operated Valve Users Group Meeting17,
Bypass Valve Failures the author learned that Garlock Corporation
On October 27, 1989, the licensee observed performed extensive laboratory analyses on
common-mode failures of the turbine bypass the hardened Garlock 938, but was unable to
valve (failed to open on an open signal and on conclusively determine the cause of the
October 31, 1989, the turbine bypass isolation failures that had occurred at Big Rock Point.
valve failed to stroke during a test [Ref. 17). 53.2 Big Rock Point Repetitive Failures
The cause of those two failures was the of the lbrbine n i p System
licensee’s use of Garlock 938 packing to re-
pack the valves during turbine maintenance. On June 3, 1992, August 24, 1992, October 5,
Garlock 938 is a compression packing manu- 1992, and February 28, 1993 (Refs. 18 through
factured from aluminum tinsel treated with 21) and August 30, 199217a, the turbine failed
natural rubber cement and die formed, then to trip on demand because the hand-trip
treated with zinc. The packing hardened and solenoid ( H T S ) failed. The HTS’ function is to
was bound to the valve stems, preventing their automatically close the TSV on a reactor
operation. At atmospheric conditions, Garlock scram. The HTS is actuated automatically by
938 is flexible and easy to install. However, it automatic trip signals and can be actuated
becomes hard and brittle when subjected to manually by a push button on a control room
heat and pressure. At Big Rock Point, the panel. The licensee noted1n there had been
Garlock 938 became a tenacious ceramic-like eight failures of the HTS before 1992. (See
material shortly after being subjected to high Tmble 6.)
temperatures and pressures. The Garlock 938
was installed during an outage. The problem On June 3,1992, the turbine failed to auto-
was found during power escalation while the matically trip on a reactor scram (Ref. 18).
plant was at 31 percent power. Conventional
methods for removing the hardened Garlock
938 were unsuccessful. Eventually, it was 17Discussion,H. L Omstein, NRC, and B. D. Crocker,
removed by drilling and using a chisel-an Garlock, Inc., June 3,1993.
operation that took 3-l/2 days to complete. 178ConsumersPower Com any, Deviation Report D-BRP-
92-065, “Failure of Tbrtine HTS to ?tip,” September 2,
1992.
‘”Consumers Power Corn any, Deviation Re rt D-BRP-
”%le hone discussion, L Batsch and M. Little, FPL, and 92-071, “Failure of Tbrhne Stop Valve ( 8 4 2 0 0 ) 21
H. I! Omstein, NRC, April 29,1993. Close,”October 8,1992.

NUREG-1275, Vol. 11 34
 Table 6 Big Rock Point failure to trip history* before 1992

DATE EVENT

04/06/78 The turbine failed to trip from loss of load. Manually tripped stop valve. Replaced
coil.
12/31/84 CV-4200 failed to close on signal from push button, tripped from front standard.
The trip coil was found to have an open winding. Upon inspection, it showed four
score marks corresponding to the location of the mounting screws. Coil replaced.
04/05/85 While shutting down the plant, the turbine stop valve failed to close. Push button
and X-phase failed. Manually tripped from front standard.
The 125 V dc solenoid was found energized and the trip mechanism still latched.
A significant amount of additional force was required to assist the solenoid to trip
the handle latch. Mechanically, there seemed to be a misalignment of the solenoid
(85-MSS-0019).
02/11/86 Push button and Y-phase failed to trip turbine during shutdown. Turbine tripped
from the front standard.
The solenoid was energized during both push button and Y-phase attempts. The
toggle links were still in locked position. The force exerted by the energized coil
was not sufficient to overcome the friction in the mechanical I links
(86-MSS-0011).
07/01/86 lbrbine failed to trip after reactor scram. Push button failed, tripped at front
standard.
Root cause determined to be worn mechanical links and also out of adjustment.
New trip device was installed during 1987 refueling outage (87-TGS-007).
04/08/88 During plant shutdown, the turbine trip failed from the push button, and the
2-phase contacts. This resulted in a 116 OCB trip, but the stop valve failed to
close. Subsequently closed from the front standard.
(1) Broken lead to the solenoid coil, (2) broken wire strands at crimped wire lugs,
(3) aged wires in front standard, (4) broken wire at connection to the arc
suppression capacitor.
07/01/88 During S D , the HTS did not function properly. HTS would not trip and the
continuity light was out.
Bad wiring connection. Installed indicating light in control circuitry. Replaced coil,
armature and solenoid link stud mechanism, also the stud spring was locked to a
position causing the solenoid link bar to twist the toggle links and latch.
07/18/90 During S / D , the HTS did not trip when manual turbine trip push button was
depressed.Tripped using front standard.
Wear in mechanical linkage parts caused misadjustment of solenoid trip latch
causing linkage binding to the point that the solenoid could not pull up the linkage
to release the trip latch.
~~~~

'Direct quotes from Consumers Power Company, Deviation Report D-BRP-92-071, "Failure of Tbrbine Stop Valve (CV-4200) Tb
Close," October 8,1992.

35 NUREG-1275, Vol. 11
Operator attempts to manually trip the tur- could not determine if the lug had contributed
bine using the push button on a control room to the failure. The HTS was replaced with a
panel also failed. Subsequent examination of new one which was provided by the manufac-
the plant data determined that the HTS had turer’s representative. As a result of this
received demand signals and that the HTS experience, the licensee planned to have the
had failed. Approximately 1minute after the HTS manufacturer’s representatives perform
reactor scrammed, a control room operator future adjustments.
found that the generator output breakers were
still closed. He opened the output breakers
and found that the turbine had not tripped; On October 5, 1992, during a plant shutdown,
the stop valve was still open. He pushed the control room operators were unable to trip the
HTS manual trip button in the control room. turbine using the control room push button to
When the push button was found to be in- actuate the HTS (Ref. 20). The generator field
effective, an auxiliary operator was dispatched breaker opened but the TSV did not trip.
to the turbine’s front standard. Using a hand Again, the turbine was tripped manually with
trip lever, the auxiliary operator successfully the hand trip lever at the front standard.
tripped the turbine. Four minutes elapsed
from the reactor scram until the turbine was The manufacturer was contacted about the
successfully tripped. The turbine had the failure. It was believed that the HTS had ex-
potential to overspeed from the time the out- perienced a hydraulic locking. Although there
put breakers were opened until the turbine were traces of oil leaking from the stem and
was tripped (3 minutes). However, because the bushing interface of the HTS, the leak was not
steam admission valves were closing in re- believed to be the cause of the malfunction.
sponse to the original transient18, the turbine The licensee also verified that the hydraulic oil
did not overspeed. was clean.and the failure was not caused by
contaminants or particulates in the oil. The
After plant shutdown, the licensee’s root cause licensee changed out parts of the hydraulic
investigation of the event determined that the system to provide less chance for hydraulic
HTS (manufactured by Ruggles-Klingmann) locking. In addition, the HTS body was
had mechanically bound. The licensee dis- replaced. However, the SOV plunger shaft was
assembled, inspected, readjusted, and success- reused. In order to help keep the HTS SOV’s
fully tested the HTS. piston assembly from sticking, the licensee
On August 24, 1992, the HTS again failed to increased the HTS spring tension.
actuate on demand (Ref. 19). The plant was in
hot standby and the licensee was performing a On February 28, 1993, while shutting down the
pre-turbine startup checkout. The actuation plant, the HTS failed again and the turbine
signal to the HTS was manually initiated from was again shut down with the hand trip lever
the control room panel. The HTS manufac- at the front standard (Ref. 21). The licensee’s
turer’s representative examined the failed root cause failure analysis found that wear on
HTS. He noted that the mechanical linkages the internal parts of the solenoid was causing
(see Figure l2),which were set in accordance the plunger to hang up. The licensee noted in
with the plant’s maintenance instructions, did a March 3,1993, conference call with the NRC
not meet manufacturer’s recommendations. It that after the October 1992 failure, the “top
was suspected that the improper setting had works assembly on the HTS had been re-
caused the mechanical binding. placed, but that the solenoid and shaft had
not been replaced.” Furthermore, the licensee
When electrical tape from the HTS was re- noted that even though the SOV had failed
moved, a terminal lug fell off. The licensee several times before, the SOV’s internals had
never been inspected for wear until Febru-
18Reactorscram on high flw because of a sudden spike in ary 28, 1993. The licensee’s staff noted that
reactor pressure when the initial pressure regulator system
failed. they were pursuing two possible corrective

NUREG-1275, Vol. 11 36
w
4

Figure 12 Big Rock Point- Original hand-trip solenoid valve

actions. For the short term, depending on the valves, four intercept valves, and two reheat
schedule, the licensee would either replace the stop valves performed sluggishly. The valves,
HTS with a refurbished one or replace the which are supposed to close within 1sec-
HTS with another valve of a simpler type ondlga,took almost 2 minutes to close. The
before power ascension (see Figure 13). For management at both Palisades and JY turbine
the long term, the licensee considered modify- division were sensitive to the problem. The
ing the manifold block that housed the HTS licensee’s position was that the plant would
to allow another valve to be added in parallel not be restarted until the problem was fxed.
to the HTS. The extra valve would preclude The licensee initiated an aggressive program
another HTS failure from tripping the turbine. to determine the root cause of the problem
and followed up by taking prompt corrective
53.3 Big Rock Point Long-Term action.
Unavailability of Emergency
Governor Exerciser The problem was suspected to be caused by
flow anomalies in the EHC system or possibly
The emergency governor exerciser (EGE) is a malfunctions of the DEH control system
backup overspeed trip that is integrated into computer or its software.
the turbine control system. It is designed to
trip the turbine if a condition requiring a Initial troubleshooting pointed toward “too
turbine trip occurs while the plant is on line much flow’’ in the trip header or possibly a
and the turbine’s overspeed protection system restriction in a drain line. There was concern
is being tested. (During testing, the turbine’s that the ET-20 might have stuck in an
overspeed protection system is bypassed.) intermediate position.
In Inspection Report 50-l55/92-020 (Ref. 19), In addition to the 41! site representatives, sev-
NRC inspectors noted that the licensee per- eral N field service engineers were dispatched
formed a special test of the EGE indicating to the site, Subsequently, brought special
lights which were not reparable during the equipmentlg to the plant to measure EHC
August 1992 outage. The inspectors also noted system flows and measure system pressures.
that the EGE has not been operable and has Assistance was also provided by 41! personnel
not been used for several years. Consequently, at 9 turbine division headquarters (Orlando,
for several years, the licensee has not tested FL).N personnel performed computer simu-
the overspeed protection system while the lator analyses of the Palisades turbine’s con-
plant was at power. GE strongly recommends trol system. On September 23, 1992, the N
that for the 1800 rpm turbines, the overspeed site representative stated that overall about
control systems be periodically tested during 150 people for the licensee and N were work-
power operation (see Section 4.4).’The ing on the problem, including 20 engineers per
3600 rpm Big Rock Point main turbine has a shift plus 4 engineers at Orlandoa.
backup overspeed device (the EGE), which, if
operable, would provide protection during The 41! site representative noted that the EHC
periodic tests of the TOPS during power system had been reasonably well maintained
operation. at Palisades. The system was clean. It had
been flushed in March 1992, and the ET-20
5.4 Palisades Common-Mode and 20/AG SOVs (equivalent to OPC 20) had
Failure of Six Steam Admission
Valves
18a?: Palmisano, Consumers Power Com any Em loyee Com-
The Palisades plant has one 730 MWe CE munication, memorandum, ‘Turbine butage &date,”
reactor with a W turbine and generator. On October 1,1992.
September 20, 1992, during startup testing, the 196ft x 8 ft x 8 ft EHC system flow analyzer.
plant performed a trip test of the main tur- -1ephone discussion,R. Hunneke, Westin house Palisades
Site Representative,and H. LOrnstein, NSC, Septem-
bine. Six of 16 quick-acting steam admission ber 23,1992.

NUREG-1275, Vol. 11 38
 Pt. Name of Part
Na
SERIES 25
SOLENOID D.C.
EXPLOSION
PROOF

40 Adapter Capscrew
41 Adapter Protector

Figure 13 Big Rock Point-Replacement hand-trip solenoid valve

been refurbished by the manufacturer, Parker factorily in the manual mode. Two weeks later
Hannifin. However, about 3 weeks before the on May 30, 1992 (as required by TS), the
event, the EHC system developed a leak and licensee again tried to perform the TOPS sur-
lost about 50 gallons of fluid. In addition, an veillance testing with the Am, and the same
SOV in the reheat stop valve controls failed. six faults were indicated again. The TOPS
surveillance tests were then conducted satis-
The troubleshooting found EHC flow distri- factorily in the manual mode. As noted in a
bution anomalies, but did not find any spe- letter from Siemens21aand Section 4.7 of this
cific component problem. On the basis of the report, manual testing of the TOPS bypasses
testing and computer analyses, more EHC the TOPS and puts the responsibility for
fluid drain lines and orifice plates were added avoiding a destructive overspeed solely on the
to enhance turbine control valve operation. operator.
Postmaintenance testing demonstrated sig-
nificant improvement in the performance of On June 3, 1992, the plant experienced a
the valves that had exhibited sluggish scram which was unrelated to the turbine
behavior. The repairs were completed on systems. During the outage, turbine control
September 27, 1992, and the plant came on system troubleshooting found the problem to
line the next day. be not the vacuum switch, but a loose wire in
the turbine-generator control cabinet. A sec-
In a communication to station employeesaa, ond loose wire was found in the turbine-
the plant outage manager noted the positive generator control cabinet (Ref. 22). After the
aspects of how the turbine problems were terminals were tightened, the vacuum switch
handled. He noted that the turbine testing was and the ATT worked satisfactorily.
designed “to verify that important turbine
systems are operational and the testing did Three months later, on September 11, 1992, a
identi@ the problem.” Furthermore, he noted systems engineer determined that one of the
that it was fortunate that the problem was loose wires on the turbine-generator control
corrected before the plant was on line. “If the cabinet had disabled one train of the P-4
problem had occurred and been undetected, interlock actuation relay (which trips the
we could have had a turbine overspeed on a turbine on a reactor scram) and the same
subsequent trip.” train of the P-14 interlock actuation relay
(which trips the turbine on high steam gener-
5.5 Comanche Peak Unit 1 ator level). The disabled P-4 and P-14 inter-
Inadequate Followup to Turbine lock actuation relays are listed in the ESFAS
tables of the Comanche Peak TSs as having
Overspeed Protection System allowable outage times of 48 and 12 hours,
Test Failure (May 16,1992) respectively.
On May 16, 1992, while the reactor was at 100 Although the manufacturer’s assessment of
percent power, the licensee was performing the Comanche Peak TOPS indicates that a
TOPS testing with the ATT (see Section 4.7 destructive overspeed is unlikely, failure of the
for additional information on the A W . The operators at Comanche Peak (as at Salem) to
ATT indicated six faults emanating primarily immediately determine the root cause of a
from pressure and vacuum switches. The TOPS testing anomaly placed the plant in a
licensee concluded that there was a problem vulnerable position, bypassing the TOPS
with the Am21 Since surveillance testing leaving only manual action available to pre-
could not be completed with the Am, TOPS vent a destructive overspeed.
surveillance testing was then performed satis-
In response to AEOD questions about which
208-I: Palmisano, Consumers Power Com any Em loyee Com-
munication, memorandum, ‘“Illrbine gutage &date,” equipment was affected by the second loose
October 1, 1992. terminal, the licensee traced the wiring. In a
*‘Form STA 515-1 regardin May 16,1992, event recorded as 21aZ.Racie, Siemens Power Corporation, letter to R. “I Jenkins,
LER 445192421 (Ref. 227. T U. Electric, March 19, 1992.

NUREG-1275, Vol. 11 40
May 27, 1993, telephone discussion2, the erated missiles. These analyses took credit for
licensee informed AEOD that the second diversity and redundancy in the overspeed
loose wire in the turbine control cabinet protection systems and did not consider the
affected one train (train A) of the generator loss of diversity that may occur when the
lockout relay. This relay sends a trip signal to overspeed protection devices are disabled for
the turbine control system when the generator testing or because of operator error. These
output is disconnected from the grid. (Failure analyses also did not assess correctly
to trip the main turbine when the generator is common-mode failures of the overspeed
disconnected from the grid could lead to an protection system from contaminated oil
overspeed condition.) systems or degraded SOVs and did not
recognize that redundancy could be lost
It is also important to note that the loose because surveillance testing practices could
terminals on the turbine-generator control not detect individual failures of redundant
cabinet were essentially degradations of components (SOVs).
ESFAS. Although the loose terminal, which
was discussed in an LER (Ref. 22), only It is interesting to note that some turbine
affected the A train, the LER also noted that operating manuals did not notify the turbine
there was another loose wire in the same owners of any specific maintenance or
cabinet. In the LER, the licensee noted that replacement requirements for the SOVs of the
cause of the loose wiring was unknown, and overspeed protection system. With the
that it was a generic concern. Furthermore, possible exception of steam dump valve
the licensee noted22athat the loose wire caus- failures, the estimates of the failures of the
ing the inoperable main turbine trip event individual components assumed independence
“could have been a precursor to a critically (no coupling or common-mode contributions).
consequential event.” The analyses implicitly assumed that the
degradation or failure of an individual SOV
would be detected and that the SOV would be
6 FINDINGS replaced or repaired to an as-good-as-new
condition before experiencing a similar failure
6.1 Complacency Toward Turbine or degradation of its redundant backup. This
Overspeed report found industry practice to be incon-
sistent with many of these assumptions.
Until November 9,1991, the likelihood that
missiles from a main turbine overspeed event 6.2 Testing That Defeats Diversity
could penetrate the turbine casing at a U.S.
nuclear plant was considered to be very low: Many plants defeat redundant overspeed
lo4 to per turbine-year according to protective devices when testing turbines and
NRC evaluation criteria (Ref. 5 ) and 10” to TOPS at power. By design, Salem’s monthly
per turbine-year according to manu- testing of the turbine’s mechanical protective
facturers’ analyseszb92k. devices required bypassing most of the auto-
matic turbine trip features and deactivating
Inherent in these analyses were low estimates the turbine’s mechanical overspeed trip.
for main turbine overspeed events which gen- During the tests, overspeed protection relied
only on three SOVs (OPC 20-1, OPC 20-2,
2?121e hone discussion, M. Hanson, Comanche Peak, and
and ET-20).
H. LOrnstein, NRC, May 27,1993
“I:U. Electric, STA-515-1, Category Analysis Worksheet, Until the Salem overspeed event, the concern
October 21,1992. for disabling some of the main turbine’s pro-
ubGeneral Electric Company, Tbrbine Department, “Memo tective devices did not appear to be a signifi-
Report -Hypothetical Tbrbine Missiles-Probability of cant one. However, the event raised the
Occurrence, ’ March 14,1973.
industry’s awareness of this issue (see Chap-
westinghouse Electric Co ration, (!VestinghousePro rie-
ta Class 2) Report W C x l 1 5 2 5 , Probabilistic Evaktion
ter 4). Discussion with some utilities indicated
ofxeduction in Tbrbine Valve ’ k t Frequency,” June 1987. a preference for resolving the concern by

41 NUREG-1275, Vol. 11
performing TOPS testing less frequently. preventive maintenance or the replacement
Many utilities have submitted requests to the interval for SOVs in the main turbine
NRC to relax the frequency of testing as a overspeed control system were rare or
method of reducing the likelihood of a reactor nonexistent before the Salem overspeed event.
trip or an overspeed event.
6.5 Electrohydraulic Control
However, all turbine manufacturers’ manuals System Fluid Quality
recommend frequent turbine testing, with the
most emphatic guidance provided by GE (see The common-mode failures of the OPC 20-1,
Section 4.4). A more prudent approach would OPC 20-2, and ET-20 SOVs at Salem Unit 2
be to perform the testing with a provision to were caused by degradation of Fyrquel EHC
override any TOPS bypass if a condition fluid. Most other U.S. LWRs use the same
arises in which a turbine trip is needed. Many EHC fluid; therefore they are vulnerable to
plants have such backup overspeed protection; similar degradations and common-mode fail-
however, many plants have not installed or ures. Fyrquel EHC is a fire-resistant hydraulic
enabled such equipment, which is available fluidU developed by Stauffer Chemical Com-
from the turbine manufacturers. pany with Electric Power Research Institute
support. Subsequently, the Stauffer Chemical
Company sold its Fyrquel interests to AKZO
6.3 Nonrevealing Surveillance Chemicals, Inc., which is the primary supplier
Testing of Fyrquel. Fyrquel is a phosphate ester fluid
Salem was not the only plant to use the prac- with little tolerance to water. Water intrusion
tice of testing two SOVs in a parallel arrange- (e.g., from atmospheric moisture) causes
ment so that failure of either valve was unde- hydrolysis of Fyrquel EHC at temperatures of
tected if the other valve worked. The issue,of about 150 O F . In addition, phosphate esters
inadequate testing of redundant SOVs was are incompatible with certain plastics, neo-
raised by AEOD in 1991 in Reference 23 with prene, Buna-N, and polychloroprene rubber.
regard to diesel generator air-start systems. It When in contact with hot surfaces (e.g.,
was learned from discussions with major U.S. > 250 OF), Fyrquel can form solid gelatin-like
turbine suppliers and personnel at other U.S. particles. Moisture entrainment in Fyrquel can
nuclear plants that their surveillance testing of cause hydrolysis and particulate formation to
redundant SOVs in the TOPS was done just begin at lower temperatures. Fyrquel EHC is
like that at Salem, and that failure of a heavier than water; therefore, undissolved
redundant valve would not have been detected water rises to the top surface in Fyrquel
if the other SOV worked successfully (see systems.
Chapter 4).
The Ginna plant had similar problems with
6.4 Inadequate Solenoid-Operated another phosphate ester hydraulic fluid,
Valve Maintenance Houghton Safe-1120. In 1985 (Ref. 24 and
1990 (Ref. 25 and Report FPI-91-101Aa), the
The issue of inadequate SOV maintenance is main turbine at Ginna failed to trip on a
not unique to main TOPS or to the Salem reactor scram due to corroded SOVs. The
plant. In Reference 23, AEOD presented spools inside S0Vs2 in the main TOPS (ET-
many cases where the SOVs are “unrecog- 20 and OPC-20s) had corroded most likely
nized” piece-parts and, as such, are not from water, which, being less dense, rested on
adequately addressed in operations and
maintenance instructions for the larger =Not nonflammable-it will bum if heated to a high enough
temperature.
equipment which they serve. With regard to uaFailure Prevention, Inc., Report FF’I-91-101, “Root Cause
main turbines, discussions with personnel at Investigation of Parker Hannifin Relief Valve EX-20 in the
numerous plants and a review of some lhrbine Electrehydraulic Control System,” Revision 1,
January 17,1991.
manufacturers’ operations and maintenance 24ParkerHannifin SOVs (same model as the one that failed at
manuals confirmed that instructions for Salem Unit 2).

NUREG-1275, Vol. 11 42
top of the hydraulic fluid. When contami-
nated, the Parker Hannifin SOV illustrated in
Figure 14 had the Fyrquel-water interface near
the arrow. Corrosion took place in that area.
The Ginna plant also found the Houghton
Safe-1120 to be incompatible with the elasto-
meric parts of the Parker Hannifin SOVsXa.
EHC fluid contamination can cause corrosion
of system components, causing moving parts
to bind and can generate particles that can
migrate and cause blockage.
Other contamination scenarios that have been
observed are hydrolysis of the hydraulic fluid
and hydraulic fluid attack of incompatible
material; in both cases particles are formed
that bind moving parts or cause system
blockage.
Failure to continuously maintain the integrity
of the EHC system and of the EHC fluid has
compromised main TOPS causing failures and
loss of diversity, or redundancy at Ginna,
Salem Units 1and 2, and St. Lucie Unit 2.
Discussions with personnel at many plants
indicated a wide range of plant practices with

f
regard to EHC fluid and EHC system main-
tenance. Many plants with W main turbines
originally had meager maintenance and mon-
itoring programs, but troublesome or costly
experiences heightened their sensitivity to the
importance of maintaining EHC systedfluid s )L SUBJECT
integrity. As a result of their experiences, in :ORROSIOF
most cases, the plants tightened up their EHC
fluidkystem maintenance.
Point Beach, a two-unit station with Y main
turbines, implemented a rigorous EHC fluid/
system maintenance and surveillance program
and has had reliable EHC system perform- U

ance (Ref. 26).

Figure 14 Cross-sectional drawing of
Plants with GE main turbines have received Parker Hannifin SOV MRFN
more stringent, detailed guidance regarding 16MX 0834
EHC fluidhystems than have plants with
other manufacturers’ turbines. As a result, the
24aFailurePrevention, Inc., Report FPI-91-101, “Root Cause plants with GE main turbines may have a
Investigation of Parker Hannifin Relief Valve ET-20 in the higher degree of awareness of the importance
”brbine Electro-hydraulic Control System,” Revision 1, of maintaining EHC systedfluid integrity.
January 17,1991.

43 NUREG-1275, Vol. 11
However, discussions with turbine engineers W has provided some documents to owners of
during a visit to a site with GE turbines its main turbines, and its service bulletins
revealed that they were performing minimum have provided information about EHC system
maintenance on the EHC system and had not experiences. However, a complete review of
yet observed any problems. It should be noted the W turbine operations and maintenance
that the EHC systems of GE turbines and manuals at the St. Lucie station indicated that
newer W systems have certain design features the W manuals did not alert the turbine owner
that help retain EHC fluid integrity (e.g., des- to the seriousness of the consequences of
iccant air dryers on the air inlet and full-flow degraded EHC system fluids.
filters that the turbine manufacturer recom-
mends be changed out quarterly). The impor- 6.6 Electrohydraulic Control
tance of maintaining the EHC system fluid is System Fluid Incompatibility
spelled out very clearly in many operations
manuals and technical letters that GE has The EHC fluids most widely used for main
provided to the turbine purchasers. For turbine control systems are aggressive phos-
example, Technical Information Letter 796-2, phate esters, and are incompatible with many
circa 197524b,states: commonly used elastomers. Laboratory
analysis of the Parker Hannifin SOVs that
The EHC fluid must [sic] be kept failed at Salem found that the Fyrquel EHC
free of both solid particles as well as fluid had attacked the Buna-N O-rings, that
chemical impurities to insure the pieces of the O-rings had been dislodged, and
free operation of critical control that this debris caused the SOVs spool pieces
overspeed protection devices. to bindm.
Technical Information Letter 877, circa Similarly, the failure of the main turbine to
197Sm, states: trip at Ginna in 1985 and 1990 involved fail-
ures of ET-20. In both events, ET-20 was
EHC Fluid Ouality corroded. The 1990 failure was caused in part
by debris from a degraded rubber gasket. The
Fluid quality, which encompasses debris lodged between the SOV’s spool piece
solid particle cleanliness as well as and its housing, helping to bind the spool
proper chemical makeup is of utmost piece. The gasket material, a chlorinated
importance. Solid particle contami- rubber, was “chemically attacked” by the
nation may lead to one or more EHC fluid, Houghton Safe-1120, which like
control devices malfunctioning. In Fyrquel EHC is also a phosphate ester fluid.
either of these cases, this can lead to Failure Prevention Inc. noted* that the
a possible overspeed event. This has Parker Hannifin SOVs (MRFN16MX 0834)
been previously brought to your used at Ginna contained chlorinated rubber
attention in our Technical Informa- gaskets which were not compatible with phos-
tion Letter (TIL) 769, ‘EHC Fluid phate ester hydraulic fluids. Note that the
Systems Valve Tests’ dated March Parker Hannifin SOVs that had failed at
1975 and TIL 796, ‘Water Contami- Salem (MRFN 16MX 0834) were designated
nation of EHC Fluid Through EHC as ET-20, OPC 20-1, and OPC 20-2 and were
Coolers’ dated December 1975. the same model valve as the ones that had
2 4 d P ~ b Service
li~ Electric and Gas Com any, Si nificant Event
Response Ram ( S E W Report No. &R 91-%6, “Salem
Unit 2 Reactorrnrbine ?tip and TbrbinelGenerator Failure
24bGeneralElectric, Tkchnical Information Letter 796-2, of November 9,1991,” December 20,1991, p. 19.
“Water Contamination of EHC Fluid Through the EHC
Coolers,” Attachment I. 24eFailurePrevention, Inc., Report FPI-91-101, “Root Cause
Investigation of Parker Hannifin Relief Valve ET-20 in the
*%enera1 Electric, Rchnical Information Letter 877, “EHC Tbrbine Electrehydraulic Control System,” Revision 1,
Hydraulic Power Unit.” January 17,1991.

NUREG-1275, Vol. 11 44
failed at Ginna. (At Ginna, they were referred manual testing, requires an operator to hold
to as ET-20,20/AG-1, and 20/AG-2.) the trip lever during overspeed trip testing to
prevent a reactor trip. In contrast, the testing
6.7 Human Factors Deficiencies of the GE TOPS does not require an operator
to hold a trip lever to prevent a reactor trip.
The procedures for testing the turbine over- On GE systems and some newer W systems,
speed control systems at Salem on Novem- the operators perform overspeed trip testing
ber 9,1991, suffered from several human from the control room using simple panel
factors deficiencies. One of the most obvious switches.
deficiencies was that the front standard panel
design required an operator to hold the 6.8 Surveillance Testing Required
overspeed trip test lever in an awkward posi- by Plant Technical
tion for a long period of time during testing Specifications
(20 to 30 minutes). As noted in Section 3.4.6,
the Salem SERT report did not rule out the The turbine overspeed events reported in
possibility that the operator at the front Spencer Bush’s study (Ref. 1)focused NRC
standard was fatigued and he could possibly attention on steam admission valve failures as
have triggered the overspeed event by allowing the weakest link in the TOPS. As a result the
the test lever to move slightly. Moving the test TOPS surveillance testing requirements, which
lever by about 1inch or less could have were included in many (but not all) plant TSs,
resulted in an AST pressure perturbation were limited to verification of steam ad-
which could have initiated the event. The front mission valve motion, on the premise that
standard at Salem (and all other plants with successful motion of the admission valves was
W turbines visited by the author) had no indicative of TOPS operability. It was not
convenient detent or locking mechanism to recognized that common-mode failures of the
show the operator that the trip lever was in EHC system and its redundant components
the correct position or also allow the operator could prevent the TOPS from performing its
to switch hands if one hand got tired without protective function. Consequently, TSs do not
risking a turbine trip. Failure to keep the lever require surveillance testing or detailed exam-
in the proper position would also result in a ination of the TOPS control system and
reactor trip. The front standard at Salem (and associated piece part components.
at all other plants with W turbines visited by
the author) had prominent signs emphasizing
the trip vulnerability associated with the test
7 CONCLUSIONS
lever. 7.1 Missiles
Another human factors deficiency, the ab- NRC GDC 4 of Appendix A to 10 CFR Part
sence of a tachometer visible to the operator 50 (Ref. 4) requires, in part, that “structures,
at the front standard could have affected the systems and components important to safety
Salem overspeed event. The presence of a shall . . . [be] appropriately protected against
functioning tachometer visible to the operator dynamic effects, including the effects of
at the front standard could have warned the missiles, pipe whipping, and discharging fluids

-
operator to release the trip lever to activate that may result from equipment failures . . . .”
the mechanical overspeed trip. (The SERT Regulatory Guide 1.115 (Ref. 3) states that
report estimated that, during the event, the “failures that could occur in large steam
turbine accelerated by 100 rpmhecond. A turbines of main turbine-generator sets have
tachometer would have provided several sec- the potential for producing large high-energy
onds during which the operator could have missiles.” In addressing turbine missiles, the
terminated the overspeed condition.) NRC has accepted probabilistic analyses that
showed the probability of unacceptable
It is interesting to note that the W TOPS, like damage from turbine missiles to be less than
the Siemens/Allis Chalmers TOPS during or equal to 1chance in 10 million per plant-
yearz. Operating experience has shown that failure mechanisms leading to simultaneous
many utilities are not operating, maintaining, failures are the most likely contributors to
or testing their turbine-generators in accord- turbine overspeed events. Chapter 2 describes
ance with the reliability and safety analyses common-mode precursor events prior to the
that had been accepted by the NRC as the Salem overspeed event and Chapter 5
bases for meeting GDC 4. Because of describes recent common-mode events. The
deficiencies in operation, maintenance, and similarities of the events in Chapters 2 and 5
testing, the TOPSs may be several orders of indicate that despite the efforts of industry
magnitude less reliable than estimated by W. groups to communicate the lessons of the
and as a result, the likelihood for having a Salem turbine overspeed event, corrective
turbine overspeed event and, therefore, the actions by some licensees have not eliminated
risks from turbine overspeed may have been these avoidable events. Common-mode factors
underestimated. identified in this report which could contrib-
ute to the potential for turbine overspeed
7.2 Fires, Explosions, Flooding include:
NRC’s concerns about turbine hazards had (1) testing methods which do not detect exist-
been primarily focused on large, high-energy ing failures of pressure switches and
missiles. The Salem Unit 2 overspeed event redundant SOVs
demonstrated for the first time at a U.S.
nuclear plant that discharges of hydrogen and (2) degraded EHC and lube oil which can
lubrication oil during a turbine overspeed prevent proper operation of TOPS SOVs,
event can result in explosions and fires. It turbine control valves, TSVs, etc.
appears that risks from explosions, fires, and
collateral flooding were not considered in an (3) system design with a single pressure
integrated manner in previous licensee analy- switch, failure of which defeats redundant
ses and NRC reviews of turbine overspeed backup overspeed protection
events. Acknowledging the Salem overspeed
event, its precursors, and the subsequent (4) lack of a replacement program for SOVs
operating events described in Chapter 5, and which may fail due to material incom-
recognizing that the hazards of “discharging patibility, fluid contamination, etc.
of fluids” such as hydrogen and lubrication oil
from turbine-generators are hazards specific- (5) lack of a replacement program for
ally noted in GDC 4, it appears that this issue pressure switches which may fail due to
needs to be addressed further. Examination of aging effects
many plants’ licensing documents and safety
analyses indicates that the concomitant (6) steam admission valves identified by
hazards have not been addressed. The issue of licensees as exhibiting common-mode
turbine building hazards is the subject of failure characteristics
another M O D special study which is
currently under way. 7.4 Industry Response to the Salem
7.3 Common-Mode Failure Unit 2 Overspeed Event
Precursors 7.4.1 Overview
Main turbines are usually protected from The Salem Unit 2 overspeed event resulted in
overspeed by redundant systems: a primary significant financial losses to the utility and its
mechanical device, usually supplemented by insurers. However, the event had the positive
redundant electromechanical or electrohy- effect of making the nuclear community more
draulic devices. Consequently, common-mode aware of TOPSs, which, at many plants, had
=NRC pidance regarding turbine missiles and turbine system previously been taken for granted (see
reliabdity criteria are describedin Section 2. Sections 4.2, 4.6, and 4.7).

NUREG-1275, Vol. 11 46
7.4.2 Turbine Manufacturer Actions (5) guidance for .control room and equipment
operators to respond to test anomalies
As a result of the Salem Unit 2 overspeed
event, the major U.S. turbine manufacturers Implementation of selected improvements to
reexamined their TOPS. They provided their operations and maintenance practices for
customers with recommendations for hard- TOPS could provide a cost-effective means to
ware testing and for maintenance modifi- achieve higher system reliability and improved
cations or improvements to minimize the capacity factor.
likelihood of similar overspeed events (see
Sections 4.3 and 4.4). However, some of the 7.5 n i p Test Lever Human Factors
manufacturers’ recommendations are Deficiency
incomplete (see Sections 4.4 and 5.1.1).
The overspeed trip test lever on the front
standard panel of W turbines is difficult to
7.4.3 Nuclear Utility Actions hold in position during testing and has been
identified as a contributing causal factor for
On the basis of information received from the the Salem turbine overspeed event. Inadvert-
NRC, the Institute of Nuclear Power Opera- ent movement of the test lever has also been
tions, the turbine manufacturers, and the identified as the cause of an inadvertent
insurers, U.S. LWR owners reviewed the reactor trip at Diablo Canyon Unit 2. Based
Salem Unit 2 overspeed event and its implica- on those findings, the Salem and Diablo
tions for their plants. In many cases, the Canyon licensees have modified the test
utilities did a conscientious job of evaluating handle to prevent inadvertent movement of
their plants. Most of the plants canvassed the test lever. Although this appears to be an
have changed their TOPS testing and mainte- inexpensive and effective modification to
nance practices. Many plants have initiated reduce the likelihood of a turbine transient
actions to make hardware modifications. during TOPS testing, we are not aware that
However, in the sample examined, the reviews this simple modification has been adopted by
done by two utilities were less detailed and other licensees.
problems remained (see Sections 5.3.2,5.3.3,
and 5.5.1). 7.6 Overestimate of Design Life of
Tbrbine Overspeed Protection
In the past, both W and GE have issued System Components
recommendations for operations and main-
tenance to improve TOPS reliability. Based on Operating experience shows that the 63/AST
a review of those recommendations and the pressure switches used in W turbine control
lessons learned from operating experience, systems may require periodic replacement
individual manufacturer’s recommendations rather than just the periodic adjustment
may be lacking in the following specific areas: suggested by in AIB 9301. Three turbine
overspeed events support this conclusion: (1)
(1) individual testing of redundant valves and Salem Unit 2, November 9, 1991; (2) St. Lucie
other components Unit 2, April 21, 1992 (Section 5.2.1); and (3)
Diablo Canyon Unit 1,September 12, 1992
(Section 5.1.1). Data in the W topical report
(2) purification and monitoring practices for on turbine overspeed, WCAP-11525za,
EHC fluid indicates that pressure switch 63/AST had the
highest failure frequency of any part in the W
(3) replacement and refurbishment recom- TOPS.
mendations for vulnerable components
=awestinghouse Electric Co ration, (westin house Pro rie-
(4) methods to achieve effective operability tary Class 2)Repop WCS-11525,“Proba%ilisticEvafua-
tion of Reduction in lbrbine Valve l b t Frequency,” June
of TOPS during system tests 1987.

47 NUREG-1275, Vol. 11
7.7 Nonconservative Probabilistic new condition” when they are found to have
Assessments failed or are in a degraded condition.
For many plants, turbine manufacturers’ rec- 7.8 Rends in nrbine Overspeed
ommendations for TOPS testing intervals% Protection System Testing
and turbine inspection intervals include in
their basis the probabilistic analyses of over- Testing to verify TOPS operability which de-
speed events (Chapter 2). The Salem Unit 2 tects existing component failures while main-
overspeed event and other recent operating taining effective overspeed protection during
events demonstrate that the analysis is not the test would reduce the likelihood of an
conservative when compared with the actual overspeed event leading to turbine destruc-
operating experience. tion and its potential safety consequences.
However, current plant testing focuses on the
For Salem Unit 2 (assuming monthly valve TS requirement to test steam admission valve
exercise tests as presented in WCAP-11525 motion. Some licensees have enhanced their
and shown in Figure 1of this report), W testing practices following the Salem event;
estimated the probability of a missile ejection others have not.
to be about 2 x per year. The point
estimate for a missile ejection from a W Hardware modifications would be necessary,
turbine at a U.S. nuclear plant is 1.25 x in most cases, to establish the facility to test
per year (with a 90 percent confidence interval individual SOVs in the TOPS. FPL (St. Lucie
having a 5.9 x upper bound and a 6.4 x plant), in cooperation with W, has modified
lower bound). The estimate is based on their TOPS by installing a test and mainte-
the Salem Unit 2 overspeed event with an nance block to facilitate testing of individual
experience base of about 800 turbine years at SOVs. Subsequent St. Lucie SOV testing
U.S. nuclear plants with W turbines. Thus the caused a spurious turbine trip as a result of
WCAP-11525 estimate is lower by a factor of short-duration EHC system pressure spikes;
about 6 x lo3 (it is U300th of the 90 percent the test and maintenance block has been
confidence interval lower bound). further modified to eliminate such spurious
trips.
As noted in Chapter 6, some of the reasons
for the nonconservatism are the utilities’ 7.9 Procedures for Shutting Off
operating, testing, and maintenance practices. Steam Supply
The probabilistic analyses assume sound
maintenance, operation, and testing of the Several events before and after the Salem
turbine control systems. The analyses do not Unit 2 event indicate the value of plants
account for common-mode.failures resulting having clear, written procedures and operators
from inadequate maintenance of the EHC and being trained to assure that the steam supply
AST systems, pressure switches, and SOVs; is cut off to the main turbine before the
inadequate testing which could not reveal generator output breakers are opened (Big
equipment failures which had resulted in loss Rock Point, Section 5.3.2; St. Lucie Unit 2
of redundancy; loss of diversity caused by Overspeed Event, Section 5.2.1). In addition,
testing deficiencies; human errors such as premature relatching can cause certain
failing to believe unfavorable test results; turbine control systems to reopen the steam
inadequate procedures which do not provide admission valves (Diablo Canyon Unit 1,
guidance about actions to be taken upon Section 5.1.1).
observing a failure; and failure to restore
degraded or used components to “as-good-as 7.10 Summary
Based on the Salem destructive overspeed
event and other precursor events, the fre-
26Ts requirements addressing frequency of exercising steam quency of overspeed events is much higher
admission valves. than that generally assumed in vendor

NUREG-1275, Vol. 11 48
analyses which were used to show compliance 8 REFERENCES
with Regulatory Guide 1.115and GDC 4. A
destructive turbine overspeed event has the
potential to cause damage because of turbine 1. Spencer H. Bush, “Probability of Damage
missiles, fires, explosions, and consequential to Nuclear Components Due to Turbine
flooding. These concomitant effects have not Failure,” Nuclear Safety, Vol. 14, No. 3,
received attention. However, compliance with May-June 1973.
GDC 4 may be accomplished in other ways
than preventing a destructive turbine over- 2. U.S. Nuclear Regulatory Commission,
speed. For example, if the turbine building NUREG-0800, Standard Review Plan
contains no equipment needed for safe shut- 10.2, Revision 2, “Turbine Generator,”
down and the surrounding structures can be July 1981.
shown to be protected from missiles, fires,
explosions, and flooding from a destructive 3. U.S. Nuclear Regulatory Commission,
overspeed event, then compliance with GDC 4 Regulatory Guide 1.115, “Protection
would be achieved. In such a case, the issue of Against Low-Trajectory Turbine
the quality of the TOPS is primarily a com- Missiles,” Revision 1,July 1977.
mercial issue. However, failure of the TOPS
could result in challenges to plant safety 4. US.Code of Federal Regulations, Title 10,
systems. “Energy,” U.S. Government Printing
Office, Washington, D.C., revised
periodically.
B O D currently is performing a study of tur-
bine building hazards. That study will evaluate 5. U.S. Nuclear Regulatory Commission,
the hazards from hydrogen, lubricating oils, letter from C.E. Rossi to J.A. Martin,
and flammable EHC fluids associated with a Westinghouse Electric Corporation,
turbine failure. Potential flooding of important ‘Approval for Referencing of Licensing
equipment by water used for fire suppression Topical Reports WSTG-1-P, May 1981,
and water used for cooling turbine-generator ‘Procedures for Estimating the Proba-
subsystems will be included. Effects of smoke biIity of Steam Turbine Disc Rupture
will also be considered. From Stress Corrosion Cracking,’ March
1974, ‘Analysis of the Probability of the
It was generally believed that GDC 4 was met Generation and Strike of Missiles From a
based on the low frequency of destructive tur- Nuclear Turbine,’ WSTG-2-P, May 1981,
bine overspeed events. That belief contributed ‘Missile Energy Analysis Methods for
in part to past regulatory decisions. This study Nuclear Steam Turbines,’ and WSTG-3-P,
does not, by itself, negate those decisions, July 1984, ‘Analysis of the Probability of a
because GDC 4 may still be met due to other Nuclear Turbine Reaching Destructive
considerations such as the physical arrange- Overspeed,”’ February 2, 1987.
ment of the plant. The need for NRC and
licensees to readdress their bases for com- 6. U.S. Nuclear Regulatory Commission,
pliance with GDC 4 will be addressed after Inspection Report 50-311/91-81, Salem
the study of turbine hazards has been Nuclear Generating Station Unit 2,
completed. January 7, 1992.
7. T T Martin, U.S. Nuclear Regulatory
Beyond the issue of GDC 4, the implementa- Commission, memorandum to T E.
tion of efforts to address the concerns raised Murley, “Consideration of Generic Issues
in this report can result in enhanced operation Resulting From AIT Findings Relative to
of the TOPS and will likely result in large the Catastrophic Failure of the Salem
financial benefits because of improved system Unit 2 Turbine-Generator,” January 27,
operation. 1992.
8. U.S. Nuclear Regulatory Commission, 17. Consumers Power Company, Licensee
Information Notice 91-83, “Solenoid- Event Report 50-155/89-009, Big Rock
Operated Valve Failures Resulted in Point Plant, January 9,1990.
Turbine Overspeed,” December 20, 1991.
18. Consumers Power Company, Licensee
9. J. G. Partlow, U.S. Nuclear Regulatory Event Report 50-155/92-010, Big Rock
Commission, memorandum to T T Point Plant, July 2, 1992.
Martin, “Region I Request for NRR
Evaluation of Generic Issues Relating to 19. U.S. Nuclear Regulatory Commission,
the Salem Unit 2 Turbine Overspeed Inspection Report 50-15992-020, Big
Event (TAC No. M82696),” February 25, Rock Point Nuclear Plant, September 18,
1992. 1992.
10. Pacific Gas and Electric Company, 20. U.S. Nuclear Regulatory Commission,
Licensee Event Report 50-0275/92-018, Region III Daily Report, October 5, 1992.
Revision 1,Diablo Canyon Unit 1,
February 8,1993. 21. U.S. Nuclear Regulatory Commission,
Region III Daily Report, March 1, 1993.
11. Pacific Gas and Electric Company,
Licensee Event Report 50-323/92-003, 22. TU. Electric, Licensee Event Report
Diablo Canyon Unit 2, April 20, 1992. 50-445/92-021, Comanche Peak Steam
12. Pacific Gas and Electric Company, Electric Station Unit 1, October 12, 1992.
Licensee Event Report 50-323/92-003,
Revision 1,Diablo Canyon Unit 2, 23. U.S. Nuclear Regulatory Commission,
March 10, 1993. NUREG-1275, “Operating Experience
Feedback Report-Solenoid Operated
13. Westinghouse Electric Corporation, Valve Problems,” Vol. 6, February 1991.
(nonproprietary)Report WCAP-11529,
“Probabilistic Evaluation of Reduction in 24. Rochester Gas and Electric Company,
Turbine Valve Test Frequency,” June 1987. Licensee Event Report 50-244/85-007,
R. E. Ginna Nuclear Power Plant, May 6,
14. U.S. Nuclear Regulatory Commission, 1985.
Region V; Daily Report, February 1,1993.
25. Rochester Gas and Electric Company,
15. Florida Power and Light Company, Licensee Event Report 50-244/90-012,
Licensee Event Report 50-389/92-001, R. E. Ginna Nuclear Power Plant,
Revision 1, St. Lucie Unit 2, June 29, 1992 October 26, 1990.
16. Florida Power and Light Company, 26. Gene Wellenstein, “The Picture of
Licensee Event Report 50-389/92-005, St. Health,” The Nuclear Professional, Vol. 7,
Lucie Unit 2,August 7,1992. No. 4, Fall 1992.

NUREG-1275, Vol. 11 50
 APPENDIX A
LIST OF PLANTS BY SUPPLIER-REACTOR, TURBINE, GENERATOR
 APPENDIX A
LIST OF PLANTS BY SUPPLIER--REACTOR, TURBINE, GENERATOR

REACTOR TURBINE GENERATOR

PLANT SUPPLIER SUPPLIER SUPPLIER

ANoUNIT1 B&W -
W -
W
AN0 UNIT2 C-E GE GE
BEAVER VALLEY UNIT 1 -
W -
W -
W
BEAVER VALLEY UNIT 2 x -
W -
W
BIG ROCK POINT GE GE GE
BRAIDWOOD UNIT 1 -
W W
- -
W
BRAIDWOOD UNIT 2 -
W W
- -
W
BROWNS FERRY UNIT 1 GE GE GE
BROWNS FERRY UNIT 2 GE GE GE
BROWNS FERRY UNIT 3 GE GE GE
BRUNSWICK UNIT 1 GE GE GE
BRUNSWICK UNIT 2 GE GE GE
BYRON UNIT 1 -
W -
W -
W
BYRON UNlT 2 W
- -
W w
CALLAWAY W
- GE GE
CALVERT CLIFFS UNIT 1 C-E GE GE
CALVERT CLIFFS UNIT 2 C-E GE GE
CATAWBA UNIT 1 -
W GE GE
CATAWBA UNlT 2 -
W GE GE
CLINTON GE GE GE
COMANCHE PEAKUNIT 1 -
W A-S A-S
COMANCHE PEAK UNIT 2 x A-S AS
COOK UNIT 1 x GE GE
COOK UNIT 2 -
W BB BB
COOPER GE -
W -
W
CRYSTAL RIVER UNIT 3 B&W -
W -
W

A-1 NUREG-1275, Vol. 11

 REACTOR TURBINE GENERATOR
PLANT SUPPLIER SUPPLIER SUPPLIER

DAWS BESSE B&W GE GE

DIABLO CANYON UNIT 1 -
W W
- M!
DIABLO CANYON UNIT 2 M! -
W M!
DRESDEN UNIT 2 GE GE GE
DRESDEN UNIT 3 GE GE GE
DUANE ARNOLD GE GE GE
FARLEY UNIT 1 -
W -
W M!
FARLEY UNIT2 Y -
W M!
FERMI GE GEC GEC
FITZPATRICK GE GE GE
FORT CALHOUN C-E GE GE
GINNA -
W -
W M!
GRAND GULF GE A-S A-S
HADDAM NECK -
W -
W M!
HATCH UNIT 1 GE GE GE
HATCH UNIT 2 GE GE GE
HOPE CREEK GE GE GE
HARRIS Y M! M!
INDIANPOINTUNIT2 M! Y GE
INDIANPOINTUNIT3 M! M! JY
KEWAUNEE IY M! M!
LASALLEUNITl GE GE GE
LAsALLEUNIT2 GE GE GE
LIMERICK UNIT 1 GE GE GE
LIMERICK UNIT 2 GE GE GE
MAINEYANKEE C-E M! IY
MCGUIREUNITl M! M! M!
MCGUIREUNIT2 M! M! M!

NUREG-1275, Vol. 11 A-2

 REACTOR TURBINE GENERATOR
PLANT SUPPLIER SUPPLIER SUPPLIER

MILLSTONE UNIT 1 GE GE GE
MILLSTONE UNIT 2 C-E GE GE
MILLSTONE UNIT 3 -
W GE GE
MONTICELLO GE GE GE
NINEMILEPOINTUNIT1 GE GE GE
NINE MILE POINT UNTT 2 GE GE GE
NORTH ANNA UNIT 1 -
W W
- -
W

NORTH ANNA UNIT 2 -

W -
W -
W
OCONEE UNIT 1 B&W GE GE
OCONEE UNIT 2 B&W GE GE
OCONEE UNIT 3 B&W GE GE
OYSTER CREEK GE GE GE
PALISADES C-E -
W -
W
PALO VERDE UNIT 1 C-E GE GE
PALO VERDE UNIT 2 C-E GE GE
PALO VERDE UNIT 3 C-E GE GE
PEACH BOTTOM UNIT 2 GE GE GE
PEACH BOTTOM UNIT 3 GE GE GE
PERRY UNIT 1 GE GE GE
PILGRIM GE GE GE
POINT BEACH UNlT 1 -
W -
W -
W

POINT BEACH UNIT 2 E -

W -
W
PRAIRIE ISLAND UNIT 1 -
W -
W -
W

PRAIRIE ISLAND UNIT2 E -

W -
W
QUAD CITIES UNIT 1 GE GE GE
QUAD CITIES UNIT 2 GE GE GE
RIVER BEND GE GE GE
ROBINSON UNIT 2 E -
W E

A-3 NUREG-1275, Vol. 11

 REACTOR TURBINE GENERATOR
PLANT SUPPLIER SUPPLIER SUPPLIER

SALEM UNIT 1 W
- -
W -
W
SALEM UNIT 2 W
- w
- GE
S A N ONOFRE UNIT 1 W
- -
W -
W
S A N ONOFRE UNIT 2 C-E GEC GEC
S A N ONOFRE UNIT 3 C-E GEC GEC
SEABROOK -
W GE GE
SEQUOYAH UNIT 1 W
- -
W -
W
SEQUOYAH UNIT 2 -
W -
W W
-
SOUTH TEXAS UNIT 1 w -E -
W
SOUTH TEXAS UNIT 2 -
W -
W W
-
ST LUCIE UNIT 1 C-E -
W -
W
ST LUCIE UNIT 2 C-E W
- W
-
SUMMER W
- GE GE
SURRY UNIT 1 W
- W
- W
-
SURRY UNIT 2 -
W -
W W
-
SUSQUEHANNA UNIT 1 GE GE GE
SUSQUEHANNA UNIT 2 GE GE GE
THREE MILE ISLAND UNIT 1 B&W GE GE
TROJAN W
- GE GE
TURKEY POINT UNIT2 -
W -
W -
W
TURKEY POINT UNIT 3 -
W -
W -
W
VERMONT YANKEE GE GE GE
VOGTLE UNIT 1 -
W GE GE
VOGTLE UNIT 2 W
- GE GE
WATERFORD UNIT 3 C-E -
W -
W
mUNIT2 GE -
W -
W
WOLF CREEK -
W GE GE
YANKEE ROWE -
W -
W -
W

NUREG-1275, Vol. 11 A4
 REACTOR TURBINE GENERATOR
PLANT SUPPLIER SUPPLIER SUPPLIER
-

ZION UNlT 1 -
W W/with BB -
W
1OW pressure
turbine stages
ZION UNIT 2 -
W Wwith BB -
W
low pressure
turbine stages

A-S Allis-ChalmersKiemens
BB Brown Boveri
B&W Babcock & Wilcox
C-E Combustion Engineering
GE General Electric
GEC English Electric
YY Westinghouse

A-5 NUREG-1275, Vol. 11

 APPENDIX B
SUMMARY OF SERT REPORT RECOMMENDATIONS
 SUMMARY OF SERT REPORT RllCOMMl3NDATIONS*

1. Plant Design dure(s). Address identified short-

comings associated with failure to
a. Evaluate the turbine protection implement the 1990 LER commit-
systems for design enhancements. ment to change out the Unit 2
solenoid valves (e.g., require docu-
b. Complete detailed root-cause mentation of commitment
assessment of solenoid failures and modifications).
implement corrective actions to
prevent recurrence. d. Implement independent full func-
tional, hydraulic operational
C. Determine source of orifice foreign periodic testing of the four turbine
material and implement appropri- protection solenoid valves.
ate corrective actions.
e. Review present priority of plans for
d. Evaluate the need for design RCM to address the Salem main
changes to the front standard to turbine and support systems in
address identified human factors light of this event, and make
deficiencies, and initiate as changes as necessary.
required.
f. Evaluate the need for a License
e. Finalize engineering analysis to Change Request to clarify %chnical
determine all origins of steam flow Specification 3/4.3.4 “nirbine
energy which resulted in the turbine Overspeed Protection.”
overspeed event, and place final
report of this analysis in the SERT g. Review technical specification sur-
file for this event. veillance testing methodologies to
ensure no other instances of failure
f. Evaluate the AST pressure switch to test components independently
settings for adequacy for protection exist, which could involve Technical
as well as control functions. Specificationviolations or reduc-
tions in protective functions
2. Programs redundancy.
a. Perform a matrix review of turbine
multi-trip and other secondary h. Review the process of Bchnical
plant components to assure ade- specification license change
quate testing. requests to determine why LCO
3/4.3.4 was not clarified when it was
b. Establish and complete routine last amended. Identi@actions to
calibration cycles for AST pressure prevent recurrence.
switches.
i. Re-evaluate the basis for 30 day
C. Review Administrative Controls for front standard testing as specified
commitment tracking and revise by vendor; implement less frequent
applicable administrative proce- testing if justifiable.

j. Work with Operations and Com-

‘Direct quotations from Public Sexvice Electric and Gas Com- puter Engineering to implement a
n ,Significant Event Res me %m (SEW Report No.. program to save an optimal set of
g k 9 l - 0 6 , “Salem Unit 2 g c t o r m r b i n e ltip and Th-bmel
Generator Failure of November 9,1991,” December 20,1991. SPDS and P-250 data for future
 use during event evaluation, sep- trip industry events, and other
arate from the AD-16 program. lessons learned, to the nuclear
industry via INPO.
k. Revise the turbine front standard
test procedure (OP III-1.3.3, prior U. Evaluate 10 CFR Part 21
to the next test performance for notification for solenoid valve
either Unit. Review for inclusion failures.
Human Factors Report comments.
V. Continue implementation of
1. Incorporate discussion of operation Nuclear Department programs
of Steam Dumps, MSlOs and EHC including:
during Unit Trip Events into opera-
tor training.
Reaching Our Vision
m. Re-emphasize to all Emergency
coordinators that EP procedures Commitment Management
and Attachments are not stand
alone documents. Reliability Centered
Maintenance
n. Assess AOP-Fire-1 midance con-
cerning operation of lequipment Salem Revitalization
involved in or contributing
- to a fire,
and revise as needed. Work Standards Practices
0. Enhance training on de-escalating 3. Personnel
events and use of procedure EPIP
405. a. Plant Management is to assure
behaviors/actions during the
P. Revise ECG Attachments 1,2 10/20/91startup are understood
and 3 with recommended and appropriate corrective actions
enhancements. taken.
q. Revise AOP-Fire-1, FRS-1-001,
EPIP 202 and EGG Attachment 8 b. Reinforce and clarify Standing
to better address offsite assistance Night Order Book Policies with all
requests. SROs on shift.

r. Revise the Initial Contact Message C. Review the decision-making

Form Attachments 2 and 3 to associated with the deferral of the
enhance guidance in terminating Unit 1LER commitment to replace
events. Unit 2 solenoid valves “during the
next outage of sufficient duration,”
S. Provide refresher training on pager and take corrective actions as
activation to primary and appropriate.
secondary communicators.
d. Develop and present a communi-
t. Communicate the inadequate cations program on this event,
prioritization of turbine failure to emphasizing lessons learned.

NUREG-1275, Vol. 11 B-2

 APPENDIX C
CUSTOMER ADVISORY LETTER 92-02,
“OPERATION, MAINTENANCE, TESTING OF, AND SYSTEM
EHNANCEMENTS TO TURBINE OVERSPEED
PROTECTION SYSTEM”*

*Reprinted with permission of Westinghouse Electric Corporation. \

 DISCLAIMER OF WARRANTIES
AND UMITATION OF UABltlTY

THERE ARE NO UNDERSTANDINGS, AGREEMENTS, REPRESENTATIONS, OR

WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF
MERCHANTABILITY OR FlTNESS FOR A PARTICULAR PURPOSE, OTHER THAN
THOSE SPECIFICALLY SET OUT IN ANY EXISTING CONTRACT BETWEEN THE
PARTIES REGARDING THIS EQUIPMENT. ANY SUCH CONTRACT STATES THE
ENTIRE OBLIGATION OF SELLER. THE CONTENTS OF THIS DOCUMENT SHALL NOT
BECOME PART OF OR MODIFY ANY PRIOR OR EXISTING AGREEMENT,
COMMITMENT, OR RELATIONSHIP.

The information recommendations and dwcriptions in this document am bared on

Westinghouse's expsrlence and judgment with rapact to this equipnnntb o p e d o n
and maintenance. THIS INFORMATION SHOULD NOT BE CONSIDERED AS ALL
INCLUSIVE OR COVERING ALL CONTINGENCIES. If further informatlon is mqulred,
Westlnghouse ElecMc Corporation should be consulted.
NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF FITNESS
FOR A PARTICULAR PURPOSE OR MERCHANTABILITY, OR WARRANTIES ARISING
FROM THE COURSE OF DEAUNG OR USAGE OF TRADE, ARE MADE REGARDiNG
THE INFORMATION, RECOMMENDATIONS, OR DESCRIPTIONSCONTAINED HEREIN.
In n o event will Westinghouse be responsible to the user in contract, in tort (Including
negligence), strict liability or otherwise for any special, indirect, Incidental, or
consequential damage or loss whatsoever, including but not limited to damage to or
IOU of urn of equipment, piant, or power system; cod or capftai; IOUof profits or
revenues; cost of replacement power; addltional expenses in tho use of axisting
power facilities; or claims against the user by its customers, retuttrng from use of th.
Information, recommendations, or descriptions contained herein.

NUREG-1275, Vol. 11
 CAL 9292
Page 1 of 7

CUSTOMER ADVISORY LETTER

92-02
REASON FOB ADVISORY
Recently a nuclear unit experienced an overspeed incident. Investlgatlon indicated that the incident nuv
have been partially due to malfunctioning EH dump solenoid valves. Subsequent to this incident, other
reports of incidents of sticking EH dump solenoid valves have been received

The solenoid valves involved were Parker-Hannafin Manatrol solenoid valves 20/0PG1 and 20/0PC-2
(overspeed protection controller) and 20/ET (EmergencyM p solenoid valves) used with ElectmHyd~aulic
(EH)control systems. The above three solenoid valvea are located on a machined block on the right side of
the pedeml. In another arrangement there are Four 20/AST (Auto Stop Trip) solenoid valves and two
2O/OPC solenoid valves on a machined block on the right side of the pedestal, Refer to Figures 1and 2.
ADVISORY INFORMATION
To reduce the potential for a unit overspeed incident, thla Advisory provides operation, maIntensnce and
testing recommendations for all control system solenoid valves, as well as available enhancements to the
control system.

TUEBINE OVEBSPEED OPEBATIONCAN RESULT IN DAMAGE TO

OR DESTRUCTION OF EQUIPMENT AND PROPERTY, AND/OR
PEBSONAL INJUBY OB DEATH. PEBFOEM PERIODIC
JUINTENANCE AND TESTING OF OVEBSPEED PROTECTION
SYSTEMS AND ADHERE TO BECOMMENDED PBACTICES TO
REDUCE POTENTIAL FOB THIS OCCUBBENCE.
2.1 Operrtlon, Maintenance and Testing Becornmendatlons
21.1 Remove,replace or rebuld and thentesteach solenoid Mhre at each major unit outage or
in accordancewith valve manufacturer's recommendations. Valves should be rebuilt
by valve manufacturer approved vendor. Spare valves in stock should be rebunt In
accordance with valve manufacturer'srecommendationsto maintainadequate combined
operation and shelPlife.

21.2 VedQ that all pressure switches used to indicate a turbine trip condition (autastop oil
pressure) are set at the same pressure level per instruction Book information. Thls
permits resetting the turbine control syatem to a Mpped condtlon simultaneously with
notiflation of aturbine Mp to the steam supply system

21.3 Maintain EH fluid temperature and cleanliness within recommended specifications.

Refer to OMM 120 and Instruction Book Vuiiy that EH fluid tubing is not buried in
hulation or exposed to hot turbine parts (Refer to AIB 8102). This will reduce varnish
deposits on close clearance parts such as solenoid valves, Moog valves and.rellef vahres
and clogglng of drain hes, The recommended operating temperature for the EH fluid k i
100°Fto 130°F.
21.4 Westlnghouse recommends the use of autostop oil presrmre level to indicate the latched
or Mpped condition of the turbine. It b recognized that some users may use valve limit
switches for thb purpose. If so,the hnlt switches at the closed end of tht valve should
b e d

c-1 NUREG-1275, Vol. 11

--. --
..IC,
.I
.-
CAL 92-02
Page 2 of 7

2.l.5 Test trip weight by simulation (oil test) monthly per inshumions in the unit Instruction Book
2.1.6 Test 2Q/ETsolenoid valve trip on each startup to verify this valve is opening and closing. If
any of the 20/0PC, 20/ET or 20/AST solenoid valves does not operate due to sticking, all
solenoid valva are to be removed, replaced or rebuilt and then retested.

2.L7 Test each 20/0PC solenoid valve (or AGG on some units) Individually on each startup to
verify valve is opening and closing. Thts may require installation of a test switch. If any of
the 20/0FC, 2O/ET or 2WAST solenoid valves does not operate due to sticking, all solenoid
valves are to be removed, replaced or rebuilt and then retested.

2.1.8 Use revem power relays in the circuit for opening the main generator circuit breaker as
recommended in OMMOBB. This allows turbine driving steam to be dissipated prior to
opening the breaker.

2.1.9 Follow testing and maintenance practices for steam non-return valves per ANSYASME
StandardsTDP-1 and TDP-2 'Recommended Prsctices for the Preventionof Water Damage to
Steam Turbines Used for Electric Power Generation" This will reduce the possibility for
uncontrolled flashlngsteam Mvingthe unit to overspeed.
2.1.10 When conductlngperiodic frip tests at the front pedestaz the front pedestal operator must be
in constant contact with the control room to permit receipt of any tripping instructions.
The front pedestal operator ie to have visual access to indications of unit speed and autostop
oil pressure via tachometerpressure gauge or other turbine Mp status.
The frontpedestal operator is to release the test &e if turbine trip OCCUIS or if indications
of a unit ovenspeed are receivd
2.1.11 To reduce the potential for a momentsty drop in autostop oil pressure durjng trip testing, the
cleanliness of the autostop lube oil should be maintained to reduce possibility of oWke
clogging. (Refer to OMM 072 and OMM 106).

2.1.12 Report failures of any of the above solenoidvahres to Westinghouse.

The recommendations contained in Section 2.1 of this Advisory are to be implemented at your earliest
opportunityand thereafter at the recommended intervals.

2.2 System Enhrncemente

The following control system enhancements are provided for your consideration for reducing the
potential for a unit overspeed incident.

2.21 Install coil monitorsto check for cirmit continuityof tripping solenoids.

2.2.2 Modiry trip system to energize all available valve test solenoids simultaneouslywith trip
solenoids. This would provide an &mate path for getting valves closed.

On units with EH controllers,the exis-

2.2.3
-
overspeed trfp. CAUTION ON AN AEH U",
110%rated speed contact can be used to initiate an
A SINGLE SPEED CHANNEL IS USED
TO ENEBGIZE THIS CONTACT. W B E F O R E , A SINGLE HIGH FAIL- COULD
CAUSEA TRIP.
2.24 Install a latch-in circuit to energize 2 0 m solenoid valves. Some plants have a separate
electric trip to energize 20/ET other than that used for 20/ASl'. If the signal is removed &om

NUREG-1275, Vol. 11 c-2

 CAL 92-02
Page 3 of 7

the 20m solenoid valve, the 20/ET will allow reestablishingthe high pressure fluid. If
the paralIe1 path which energizes the 20/AST did not function, the steam valves could
reopen creating a potential for overspeed. To maIntah the unit in a &@pedcondition
from an external signal tothe 2 0 m , a latcbin rew is recommended

2.2.6 On units with mechanical trip smtems, one 20/AST is standard. During trip testing at the
front pedestal,this solenoid is made ineffective, A second 2 W . (style 387A99MH)Z) can
be instalIed on the HP oil supply side of the test handle to d o w electrical trips to be
effective even when the test handle is held, Refer to Figure 3.

2.2.6 Install a pressure switch (style 889C416015) in the main (shaft) oiI pump discharge to
detect an averspeed condition.This feature would be most beneficial for customers who
desire an alternate electrical overspeed protection ChanneL This pressure switch could
be set at a level equivalent to 11296 rated speed to initiate a W i n e txip. To avoid an
inadvertent trip, a 2 out of 3 scheme should be used.

2.2.7 On 1M)# and 300# systems, add a load drop anticipator system to immediately close the
governor and interceptorvalves on breaker opening, The valves would stay closed u na
the steam flow drops to a reIatively low level.

2.2.8 To reduce the possibility of tripping the unit during testing of the trips at the front
pedestal, install a pressure gauge on the trip block side (mechanical trip system) of the
test handle. See Agures 3 and 4. The operator should verifv that autostop pressure has
been reestablished before releasing the test handle,.

The recommendations contained in Section 2.2 can be implemented at the next opportunity to complete the
Scope.

The recommendations contained in sections 2.2.1, 2,2.2, 2.2.6 and 2.2.8 apply to ail units. The
recommendations in 2.2.3 and 2.2.4 apply to EH systems. The recommendationcontained in 2.2.6 applles to
300#EH systemswith MEi trlp supplied prior to 1962.

If additional information relative to or cIarification of these recornendations is required, contact your

local Technical Servfce Manager or Generation Specialist.
CAL 92-02
Page 4 of 7

EMERGENCY AND OVERSPEED

PROTECTION CONTROLLER
SYSlEM
(EXISTING)

FIGURE 1

NUREG-1275, Vol. 11 C-4

 CAL 92-02
Page 5 of 7

EMERGENCYAND OVERSPEED
PROTECTION CONTROLLER
SYSTEM

n
(EXISTING)
I
I

1A
a EMERGENCYTRIP HEADER
TRIP
INTERFACEVALVE

LUBE OIL
SYSTEM)

FIGURE 2.
CAL 92-02
Page 6 of7

EMERGENCY AND OVERSPEED

PROTECTIONCONTROLLER
SYSTEM
(PROPOSED)

-
I I / +
TURBINE
Pro osed
CRaNp7
/ I

u]F
T-
TRIP HEADER

HPOIL
SUPPLY
rdEE

FJGURE 3.

NUREG-1275, VO~.
11 C-6
 CAL 9242
Page 7 of 7

EMERGENCYAND OVERSPEED
PROTECTION CONTROLLER
SYSTEM
(PROPOSED)
I
w

EMERGENCYTRIP HEADER

SYSTEM)

- 20-4
-- 20-3

It

FIGURE 4.

c-7 NUREG-1275, Vol. 11

 APPENDIX D
AVAILABILITY IMPROVEMENT BULLETIN 9301,
“SYSTEM TURBINE OVERSPEED PROTECTION SYSmM”*

‘Reprinted with permission of Westinghouse Electric Corporation.

 DISCLAIMER OF WARRANTIES
AND LIMITATIONOF LIABILITY

THERE ARE NO UNDERSTANDINGS, AGREEMENTS, REPRESENTATIONS, OR

WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OTHER THAN
THOSE SPECIFICALLY SET OUT IN ANY EXISTING CONTRACT BETWEEN THE
PARTIES REGARDING THIS EQUIPMENT. ANY SUCH CONTRACT STATES THE
ENTIRE OBLIGATION OF SELLER. THE CONTENTS OF THIS DOCUMENT SHALL NOT
BECOME PART OF OR MODIFY ANY PRIOR OR EXISTING AGREEMENT,
COMMITMENT, OR RELATIONSHIP.

The information recommendations and descriptions in this document are based on

Westinghouse's experience and judgment with respect to this equipment's operation
and maintenance. THIS INFORMATION SHOULD NOT BE CONSIDERED AS ALL
INCLUSIVE OR COVERING ALL CONTINGENCIES. If further information is required,
Westinghouse Electric Corporation should be consulted.

NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF FITNESS

FOR A PARTICULAR PURPOSE OR MERCHANTABILITY, OR WARRANTIES ARISING
FROM THE COURSE OF DEALING OR USAGE OF TRADE, ARE MADE REGARDING
THE INFORMATION, RECOMMENDATIONS, OR DESCRIPTIONS CONTAINED HEREIN.
In no event will Westinghouse be responsible to the user in contract, in tort (including
negligence), strict liability or otherwise for any special, indirect, incidental, or
consequenttal damage or loss whatsoever, including but not limited to damage to or
loss of use of equipment, plant, or power system; cost or capital; loss of profits or
revenues; cost of replacement power; additional expenses in the use of existing
power facilities; or claims against !he user by its customers, resulting from use of the
information, recommendations, or descriptions contained herein.
 AIB 9301
Page 1 Of 16

AVMJABILITYIMPROVEMEXTBWTIN
9301
1. REASON FOB BULLETIN

In February 1992, Customer Advisory Letter 92-02was issued as a result of an overspeed incident on a
nuclear unit The overspeed incident was partially due to malfunctioning EH dump solenoid valves.
The solenoid valves involved were Parker-Hannifin Manatrol solenoid valves 20/0PC1 and 20/0PC-2
(overspeed protection controller) and 2O/ET Wergency Trip solenoidvahres) usedwith Electro-Hydraulic
@ €Isystems.
control ) The above three solenoidvalves are located on a machined block on the right side of
the pedestal. In another arrangement there are four 2O/A!3T (Auto Stop Trip) solenoid valves and two
2WOW solenoidvalves on a machined block on the right side of the pedestal. Refer to F'igures 1and 2.
Two configurations of valvk have been used. The Parker-Hannifin valves use a spool type solenoid
operated pilot valve. The other configurationuses a poppet type solenoid operat& pilot valve. O€ about
lo00 solenoid valva in use for the above functions, 4096 use the spool type pilot valve. During the past
year, several incidents of spool valve sticking have been reported. No incidents of sticking have been
reported for the poppet type valves. On investigationit became apparent that the key to reliable operation
of either solenoid vdve configuration, but especially of the spool type design, is periodic testing. On units
with the three solenoid valve arrangement, this can only be done when the unit is off-line. On units with
four 20/AST and two 20/0F'C valves, only the 2 0 f . valves can be tested on-line. None of the solenoid
valves can be replaced on-line.
C o n c m n t with the investigation of the aforementioned incident, a number of complementary actions
were taken thatincluded but are not limited to the following
Survey of users solicitingvalve and system performancefeedback
A thorough engineeringreappraisal of overspeed protection systems.
In depth discussionswith variousvalve manufacturersto obtain their inputs.
An investigationof dump vaIve orifice sizing, related to slow (greater than 0.5 seconds) reheat
stophmterceptorvalve closure during offIine tests.

2. AVAILABILITY IMPROVEMENT INFOFWATION

Because of the serious nature of excessive overspeed, Westinghouse recommends system redundancies
and on-line testing capabilities. Several of the following configuration specific recommendations are
reiterations of those contained in CAL, 92-02.
k UNITS %TlTXEH CONTROL SYSTEMS
1. A s a minimum, modify units with two 2WOPC (AGG)and one 20/ET solenoid valves to
pennit on-line testing, This could also allow on-line replacement.
a One method of accomplishing on-linetesting is to install a test block between the
present solenoid valves and the large machined block. (Refer to Figures 3 and 4).
This test block can be used to individually test the solenoid valves on-line and
could also allow on-line maintenance. For units with spooI type pilot valves, ttds
block can be sandwiched in with little effort. For units with solenoid valves that
screw into the main block, a new block would be required. This method minimizes
the modifications needed but requires local testing. Other methods could be used
which range from coming off-line to test to remote testing capability involving
blocking solenoid valves and pressure transducers.
b. Install a push button panel aaacent to the solenoidvalves to pemd on-line testing
of each solenoid valve when done locally. Additional instrumentation will be
needed if done remotely.
c. Test thevalves monthly using appropriateInstruction Leaflet requirements.

D-1 NUREG-1275, Vol. 11

AIB 9301
Page 2 of 16

2. As a minimum,modify units with an electrical trip system and having two 20/0PC and four
20/AST solenoid valves to allow for on-line testing of 20/0PC valves. This could also allow
on-line replacement of valves.
a One method of accomplishing on-line testing is to install a test block between the
present 20/0PC solenoid valves and the large machined block. (Refer to Figures 3
and 4 ). This test block can be used to individually test the solenoid valves on-line
and could also allow on-line maintenance. For units with spool type pilot valves,
this block can be sandwiched in with little effort For units with solenoid valves
that screw into the main block, a new block would be required. This method
minimizes the modifications needed but requires local testing. Other methods
could be used which range from coming off-line to test to remote testing capability
involving blocking solenoid valves and pressure transducers. Test the valves
monthly using appropriateInstruction Leaflet requirements
b. Installa push button panel adjacent to the solenoid valves to permit testing each
solenoid valve when done locally. Additional instrumentation will be needed if
done remotely.
c The four 20/AST solenoid valves can presently be tested in pairs, not individually.
Install a push button panel aGacent to the solenoid valves to allow individual
testing of these valves. It is suggested that a test block be installed for each
solenoid valve to allow on-line maintenance of these valves. Test the valves
monthly usingappropriateInstruction Leaflet requirements.
3. Remove, replace or rebuild and then test each OPC, ET and AST solenoid valve in the EH
lines at each m@orunit outage in accordancewith valve manufacturer's recommenda,tions.
Spare valves in stock for five yeacs or more should be rebuilt prior to being placed in
operation. VaIves should be rebuilt QI& by valve manufacturer approvedvendor.
4. Verify that all pressure switches used to indicate a turbine trip condition (autostop oil
pressure) are set at the same pressure level per Instruction Book information. This
permits resetting the turbine control system to a tripped condition simultaneously with
notification of a turbine trip to the steam supply system
5. hfahtain EH fluid temperature and cleanliness within recommended specifications. (Refer
to OMM 120 and Instruction Book). Verify that EH fluid tubing is not buried in insulation
or exposed to hot turbii parts (Refer to AIB 8102). This will reduce vamish deposits on
close clearance parts such as solenoid valves, Moog valves and relief valves and clogging
of drain lines. The recommendedoperating temperaturefor the EH fluid is 100°F to 130°F.
Refer to 1.L 12504290 'Care, Handling & Application of Control System Fluid" for
appropriatesafety precautions.
6. InstaJl a latch-in (sed-in) circuit to energize 20ET solenoid valves. (Refer to Figure 6).
Some plants have a separate electric trip to energize 20ET other than that used for 2WAST.
If the signal is removed fiom the 2OET solenoid valve, the 2O/ET win allow reestablishing
the high pressure fluid. If the paralrel path which energizes the 2WAST did not function,
the steam valves could reopen creating a potential for overspeed. A latch-in circuit will
maintain the unit in a tripped condition when the 20/ET solenoid receives an external
signal.

7. Test each 20/0PC (or AGG) and each 20/AST or 20/ET solenoid valve individuallyon each
startup. If any valve does not operate due to sticking, all solenoid valves should be
removed, replaced or rebuilt and then retested.

8. For all valve actuators equipped with a three inch dump valve, inspect the orifice which
limits the flow of fluid from the high pressure header to the emergency trip header to verify
thatthe diameter is 0.031 inches or less. Other valve actuators. equipped with the 7/8inch
dump valve, do not requjre thii inspectionas they do not have this orifice. Figure G shows
NUREG-1275, Vol. 11 D-2
 AIB 9301
Page 3 of 16

a fluid diagram for actuators equipped with both types of dump valves. Figures 7 and 8
show an exploded outline of typicalvalve actuators equjpped with the'7/8 and 3inch dump
valves (respectively).

The orifice to be inspected (on valve actuators equipped with the three inch dump valve) is
located most commonly in the orifice plate that is sandwiched between the machined
block and the test solenoid valve, as shown in Figure 8. If the orifice diameter fs greater
than 0.031 inches, it is recommended thatit be replaced with another having the 0.031 inch
diameter. Some valve actuaton equipped with the three inch dump valve do not have an
orifice plate and instead the orifice was drilled into the machined block underneath the
test solenoid valve; for this configuration, if the orifice diameter is greater than 0.031
Inches,it is recommended that an orifice plate be added having an orifice diameter of 0.031
inches,as shown in Figure 8 (the drilled orifice in the machined block should be left as is).
0. Insped and verify that the vented drain he@), which return fluid to the EH Reservoir
from the emergency trip header interface diaphragm valve and emergency trip control
block connections (located at 'the governor pedestal), are of the proper size; 1.00 inch OD
by 0.120 inch wall thicknesstubing.
Also verif'y that the vented drain Iine(s) are located and adequately protected against a
possible mishap which could cause a reduction in the flow capacity of these line(s). It
should be noted that current Westinghouse practice calls for two independent, full
capacity vented drain lies to be run to the EH Reservoir in parallel in order to help
minimize this risk Additionally, a cross-tie between the two vented drain lines near their
connections to the interface diaphragm valve and emergency trip control block is also
recommended.
10. Poppet type solenoid valves will be furnished when replacemenVsparesolenoid valves are
ordered. They are a direct replacement for the spool type valves with regards to form, fit
and function and will mount directly in place of spool type valves (Refer to Figure 4).
Westinghouse Style 8822A848001is replaced by 8075949002.
B. UNITSWITHMECHANICALTBIPSYSTEMS
1. On units with mechanical trip systems,one PO/AST is standard. During trip testing at the
b n t pedestal, this solenoid is made ineffective. A second 20/AST should be installed on
the HP oil supply side ofthe test handle to allow electrical trips to be effective even when
the test handle fs held (Refer to Figure 9).
2. In addition to testlng the low bearing oil, low vacuum and high thrust trips devices on a
monthly basis, the trip solenoid 20/AST in the mechanical trip device assembly should be
tested monthly using appropriate Instruction Leaflet requirements Caution should be.
exercised when making this test to assure that other p h t tripping circuits are not
involved.
3. At each maor outage, visually inspect and manually manipulate the trip assembly
mechanisn to detect any worn parts, loose pins, ruptured bellows or sticking mechanism
Repair as needed.
c. uNrrs~MEcHANrcALEYDRAuLIccoNTBoLsYsTEMs
It is recommended that these units have as a minixnm
1. An auxiliary governor which will take action to arrest atibine speed to a value below the
trip set point Thls hctfon may be called a pre-emergencygovernor.

D-3 NUREG-1275, Vol. 11

AIB 93M
Page 4 of 16

2. A load drop anticipator to assist in preventing reaching the overspeed trip point on a
sudden loss of load On 300 psig control systems, a solenoid valve would divert control oil
from governor and interceptor valve sewornotom to drain On I5opsig control systems, a
solenoid vaIve would admit high pressure oil to the governor and interceptor valve control
oil header. Either configuration will cause the governor and interceptor valves to close.
The essence of this feature is shown in Figure 10.
D. ALLUNITS

1. Use reverse power relays in the circuit for opening the main generator circuit breaker as
recommended in OMM092. This allows turbine driving steam to be dissipated prior to
opening the breaker.

2. Westinghouse recommends the use of autostop oil pressure level to indicate the Iatched or
tripped condition of the turbine. It is recognized that some users may use valve limit
switches for this purpose. If so,the limit switches at the closed end of the valve should be
used.
3. Test the trip weight by simulation (oil test) monthly per instructions in the unit Instruction
Book
4. Follow testing and maintenance practices for steam non-return valves per ANWASME
Standards TDP-1 and TDP-2"RecommendedF'ractices for the Prevention of Water Damage
to Steam Turbines Used for Electric Power Generation" This will reduce the possibility
for uncontrolled flashing steam driving the unit to overspeed.
5. When conducting periodic trip tests at the front pedestal, the front pedestal operator must
be in constant contact with the control room to permit receipt of any tripping instructions.
6. The front pedestal operator is to have visual access to indications of unit speed and
autostop oil pressure via tachometer, pressure gauge or other taubiie trip stam.

7. The front pedestal operator is to release the test valve if a turbine trip occurs or if
indications of a unit overspeed are received.

a To reduce the potential for a momentary drop in autostop oil pressure during trip testing,
the cleanliness of the autostop lube oil should be maintahed to reduce the possibility of
oflice clogging. (Refer to OMM 072 and OMM 106).

9. It is recommended that ELUunits have at least two independent means of tripping the unit
on overspeed. TNS should consist of the overspeed trip weight channel plus one or more
of the following:

a One electrical speed sensing channel

b. Pressure switches sensing shaft driven oil pump output pressure (Ei& 11)

c Tpro out of threeelectrical speed sensing channek (Fig. 12)

A means of functional testing on-line is to be incorporated regardless of the methods

ChOSen

10. To reduce the possibility of tripping the unit during testing of the trips at the front
pedestal, installa pressure gauge on the trip block side (mechanical trip system) of the test
handle. Refer to Figures 1and 2. The operator should verify that autostop pressure has
beenreestablished before releaslngthe test handle.

NUREG-1275, Vol. 11 D-4

 AIB 9301.
Page 5 ot 16

EMERGENCY AND OVERSPEED

PROTECTION,CONTROLLER
SYSTEM

CUBE OIL
SYSTEM)

FIGURE 1

D-5 11
NUREG-1275, VO~,
AIB9301' '

Page 6 of16

EMERGENCYAND OVERSPEED
PROTECTION CONITROLLER
SYSTEM

f
EMERGENCY TRIPXEADER

ONTERFACE VALVE

LUBEOIL
SYSTEM)

9 1

I
HEADER

FIGURE 2

NUREG-1275, Vol. 11 D-6

 AIB 9301
Page 7 of 16

SOLENOID VALVE ADAPTER

SPRING RETURN
HAMU
l VALVE
BUTTON EX I STING
ORIFLCE CIRCUIT

L This arrangementdoes not apply to:

a Manifoldblocks with cartridge valves mounted directly m the block. For these
units, a new manifold block and solenoidvalva arc requhi.
b. The solenoid valves designated 20/AST on manifold blocks with 6 valves.
Presently, 20-1/ASTthomugh20-4/AST valves can be tested online but not
replaced online. New solenoid valves and an alteration to the manifoldwould
be required in order to p e d on line replacement.
II. For remote testing, a variation of the above arrangement could be made by:
a. Replacing the manual valve with a normally open solenoidvalve.
b. Adding a pressure transmitter and receivet to nad the gauge pressure,

c. Adding a solenoid valve test panel in the control room

FIGURE 3
AIB 9301
Page 6 of 16

SOLENOID VALVE ADAPTER

PARXER-HANNIFIN
SOLENOID VALVE
REMOVE EXISTING PLUG

47
REPLACE WITH ROOT VALVE
AND GAUGE

POPPET S m L E
SOLENOID BLOCK

L,------- OR
I
I
1

SPRING RETURN
NORMAWLY OPEN
BALL VALWE

FIGURE 4

NUREG-1275, Vol. 11 D-8

 AIB 9301
Page 9 of 16

LATCH IN OF 20/ET
+
63/AST CUSMHEB
c TRIP CONTACT
RESET

63/AST CLOSES ON LOSS OF AUTOSTOP OIL PRESSURE

-
I
0

2O/ET OPENS TO DUMP HIGH PRESSURE EMERGENCY TRIP LINE

The original intent of the 63/AST-2O/ET circuit was to provide a redundant path to the
diaphragm valve. Practice has indicatedthat many utilitiesenergize 20ET directly as a
redundant path to 2O/AST. As presently configured, there is no latch in circuit to keep 20ET
energized. The circuit above is recommended to keep 20/ET energizeduntil an operator
purposely resets the circuit.
AB 9301
Page 10 of 16

VALVE ACTUATOR Wl"H 718" DUMP VALVE

(not affected; for reference only)

WSH-TVPE
CIUNDER

VALVE ACTUATOR WlTH 3'' DUMP VALVE

-7 sffacted orifice vw EI~ERCU~

TRIP L M

FlGURE 6
mAm
sum
INTERCEPTOR
VALVE

NUREG-1275, Vol. 11 D-10

 AIB 9301
Page 11 Of16

VALVE ACTUATOR WITH 718" DUMP VALVE

(not affected; for reference onIy)

MACHINED
1 BLOCK

FIGURE 7

D-11 NUREG-1275, Val: 11

AIB 9301
Page 12 of 16

VALVE ACTUATOR WITH 3" DUMP VALVE

(d=0.03lmm8x)

FIGURE 8

NUREG-1275, Vol. 11 D-l2

 AB 9301
Page 13 of 16

MECHANICAL TRlP SYSTEM

t
I

TURBINE
TRIP VALVE CLOSURE SYSTEM
BLOCK

-4!
i

06
TRIP

Change

FIGURE 9
A1B 9301
Page 14 of 16

LOAD DROP ANTICIPATOR

1 1 R1

I
7-
%SURE

T SWxTCB

Installation
1. Install a pressure switch to use as a measure of steam flow. A convenient location is in the
crossover pipe. Calibrate the pressure switch to close at a pressure equivalent to 30% or
greater of rated flow.

2. Install a solenoid valve in the control fluid he.

1. Unit operating above 30% load with drop anticipator (LDA) pressure switch closed and the
main breaker contact open.

2. Main breaker opens closing contract B. LDA contact remains closed.

3. Relay R1 picks up and energizescontrol oil solenoid valve. This in turn closes governor
and interceptor valves.
4. Steam flow reduces and LDA pressure switch opens.

5. Control oil pressure restored and normal governing function controls speed.

FIGURE 10

NUREG-1275, Vol. 11 D-14

 AB 9301
Page 15 of 16

OIL PRESSURE SWITCH llRRANCPfENT

SHAFT DRIVEN OIL

PUKP OUTLET

One relatively easy way to add a backupoverspeedprotectioncircuit is to take advantage of the

shaft driven oil pump pressute variation with shaft speed. Using 2 out of 3 logic reduces the
chance of tripping due to a single switch failure.

Due to variations from unit to unit, the output pressure needs to be checked for each unit at the
overspeed trip level.

A normally closed contact from each pressure switch can be set to open above 95% speed and
used to indicate a switch failure in the closed direction.
The pressure switches can be isolated and removed for calibrationchecking while online.
Calibrationshould be done a minimumof once a year using a dead weight tester.

FIGURE 11
AB 9301
Page 16 of 16

TWO OUT OF THREE ELECTRICAL

SPEED SENSING CHANNELS

4e 4
CHANNEL NO. 1 CHANNEL NO.? CHANNEL N0.3

1
DIGITAL SPEED DIGITAL SPEED DIGITAL SPEED
TACI-UREIAY TACWREIAY TACWREUY
NO. 1 NO. 2 NO. 3

I
a3 OVERSPEEO
LOGIC (NORMAL)
OVERSPEE0
LOGIC
(ELNATED)
LOSS OF SPEEO
SENSING LOGICi
FIGURE 12

NUREG-1275, Vol. 11 D-16

 APPENDIX E
HAMMER VALVE
 HAMMERVALVE

As noted in Section 4.3., the author of this Control for Compact Drives for Turbine
study examined an SOV which is used in Valves,” by E. Kloster, explain in detail how
European fossil-unit TOPS systems. The valve the valve works. In response to the author’s
undergoes long periods of inactivity but must inquiries about the hammer valve’s reliability,
function properly when called upon to dump the enclosed June 10, 1993, letter from
EHC system hydraulic fluid. The enclosed N. Schauki of Siemens Nuclear Power
technical articles; “Herion Directional Control Services, Inc., notes that the hammer valve has
Valve q p e 5203468 for Hydraulic Safety functioned on demand with 100-percent
Control Systems Inoperative for Long Periods success. However, some minor flange leakages
Under Pressure,” by A. Hoeger, and “Trip had been recorded.

NUREG-1275, Vol. 11
 HERION directional ccsntron valve type 5203468
for hydraulic safetycontrol systems inoperative
for long periods under pressure" AdOtfHoegBf

S p l or scat-type d i i o n a l contra1 'Ihii "hammer action" frees the con-function of tho armature in rolenoid
valves subjected to hydraulicpressure tralpiston,therctumrprin~~nmove @) istodlschargc the breakawayim
for lengthy periodstend to sufferfrom the piston to position @). The sole pact.
pG;ton sticking. This means that it is
no longer possible to change thestate
of the valve. b u e ,the switching
forces are not sufficient to f r
e e the
jammed piston. This is particularly
critical if switching is performed by a
spring or hydraulic pressure, DI, these
arcagentswhichurertastaticforceon
the piston. Tests and c ~ s ehiitorits
have shown that a blow with a ham-
mer on the casing of a valve with a
jammed piston is enough to free the
piston, a feat which static force done
could not aaomplish.
In safety contra1 bysLcms, the safety
dindional control valve must be
switched by the rctum springif power
fails.lhere must benoquestionofthe
pistonjamming.

TheHERION typcS?O3468 valvewas

developed for reliabte switching even
whenthepistonisjammedafteralong
periodof inoperatioh

A device designed to jerk Lhe sticking

piston free is mounted on the clec-
tromagnetically actuated spool valve
with rcturn spring.

This deviccconsistsofamagnetlccoil,

iir
a solenoid armature and a compres-
sion spring. The armatun is of a de-
sign whirb ndnrulatcs the oil when
the valve is switched.

If theimpact solenoid(a) is cnergizcd,

the piston moves against the force of
the return spring to
wben the solenoid (ar:L!%
&zed, the return spnng pusher the
piston back to position 0).That is the
method of operation when the piston
does not stick in the "solenoid (a)
energized" position.

Salewid (a) and solehoid(b) arc both

energizedat thesametime.?hearma-
wrc of solenoid @) pretensions the
spring insolenoid (b). When solenoid
(a) is de-energized, solenoid (b) is
also rietnergized. In this way, the ar-
mature is pushed toward position (a)
by the spring in solenoid (b). As it
moves, the armature travels through
the space A and strikes the control
piston if it has stuck. HERION valve vpe 5203468

*Reprinted with permission of Herion-Werke KG.

NUREG-1275, Vol. 11 E-2

 Trip control for compact drives
for turbine valves* Gnst Kloster. Kraftwelk UnbnAG

In the speed or output controlsystem Inordertocontrol thesteamforces by The control speeds required for nor-
of a steam turbiie, irregularities arc means of the valves, high contro1 mal dosed-loop or open-loop opera-
compensated via the turbine control fonts must be made avaiIabIe with tions of the control drives are insuffi-
system by adjusting the steam inlet short control times. Thf. coupled dent for extreme turbiie failure
valve. This enables the flow of steam with the requirement for high posi- modes,such as a full-load shutdown
to be matched to output require- tioningaccuracyof thecontrolvalvcs. or an ovenpced trip. A considerably
ments. In order to provide protection can be achieved only by means of hy- shorter control time is nexsary in
against impermissibleoperatingstatcs draulic drives. Instead of die other- t h e cases in order to prevent imper-
of the turbiic-generator set, such as wise customary central control-fluid missible ovenpeeding of the turbiie-
ovenpecd resulting from the failure supply system to the valves via pipes, generatorsect Thecompactdrivcs for
of control valva to dose, the series- aseparate oiIsupply (pump, filterand controI and trip valves arc therefore
conncctcd trip valves are provided accumulator) is incorporated in each provided with a fast speed which CM-
withacontrolsystem whichdosesthe drive. These are designed for a high bles acontroltime inthedodagdtec-
valves when triggered. The protective operatingpressurcandareofmmpact tion of 150 rns to be achieved.
signal also acts on the control valve, dimensions (Figure 1). Electrical sig- One precondition for such short clos-
thus incorporating redundancy into nal and supply lines are fed to the ing times is that the actuatingfor& in
thesafety system. compact drive. To act as a drive for the dosing direction be applied by a
the control valves, this is actuated by pre-loaded spring, in thiscaseaspring
The new turbine control system has an electrohydraulicservovalvevia an disk in other words, dosure must be
been designed to use eIectridty for electrical position control loop. The effected without any auxiliaryenergy.
signal processing, signal transmission switching drive to cantrol the trip The valve is o p e d by the actuating
and as an auxiliary powersource. The valve asanopen/closedvalveis.onthe piston which the03 pressure movesin
advantages are high processing and other hand, driven by a solenoid-ac- only one direction. Again. this princi-
transmission speeds and short delay tuated control valve via the control ple allows the stipulated short delay
times. system. times to be realized (Figure 2).

I
*Reprinted with permission of Herion-Werke KG.
 Energy storage by springs is at0 re the turbine, the diredion of failure example if the oil supply tails (“de-
quired for another reason: to protect must always be towad a d ~for ” eaergize to trip” pdnaple).

R p e 2 Hydraulicsystem of wntpuct dn‘ve

-
rapid- dosing control unir schema& view

ctosuespring

Impactsolenold

F i e 3 Poppet valveand dirccfional control valve

wi(himpactsoltn0id
FromContrdcylinder

NUREG-1275, Vol. 11 E4
To initiate the trip procedure, prqs- present, a sceondsolenoid valve isfit- LikeallthepartSfntheEontrolsystem
sure beneath the piston must be re- ted to the oppositeside; when tripped of the compact drivt, thesolenoidval-
duced and the volume of oildriven by by spring force, the armature of thii ves are ais0 subject to particularly
spring forceinto the oil reservoir. This solenoid strikes against the control high deanlines requirements.
b attained by the rapid opening of an slide ('impactsolenoid").Thii impact
integrated c o n e l system (Figure 3). produces an additional breakaway
When these valvqsopen foratrip, they p S e (Fqpre 3). The trip procedure is executed at in-
connect the cylinder with the reservoir
Even with hi& ambienttemperatures tervals of approx. 14 days in the
parallel to the electrohydraulicservo- and wide voltage tolerances, direc- course of the testing of the turbine
valve (control drive) or el- tional control valves with impact sol- protection system by an automatic
magnetic control valve (openlclosed enoids (=hammer vaIves") have test system
drive). adequatelylarge rcserycs of actuating Figurt4showsgmphsforrbipproce-
As shown above, a failure, which is to force in the dosing direction, short duke, m d with an exptrimental
say, the nondosure of a controlvalve, dosing times with small tolerances drive. Theseshowtripdgnals. control
leads to overspeed. Redundancy is and low leakage-oil rates. This is at- pressure downstream of the impact
therefore required, i s . trip and tained by precise balancing of the solenoid, control fluid pressure, the
controlvalvesareconnectedinpairsin dost-tolerancc spring with the sol- prtssurcbelowtheconvolpiston,rnd
series in a valve combination. Further enoids and similarly close tolerances the control piston travel asa function
redundancy is achieved by the parallel in clearancc. of time.
connection of two integrated control
systems (Figure 2).
Tiip
Each of these is able to handle the
closing operation by virtue of the fad
that, with over-dimensioned valves
and large duct cr~sssections,the
seriesconnected orifice is dimen-
sioned for the short dosing time.
The hydraulicfluid reacheseach pop-
pet valve separately via a directional
control valve actuated electrically by
the control system (Figure 2). The
poppet valves arc standard-installa-
tion elements with piston guide,
known as two-way poppet valves or
cartridge valves. With the control or
openlclosed drive open and cylinder
pressure applied beneath ,the vahe
cone, they are held dosed by the con-
trol pressurewhich thesolenoid valve
builds up above the cone. The so!-
enoids are energizedin opcration, de-
energized for a trip, the control pres-
sure is dissipated, the poppet valvcs
arc opened by cylinderpressure. The
decnergizc to close principle applies
to the solenoidvalves aswell, in other
words, if the electricalsupplyfails the
turbine valves close.
The solenoid valvcs selected are of
slidedesign, in order to ensure that no
scaling problems are encountered 100%
during tong periods in service. Slide Actuating
valves are subjected to fiictional pistontravd
forces and also adhesivcforccs i€they
remain for considerable periods in
one position. The HERION solenoid
valves have been developed to ensure 0%
that they can be tripped retiably by
spring force, even after a long
standstill period. To increase the re-
liability of the closing action even
when unexpected adhesive forces are figure 4 Graphsofa qui& closure
 SIEMENS

June 10, 1993

National Regulatory Commission

Mail Stop.9715
Washington, DC 20555

Attention: Or. Ornstein

Dear Dr. Ornstein:

Subject: Exoerience with "Hammer Solenoids Valves" from Herion

-
According t o the information we received from Mr. Gebauer at Siemens KWU in Miilheim,
there were no functional problems encountered with the "Hammer Solenoid Valves" from
Herion. In some cases minor flange leakages were observed. The leakage was overcome by
replacing the gaskets at scheduled maintenance. The functionability of the "Hammer Solenoid
Valves" has been 100% ensured to date (April 93).

Attached t o this letter please find a fax t o S-KWU with the above statement and a reference
list showing the power plants which have the "Hammer Solenoid Valves", the start-up date
and the number ofinstalled "Hammer Solenoids." As far as Iwas informed, some information
about the valves has already been sent t o you last year. If you have any questions, please
call me at 615/499-1718.

Best regards, A

.-
Valve Services

Attachments

Siemens Nuclear Power Services, Inc.

5959 Shallowlord Road. Suite 531 Chattanooga. TN 37421 EL: (615) 499-0461 FAX: (615) 894-2456

NUREG-1275, Vol. 11 E-6

I-
1

r
 REFERENCE LIST

for

-
Herion 4/2 "Hammer Solenoid Valves"

Selonoid Tvpc E l 146 M: NG6

Power Plant Commercial Number of Number of

Operation Actuators "Hammer Solenotds"
Start

KW Heyden 4 04.87 24 48
Kendal 1 04.88 24 48
1 Kendal2 10.89 24
-~ ~

48
11 Kendal3 I 10.90~~
I
~_______ ~
24 I ~
48
Kendal4 09.91 24 48
Kendal5 Under 24 48
Construction
Kendal6 24 48
KW Walsum B1.9 05.88 14 28
Megalopolis 4 09.91 14 28
Steag KW lierne 4 07.89 12 24
SWM KW Nord 81.2 08.91 12 24
HKW Moabit Block A 1 1.89 12 24
Fynsvaerket Block 7 04.91 8 16
Haapavesi 08.89 a 16
Simmering 3 04.92 8 16

Total: 232 464

NUREG-1275, Vol. 11 E-8

 APPENDIX F
OPERATION & MAINTENANCE MEMO 108,
"MAINTENANCE OF MAIN STOP VALVES & R E B A T STOP V'WS'*

*Reprinted with permission of Westinghouse Electric Corporation.

 DISCLAIMER OF WARRANTIES
AND LIMITATION OF LIABILITY

THERE ARE NO UNDERSTANDINGS, AGREEMENTS, REPRESENTATION& OR WARRANTIES,

EXPRESSOR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITYOR FITNESS FOR A
PARTICULAR PURPOSE, OTHER THAN THOSE SPECIFICALLY SET OUT IN ANY EXISTING
CONTRACT BETWEEN THE PARTIES REGARDING THIS EQUIPMENT. ANY SUCH CONTRACT
STATESTHE ENTIRE OBUGATION OF SELLER. THE CONTBNTSOF THIS DOCUMENT SHALL

-
NOT BECOME PART OF OR MODIFY ANY PRIOR OR CXISTMG AGREEMENT, COMMXTMBNT,
OR REWTIONSHIP.

Tho inlbrmntion ncwrmrnd8tfonr md drrariptIoar fn tht documant baud on Wostinghourr'8

rxparfrnco and Judgment with rrrpclct to thlr oquiparrnt'r opontloa and r d a k a m c o . THIS
INFORMATION SHOULD NOT BE CONSIDERED AS ALL INCLUBIVL OR COVERING ALL
CONTINGENCIES. If further informrtlon la n q u W W d n g h - Elwtric Corporadon should b.
conrulbd

NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF FITNESS FOR A

PARTICULAR PURPOSE OR MERCHANTABILITY, OR WARRANTIES ARISING FROM THE
COURSE OF DEALIN0 OR USAGE OF TRADE, ARE MADE REGARDING THE INFORMATION,
RECOMMENDATIONS, OR DESCRIPTIONS CONTAMED HEREIN. Ia no rvrat will Woutin#hww
bo rarponsiblr Lo thr u u r in conLncC in tort (includSngnrgilgrnco), rlriot U.bSUty or othrrwiu for m y
r p . o i 4 Sndincl, I n c M r n h or corurquontW damage or IOU Whatumnr, SncludSng but not Ifnitad (0
d r m y o to or lolr of w. of equipmrnt, plmt, 01 power ryrkm; coat or. capital: iorr of profib or
nvrnuor: coat of nplacarnrat p o r e 6 d d l h r l rxpoaur io t b uw d oxirttag powor fmufthkr;or
cldmr agdnrt the u w r by ita curtolllrra, nrultiag from u w of tha iaforrp.ttOrq rocommradationr, o r
dorcriptionrconhinod h m i n .
 OPERATION & MAINTENANCE MEMO
108
1 REASON FOR MEMO
Incidents of clappers of main steam stop valves having come loose and separating from
the clapper arm have been reported. This occurrence completely disarms the safety
backup feature of the stop valve.
High levels of vibration of the clapper valve resulting from improper back seat of the
clapper to the internal stop, combined with inadequate staking (peening) of the retaining
pins, can provide the conditions which may result in the pins coming out and eventual
clapper separation. Engineering evaluation of the few incidents compared to the
thousands of years of successfuloperating history of this type of valve and evaluation of
the assembly requirements confirms that proper assembly and maintenance of these
valves is essential to the performance of their function as a safety backup valve in the
inlet features.
2 OPERATION AND MAINTENANCE lNFORMA7lON
Implementation of the following recommendations, consisting of verifying the conditon of
the stop valve and, where required, instituting corrective action, should minimize the
potential for separation of the clapper from the clapper arm d u e to loose and vibrating
parts. These recommendations should be implemented in compliance with the stop
valve assembly procedures.
2.1 Verification of Stake, Nut to Retaining Pins
Remove the stop valve cover and inspect the stake (peening) of the clapper valve
nut over the retaining pins. Requirements for position of. pins and location and
amount of staking are shown on Figure 1. If necessary, take correctivke action to
a -
establish proper staking. Staking (peenin ) is to be done hot (!500°F min tOOO°F
max) with a peening tool having a 0.12 Inc spherical radius tip.
Contact your Westinghouse Representative for further details of the inspection
procedures, of the peening requiremenidacceptance criteria and, if restaking is
necessary, of the staking procedures.
2.2 Verification of 8ack Seat
Verify that the clapper valve stem properly back seats against the .internal stop
when the servo motor (or actuator) is in the prescribed wide-open, full-stroke
position. Refer to Figure 2. Verification of proper back seat should be established
by the "blue' method. If required, corrective action should be instituted per Reheat
Stop Valve Assembly Procedures Drawing to establish proper valve stem back seat
and recheck by the "blue' method.
2.3 Verify Belleville Washer Setting
Proper setting of the Belleville washer is critical to the proper operation of the valve.
Following the ffeld setting instructions provided in Figure 2, reset the 6elleville
washers to the required position while the valve is hot.

F-1 NUREG-1275, Vol. 11

OMM 108
Page 2 of 4

2.4 Document the results of the verification checks and actions taken per Paragraphs
2.1,22, and 2.3.
Contact your local Technical Services Manager if additional information relative to or
clarification of the recommendations in this Memo is required.

NUREG-1275, VOI.11 F-2

 Page 3 ot 4
STAKE PIHS

T 2 HOLES FOR .500 PINS

STAKE HUF O V E R A
PIN 4 PLACES.

ENLARGED VIEW "X"

NOTE: PfH MIST 8E SEAXD TO
m
SUFFICIMT OEPM BELOW
HUT ASSORE AoEQUATE
STAKE.

m0 OF PIH VIM TAPPED

HOLB.

FHtARGEil VIM *Y*

PEE?? ACCEPTANCE CRITERIA

UWC€PTABtE ~CCEmAslE
IHsuFFIC1EMfY omm mAl
DEfOrnMETAL MTtOuQi
cnw5l

LIQUID PENETRANT
INSPECT DEFORMED
METAL.
-t- I I

F-3 NUREG-1275, Vol. 11

OMM lot)
Page 4 of 4

A
51
52
BELLVILLE
NASHERS

PEEN TO RETAIN 53
54
55

FIELB SRTIN6 tN!XRUCTIONS

WITH STOP VALVE HOT AND WIDE OPEN. COMPRESS*
BELLEVILLE UAASHERS (IT. 54) BY USE OF AOJUSTING
SCREU (IT. 51) UNTIL STOP VALVE JUST STARTS TO
MOVE IN THE UOSED OIRECtION, THEN BACK OFF
ADJUSTING SCRM 60. LOCK WITH NUT (IT. 52)

AT ASSEWY CHECK THAT CLAPPER VALVE IS 8ACK-SEAtED

AGAIHST STOP WHEN IN OPEN POSITIOH AND T M T SERVO
BACK STROKE IS MINTAINEP,
SEAT

FIGURE 2

NUREG-1275, Vol. 11 F-4

 NRC FORM 335 U.S. NUCLEAR REGULATORY COMMISSION 1. REPORT NUMBER
(2-80) (Asslgned by NRC, Add Vol.,
NRCM 1102, Supp., Rev., and Addendum Num-
3201, 3202 BIBLIOGRAPHIC DATA SHEET bers, If any.)
(SeeInstructions on the reverse)
1 NUREG-1275, Vol. 11
1 '
2. TITLE AND SUBTITLE

I
3. DATE REPORT PUBLISHED
Ouerating Eherience Feedback Reuort-Tbrbine-Generator Oversuec '
Protectio; Syitems MONTH
April

I Comm
iercial Power Reactors

5. AUTHOR(S)
I
4. FIN OR GRANT NUMBER

6. TYPE OF REPORT
H. L. Ornstein Technical

1950-1994

- .
E. PERFORMING ORGANIZATION NAME AND ADDRESS (If NRC, provlde Dlvlslon, Offlce or Reglon, U.S. Nuclear Regulatory Commlsslon, and
malllng address: If contractor, provlde name and malllng address.)

Safety Programs Division

Office for Analysis and Evaluation of Operational Data
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001
0. SPONSORING ORGANIZATION -NAME AND ADDRESS (If NRC, type "Same as above"; If contractor, provlde NRC Dlvlslon, Offlce or Reglon,
U.S. Nuclear Regulatory Commlsslon, and malllng address.)

Same as 8 above.

10. SUPPLEMENTARY NOTES

11, ABSTRACT (200 words or less)

The report presents the results of the U.S. Nuclear Regulatory Commission's Officefor Analysisand Evaluation of Opera-
tional Data (AEOD) review of operating experience of main turbine-generator overspeed and overspeed protection sys-
tems. AEOD's studyprovidesinsight into the shortcomingsin the design, operation, maintenance,testing, and human fac-
tors associatedwith turbineoverspeed protectionsystems.It includesan indepth examinationof the turbineoverspeed event
that occurred on November 9,1991, at the Salem Unit 2 Nuclear Power Plant. It also providesinformation concerning ac-
tions taken by other utilities and the turbine manufacturersas a result of the Salem overspeed event. =OD's study re-
viewed operating procedures and plant practices. It noted differencesbetween turbine manufacturer designs and recom-
mendations for operations, maintenance,and testing, and alsoidentified significantvariations in the manner that individual
plants maintain and test their turbine overspeed protection systems.

12. KEY WORDS/DESCRIPTORS (List words or phrases that will asslst researchers In locatlng the report.) 13. AVAILABILITY STATEMENT
Unlimited
nrbine, overspeed (OPC), electrohydraulic system, EHC, missile, control system,
Regulatory Guide 1.115, RG 1.115, General Design Criterion 4, GDC 4, turbine- 14. SECURITY CLASSlFlCATlOh

generator, Salem-2, solenoid valve, solenoid operated valve, SOV,common mode (This Page)

failure, admission valve, bypass valve, OPC, ET, governor, hammer, AST,SEm, Unclassified
front standard, hand trip, precursor, TIL,fire, flood, vibration, AlT CAT-, ATB (This Report)
Unclassified
15. NUMBER OF PAGES

16. PRICE

1 I
NRC FORM 335 (2-89)