ML18038B063

From kanterella
Jump to navigation Jump to search
Final Accident Sequence Precursor Analysis - Turkey Point Nuclear Generating Station (Unit 3), Loss of 3A 4kV Vital Bus Results in Reactor Trip, Safety System Actuations, and Loss of Safety Injection Function (LER 250-2017-001) - Precursor
ML18038B063
Person / Time
Issue date: 02/12/2018
From: Christopher Hunter
NRC/RES/DRA/PRB
To:
C. Hunter
References
IR 05000250/2017002, IR 05000250/2017008, LER-250-2017-001 50-250
Download: ML18038B063 (12)
v  d  e


Text

Final ASP Program Analysis - Precursor Accident Sequence Precursor Program - Office of Nuclear Regulatory Research Turkey Point Nuclear Loss of 3A 4kV Vital Bus Results in Reactor Trip, Safety System Generating Station, Actuations, and Loss of Safety Injection Function Unit 3 LER: 250-2017-001 Event Date: 3/18/2017 IRs: 05000250/2017008 and CCDP = 3x10-6 05000250/2017002 Plant Type: Westinghouse 3-Loop Pressurized-Water Reactor (PWR) with Dry, Ambient Pressure Containment Plant Operating Mode (Reactor Power Level): Mode 1 (100% Reactor Power)

Analyst: Reviewer: Contributors: Approval Date:

Chris Hunter Ian Gifford N/A 02/12/2018 EXECUTIVE

SUMMARY

On March 18, 2017, at approximately 11:07 a.m., the Turkey Point, Unit 3 reactor tripped due to a trip of the reactor coolant pumps (RCPs) caused by a high-energy arc fault (HEAF) on the 4.16 kilovolt (kV) safety-related alternating current (AC) bus 3A. The site declared an Alert because of smoke in switchgear room 3A. Auxiliary feedwater (AFW) actuated as expected due to low steam generator (SG) level. Operators closed the main steam isolation valves, per emergency operating procedures, and used SG atmospheric dump valves for decay heat removal. Each unit has two high-head safety injection (HHSI) pumps, which are shared between the two units. Both Unit 4 HHSI pumps were out of service for maintenance at the time of event. This maintenance combined with the failure of bus 3A resulted in three of the four HHSI pumps being unavailable.1 Both Unit 4 HHSI pumps were restored at 1:36 p.m. on March 18th.

This event was modeled as a loss of 4.16 kV bus 3A initiating event with the Unit 4 HHSI pumps unavailable due to maintenance. Given the modeling assumptions used in this analysis, the conditional core damage probability (CCDP) was calculated to be 3x10-6. For most Westinghouse PWRs, a similar event often results in a CCDP greater than 10-5, with the results dominated by the loss of AFW and feed-and-bleed cooling from (postulated) random failures of the opposite train(s) or loss of RCP seal cooling scenarios with a subsequent seal failure resulting in a loss-of-coolant accident (LOCA).2 However, Turkey Point has some unique plant design features that mitigate the risk of this event. The most notable is that each units safety-related direct current (DC) buses have battery-charging capability from both units. This is important because the three turbine-driven AFW pumps (also unique to Turkey Point), remain available during a postulated loss of all safety-related AC power.3,4 In addition, SG level 1 The high-pressure injection safety function can be fulfilled by one HHSI pump.

2 Results are based on calculations using the SPAR models of other Westinghouse 3- and 4-loop plants that include a loss of safety-related AC bus initiating event.

3 Turkey Point is the only PWR that has a three turbine-driven AFW pump configuration. All other plants have a combination of motor- and turbine/diesel-driven pumps.

4 For most PWRs, operators have the capability for continued operation of turbine-driven AFW pump(s) after battery depletion, and this action is often credited in PRAs (including some SPAR models). However, there is variance among risk analysts on the likelihood of success for blind feeding the SGs and reaching a safe/stable end state given the potential for underfill/overfill.

1

LER 250-2017-001 indication could be maintained throughout the most severe postulated event. Turkey Point also has a nonsafety-related standby SG feedwater system available to provide inventory makeup to the SGs. Another key plant feature is the installation of N9000 Flowserve RCP seals, which substantially decrease the risk of RCP seal failures given a loss of all seal cooling/injection.

On the other hand, some plant design features increase the risk for this event. The most notable is that the main generator powers the safety-related AC buses, which renders these buses vulnerable to failure of the feeder circuit breakers to open. These postulated breaker failures result in the applicable safety-related bus(es) being deenergized, with the operators unable to align alternate power sources [e.g., emergency diesel generator (EDG), alternate transformer]. Another negative feature is that the safety- and nonsafety-related buses share the same cubicle for the respective trains. Therefore, a fault (such as a HEAF) results in a loss of all safety- and nonsafety-related power for the affected train. These negative design features are mitigated by the positive elements previously noted.

Subsequent inspections by the NRC identified two licensee performance deficiencies and two unresolved issues (URIs). The performance deficiencies were due to the licensee failure to (1) implement adequate fire watches following a HEAF on 4.16 kV safety related bus 3A, which resulted in inadequate fire detection capability in switchgear room 3B for approximately 28 hours3.240741e-4 days <br />0.00778 hours <br />4.62963e-5 weeks <br />1.0654e-5 months <br />, and (2) incorporate appropriate instructions to prevent foreign material from entering nearby electrical equipment when installing Thermo-Lag insulation. Both findings were determined to be Green (i.e., very low safety significance).

EVENT DETAILS Event Description. On March 18, 2017, at approximately 11:07 a.m., the Turkey Point, Unit 3 reactor tripped due to a trip of the RCPs caused by a HEAF on the 4.16 kV safety-related AC bus 3A. The site declared an Alert because of smoke in switchgear room 3A. Operators closed the main steam isolation valves, per emergency operating procedures. AFW actuated as expected due to low SG level. In conjunction with AFW, the SG atmospheric dump valves were used for decay heat removal. EDG 3A automatically started; however, it did not load onto bus 3A due to the bus lockout caused by the HEAF. Operators secured EDG 3A at 1:32 p.m. on March 18th. The reactor was stabilized in Mode 3, while Unit 4 remained operating at 100 percent power. The loss of the 3A 4kV bus required a plant shutdown to Mode 5 (cold shutdown) in accordance with technical specifications (TS). The plant entered Mode 5 at 12:50 p.m. on March 19th.

The Unit 4 HHSI pumps were out of service for maintenance at the time of event. As result of this maintenance and the unavailability of 4.16 kV bus 3A, three of the four HHSI pumps were unavailable (i.e., only the Unit 3 train B pump remained available). Both Unit 4 HHSI pumps were restored at 1:36 p.m. on March 18th.

Additional information is provided in licensee event report (LER) 250-2017-001 (Ref. 1) and inspection report (IR) 05000250/2017008 (Ref. 2).

Cause. The direct cause of the HEAF in 4.16 kV safety-related bus 3A was foreign material in the reactor coil cubicle. The root cause was determined to be an inadequate Thermo-Lag insulation installation procedure, which did not address control of foreign material nor provide precautions for controlling airborne debris fibers generated during installation of insulation.

2

LER 250-2017-001 MODELING SDP Results/Basis for ASP Analysis. The ASP Program performs independent analyses for initiating events. ASP analyses of initiating events account for all failures/degraded conditions and unavailabilities (e.g., equipment out for test/maintenance) that occurred during the event, regardless of licensee performance.5 Additional LERs were reviewed to determine if concurrent unavailabilities existed during the March 18, 2017, event. No windowed events or concurrent degraded operating conditions were identified.

In response to this event, the NRC performed a special inspection per Management Directive 8.3, NRC Incident Investigation Program. The special inspection (as documented in IR 05000250/2017008) revealed four URIs. Specifically, inspectors identified issues concerning the following:

  • The licensees procedures and practices for accounting for risk on the opposite unit with equipment removed from service (URI 05000250/2017008-02).
  • The potential failure of the licensee to properly control the spread of airborne particulates generated from the installation of Thermo-Lag insulation material on cable trays and conduits inside the 4.16 kV switchgear room 3A (URI 05000250/2017008-03).
  • Potential discrepancies between the licensees design documentation and the installed configuration of busses inside the reactor coil cabinet (URI 05000250/2017008-04).

Subsequent inspections [as documented in IR 05000250/2017002 (Ref. 3)] revealed two licensee performance deficiencies associated with URIs05000250/2017008-01 and 05000250/2017008-03. Specifically, the licensee failed to (1) implement adequate fire watches following a HEAF on 4.16 kV safety-related bus 3A, which resulted in inadequate fire detection capability in switchgear room 3B for approximately 28 hours3.240741e-4 days <br />0.00778 hours <br />4.62963e-5 weeks <br />1.0654e-5 months <br />, and (2) incorporate appropriate instructions to prevent foreign material from entering nearby electrical equipment when installing Thermo-Lag insulation. Both findings were determined to be Green (i.e., very low safety significance). The other two URIs remain open. LER 250-2017-001 was closed in IR 05000250/2017002.

Analysis Type. A test/limited use version of the Turkey Point Nuclear Generating Station standardized plant analysis risk (SPAR) model, created on January 18, 2018, was used for this initiating event analysis. The key model changes in this test/limited used model include the following:

  • Revised RCP seal modeling given the installation of N9000 Flowserve RCP seals,
  • Modification of HHSI pump success criterion requiring only one-of-four pumps (instead of two) to mitigate small and medium LOCAs, and
  • Crediting turbine-driven AFW pumps or the standby SG feedwater pumps to achieve a safe/stable end state for loss of all safety-related AC power scenarios (assuming no LOCA) with available safety-related DC power, which either unit can supply.

5 ASP analyses also account for any degraded condition(s) identified after the initiating event occurred, if the failure/degradation exposure period(s) overlapped the initiating event date.

3

LER 250-2017-001 SPAR Model Modifications. The following modifications were required for this initiating event assessment:

  • In ASP analyses, recovery credit for EDG failures is limited to cases where event information supports credit for EDG recovery. Therefore, the DGR-02H (diesel generator recovery in 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />) top event (including applicable event tree branching) was eliminated from the station blackout (SBO) event tree. The modified SBO event tree is shown in Figure A-3.
  • To prevent risk contributions from certain anticipated transient without scram (ATWS) cut sets that do not apply to this assessment, the complement basic event OEP-VCF-LP-CLOPT (consequential loss of offsite powertransient) was inserted under gate RPS-1 (electrical failures) in the RPS (reactor protection system fault tree).

An ATWS is only possible during a consequential loss of offsite power (LOOP) if the rods fail to insert into the reactor (i.e., they are mechanically stuck). The modified RPS fault tree is shown in Figure B-1.

  • During the event, nonsafety-related AC bus 3C remained energized and, therefore, the motor-driven standby SG feedwater pump was available to provide inventory makeup to the SGs. This pump would also be available for the dominant (postulated) scenarios in this analysis (i.e., loss of all safety-related 4.16 kV power). To ensure that credit for this pump is provided in this analysis, basic events HE-LOOP (house eventloss of offsite power initiating event has occurred) and HE-LOSP-3C (loss of division 3C offsite power flag) were deleted from the ACP-3C-AC (Turkey Point 3 and 4 PWR B division 3C AC power system) fault tree. The modified ACP-3C-AC fault tree is shown in Figure B-2.

Key Modeling Assumptions. The following modeling assumptions were determined to be significant to the modeling of this event analysis:

  • This analysis models the March 18, 2017, reactor trip at Turkey Point Nuclear Generating Station, Unit 3 as a loss of bus 3A initiating event (IE-LOACB-3A) due to the HEAF on the 4.16 kV safety-related bus 3A.6 Therefore, the probability for IE-LOACB-3A was set to 1.0; all other initiating event probabilities were set to zero.
  • Basic events HPI-MDP-TM-4P2154A (HHSI MDP 4-P215A unavailable due to maintenance) and HPI-MDP-TM-4P215B (HHSI MDP 4-P215B unavailable due to maintenance) were set to TRUE because both pumps were unavailable due to maintenance at the time of the event. Note that the Unit 4 HHSI pumps were restored in approximately 2.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />. Therefore, recovery credit for these pumps may be warranted for certain accident sequences (i.e., scenarios in which sufficient time is available to operators for recovery). However, the applicable accident sequences [e.g., stuck-open power-operated relief valve (PORV)] for this analysis have a core uncovery time of less than 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />; therefore, no recovery credit for the Unit 4 HHSI pumps is provided.
  • Basic events BAT-MDP-TM-P3B (boric acid pump 3B out due to test or maintenance) and HPI-MDP-TM-3P215B (HPI MDP 3-P215B unavailable due to test or maintenance) were set to FALSE because the TS prohibit rendering these pumps unavailable due to testing/maintenance while the Unit 4 HHSI pumps were undergoing maintenance.
  • Basic event ACP-XHE-XM-CLRBKR (operator fails to clear breaker) was set to TRUE because if breaker 3AB02 had failed open, operators would have been unable to align 6 The event tree associated with the loss of 4.16 kV safety-related bus 3A was not used in this analysis because this event tree assumes that feedwater and the condenser heat sink are available. Feedwater and the condenser heat sink were unavailable during the March 18th event.

4

LER 250-2017-001 alternate power sources to supply safety-related bus 3B.7 Given the short time period for the dominant scenarios in this analysis (i.e., 1-2 hours), there would likely not be sufficient time for maintenance/troubleshooting activities to repair the failure. In addition, repair/troubleshooting activities are not typically credited in ASP analyses.

ANALYSIS RESULTS CCDP. The CCDP for this analysis is calculated to be 3.22x10-6. The ASP Program acceptance threshold is a CCDP of 1x10-6 or the CCDP equivalent of an uncomplicated reactor trip with a non-recoverable loss of feedwater or loss of condenser heat sink, whichever is greater. This CCDP equivalent for Turkey Point, Unit 3 is 6.0x10-7. Therefore, this event is a precursor.

Dominant Sequence. The dominant accident sequence is LAC3A sequence 13-16-22 (CCDP = 2.30x10-6), which contributes approximately 71 percent of the total internal events CCDP. The dominant sequences that contribute at least 1.0 percent to the total internal events CCDP are provided in the following table. The dominant sequence is shown graphically in Figures A-1 through A-4 in Appendix A.

Sequence CCDP Percentage Description Loss of safety-related bus 3A initiating event; successful reactor trip; subsequent loss of bus 3B results in a loss of all safety-related AC power; AFW LAC3A 13-16-22 2.30E-6 71.4% succeeds; a PORV fails to reclose resulting in a LOCA; all HHSI pumps are unavailable due to no electrical power (Unit 3) or maintenance (Unit 4),

which results in core damage Loss of safety-related bus 3A initiating event; successful reactor trip; subsequent loss of bus 3B results in a loss of all safety-related AC power; AFW LAC3A 13-16-20 2.68E-7 8.3% succeeds; RCP seal injection/cooling is lost and a subsequent RCP seal LOCA occurs; all HHSI pumps are unavailable due to no electrical power (Unit 3) or maintenance (Unit 4), which results in core damage Loss of safety-related bus 3A initiating event; successful reactor trip; AFW succeeds; RCP seal injection/cooling is lost and a subsequent RCP seal LOCA occurs due operators failing to trip the RCPs; LAC3A 02-9-05 1.21E-7 3.8%

high-pressure injection succeeds; accumulators successfully inject in the reactor coolant system; secondary-side cooldown fails, and high-pressure recirculation fails resulting in core damage Loss of safety-related bus 3A initiating event; successful reactor trip; AFW succeeds; a PORV fails LAC3A 08 1.18E-7 3.7%

to reclose resulting in a LOCA; high-pressure injection fails resulting in core damage Loss of safety-related bus 3A initiating event; successful reactor trip; subsequent loss of bus 3B LAC3A 13-16-24 1.04E-7 3.2% results in a loss of all safety-related AC power; AFW and standby SG feedwater fail resulting in core damage 7 The SPAR model has a placeholder probability in the base model.

5

LER 250-2017-001 Sequence CCDP Percentage Description Loss of safety-related bus 3A initiating event; reactor LAC3A 14-08 8.45E-8 2.6% trip fails resulting in an ATWS; AFW succeeds; emergency boration fails resulting in core damage Loss of safety-related bus 3A initiating event; successful reactor trip; AFW succeeds; a PORV fails to reclose resulting in a LOCA; high-pressure injection LAC3A 05 8.09E-8 2.5%

succeeds; secondary-side cooldown succeeds, residual heat removal fails, and high-pressure recirculation fails resulting in core damage Loss of safety-related bus 3A initiating event; reactor LAC3A 14-10 5.25E-8 1.6% trip fails resulting in ATWS; AFW succeeds; emergency boration fails resulting in core damage Total 3.22E-6 100.0%

REFERENCES

1. Turkey Point Nuclear Generating Station, "LER 250-2017-001 - Reactor Trip, Auxiliary Feed Water and Emergency Diesel Generator 3A Actuations, Loss of Safety Injection Function, and Completion of Technical Specification Required Shutdown, dated May 16, 2017 (ADAMS Accession No. ML17136A372).
2. U.S. Nuclear Regulatory Commission, Turkey Point Nuclear Generating Station - NRC Reactive Inspection Report 05000250/2017008 and 05000251/2017008, dated May 12, 2017 (ADAMS Accession No. ML17132A258).
3. U.S. Nuclear Regulatory Commission, Turkey Point Nuclear Generating Station - NRC Integrated Inspection Report 05000250/2017002, 05000251/2017002, dated August 11, 2017 (ADAMS Accession No. ML17223A012).

6

LER 250-2017-001 Appendix A: Key Event Trees LOSS OF AC BUS 3A REACTOR PROTECTION OFFSITE ELECTRICAL FEEDWATER SYSTEMS PORVS ARE CLOSED RCP SEAL COOLING HIGH PRESSURE INJECTION FEED AND BLEED IS SECONDARY COOLING COOLDOWN (PRIMARY & RESIDUAL HEAT REMOVAL HIGH PRESSURE # End State SYSTEM POWER MAINTAINED UNAVAILABLE RECOVERED SECONDARY) RECIRCULATION (Phase - CD)

IE-LOACB-3A RPS OEP FW PORV LOSC FTF-LOSC HPI-S FAB SSCR SSC RHR HPR FTF-RECIRC 1 OK 2 LOSC 3 OK 4 OK 5 CD 6 OK 7 CD 8 CD 9 OK 10 OK 11 CD 12 CD 13 LOOPPC 14 ATWS 15 CD Figure A-1. Turkey Point Loss of 4.16kV Safety-Related Bus 3A Event Tree A-1

LER 250-2017-001 LOSS OF OFFSITE POWER REACTOR PROTECTION EMERGENCY POWER AUXILIARY FEEDWATER PORVS ARE CLOSED RCP SEAL COOLING HIGH PRESSURE INJECTION FEED AND BLEED IS OFFSITE POWER RECOVERY OFFSITE POWER RECOVERY COOLDOWN (PRIMARY & RESIDUAL HEAT REMOVAL HIGH PRESSURE # End State INITIATOR (PLANT- SYSTEM MAINTAINED FAILS UNAVAILABLE IN 2 HRS IN 6 HRS SECONDARY) RECIRCULATION (Phase - CD)

CENTERED)

IE-LOOPPC RPS EPS FTF-SBO AFW PORV LOSC FTF-LOSC HPI FAB OPR-02H OPR-06H SSC RHR HPR FTF-RECIRC 1 OK 2 LOOP-1 LOSC-L 3 OK 4 OK 5 CD AFW-L 6 OK HPI-L PORV-L 7 CD 8 OK 9 CD HPR-L 10 CD HPI-L 11 OK 12 CD FAB-L 13 OK AFW-L 14 CD HPR-L 15 CD FAB-L 16 SBO 17 ATWS 18 CD Figure A-2. Turkey Point Plant-Centered LOOP Event Tree A-2

LER 250-2017-001 EMERGENCY POWER AUXILIARY FEEDWATER TURKEY POINT 3 & 4 PWR B CONTROLLED BLEEDOFF REACTOR COOLANT RCP SEAL INTEGRITY FAILURE OF STANDBY SG OFFSITE POWER RECOVERY # End State PORVS/SRVS CHALLENGED ISOLATED SUBCOOLING MAINTAINED MAINTAINED FEEDWATER SYSTEM FAILS IN 2 HRS (Phase - CD)

DURING SBO EPS FTF-SBO AFW-B FTF-SBO PORV-B FTF-SBO CBO RSUB RCPSI SSGFP OPR-02H 1 OK 2 OK RCPSI01 3 SBO-4 OPR-02H 4 SBO-1 RCPSI01 5 CD OPR-01H 6 OK 7 OK RCPSI02 8 SBO-4 OPR-02H 9 SBO-1 RCPSI02 10 CD OPR-01H 11 OK 12 OK RCPSI03 13 SBO-4 OPR-02H 14 SBO-1 RCPSI03 15 CD OPR-01H 16 OK 17 OK RCPSI04 18 SBO-4 OPR-02H 19 SBO-1 RCPSI04 20 CD OPR-01H 21 SBO-2 22 CD OPR-01H 23 SBO-3 24 CD OPR-01H Figure A-3. Modified Turkey Point SBO Event Tree A-3

LER 250-2017-001 MANUAL CONTROL AFW CONDENSATE STORAGE DEPRESSURIZE SGS LATE POWER RECOVERY # End State TANK REFILL LONG-TERM (Phase - CD)

<DUMMY-FT> AFW-MAN CST-REFILL-LT SG-DEP-LT PWR-REC 1 OK 24 hrs SG-DEP-LT2 2 CD CST-REFILL-LT1 3 OK Tcu or 24 hrs SG-DEP-LT2 4 CD 5 OK 6 OK CST-REFILL-LT1 Tcu or Tcst empty 7 CD 8 OK Tcu or 24 hrs SG-DEP-LT1 9 CD 10 CD SG-DEP-LT1 Figure A-4. Turkey Point SBO-4 Event Tree A-4

LER 250-2017-001 Appendix B: Modified Fault Tree REACTOR PROTECTION SYSTEM RPS ELECTRICAL FAILURES RPS FAILS DUE TO EARTHQUAKE CCF OF 10 OR MORE RCCAS FAIL TO DROP RPS-1 RPS-EQ Ext RPS-CRM-CF-RCCAS 1.21E-06 ELECTRICAL FAILURES Complement of: CONSEQUENTIAL Complement of: HOUSE EVENT -

LOSS OF OFFSITE POWER - LOSS OF OFFSITE POWER IE HAS TRANSIENT OCCURRED RPS-2 OEP-VCF-LP-CLOPT 9.95E-01 HE-LOOP True Figure B-1. Modified Turkey Point RPS Fault Tree B-1

LER 250-2017-001 TURKEY POINT 3 & 4 PWR B DIVISION 3C AC POWER SYSTEM ACP-3C-AC DIVISION C AC POWER 4160V BUS 3C FAILS ACP-BAC-LP-3C 2.29E-05 Figure B-2. Modified Turkey Point ACP-3C-AC Fault Tree B-2

Retrieved from "https://kanterella.com/w/index.php?title=ML18038B063&oldid=1952325"