ML18066A196

Final Accident Sequence Precursor Analysis-Waterford(Unit 3) Automatic Reactor Scram Due to the Failure of Fast Bus Transfer Relays to Automatically Transfer Station Loads to Offsite Power on a Main Generator Trip (LER 382-2017-002) Precurs
Person / Time
Issue date: 03/22/2018
From: Ian Gifford
NRC/RES/DRA/PRB
To:
References
LER 382-2017-002 IR 2017011


Text

Final ASP Program Analysis - Precursor

Accident Sequence Precursor Program - Office of Nuclear Regulatory Research

Waterford Steam Electric Station - Unit 3
Automatic Reactor Scram due to the Failure of Fast Bus Transfer Relays to Automatically Transfer Station Loads to Offsite Power on a Main Generator Trip

Event Date: 07/17/2017
LER: 382-2017-002
IR: 05000382/2017011
CCDP = 2×10⁻⁵
Plant Type: Pressurized Water Reactor (PWR); Combustion Engineering Two-Loop with a Large, Dry Containment
Plant Operating Mode (Reactor Power Level): Mode 1 (100% reactor power)
Analyst: Ian Gifford
Reviewer: Christopher Hunter
Contributors: N/A
Approval Date: 03/1/18

EXECUTIVE SUMMARY

On July 17, 2017, with the Waterford 3 reactor operating at 100 percent power, control room operators received indications of an electrical grid spike during a severe thunderstorm. The isophase bus duct to main transformer B was glowing orange and arcing, causing control room operators to manually trip the main turbine to de-energize main transformer B. Unexpectedly, the transfer of the electrical buses from the unit auxiliary transformer (UAT) to the startup transformer (SUT) did not occur, resulting in a loss of offsite power (LOOP) to the safety and nonsafety electrical buses. Both emergency diesel generators (EDGs) started and loaded their respective safety buses. Emergency feedwater (EFW) automatically actuated to feed the steam generators and was manually controlled by the operators.

This event was modeled as a plant-centered LOOP initiating event. Given the modeling assumptions used in this analysis, the conditional core damage probability (CCDP) was calculated to be 2×10⁻⁵. The risk of this event is dominated by station blackout (SBO) scenarios as the result of postulated failures of the EDGs and EFW, with the subsequent failure of operators to recover offsite power. In addition, the risk of the event is significantly affected by the lack of feed-and-bleed cooling capability at Waterford. Sensitivity cases were performed to quantify the risk impacts from modeling uncertainties associated with key assumptions made in this ASP analysis (e.g., recovery of auxiliary feedwater, credit for FLEX generators). In all cases, the resulting CCDP remained above the ASP precursor threshold.

The licensee performed a past operability analysis and determined that the Struthers Dunn relays would not have fulfilled their safety function of transferring safety-related loads to the offsite transmission network from June 2nd until the automatic trip on July 17th. A licensee performance deficiency was identified for an inadequate design change that rendered the fast bus transfer system inoperable. A detailed risk analysis for this condition was performed to support the Significance Determination Process (SDP), resulting in a delta core damage frequency (CDF) of 4.5×10⁻⁷ per year, which is a Green finding (i.e., very low safety significance).

EVENT DETAILS

LER 382-2017-002 2

Event Description. On July 17, 2017, at 3:55 p.m., with the Waterford 3 reactor operating at 100 percent power, control room operators received indications of an electrical grid spike during a severe thunderstorm. Operators were dispatched to investigate electrical components in the transformer yard where they reported that the isophase bus duct to main transformer B was glowing orange and arcing. At 4:06 p.m., control room operators manually tripped the main turbine to de-energize main transformer B. In response to the main turbine trip, the main generator automatically tripped and reactor power cutback was initiated. Unexpectedly, the transfer of the electrical buses from the UAT to the SUT did not occur, resulting in a LOOP to the safety and nonsafety electrical buses. All four reactor coolant pumps (RCPs) were de-energized and the reactor automatically tripped due to loss of forced circulation. Both EDGs started and loaded their respective safety buses. EFW automatically actuated to provide inventory makeup to the steam generators. Control room operators took manual control of EFW due to overcooling concerns. Offsite power was restored to the train A and train B safety buses at 6:44 p.m. and 8:01 p.m., respectively. On July 18th at 1:16 a.m., control room operators started the auxiliary feedwater (AFW) pump to feed the steam generators and secured EFW.

The licensee performed a past operability analysis and determined that the Struthers Dunn relays would not have fulfilled their safety function of transferring safety-related loads to the offsite transmission network from June 2nd until the automatic trip on July 17th.

Additional information regarding this event can be found in licensee event report (LER) 382-2017-002 (Ref. 1) and inspection report (IR) 05000382/2017011 (Ref. 2).

Cause. Overheating of the isophase bus duct was caused by the failure of a shunt assembly connection to the phase B bus duct. The failure of the shunt assembly was likely due to a combination of the dynamic response to the grid spike and degraded connections between the shunt assemblies and the bus duct. Failure of the fast bus transfer was caused by an instantaneous time out of the Struthers Dunn 237 series direct current (DC) time delay dropout relays after being exposed to DC coil inductive kick. Additionally, post-modification testing to the Struthers Dunn relay did not exercise the fast bus transfer timing circuitry and, therefore, prevented early detection of the relay failure.

MODELING

Basis for ASP Analysis/SDP Results. The ASP Program performs independent analyses for initiating events. ASP analyses of initiating events account for all failures/degraded conditions and unavailabilities (e.g., equipment out for test/maintenance) that occurred during the event, regardless of licensee performance.¹ A licensee performance deficiency was identified for an inadequate design change that rendered the fast bus transfer system inoperable. Modifications to the fast bus transfer circuitry in May 2017 did not properly account for the increased susceptibility to DC coil inductive kick of electronic devices, and resulted in the licensee's inability to maintain offsite power to the 6.9 kilovolt (kV) and 4.16 kV electrical buses following a trip of the main generator. A detailed risk analysis was performed under the SDP that modeled the failure of the fast bus transfer for the 45-day exposure period. The analysis utilized a condition-specific 2-hour nonrecovery value for offsite power of 7.0×10⁻³, given that offsite power was always available in the switchyard.

The CDP over this exposure period was calculated to be 1.97×10⁻⁶, with dominant core damage sequences involving a transient initiating event, failure of fast transfer, failure of the EDGs, and failure of the turbine-driven EFW pump upon battery depletion. The SDP analysis determined that credit should be given for the ability of the FLEX diesel generator to provide power to a vital battery that allows extended operation of the turbine-driven EFW pump. A failure probability of 0.1 was determined using the SPAR-H Human Reliability Analysis Method (Ref. 3 and 4) for the operator actions required to shed DC loads during a SBO; set up, start, and align the FLEX diesel generator; and establish vital battery charging via the FLEX diesel generator. The final CDF was calculated to be 4.5×10⁻⁷ per year, which is a Green finding (i.e., very low safety significance). Additional information regarding this SDP analysis can be found in IR 05000382/2017011.

¹ ASP analyses also account for any degraded condition(s) identified after the initiating event occurred, if the failure/degradation exposure period(s) overlaps the initiating event date.

Analysis Type. An initiating event analysis was performed using the Waterford 3 standardized plant analysis risk (SPAR) model, Revision 8.54, created on December 15, 2017.

SPAR Model Modifications. The following modifications were required for this initiating event analysis:

  • Typically, the AFW system is assumed to be unavailable during a LOOP because the nonsafety buses are de-energized. However, because offsite power remained available at the switchyard throughout the event, it was determined that operators had sufficient time to recover offsite power and align the AFW pump.² Therefore, the EFW (emergency feedwater system) fault tree was modified by inserting the AFW (auxiliary feedwater system) fault tree as a transfer under the existing top gate of the EFW fault tree. In addition, this top gate was changed to an AND gate. A new OR gate EFW-1 (failure of EFW) was inserted under the EFW fault tree top gate, with all EFW system logic being moved under gate EFW-1. The modified EFW fault tree is shown in Figure A-1.
  • To model power recovery to the AFW system, the ACP-NSTRNB (nonessential train B AC power) fault tree was modified to include a new AND gate ACP-NSTRNB-LOOP (loss of div. B offsite power with no recovery) inserted under the existing OR gate ACP-NSTRNB (nonessential train B AC power). House event HE-LOOP-B (loss of div. B offsite power flag) and basic event OEP-XHE-XL-NR01HPC (operator fails to recover offsite power in 1 hour (plant-centered)) were added under AND gate ACP-NSTRNB-LOOP. The modified ACP-NSTRNB fault tree is shown in Figure A-2.
  • In ASP analyses, recovery credit for EDG failures is limited to cases where event information supports credit for EDG recovery. Therefore, the DGR-02H (diesel generator recovery in 2 hours) top event (including applicable event tree branching) was eliminated from the SBO event tree. The modified SBO event tree is shown in Figure B-1.

Key Modeling Assumptions. The following modeling assumptions were determined to be significant to the modeling of this event analysis:

² The AFW pump is designed to deliver sufficient flow to the steam generators at maximum steam generator pressure, provided that power is available to the pump. Procedural guidance for restoring steam generator inventory with the AFW system is provided in OP-902-006, Loss of Main Feedwater Recovery; OP-902-008, Functional Recovery Procedure; and OP-902-009 Appendix 32, Establishing Main Feedwater.

  • This analysis models the July 17, 2017, reactor trip at the Waterford Steam Electric Station as a plant-centered LOOP that resulted from failure of the fast transfer system, leaving the safety and nonsafety electrical buses without an offsite power source. Therefore, the probability for IE-LOOPPC (loss of offsite power initiator (plant-centered)) was set to 1.0; all other initiating event probabilities were set to zero.
  • The time required to restore offsite power to plant equipment is a significant factor in modeling the risk of core damage given a LOOP. Given that offsite power remained available at the switchyard during this event, the analyst determined that condition-specific 1- and 2-hour nonrecovery probabilities for offsite power are warranted in this case. The SPAR-H Human Reliability Analysis Method was used to estimate nonrecovery probabilities, with key qualitative information for these recovery human failure events (HFEs) and the performance shaping factor (PSF) adjustments required for the quantification of these recovery events provided in Tables 1 and 2.

Table 1. Key Qualitative Information of HFEs for Offsite Power Recovery

Definition: The definition for these recovery HFEs is the operators failing to restore offsite power to the electrical safety buses within 1 and 2 hours (depending on the sequence) given a LOOP and postulated SBO.

Description and Event Context: Depending on postulated failures of the RCP seals (due to unavailability of seal injection/cooling), operators would have between 1 and 2 hours to restore power to the safety electrical buses.

Operator Action Success Criteria: For successful recovery, operators would have to locally reset lockout relays prior to core uncovery.

Nominal Cues:

  • Transformer alarms
  • Breaker alarms
  • EDGs automatically starting
  • RCP trouble alarms
  • Condenser vacuum alarms
  • Loss of control room lighting
  • Extensive loss of various indications
  • Equipment loss of power alarms
  • Tripped breaker indications on the 6.9 kV and 4.16 kV buses
  • Extensive loss of component power available indications

Procedural Guidance:

  • OP-902-003, Loss of Offsite Power/Loss of Forced Circulation Recovery Procedure
  • OP-902-005, Station Blackout Recovery Procedure
  • OP-902-009 Appendix 12, Electrical Restoration Diagnosis/Action

These recovery HFEs contain diagnosis and action components.

Table 2. SPAR-H Evaluation of PSFs for Offsite Power Recovery

PSF: Time Available
Multiplier (Diagnosis / Action): 1 or 0.01 / 1
Notes: The operators would need less than five minutes to perform the action component (i.e., reset the lockout relays). Therefore, the minimum time for diagnosis is approximately 55 minutes. It would take operators approximately 30 minutes to get through the procedures and verify offsite power is fully available. Given these assumptions, the available time for the diagnosis component for 1-hour recovery is assigned as Nominal Time (i.e., ×1). Available time for the diagnosis component for 2-hour recovery is assigned as Expansive Time (i.e., ×0.01; time available is >2 times nominal and >30 minutes). Since sufficient time was available for the action component of the recovery, the available time for the action component for all recovery times is evaluated as Nominal (i.e., ×1). See Reference 4 for guidance on apportioning time between the diagnosis and action components of an HFE.

PSF: Stress
Multiplier (Diagnosis / Action): 2 / 1
Notes: The PSF for diagnosis stress is assigned a value of High Stress (i.e., ×2) due to the postulated SBO. The PSF for action stress was not determined to be a performance driver for these HFEs and, therefore, was assigned a value of Nominal (i.e., ×1).

PSF: Complexity
Multiplier (Diagnosis / Action): 2 / 1
Notes: The PSF for diagnosis complexity is assigned a value of Moderately Complex (i.e., ×2) because operators would have to deal with multiple equipment unavailabilities and the concurrent actions/multiple procedures during a postulated SBO. The PSF for action complexity was not determined to be a performance driver for these HFEs and, therefore, was assigned a value of Nominal (i.e., ×1).

PSF: Procedures, Experience/Training, Ergonomic/HSI, Fitness-for-Duty, Work Process
Multiplier (Diagnosis / Action): 1 / 1
Notes: No event information is available to warrant a change in these PSFs (for diagnosis and action) from Nominal for these HFEs.

An HEP evaluated using SPAR-H is calculated using the following formula:

Calculated HEP = (Product of Diagnosis PSFs × 0.01) + (Product of Action PSFs × 0.001)

Therefore, the failure probability for OEP-XHE-NR01HPC (operator fails to recover offsite power in 1 hour (plant-centered)) was set to 4×10⁻² and the failure probability for OEP-XHE-NR02HPC (operator fails to recover offsite power in 2 hours (plant-centered)) was set to 1×10⁻³.
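The SPAR-H quantification above, carried through with the Table 2 multipliers (an added example, not part of the NRC analysis; the function and variable names are hypothetical). It goes slightly beyond the page by including the composite-PSF adjustment that the SPAR-H method (NUREG/CR-6883, Ref. 3) applies when three or more PSFs are negative, which is not triggered for these HFEs because only stress and complexity are above Nominal.

```python
"""SPAR-H HEP for the offsite power recovery HFEs, using Table 2's multipliers."""
from math import prod

NOMINAL_DIAGNOSIS = 0.01   # nominal HEP of the diagnosis component (page formula)
NOMINAL_ACTION = 0.001     # nominal HEP of the action component (page formula)

# PSF multipliers from Table 2 as (diagnosis, action) pairs. The last five PSFs
# are the ones the table leaves at Nominal for both components.
COMMON_PSFS = {
    "stress": (2, 1),
    "complexity": (2, 1),
    "procedures": (1, 1),
    "experience_training": (1, 1),
    "ergonomics_hsi": (1, 1),
    "fitness_for_duty": (1, 1),
    "work_processes": (1, 1),
}

# "Time Available" is the only PSF that differs between the two recovery windows.
TIME_AVAILABLE = {"1h": (1, 1), "2h": (0.01, 1)}


def component_hep(nominal, multipliers):
    """HEP of one component (diagnosis or action) from its PSF multipliers."""
    composite = prod(multipliers)
    negative = sum(1 for m in multipliers if m > 1)
    if negative >= 3:
        # SPAR-H adjustment factor (NUREG/CR-6883, not stated on this page):
        # keeps the result below 1.0 when several negative PSFs stack up.
        return nominal * composite / (nominal * (composite - 1) + 1)
    return min(nominal * composite, 1.0)


def recovery_hep(window):
    """Total HEP (diagnosis + action) for the '1h' or '2h' recovery HFE."""
    psfs = dict(COMMON_PSFS, time_available=TIME_AVAILABLE[window])
    diagnosis = component_hep(NOMINAL_DIAGNOSIS, [d for d, _ in psfs.values()])
    action = component_hep(NOMINAL_ACTION, [a for _, a in psfs.values()])
    return diagnosis + action


def one_sig_fig(value):
    """Round to one significant figure, the precision the analysis reports."""
    return float(f"{value:.0e}")


if __name__ == "__main__":
    for window, event in (("1h", "OEP-XHE-NR01HPC"), ("2h", "OEP-XHE-NR02HPC")):
        hep = recovery_hep(window)
        print(f"{event}: HEP = {hep:.4g}, reported as {one_sig_fig(hep):.0e}")
```

The 2-hour value is dominated by the action component (1×10⁻³) once Expansive Time cuts the diagnosis term to 4×10⁻⁴, which is why the two HFEs differ by more than an order of magnitude.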

ANALYSIS RESULTS

CCDP. The point estimate CCDP for this event is 1.8×10⁻⁵. The ASP Program acceptance threshold is a CCDP of 1×10⁻⁶ or the CCDP equivalent of an uncomplicated reactor trip with a non-recoverable loss of feedwater or the condenser heat sink, whichever is greater. This CCDP equivalent for Waterford is 2.4×10⁻⁶. Therefore, this event is a precursor.

Dominant Sequence. The dominant accident sequence is LOOPPC sequence 15-20 (CCDP = 7.67×10⁻⁶), which contributes approximately 43 percent of the total internal events CCDP. This sequence is shown graphically in Figures B-1 and B-2 in Appendix B. The dominant sequences that contribute at least 1.0 percent to the total internal events CCDP are provided in the following table:

Sequence: LOOPPC 15-20
CCDP: 7.67×10⁻⁶
Percentage: 42.8%
Description: Plant-centered LOOP initiating event; successful reactor trip; failure of emergency power results in SBO; failure of EFW; and operators fail to recover offsite power within 1 hour, which results in core damage

Sequence: LOOPPC 14
CCDP: 5.80×10⁻⁶
Percentage: 32.3%
Description: Plant-centered LOOP initiating event; successful reactor trip; success of emergency power; and failure of EFW, which results in core damage

Sequence: LOOPPC 15-14-10
CCDP: 4.08×10⁻⁶
Percentage: 22.8%
Description: Plant-centered LOOP initiating event; successful reactor trip; failure of emergency power results in SBO; success of EFW; RCP seal integrity is maintained; and operators fail to recover offsite power within 2 hours, which results in core damage

Key Modeling Uncertainties. The following were identified as key modeling uncertainties associated with this analysis:

  • Credit for recovery of the AFW system given a LOOP has occurred and (postulated) failure of the EFW system;
  • Credit for continued turbine-driven EFW flow after aligning a FLEX diesel generator to maintain safety-related DC power during a (postulated) SBO; and
  • Credit for EDG repair and recovery during a (postulated) SBO.

Sensitivity analyses were performed to show the effects of these modeling assumptions. The following table provides a brief description of each sensitivity case, including the results and observations:

Description: The estimated time to core damage following a LOOP and failure of EFW is 1.7 hours for Combustion Engineering plants. The best estimate analysis for this event assumed that sufficient time was available to restore offsite power and align the AFW system to feed the steam generators. However, any delay in recovery actions could result in core damage during a LOOP and (postulated) failure of the EFW system. A sensitivity analysis was performed to show the effects of eliminating this credit.
CCDP: 7.8×10⁻⁵
Notes/Observations: Similar dominant sequences and cut sets to the best estimate analysis. The CCDP of LOOPPC sequence 14 is increased by a factor of 11. The total CCDP is increased by a factor of four, but still remains below the significant precursor threshold of 1×10⁻³.

Description: Continued operation of the turbine-driven EFW pump after battery depletion was not credited in this analysis because of the significant potential for over- or under-filling. However, the lack of credit for this strategy is likely conservative. To show potential benefit of this action, a sensitivity analysis was performed that credited operation of the FLEX diesel generator to provide charging to the safety-related batteries to allow for extended operation of the turbine-driven EFW pump to a safe/stable end state during a SBO. A screening failure probability of 0.1 was applied to operation of the FLEX diesel generator.
CCDP: 1.4×10⁻⁵
Notes/Observations: Similar dominant sequences and cut sets to the best estimate analysis. Extended operation of the EFW pump beyond the 2-hour battery depletion mitigates the risk when offsite power is not recovered. The CCDP of LOOPPC sequence 15-14-10 is reduced by a factor of ten. The total CCDP is reduced by approximately 20 percent, but still remains above the precursor threshold.

Description: Repair of failed equipment is not typically credited in PRAs. It is questionable that mean time to repair data for EDGs is applicable to postulated SBO scenarios. To show the effects of this credit, a sensitivity analysis was performed crediting EDG repair for 1-hour (0.88) and 2-hour (0.82) (postulated) SBO scenarios.
CCDP: 1.6×10⁻⁵
Notes/Observations: LOOP sequence 14 remains unchanged, as the results are still dominated by failure of the EFW pumps. The total CCDP is reduced by approximately 6 percent, but still remains above the precursor threshold.

REFERENCES

1. Waterford Steam Electric Station, "LER 382/17-002 - Automatic Reactor Scram due to the Failure of Fast Bus Transfer Relays to Automatically Transfer Station Loads to Off-Site Power on a Main Generator Trip," dated September 18, 2017 (ADAMS Accession No. ML17261B215).
2. U.S. Nuclear Regulatory Commission, Waterford Steam Electric Station, Unit 3 - NRC Special Inspection Report 05000382/2017011, dated December 20, 2017 (ADAMS Accession No. ML17354A690).
3. Idaho National Laboratory, NUREG/CR-6883, The SPAR-H Human Reliability Analysis Method, August 2005 (ADAMS Accession No. ML051950061).
4. Idaho National Laboratory, INL/EXT-10-18533, SPAR-H Step-by-Step Guidance, May 2011 (ADAMS Accession No. ML112060305).

Appendix A: Fault Tree Modifications

[Figure A-1: Waterford Modified EFW System Fault Tree. Labels shown: EFW (emergency feedwater system); EFW-1 (failure of EFW); EFW-SUCT (failure of EFW suction source); EFW-PMP-CF-FR (CCF of EFW pumps to run); EFW-PMP-CF-FS (CCF of EFW pumps to start (PSA basic event)); EFW-NOFLOW-F (EFW pump train failures); EFW-FLOW-SG2 (no EFW flow to steam generator 2); EFW-FLOW-SG1 (no EFW flow to steam generator 1); AFW (auxiliary feedwater system).]

[Figure A-2: Waterford Modified Nonessential Train B AC Power Fault Tree. Labels shown: ACP-NSTRNB (non-essential train B AC power); ACP-NSTRNB-LOOP (loss of div B offsite power with no recovery); HE-LOOP-B (loss of div B offsite power flag); OEP-XHE-XL-NR01HPC (operator fails to recover offsite power in 1 hour (plant-centered)); SWTCHGR-HVACBAB (failure of switchgear room B/AB cooling); ACP-TFM-CF-SUT3AB (CCF of startup transformers 3A/3B to provide power); ACP-ABT-FC-TRB (failure of fast bus transfer for train B); ACP-TFM-FC-SUT3B (failure of startup transformer from switchyard to 4.16 kV bus 3B2); ACP-TFM-TM-SUT3B (startup transformer from switchyard unavailable due to T&M).]

Appendix B: Key Event Trees

[Figure B-1: Waterford Modified SBO Event Tree. Top events shown: SBO-FTF; EPS (emergency power); EFW (emergency feedwater system); SRV (safety relief valves not challenged); CBO (controlled bleedoff isolated); RSUB (reactor coolant subcooling maintained); RCPSI (RCP seal integrity maintained); OPR-02H (offsite power recovery in 2 hrs); End State (Phase - CD).]

[Figure B-2: Waterford Plant-Centered LOOP Event Tree. Top events shown: IE-LOOPPC (loss of offsite power initiator (plant-centered)); RPS (reactor protection system); SBO-FTF; EPS (emergency power); EFW (emergency feedwater system); SRV (safety relief valves not challenged); LOSC (RCP seal cooling maintained); HPI (high pressure injection); OPR-02H (offsite power recovery in 2 hrs); SSC (RCS cooldown using ADVs); SDC (shutdown cooling); RECIRC-FTF; HPR (high pressure recirculation); CSR (containment cooling); End State (Phase - CD).]