Text

Forwards Preliminary ASP Analysis of Conditions Discovered at Plant on 950802 & Reported in Encl LERs 50-335/96-004 50-335/95-005 & 50-335/95-006,for Review & Comment
	ML17228B495
Person / Time
Site:	Saint Lucie
Issue date:	05/16/1996
From:	Wiens L; NRC (Affiliation Not Assigned)
To:	Plunkett T; FLORIDA POWER & LIGHT CO.
References
	NUDOCS 9605210273
	Download: ML17228B495 (50)
	v • d • e

~g RE00

0

Cy

0O

Ith0

< 10".

Event Description

On August

1, 1995, thc National Hurricane Center predicted hurricane force winds from thc passage of

Hurricane Erin near thc St. Lucic site. Both units were shut down and cooled down to an average temperature

of 350'F to allow for enhanced

stcam generator

heat removal capability with a steam-driven

auxiliary

feedwater (AFW) pump, and a storm crew was stationed on-site to support potential recovery efforts.

Enclosure

1

4

LER Nos. 335/95-004, -005, -006

Hurricane Erin made landfall approximately 20 miles north ofthe site, and maximum wind speed on-site was

less than 45 mph. The Unusual Event that had been declared because ofthe hurricane was terminated at 0542

on August 2, 1995, and a decision was made to return both units to service.

At 0805, while Unit 1 was in Mode 3 with an RCS pressure of 1550 psia, RCP 1A2 middle seal cavity

pressure was observed to be approximately equal to RCS pressure; an indication that the lower seal stage had

failed. A decision was made to "restage" the leaking seal - increasing the differential pressure across it by

sequentially depressurizing the seal cavities from top to bottom.

During the restaging evolution, the RCP middle stage failed and the upper and vapor stage degraded.

The

licensee attributed these failures to the performance of the restaging procedure at RCS temperatures

above

200'F and on a rotating pump.

Twenty minutes aAer control room indication of the failed middle stage, at

1810 on August 2, 1995, operators began to cool down and depressurize

the RCS. At 1840, RCP 1A2 was

secured.

By'2018 on August 2, 1995, reactor cavity leakage had increased to about 2 gpm.

This leakage decreased

the next day due to the ongoing RCS cooldown and depressurization.

The RCP 1A2 seal was subsequently

replaced, as was the RCP 1A1 seal (due to degraded performance).

During the RCS depressurization

and cooldown on August 3, 1995, the PORVs were also stroke tested.

No

increase

in acoustical flow indication was

observed.

Because of apparent

inconsistencies

with other

indications, the problem was initially attributed to the acoustic monitors, and further PORV testing was

planned following replacement of the RCP seals.

On August 9, 1995, the PORVs were again tested with

unsatisfactory results, first at 260 psia, then in Mode 4 at 320 psia and with SDC secured, and finally at an

RCS pressure of475 psia.,

The problem with both PORVs was caused by the improper installation of the main disc guides following

overhaul during the 1994 fall refueling outage and by inadequate post-maintenance

testing before returning

the valves to service (only a seat leakage test was performed).

J

LER Nos. 335/95-004, -005, -006

With both PORVs inoperable, Limiting Condition for Operation (LCO) 3.4.13 required the unit to be

depressurized

and a vent path established within 24 h. A cooldown and depressurization was begun.

At0018 on August 10, 1995, with the unit at 278'F and 261 psia, the 1A LPSI pump was started to place the

SDC system in service to continue the cooldown.

Shortly after starting the pump, pressurizer

level and

letdown flow were observed to be decreasing.

Since no annunciations

associated with RCS leakage were

reccivcd, no increases in reactor cavity sump flowor waste management

system sump levels and tanks werc

detected,

and no leakage was observed

in thc LPSI pump rooms and other auxiliary building areas,

the

operators concluded that the unexpected mismatch between charging and letdown flow was the result of the

RCS cooldown.

At 0105, the 1B LPSI pump was started and the remaining steps in the SDC normal

operating procedure were completed.

At 0215 on August 10, 1995, water was discovered to bc accumulating in the auxiliary building pipe tunnel.

Both trains of SDC were secured (decay heat removal was provided by thc steam generators).

Pressurizer

level and charging/letdown flow werc observed to be stable, indicating that the leakage had stopped.

The

floor dram isolation valves to the safeguards

pump room sump were found to be closed.

When these valves

were subsequently opened, high sump level annunciated.

Thc safcguards pump room sump isolation valves

had been stroke-tested in preparation for Hurricane Erin, and some of the seven valves controlled by a single

switch had failed to close.

Following trouble-shooting efforts thc control switch had been left in the close

position.

At 0611 on August 10, 1995, thermal relief valve V3439 was dctcrmined to have been the cause of the

leakage.

This valve is located in LPSI pump discharge piping that is common to both trains.

During the

event, the operating pressure ofthe SDC system immediately followingLPSI pump start was within the relief

valve's lift-prcssure range, resulting in the valve opening.

The SDC system operating pressure

remained

above the reliefvalve reseat pressure, which prevented the valve from closing. Approximately 4000 gal was

discharged over the almost 2-h period that the valve was open.

t

~i

I I

LER Nos. 335/95-004, -005, -006

Three and one-half hours after the relief valve leakage was identified both trains of the SDC system were

removed from service for 22 h in order to replace the valve. RCS temperature was increased to 305'F, where

the PORV Technical Specification was not applicable.

Decay heat was removed using the steam generators,

thc only source of decay heat removal at that point.

Following replacement of the relief valve, both SDC

trains were restored to operable status and the RCS was cooled down and depressurized to repair the PORVs.

Three other reportable events occurred within the same time frame as the events described above.

These

events, which would not be selected as precursors, arc summarized below in order to provide a more complete

picture ofthe situation at St. Lucie 1 during the August 1995 time period.

While RCS temperature was being decreased

on August 2, 1995, in response to the failed RCP seal, the main

steam isolation signal (MSIS) block permissive annunciators alarmed and were acknowledged by an operator.

That operator did not refer to the annunciator summary procedure but concluded that blocking MSIS was not

required since all valves that would have been affecte by an MSIS actuation were already in their actuated

positions.

The shift technical advisor subsequently

questioned whether MSIS should be'blocked, but the

annunciator procedure was again not consulted.

Six minutes after thc block permissive annunciated, MSIS

actuated and was then blocked and reset.

On August 11, 1995, the train A containment spray header flowcontrol valve, FCV-07-1A, failed its stroke

test and was declared inoperable.

Since repair of the valve was expected to take a significant length oftime,

the valve was instead placed in its safeguard position (open), and repair was deferred until the next refueling

outage.

On August 16, 1995, a Unit 1 heatup was begun and the SDC system was secured.

Unspecified

maintenance

on the LPSI system

delayed

performance of the emergency

core cooling system

venting

procedure until 1756 on August 17, 1995, when the RCS was at 532'F and 1550 psia. As part ofthc venting

procedure, the 1A LPSI pump was started and used to circulate refueling water tank (RWT) water through

the SDC warmup line. The SDC heat exchanger inlet and outlet valves were then opened to circulate water

through the heat exchanger.

Because FCV-07-1A was open, this provided a direct path from the RWT to thc

"A" containment spray header.

Three minutes later, at 1806, the control room reccivcd high reactor cavity

leakage

annunciation,

multiple containment fire alarms,

and rapidly increasing

containment

sump flow

~p

LER Nos. 335/95-M4, -005, -M6

indication, and entered the off-normal operating procedure for excessive RCS leakage.

The 1A LPSI pump

was stopped,

the flow path through the spray header identified, the SDC heat exchanger isolation valves

closed, and the venting procedure exited.

Approximately 10,000 gal of borated water was sprayed into the

containment.

The containment fire detection system malfunctioned during the event; 90% ofthe containment

smoke detectors either alarmed or faulted.

In addition, an electrical ground occurred on one safety injection

tank sample valve [Ref. 4].

On August 28, 1995, with the unit in Mode 5 with an RCS temperature ofaround 120'F and an RCS pressure

'f

250 psia, high pressure safety injection (HPSI) header stop valve V-3656 was opened and HPSI pump 1A

was started to support an inscrvicc leak test ofheader reliefvalve V-3417. This valve is the HPSI equivalent

of the LPSI relief valve that opened on August 10, 1995.

HPSI pump operation is prohibited at RCS

temperatures below 236F. Allfour HPSI injection valves were shut and disabled at the time, so the RCS was

not affected [Ref. 5].

Additional Event-Related Information

The PORVs provide thrcc functions at St. Lucie: (1) low temperature overpressure protection (LTOP) when

the RCS is below 305'F and not vcntcd, (2) RCS pressure reliefabove normal operating pressure to minimize

challenges to the pressurizer code safety valves, and (3) a bleed path for "once through cooling," (feed and

bleed) in the event that secondary-side

decay heat removal is unavailable.

The LPSI system at St. Lucie provides injection for large- and medium-break

loss-of-coolant

accidents

(LOCAs). The system is secured at the start ofthe recirculation phase and the HPSI pumps are realigned and

used to provide RCS makeup from the containment

sump.

The LPSI system also provides decay heat

removal during normal plant shutdowns.

Either LPSI pump can bc used to circulate reactor coolant through

a shutdown heat exchanger, returning it to the RCS via thc low-prcssure injection header.

I

1 I

LER Nos. 335/95-004, -005, -006

Modeling Assumptions

The combined event has been modeled as (1) an unavailability of both PORVs from the time St. Lucie

1

returned to power followingits Fall 1994 refueling outage, (2) a potential RCP seal LOCA resulting from the

two failed seal stages, and (3) a 22 h unavailability of the SDC system for decay heat removal.

The failure

of the operator to block the MSIS, inadvcrtcnt spray-down of the containmcnt, and HPSI pump start at low

temperature, while problematic, did not substantially impact core damage sequences

and were not addressed.

discovered on August 3, 1995. During this period (approximately 5840 h), the PORVs were unavailable for

both pressure relief and for feed and bleed.

To reflect the unavailability for feed and bleed, basic events for

failure ofthe valves to open, PPR-SRV-CC-1 and PPR-SRV-CC-2, were set to TRUE.

The ASP models do not specifically address failure of relief valves to open for pressure relief; a sufficient

number of valves are assumed

to open to prevent overpressure.

Since the.two PORVs were failed, the

pressurizer code safety valves (SVs) would have been demanded in the event ofhigh RCS pressure.

Because

SVs cannot be isolated, failure of an open valve to close would result in an unisolatable small-break LOCA.

The potential for the SVs to be challenged instead of the PORVs was rcflcctcd in the model by setting the

basic events for failure ofthe PORVs to close (PPR-SRV-00-1 and PPR-SRV-00-2) to FALSE and adding

a basic event (PPR-SRV-00-SRVS) to represent the potential that an open SV willfail to close.

The rclicfvalve challenge rate used in thc model was not revised to reflect the fact that the SVs would bc

challenged on high RCS pressure

instead of the PORVs.

The SV liftpressure

is 100 psi greater than thc

PORV liftpressure, and fewer transients are expected to reach this pressure.

This should result in fewer SV

challenges

and therefore

a lower challenge

rate.

Unfortunately, because

PORVs

are usually available,

operational data on SV challenges docs not exist. Thc significance ofimpacted sequences

(primarily transient

sequences

5, 7, and 8 in Fig. 1), is thcrcfore potentially overestimated

in the analysis.

However, these

sequences

do not significantly contribute to the overall results even with the conservative SV challenge rate.

0

4'

LER Nos. 335/95-004, -005, -006

P ten 'al R

P seal LOCA. The seal on RCP 1A2 could have degraded further and failed, resulting in a small-

break LOCA. The probability of a small-break LOCA, given the degraded seal, was estimated from Byron-

Jackson RCP seal data in Tables 4 and B-3 ofNUREG-1275, Vol. 7 [Ref. 6]. These tables list actual RCP

seal degradations

(such

as the failure of a stage or increased

controlled bleed-off fiow) in which plant

operation was allowed to continue for some period oftime in accordance with operating procedures.

Most ofthe data in Tables 4 and B-3 ofRef. 6 were from the Nuclear Plant Reliability Data System (NPRDS)

and excluded the names of the plants at which the events occurred.

However, data was listed for Arkansas

Nuclear One (ANO), Units

1 and 2. This data was compared with the seal histoty data included for these two

units in Appendix A of Ref. 6 to determine the fraction of events in Tables 4 and B-3 that were unrelated to

thc seal degradation

observed during this event primarily seal degradations

caused

component cooling

water transients, weld cracks, and cnd-of-life failures.

Approximately one-third of the ANO degradations

were determined to be unrelated to this event. Assuming this fraction is applicable to all ofthe data in Tables

4 and B-3, 25 instances ofseal degradation have occurred which appear to be relevant to the failure observed

during this event and in which RCP operation continued.

None of these

25 instances

proceeded

to a

'atastrophic seal failure.'sing a Chi-square approach'ith zero observed seal failures in these 25 demands,

a probability of 0.028 is estimated for a subsequent

RCP seal failure and a small-break LOCA, given an

observed seal degradation (stage failure).

The probability of a small-break LOCA resulting from further degradation ofthe RCP 1A2 seal was reflected

in the ASP model by revising basic event 1E-SLOCA to 0.028.

Consistent with the analysis of the failed

PORVs, PPR-SRV-CC-1 and PPR-SRV-CC-2 were set to TRUE to reflect the unavailability of the PORVs

1 Onc catastrophic seal failure was included in Table B-3, but was excluded from the set ofseal degradations relevant to this event. That

event occurred at ANO l and followed a LOOP and a deliberate isolation ofseal injection during a test.

2 Thc usc ofa Chi-square distribution, a standard approach to estimate failure probabilities for small numbers ofcvcnts, is dcscribcd in

Chapter 5 ofNUREGICR-2300, PRA Proc'edures Guide.

LER Nos. 335/95-004, -005, -006

for feed and bleed cooling, and PPR-SRV-00-1

and PPR-SRV-00-2

werc set to FALSE to reflect the

unavailability ofthe PORVs for pressure relief.'

unavailabili f r 22 h. During the 22 h that the SDC system was removed from service to repair failed

thermal relief valve V3439, the only source of decay heat removal was via the steam generators,

since feed

and bleed was unavailable due to the failed PORVs.

The analysis for this case assumed that both motor-

driven AFW pumps were availablc for usc, and that ifboth failed, RCS heatup would allow use ofthe turbine-

driven AFW pump as well. The analysis also assumed that the AFW system had been returned to its pre-

initiation state prior to the discovery of the stuck-open relief valve and that component failure probabilities

applicable following a typical reactor trip from power were applicable in this situation as we11.4

The LPSI system was removed from service nine days'aflcr St. Lucie was shut down for hurricane Erin, when

decay heat was approximately one-eighth of its nominal post-trip value.

This lower decay heat level would

substantially extend the time available to recover the AFW system, ifit failed, and eliminate the requirement

to provide an alternate AFW suction source, since the CST would not bc expected to be emptied during thc

22-h LPSI unavailability. This was reflected in the model by reducing the probability ofnot recovering AFW

as described in the following paragraph, setting the basic event representing

the failure of the operator to

provide an alternate water source upon depletion ofthe CST, AFW-XHE-XA-CST2,to FALSE, and utilizing

a 22-h mission

time.'hc

ASP models utilize a probability of 0.26 for failing to rccovcr an initiallyfailed AFW system within

about 0.5 h following a reactor trip from power (basic event AFW-XHE-NOREC).

Assuming the time

available to recover AFW is proportional to the decay heat load, 4 h would be available ifAFW had failed

3

~

Since high RCS pressure would not exist followinga postulated small-break LOCA, model changes were not actually rcquircd to reflect

thc unavailability ofthe PORVs for prcssure relief.

This is most likelyconservative since at least sornc ofthe AFW components had recently opcratcd and non4emand, standby failures

would thcreforc not substantially contribute to these component failure probabilities.

Certain basic events in the ASP models address both failure to start and failure to run. The probabilities for these basic events werc not

revised to reflec thc 22-h mission time. This has!css than a 2 pcrccnt impact on these basic event probabilities.

'A

LER Nos. 335/95-M4, -005, -M6

during the LPSI relief valve repair. AFW-XHE-NOREC was revised to 0.12 to reflect this greater recovery

time. This value is the demand-related AFWnonrecovery probability developed in Faulted Systems Recovery

Experience, NSAC-161 [Ref. 7] (Fig. 3.1-2) at 2 h, the longest nonrecovery duration addressed

in that

document.

This probability is conservative for 4 h, but consistent with the data-based

approach summarized

in NUREG/CR-4834, Vol. 2 [Ref. 8], the data in Fig. 3.1-2 ofRef. 7 was not extrapolated.

The probability that AFW would have failed during the 22-h that the SDC system was removed form service

is estimated to be 3.0 > 10'sing the St. Lucie ASP model modified as described above. Ifthe AFW system

had failed, the condensate system could have been used for SG makeup.

In addition, ifthe AFW system had

failed when initiallydemanded following isolation ofthc SDC system (failure at this time is more likelythan

failure following a successful demand), the SDC system could have been returned to service with the leaking

relief valve until the AFW system had been restored to operation.

The probability that both of these

alternatives would fail is estimated to be well below 0.03, which reduces the overall conditional probability

for the 22-h SDC unavailability to less than 1.0

>< 10~, thc truncation limit for documentation in the ASP

program.

Because the conditional probability for thc 22-h SDC unavailability is estimated to be less than 1.0

x 10, it was not analyzed further.

Analysis Results

The conditional core damage probability (CCDP) estimated for this event is 1.3

>< 10

. About 95% of the

CCDP is contributed by the unavailability of the PORVs. Thc remaining 5% of the CCDP is associated with

a postulated RCP seal LOCA initiating event.

Only the conditional assessment of thc unavailability of the

PORVs is discussed below. The dominant core damage sequence, highlighted as sequence number 21 on the

event tree in Fig. 1, contributes about 41% to the conditional probability estimate and involves:

~

a postulated reactor trip during the 5840 h period that the PORVs were unavailable,

~

nonrecoverable failures ofMFW and AFW, and

~

ability to feed and bleed is lost due to thc unavailability ofthe PORVs.

The second highest core damage sequence, which contributes about 20% of the CCDP, is similar to sequence

number 21 on Fig. 1, but involves a postulated LOOP instead ofa transient.

Sequence

16 involves:

LER Nos. 335/95-004, -005, -006

~

a successful reactor trip given a loss-of-offsite power with emergency power available,

the AFW system fails,

operators successfully recover offsite power within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, and

ability to feed and bleed is lost due to the unavailability ofthe PORVs.

Definitions and probabilities for selected basic events are shown in Table l. The conditional probabilities

associated with the highest probability sequences for the condition assessment

are shown in Table 2. Table

3 lists the sequence logic associated with the sequences

listed in Table 2. Table 4 describes the system names

associated with the dominant sequences

for the condition assessment.

Minimal cut sets associated with the

dominant sequences for the condition assessment

are shown in Table 5.

AuxiliaryFeedwater

Arkansas Nuclear One

LCO

Accident Sequence Precursor

Conditional Core Damage Probability

Condcnsatc Storage Tank

High Pressure Safety Injection

LimitingCondition for Operation

Loss-of-Coolant Accident

LOOP

Loss-of-Offsite Power

LPSI

Low Pressure Safety Injection

LTOP

Low Temperature Overpressure Protection

Main Fecdwater

Main Steam Isolation Signal

Reactor Coolant Pump

Reactor Coolant System

Refueling Water Tank

10

+<

p~

I 4

LER Nos. 335/95-004, -005, -006

PORV

Power Operated Relief Valve

Station Blackout

Safety Valve

References

1. LER 335/95-004, Rev. 0, "Hurricane Erin at St. Lucie," August 27, 1995.

2. LER 335/95-005, Rev. 0, "Pressurizer Power Operated ReliefValves (PORV) Inoperable due to Personnel

Error," August 22, 1995.

3. LER 335/95-006, Rev. 0, "Loss of Reactor Coolant Inventory through a Shutdown Cooling Relief Valve

due to Lack ofDesign Margin," August 22, 1995.

4. LER 335/95-007, Rev. 0, "Inadvertent Containmcnt Spray via 1A Low Pressure

Safety Injection Pump

while Venting the Emergency Core Cooling System During Startup duc to Inadequate Procedure," August

27, 1995.

5. LER 335/95-008, Rev. 0, "High Pressure

Safety Injection Pump Operation During Plant Conditions Not

Allowed by Technical Specifications due to Personnel Error," September 27, 1995.

6. Operating Experience Feedback Report - Experience ivith Pump Seals Installed in Reactor Coolant Pumps

Manufactured. by Byron Jackson,

L.G. Bell and P.D. O'Reilly, NUREG-1275, Vol. 7, U.S. Nuclear

Regulatory Commission, September

1992.

7. Faulted

Systems

Recovery

Experience,

H.R.

Booth,

F.J.

Mollerus,

and

J.L.

Wray, NSAC-161,

Nuclear Safety Analysis Center, May 1992.

8. Recovery Actions in PRAfor the Risk Methods Integration and Evaluation Program (RMEP), Volume

2: Application ofthe Data-Based Method, D.W. Whitehead, NUREG/CR-4834, Vol. 2, Sandia National

Laboratories, 1987.

11

, U

O

IE TRANS

AUXILIARY

FEEDWA

SYSTEM

MAIN

FEEDWA

SYSTEM

HQH

PRESSURE

INJECDON

FSS

RECOVER

RCS

RESIDUAL

S~r

COOLDOWN

HEAT

COOU

USINO

REMOVAL

DECAYI%AT

HOH

REMOVAL

UQNS CSR

SEQS

END

STATE

A

O

OI

DOA

C

8

DO

8

g

O~

tPf

pr4

CD

I

CD

'

CD

OK

CD

OK

10

12

13

CD

OK

CD

14

15

OK

CD

16

CD

17

18

OK

CD

21

CD

22 T

ATWS

'Ir~

aT TOE

~OAER

REISE

TEKEOCA

a'L

aTRTE

Khan

TCCOVERT

WIORT

T MARS

aTRIE

AECOVPII

WITTRT

S I@LIRE

anna

~Owlet

TEED A

RETD

COOPO

T ~ O

DECAY

tlfAT

RDAOYK

IISTTO

CSR

SEQ ¹

END

STATE

2

3

4

5

e

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

2e

27

28

29

30

31

32

33

34

35

38

37

38

39

40

41

42

OK

CD

OK

CO

CD

OK

CO

OK

CO

CD

OK

CD

CO

OK

CO

OK

CO

OK

CO

OK

CO

OK

CO

OK

CO

CD

CO

CD

335/95 - 004, - 005, - 006

~P

~ '

LER Nos. 335/95-004, -005, -006

Table 1. Definitions and probabilities for selected basic events for

LER Nos, 335/95-004, -005, -006

Event

name

AFW-MOVEF-SGALL

AFW-PMP<F-ALL

AFW-TDP-FC-IC

AFW-XHE-NOREC

AFW-XHFrNOREC-EP

AFW-XHE-NOREC-L

AFW-XHE-XACST2

AFW-XHE-XANST2E

AFW-XHE-XANST2L

EPS-DGNZF-AB

EPS-DGN-FC-DGA

EPS-DGN-FC-DGB

EPS-XHE-NOREC

HPI-MDPZF-ALL

HPI-MOVNF-DISAL

Description

Common Cause Failure ofall

Stcam Generator Motor-

Operated Valves

Common Cause Failure ofall

AFW Pumps

AFWTurbine Driven Pump IC

Fails

Operator Fails to Recover AFW

System

Operator Fails to Recover AFW

During a Station Blackout

Operator Fails to Rccovcr AFW

During LOOP

Operator Fails to Initiate Backup

Water Source

Operator Fails to Initiate Backup

Water Source During a Station

Blackout

Operator Fails to Initiate Backup

Water Source During a LOOP

Common Cause Failure ofDiesel

Generators

Dicscl Generator A Failures

Diesel Generator B Failures

Operator Fails to Recover

Emergency Power

Common Cause Failure ofHPI

Motor-Driven Pumps

Common Cause Failure ofall

HPI Injection Valves

Base

probability

5.5 E405

1.7 FA04

3.2 E402

2.6 E401

3.4 E401

2.6 E401

1.0 E403

1.6 E403

4.2 E402

8.0 E401

1.0 E404

5.5 E405

Current

probability

5.5 E405

1.7 E404

I

3.2 E402

2.6 E401

3.4 E401

2.6 E401

1.0 E403

1.6 E403

4.2 E402

8.0 E401

1.0 FA04

5.5 E405

Type

Modified

for this

event

No

14

I

LER Nos. 335/95-004t -005r -006

Table 1. Definitions and probabilities for selected basic events for

LER Nos. 335/95-004, -005, -006

Event

name

HPI-TNK-FC-RWST

MFW-SYS-TRIP

MFW-XHE-NOREC

OEP-XHE-NORECAH

OEP-XHE-NOREC-BD

OEP-XHE-NOREC-SL

PCS-PSF-HW

PCS-XHE-SM-SG

PPR-SRV<C-I

PPR-S

ROC-2

PPR-SRV<O-SBO

PPR-SRV<O-TRAN

PPR-SRV~PRVI

PPR-SRV-OO-PRV2

PPR-SRV~-SRVS

RCS-MDP-LK-SEALS

Description

RWST and Water Supply Valve

Failures

Main Fccdwatcr System Trips

Operator Fails to Rccovcr Main

Fecdwatcr

Operator Fails to Recover Offsite

Power Within 6 Hours

Operator Fails to Recover Offsite

Power Bcforc Batteries Are

Dcplcted

Operator Fails to Recover Offsite

Power (Seal LOCA)

Hardware Failures Causing

Failure to Dcprcssurizc

Operator Fails to Initiate RCS

Dcprcssurization

PORV I Fails to Open on

Demand

PORV 2 Fails to Open on

Demand

PORVs Open During SBO

PORVs Open During Transient

PORV I Fails to Reclose After

Opening

PORV 2 Fails to Reclose AAer

Opening

At Least Onc Safety Valve Fails

to Reclose AIter Opening

RCP Seals Fail Without Cooling

and Injection

Base

probability

2.7 E406

2.0 E401

3.4 E401

5.7 E402

1.1 E402

6.0 E401

1.0 E405

4.0 E404

2.0 E403

1.0 E+000

4.0 E402

2.0 E403

0.0 E&00

3.4 E402-

Current

probability

2.7 E406

2.0 E401

3.4 E401

5.7 E402

1.1 E402

6.0 E401

1.0 E405

4.0 E404

1.0 E&00

1.0 EK00

1.0 E&00

4.0 E402

0.0 E&00

9.0 E402

3.4 E402

Type

TRUE

FALSE

Modified

for this

event

No

Ycs

No

Ycs

Yes

Ycs

No

15

~Q

LER Nos. 335/95-004, -005, -006

Table 2. Sequence conditional probabilities for LER Nos. 335/95-004, -005, -006

Event tree

name

TRANS

Sequence name

21

16

40

30

39

05

41

23

32

21

06

Conditional core

damage

probability

(CCDP)

5.1 E-005

2.6 E-005

1.9 E-005

4.4 E-006

3.9 E-006

2.5 E-006

2.4 E-006

1.5 E-006

Contribution

40.8

21.3

15.7

3.5

3.1

1.9

1.2

TRANS

08

Total (all sequences)

1.3 E-006

1.2 E-004

1.0

16

LER Nos. 335/95-004, -005, -006

Table 3. Sequence logic for dominant sequences for LER Nos. 335/95-004, -005, -006

Event tree name

TRANS

LOOP

SGTR'OOP

LOOP

SGTR

TRANS

Sequence name

21

-16

40

30

39

05

41

.

23

32

21

06

08

Logic

/RT, AFW, MFW, F&B

/RT-L, /EP, AFW-L,/OP-6H,

F&B-L

/RT-L, EP, /AFW-L,PORV-

SBO, PRVL-RES

/RT-L, EP, /AFW-L,/PORV-

SBO, SEALLOCA, OP-SL

/RT-L, EP, /AFW-L,PORV-

SBO, /PRVL-RES,

SEALLOCA, OP-SL

/RT, /AFW-SGTR, /HPI, RCS-

SG

/RT-L, EP, AFW-L-EP

/RT-L, EP, /AFW-L,/PORV-

SBO, /SEALLOCA,OP-BD

/RT-L, EP, /AFW-L,PORV-

SBO, /PRVL-RES,

/SEALLOCA,OP-BD

/RT-L, /EP, AFW-L,OP-6H,

F&B-L

/RT, /AFW-SGTR, HPI

/RT, /AFW, PORV, PORV-

RES, HPI

17

LER Nos. 335/95-004, -005, -006

Table 4. System names for LER Nos. 335/95-004, -005, -006

System name

AFW

AFW-L

AFW-L-EP

AFW-SGTR

EP

F&B

F&B-L

HPI

MFW

OP-6H

OP-BD

OP-SL

PORV

PORV-RES

PORV-SBO

PRVL-RES

RCS-SG

RT

RT-L

SEALLOCA

Logic

No or Insufficient AFW Flow

No or Insufficient AFW Flow During LOOP

No or Insufficient AFW Flow During Station Blackout

No or Insufficient AFW Flow During a Stcam

Generator Tube Rupture

Failure ofBoth Trains ofEmer'gency Power

Failure to Provide Feed and Bleed Cooling

Failure ofFeed and Bleed Cooling During a LOOP

No or Insufficient Flow from HPI System

Failure ofthe Main Feedhvater System

Operator Fails to Recover Offsite Power Within 6 h

Operator Fails to Recover Offsite Power Before

Batteries are Depleted

Operator Fails to Recover Offsite Power (Seal LOCA)

PORVs Open During Transient

PORVs Fail to Reseat

PORVs Open During Station Blackout Event

PORVs and Block Valves Fail to Reclose [Electric

Power (EP) succeeds]

Failure to Lower RCS Pressure to Less Than the Steam

Generator ReliefValve Setpoint

Reactor Fails to Trip During Transient

Reactor Fails to Trip During LOOP

RCP Seals Fail During LOOP

18

E.

lg;

'IE

LER Nos. 335/95-004, -005, -006

Table 5. Conditional cut sets for higher probability sequences for

LER Nos. 335/95-004, -005, -006

Cut set

No.

Percent

Contribution

Conditional

Probability'ut sets

TRANS Sequence

21

80.2

4.1 E-005

AFW-XHE-NOREC,AFW-XHE-XAZST2,MFW-SYS-TRIP,

MFW-XHFNOREC

14.2

7 2 E pp6

AFW-PMP-CF-ALL,AFW-XHE-NOREC, MFW-SYS-TRIP,

MFW-XHE-NOREC

4.4

LOOP Sequence

16

2.2 E-006

2.

E 005

AFW-MOV-CF-SGALL,AFW-XHE-NOREC, MFW-SYS-TRIP,

MFW-XHE-NOREC

79.0

14.0

44

2 1 E P05

AFW-XHE-XAZST2L,AFW-XHE-NOREC-L

3.6 E-006

AFW-PMP4F-ALL,AFW-XHE-NOREC

1

1 E PP6

AFW-MOVCF-SGALL,AFW-XHE-NOREC-L

LOOP Sequence 40

52.4

47.6

LOOP Sequence 30

52.4

47.6

LOOP Sequence 39

52.4

47.6

1.9 E-005

1.0 E-005

9.0 E-006

4.4 E-006

2.3 E-006

2.1 E-006

2.3 E-006

2.1 E-006

EPS-DGN-FC-DGA, EPS-DGN.FC-DGB, EPS-XHE-NOREC,

PPR-SRV<O-SBO, PPR-SRV~SRVS

EPS-DGNZF-AB, EPS-XHE-NOREC, PPR-SRVZO-SBO,

PPR-SRV~SRVS

EPS-DGN-FC-DGA, EPS-DGN-FC-DGB, EPS-XHF NOREC,

RCS-MDP-LK-SEALS, OEP-XHE-NOREC-SL

EPS-DGN-CF-AB, EPS-XHE-NOREC, RCS-MDP-LK-SEALS,

OEP-XHE-NOREC-SL

EPS-DGN-FC-DGA, EPS-DGN-FC-DGB, EPS-XHE-NOREC,

PPR-SRVZO-SBO, RCS-MDP-LK-SEALS, OEP-XHE-NOREC-SL

EPS-DGN4:F-AB, EPS-XHE-NOREC, PPR-SRVNO-SBO,

RCS-MDP-LK-SEALS, OEP-XHE-NOREC-SL

19

'l

j 4I,

t

~I

LER Nos. 335/95-004, -005, -006

Table 5. Conditional cut sets for higher probability sequences for

LER Nos. 335/95-004, -005, -006

Cut set

No.

Percent

Contribution

Conditional

Probability'ut sets

SGTR Sequence 05

97.6

39E nn6

3.8 E-006

PCS-XHE-XM-SG

2.4

9.4 E-008

PCS PSF HW

LOOP Sequence

41

50.2

45.5

2.5 E-006

1.3 E-006

1.1 E-006

EPS-DGN-FC-DGA, EPS-DGN-FC-DGB, EPS-XHE-NOREC,

AFW-TDP-FC-lC, AFW-XHE-NOREC-EP

EPS-DGNZF-AB, EPS-XHE-NOREC, AFW-TDP-FC-lC,

AFW-XHE-NOREC-EP

1.6

1.4

LOOP Sequence 23

52.4

4.0 E-008

3.5 E-008

2.4 E-006

1.3 E-006

EPS-DGN-FC-DGA, EPS-DGN-FC-DGB, EPS-XHE-NOREC,

AFW-XHE-XAZST2E,AFW-XHE-NOREC-EP

EPS-DGNZF-AB, EPS-XHE-NOREC, AFW-XHE-XACST2E,

AFW-XHE-NOREC-EP

EPS-DGN-FC-DGA, EPS-DGN-FC-DGB, EPS-XHE-NOREC,

OEP-XHE-NOREC-BD

47.6

1

1 E PP6

EPS-DGNZF-AB, EPS-XHE-NOREC, OEP-XHE-NOREC-BD

LOOP Sequence 32

52.4

47.6

LOOP Sequence

21

79.0

14.0

44

2.4 E-006

1.3 E-006

1.1 E-006

1.5 E-006

1.2 E-006

2.1 E-007

6.6 E-008

EPS-DGN-FC-DGA, EPS-DGN-FC-DGB, EPS-XHE-NOREC,

PPR-SRV-CO-SBO, OEP-XHE-NOREC-BD

EPS-DGN4F-AB, EPS-XHE-NOREC, PPR-SRVZO-SBO,

OEP-XHE-NOREC-BD

AFW-XHE-NOREC-L,AFW-XHE-MST2L,

OEP-XHE-NORECAH

AFW-PMP-CF-ALL,AFW-XHE-NOREC-L,

OEP-XHE-NORECAH

AFW-MOV-CF-ALL,AFW-XHE-NOREC-L,

OEP-XHE-NORECAH

20

pC

W

LER Nos. 335/95-004, -005, -006

Table 5. Conditional cut sets for higher probability sequences for

LER Nos, 335/95-004, -005, -006

Cut set

No.

Percent

Contribution

Conditional

Probability'ut sets

SGTR Sequence 06

62.7

1.

9 4 E PP7

HPI-MDPZF-ALL

34.7

1.7

TRANS Sequence 08

5.2 E-007

2.6 E-008

HPI-MOV-CF-DISAL

HPI-TNK-FC-RWST

62.7

34.7

1.7

RCP Seal LOCA

Total (all sequences)

8.2 E-P07

PPR sRvzo-TRAN PPR sRY4chsvRs

HPI MDP cF ALL

4 5 E PQ7

PPR-sRY4o-TRAN, PPR-sRv-oo-svRs,

HPI-Mov-cF-DIsAL

2 2 E PQ8

PPR-sRvco-TRAN, PPR-sRv-oo-svRs,

HPI-TNK-Fc-RwsT

5.9 E-006

1,

E 004

a. 'he conditional probability for each cut sct is determined by multiplying the probability that the

portion ofthe sequence that makes the precursor visible (e.g., the system with a failure is demanded) will

occur during the duration ofthe event by the probabilities ofthe remaining basic events in the minimal

cut set. This can be approximated by 1 - e', whcrc p is determined by multiplying the expected number

ofinitiators that occur during the duration ofthe event by the probabilities ofthe basic events in that

minimal cut set. The expected number ofinitiators is given by At, where A, is the frequency ofthe

initiating event (given on a per hour basis), and t is the duration time ofthe event (in this case, 5840 h).

This approximation is conservative for precursors made visible by the initiating event. The frequencies

ofinterest for this event are: A~, = 4.0 x 10 /h, A~p = 1.4 x 10'/h, and Amra = 1.63 x 10 /h.

21

') 4

i

'~)l

GUIDANCE FOR LICENSEE REVIEW OF

PRELININARY ASP ANALYSIS

Backgr ound

The preliminary precursor

analysis of an operational

event that occurred at

your plant has

been provided for your review.

]his analysis

was performed

as

'

part of the NRC's Accident Sequence

Precursor

(ASP)

Program.

The

ASP

Program

uses probabilistic risk assessment

techniques

to provide estimates

of

operating

event significance

in terms of the potential for core

damage.

The

types of events

evaluated

include actual initiating events,

such

as

a loss of

off-site power

(LOOP) or loss-of-coolant

accident

(LOCA), degradation

of plant

conditions,

and safety equipment failures or unavailabilities that could

increase

the probability of core

damage

from postulated

accident

sequences.

This preliminary analysis

was conducted

using the information contained

in the

plant-specific final safety analysis report

(FSAR), individual plant

examination

(IPE),

and the licensee

event report

(LER) for this event.

Nodeling Techniques

The models

used for the analysis of 1995

and

1996 events

were developed

by the

Idaho National

Engineering

Laboratory (INEL).

The models were developed

using

the Systems Analysis Programs for Hands-on

Integrated Reliability Evaluations

(SAPHIRE) software.

The models

are

based

on linked fault trees.

Four types

of initiating events

are considered:

(1) transients,

(2) loss-of-coolant

accidents

(LOCAs), (3) losses

of offsite power

(LOOPs),

and (4) steam

generator

tube ruptures

(PWR only).

Fault trees

were developed

for each top

event

on the event trees to

a supercomponent

level of detail.

The only

support

system currently modeled is the electric power system.

The models

may be modified to include additional detail for the systems/

components

of interest for a particular event.

This may include additional

equipment or mitigation strategies

as outlined in the

FSAR or IPE.

Probabilities

are modified to reflect the particular circumstances

of the

event being analyzed.

Guidance for Peer

Review

Comments regarding

the analysis

should address:

Does the "Event Description" section accurately describe

the event

as it

occurred?

Does the "Additional Event-Related

Information" section provide accurate

additional

information concerning

the configuration of the plant

and the

operation of and procedures

associated

with relevant

systems?

Does the "Hodeling Assumptions" section accurately describe

the modeling

done for the event?

Is the modeling of the event appropriate for the

events that occurred or that

had the potential to occur under the event

conditions?

This also includes

assumptions

regarding the likelihood of

equipment

recovery.

Enclosure

2

NJ

JJ

Appendix

H of Reference

I provides

examples of comments

and responses

for

Criteria for Evaluating

Comments

Hodifications to the event analysis

may be made

based

on the comments that

you'rovide.

Specific documentation will be required to consider modifications to

the event analysis.

References

should

be

made to portions of the

LER, AIT, or

ML17228B495

Text

Navigation menu

Search