ML19198A335

Final Accident Sequence Precursor Analysis - Grand Gulf, Reactor Manual Scram Due to Main Steam Bypass Stop and Control Valve Drifting Open (LER 416-2018-010-01) - Reject
Person / Time
Site: Grand Gulf
Issue date: 07/12/2019
From: Christopher Hunter
Office of Nuclear Regulatory Research
To:
Chris Hunter 415-1394
References
LER 416-2018-010-01


Text

{{#Wiki_filter:Final ASP Program Analysis - Reject

Accident Sequence Precursor Program - Office of Nuclear Regulatory Research

Grand Gulf Nuclear Station
Reactor Manual Scram due to Main Steam Bypass Stop and Control Valve Drifting Open

Event Date: 12/12/2018
LER: 416-2018-001-01
CCDP = 8×10⁻⁷
IR: 05000416/2018050
Plant Type: General Electric Type 6 Boiling-Water Reactor (BWR) with a Mark III Containment
Plant Operating Mode (Reactor Power Level): Mode 1 (100% Reactor Power)
Analyst: Christopher Hunter
Reviewer: Felix Gonzalez
Contributors: N/A
Approval Date: 7/12/2019

EVENT DETAILS

Event Description. On December 12, 2018, Grand Gulf Nuclear Station was operating at 100 percent power when main control room operators identified an increase in reactor power and a simultaneous decrease in generated megawatts due to an unexpected opening of main steam bypass stop and control valve A. The turbine control valves started to close (per design) due to the increase in steam flow. Operators reduced power and attempted to manually close main steam bypass stop and control valve A but were unsuccessful as the valve continued to open. Operators successfully initiated a manual reactor scram and closed the main steam isolation valves (MSIVs) to control the reactor coolant system (RCS) cooldown rate and maintain reactor pressure. Reactor pressure control was maintained by manually cycling the safety relief valves (SRVs). After the reactor scram, control rod drive (CRD) pump B unexpectedly tripped due to low suction pressure and high differential pressure. Operators successfully manually started CRD pump A. Due to the loss of feedwater caused by the closure of the MSIVs, operators manually started the reactor core isolation cooling (RCIC) system. However, although the pump successfully started, operators were unable to establish injection flow and, therefore, prepared to manually start high-pressure core spray (HPCS) to recover reactor water level.

Just prior to the start of HPCS, RCIC began injecting into the reactor due to the reactor pressure decrease caused by the manual opening of an SRV. HPCS was run for approximately 1 minute until operators secured the system. However, injection flow from both the RCIC and HPCS systems resulted in reactor water level being established high in the prescribed control band. When the SRV was subsequently reopened by operators for reactor pressure control, reactor water level increased to the Level 8 set point, resulting in an isolation of the steam supply to RCIC. Operators restored RCIC when reactor water level returned to the specified range. A plant cooldown was successfully completed to Mode 4 using the SRVs, RCIC, and the condensate system. Additional information is provided in licensee event report (LER) 416-2018-010-01 (Ref. 1) and inspection report (IR) 05000416/2018050 (Ref. 2).

Cause. The direct cause of this event was a failed linear variable differential transformer in the actuator for the main steam bypass stop and control valve A. The licensee root cause also determined that existing procedures for turbine electro-hydraulic control did not provide guidance to manually swap a failed controller to an auxiliary controller, which would have allowed operators to close the main steam bypass stop and control valve A.

MODELING

SDP Results/Basis for ASP Analysis. The ASP Program performs independent analyses for initiating events. ASP analyses of initiating events account for all failures/degraded conditions and unavailabilities (e.g., equipment out for test/maintenance) that occurred during the event, regardless of licensee performance.[1] Additional LERs were reviewed to determine if concurrent unavailabilities existed during the December 12th event. No windowed events or concurrent degraded operating conditions were identified.

    [1] ASP analyses also account for any degraded condition(s) identified after the initiating event occurred, if the failure/degradation exposure period(s) overlapped the initiating event date.

In response to this event, the NRC performed a special inspection per Management Directive 8.3, "NRC Incident Investigation Program." The special inspection (as documented in IR 05000416/2018050) revealed two Green (i.e., very low safety significance) findings.

The first finding was associated with the licensee's failure to ensure that the simulator demonstrated expected plant response to operator input and conditions to which it has been designed to respond. Specifically, simulator fidelity negatively impacted operator performance during response to the December 12th reactor scram when operators performed a manual start of the RCIC system and failed to establish sufficient system discharge pressure to achieve injection flow to the reactor. A detailed risk evaluation was performed that resulted in an increase in core damage frequency of approximately 9×10⁻⁷ per year, which constitutes a finding of very low safety significance (Green).

The second finding was associated with the licensee's failure to address the cause and correct a condition associated with post-scram CRD pump trips as required for adverse conditions in accordance with plant procedures. This finding was screened out (i.e., no detailed risk evaluation was performed) using Inspection Manual Chapter 0609, Appendix A, "The Significance Determination Process for Findings at Power," because the licensee performance deficiency did not result in a loss of system function for a significant period. The LER remains open.

Analysis Type. An initiating event analysis was performed using the test/limited use standardized plant analysis risk (SPAR) model for Grand Gulf Nuclear Station created on June 19, 2019. This event was modeled as a recoverable loss of condenser heat sink.

SPAR Model Modifications. The following modifications were required for this initiating event assessment:

- Although CRD pump B, running at the time of the reactor scram, tripped due to low suction pressure and high differential pressure, operators could have restarted the pump shortly thereafter.[2] To allow for this credit, the CRD-B-RUN (CRD pump train B is unavailable) fault tree was modified by moving existing basic events CRD-MDP-FR-PUMPB (CRD pump B fails to run) and CRD-XHE-XM-ERROR (operator fails to align CRD for enhanced flow) under new AND gate CRD-B-RUN-1 (CRD pump B fails to run), which was inserted under the existing top gate.[3] The modified CRD-B-RUN fault tree is shown in Figure B-1 of Appendix B.

    [2] Maximized CRD flow with both pumps is a sufficient source of high-pressure inventory makeup to the reactor.
    [3] Basic event CRD-XHE-XM-ERROR is also located under the top gate of the CRD fault tree. This event can either be deleted or kept in; the analysis results are the same regardless.

- Operators failed to manually increase the RCIC pump discharge pressure to a level sufficient to provide injection at higher reactor pressure, but the RCIC pump was successfully started manually and injected when an SRV was opened for pressure control. This limitation on injection for RCIC is only applicable for a manual start of the pump in manual mode of operation. This mode of operation is not currently modeled in existing RCIC fault tree logic. Therefore, new AND gate RCI-MANUAL (operators fail to control RCIC after manual start) was inserted under existing gate RCI-2 (RCIC pump train is unavailable). Two new basic events were inserted under RCI-MANUAL. The first basic event, RCI-TDP-MANUAL (operators fail to manually control RCIC), represents the operators starting the pump in manual mode of operation and failing to initially inject adequate flow to the reactor. The second basic event, RCI-XHE-RECOVER (operators fail to recover RCIC injection), represents the ability of operators to determine that the initial action to manually inject to the reactor with RCIC was unsuccessful and subsequently restore adequate injection by increasing the pump discharge pressure to allow injection at high reactor pressures. These two new basic events were set to IGNORE.[4] This modified fault tree is shown in Figure B-2 of Appendix B.

    [4] Setting a basic event to IGNORE, along with the associated fault tree changes, allows risk evaluations to be performed in the ECA module without changing the base SPAR model results.

Key Modeling Assumptions. The following modeling assumptions were determined to be significant to the modeling of this initiating event assessment:

- The probability of IE-LOCHS (loss of condenser heat sink) was set to 1.0 due to the reactor scram and subsequent closure of the MSIVs. All other initiating event probabilities were set to zero.

- Although operators manually closed the MSIVs to control the RCS cooldown rate and maintain reactor pressure, the condenser heat sink (including required support systems, e.g., circulating water, condensate) remained available throughout the event. Therefore, credit for recovery of the condenser heat sink is warranted. PCS-XHE-XL-LOCHS (power conversion system recovery fails during LOCHS) was set to a screening value of 0.1.[5]

    [5] NUREG-1792, "Good Practices for Implementing Human Reliability Analysis," provides that 0.1 is an appropriate screening (i.e., typically conservative) value for most post-initiator human failure events (HFEs).

- Basic event CRD-MDP-FR-PUMPB was set to TRUE because the pump tripped after the reactor scram. This trip was caused by a system operating characteristic where the pump suction pressure decreases momentarily following a scram due to increased system flow to refill the hydraulic control unit accumulators and reduced reactor pressure. NRC inspectors identified that Grand Gulf, unlike other Entergy plants, did not install a time delay on the low suction pressure trip signal to prevent undesired pump trips from occurring. Operating experience showed that similar CRD pump trips had occurred; however, licensee corrective actions were unsuccessful at preventing future failures. The licensee plans to implement a time delay for a low suction pressure trip signal to prevent these post-scram CRD pump trips.

- Basic events CRD-MDP-AP-RUNB (CRD pump B is running, pump A is in standby) and CRD-MDP-AP-RUNA (CRD pump A is running, pump B is in standby) were set to TRUE and FALSE, respectively. These basic events set the running/standby pump configuration for the applicable CRD fault tree.

- Credit for the operators restarting CRD pump B after the pump trip was covered under existing basic event CRD-XHE-XM-ERROR, which models the maximization of CRD flow using both pumps. The probability for this basic event was changed to a screening value of 0.1 (from the nominal probability of 2×10⁻²) to account for the unexpected trip of CRD pump B. The human error probability (HEP) of the dependent HFE CRD-XHE-XM-ERROR1 was set to 0.2 to account for increased independent probability of HFE CRD-XHE-XM-ERROR.[6]

- During the event, operators successfully started RCIC in manual mode of operation and adjusted RCIC discharge pressure approximately 23 psi higher than reactor pressure. However, when no injection flow was indicated at this differential pressure, operators did not proceed any further with implementing the RCIC system procedures. Basic event RCI-TDP-MANUAL was set to TRUE due to the initial failure of operators to establish injection to the reactor. When operators opened an SRV for reactor pressure control, RCIC began injecting when reactor pressure decreased to 963.5 psig. Following the initial failure to achieve RCIC injection flow (and except for the Level 8 trip), the RCIC system was subsequently operated to maintain reactor vessel level. To account for the operators' recovery of RCIC injection, basic event RCI-XHE-RECOVER was evaluated using SPAR-H (Ref. 3 and Ref. 4); see Appendix C for additional information. The HEP for RCI-XHE-RECOVER was calculated to be 3×10⁻².

Dependency. It is typical SPAR model practice to leverage the licensee probabilistic risk assessment (PRA) results for dependency considerations between HFEs. Specifically, dependency between applicable HFEs in the SPAR model is only considered if licensee PRA cut sets indicate that some level of dependency exists. There are several HFE combinations in which the Grand Gulf SPAR model accounts for dependency (e.g., the HFE combination of ADS-XHE-XM-MDEPR and CRD-XHE-XM-ERROR described in footnote 5). The key HFE combinations in the preliminary results of this analysis were reviewed to determine if new HFE combinations were present due to the addition of the new HFE RCI-XHE-RECOVER and the moving of HFE CRD-XHE-XM-ERROR. A notable combination of these two HFEs along with HFE ADS-XHE-XM-MDEPR was identified in some dominant cut sets. The dependency between ADS-XHE-XM-MDEPR (operator fails to initiate reactor depressurization) and CRD-XHE-XM-ERROR is already accounted for in the base SPAR model.

    [6] The base SPAR model assumes a dependency for the HFE pair ADS-XHE-XM-MDEPR (operator fails to initiate reactor depressurization) and CRD-XHE-XM-ERROR. The level of dependency was determined to be moderate by the licensee. This dependency level is used in the base SPAR model and has not been modified for this ASP analysis. However, the dependent HEP for CRD-XHE-XM-ERROR1 increases from 0.14 to 0.2 because the independent HEP for CRD-XHE-XM-ERROR increased from 0.02 to 0.1 per the formulas derived from the technique for human error-rate prediction (THERP).

The postulated failure of operators to recover RCIC would likely be driven by complications experienced during the event (i.e., the operators not realizing the pump was injecting at lower pressures and securing the pump thinking it had failed) and, therefore, not due to lack of understanding of the need for inventory makeup to the reactor (given the postulated failure of HPCS). Therefore, it is not believed there would be strong dependency between HFEs RCI-XHE-RECOVER and ADS-XHE-XM-MDEPR. However, a screening approach of using a minimum joint HEP of 10⁻⁵ was used for the HFE combination of RCI-XHE-RECOVER, ADS-XHE-XM-MDEPR, and CRD-XHE-XM-ERROR present in the same cut sets. A new basic event, JHEP-MINIMUM (joint HEP minimum), was created with a failure probability of 10⁻⁵ and a new post-processing rule was inserted into the existing dependency rules:

    elsif RCI-XHE-RECOVER*ADS-XHE-XM-MDEPR*CRD-XHE-XM-ERROR then
        DeleteEvent = ADS-XHE-XM-MDEPR;
        DeleteEvent = CRD-XHE-XM-ERROR;
        DeleteEvent = RCI-XHE-RECOVER;
        AddEvent = JHEP-MINIMUM;

ANALYSIS RESULTS

CCDP. The CCDP for this analysis is calculated to be 8.5×10⁻⁷. The ASP Program acceptance threshold is a CCDP of 1×10⁻⁶ or the CCDP equivalent of an uncomplicated reactor trip with a non-recoverable loss of feed water or the condenser heat sink, whichever is greater. This CCDP equivalent for Grand Gulf Nuclear Station is 4.5×10⁻⁷.[7] Therefore, this event is not a precursor.

    [7] For BWRs, a loss of condenser heat sink initiating event typically assumes that the condensate system is available to provide a source of low-pressure injection to the reactor.

Dominant Sequence. The dominant accident sequence is loss of condenser heat sink sequence 72 (CCDP = 6.6×10⁻⁷), which contributes approximately 78 percent of the total internal events CCDP. The dominant sequences that contribute at least 1.0 percent to the total internal events CCDP are provided in the following table. The dominant sequence is shown graphically in Figure A-1 of Appendix A.

| Sequence | CCDP | Percentage | Description |
|---|---|---|---|
| LOCHS 72 | 6.62×10⁻⁷ | 78.1% | Loss of condenser heat sink initiating event occurs; successful reactor trip; RCIC and HPCS fail; reactor depressurization fails; and enhanced CRD flow fails resulting in core damage |
| LOCHS 75-54-09-17 | 3.40×10⁻⁸ | 4.0% | Loss of condenser heat sink initiating event occurs; successful reactor trip; a consequential loss of offsite power (LOOP) occurs; emergency diesel generators (EDGs) fail resulting in a station blackout (SBO); HPCS fails, but RCIC succeeds; operators fail to recover alternating current power to the safety related buses prior to core damage (approximately 8 hours)[8] |
| LOCHS 76-08 | 2.44×10⁻⁸ | 2.9% | Loss of condenser heat sink initiating event occurs; reactor protection system (RPS) fails resulting in an anticipated transient without scram (ATWS); recirculation pumps are successfully tripped; the SRVs successfully open; and standby liquid control succeeds; operators successfully inhibit ADS; low-pressure coolant injection is successful; and operators fail to maintain reactor water level resulting in core damage |
| LOCHS 75-54-10-27 | 2.34×10⁻⁸ | 2.8% | Loss of condenser heat sink initiating event occurs; successful reactor trip; a consequential LOOP occurs; EDGs fail resulting in an SBO; RCIC and HPCS fail; operators fail to recover alternating current power to the safety related buses prior to core damage (approximately 30 minutes) |
| LOCHS 75-51 | 2.02×10⁻⁸ | 2.4% | Loss of condenser heat sink initiating event occurs; successful reactor trip; a consequential LOOP occurs, but the EDGs successfully provide power to safety-related buses; RCIC and HPCS fail; reactor depressurization fails; and enhanced CRD flow fails resulting in core damage |
| LOCHS 75-54-12-19 | 1.69×10⁻⁸ | 2.0% | Loss of condenser heat sink initiating event occurs; successful reactor trip; a consequential LOOP occurs; EDGs fail resulting in an SBO; a stuck open relief valve results in a small loss-of-coolant accident; and RCIC and HPCS fail resulting in core damage |
| LOCHS 76-35 | 1.53×10⁻⁸ | 1.8% | Loss of condenser heat sink initiating event occurs; RPS fails resulting in an ATWS; recirculation pumps are successfully tripped; the SRVs successfully open; and standby liquid control fails resulting in core damage |
| LOCHS 77 | 1.29×10⁻⁸ | 1.5% | Loss of condenser heat sink initiating event occurs; RPS fails resulting in an ATWS; and a consequential LOOP is assumed to result in core damage |
| LOCHS 76-37 | 1.23×10⁻⁸ | 1.5% | Loss of condenser heat sink initiating event occurs; RPS fails resulting in an ATWS; and recirculation pumps fail to trip resulting in core damage |

    [8] This sequence is potentially conservative given credit for FLEX mitigation strategies is not provided. The crediting of FLEX would have a minimal impact on the overall results of this analysis.

REFERENCES

1. Grand Gulf Nuclear Station, "LER 416-2018-010 Reactor Manual Scram due to Main Steam Bypass Stop and Control Valve Drifting Open," dated February 8, 2019 (ADAMS Accession No. ML19192A062).
2. U.S. Nuclear Regulatory Commission, "Grand Gulf Nuclear Station - NRC Special Inspection Report 05000416/2018050," dated March 29, 2019 (ADAMS Accession No. ML19088A335).
3. Idaho National Laboratory, NUREG/CR-6883, "The SPAR-H Human Reliability Analysis Method," August 2005 (ADAMS Accession No. ML051950061).
4. Idaho National Laboratory, INL/EXT-10-18533, "SPAR-H Step-by-Step Guidance," May 2011 (ADAMS Accession No. ML112060305).

Appendix A: Key Event Tree

Figure A-1. Grand Gulf Loss of Condenser Heat Sink Event Tree

[Figure not reproduced. Top events: IE-LOCHS (loss of condenser heat sink); RPS (reactor protection system); OEP (failure of offsite power to 'E' buses); SRV (SRVs close); HCS (HPCS); RCI (RCIC); SPC (suppression pool cooling); DEP (manual reactor depressurization); CRD (CRD injection, 2 pumps); CDS (condensate injection is unavailable); LPI (low-pressure injection, LPCS or LPCI); VA (alternate low-pressure injection); SDC (shutdown cooling); CSS (containment spray); PCSR (power conversion system recovery); CVS (containment venting); LI (late injection is unavailable). The tree has 77 sequences with end states OK or CD; sequences 73 through 76 are labeled 1SORV, 2SORVS, LOOPPC and ATWS.]

Appendix B: Modified Fault Trees

Figure B-1. Modified CRD-B-RUN Fault Tree

Figure B-2. Modified LCS-MDP-SS Fault Tree

Appendix C: Evaluation of Key HFEs

Evaluation of RCI-XHE-RECOVER (operators fail to recover RCIC injection).

Definition: Operators successfully provide RCIC injection at higher reactor pressures after initial attempt failed.

Description and Event Context: Operators initiated RCIC in manual control mode of operation and increased the pump's discharge pressure; however, no injection flow was achieved. When operators opened an SRV to control reactor pressure, RCIC began injection when reactor pressure decreased below 963.5 psig. Without subsequent operator action, RCIC injection flow would cycle as an SRV opened on low-low set mode at 1103 psig and closed at 926 psig. This cycling of the SRV would continue if the core remained covered. Inspectors determined that RCIC would have injected for approximately one-third of the time, which would extend the time to core damage. Multiple cues would be present to the operators to recover RCIC injection flow at higher reactor pressures.

Operator Action Success Criteria: Operators successfully increase RCIC discharge pressure to allow for injection at higher reactor pressures.

Key Cue(s): No RCIC injection flow initially, but subsequent injection at lower reactor pressure (963.5 psig).

Procedural Guidance: Procedure 04-1-01-E51-1, Reactor Core Isolation Cooling System, Revision 139, Attachment VI.

Diagnosis/Action: This HFE contains both diagnosis and action activities.

| PSF | Multiplier (Diagnosis / Action) | Notes |
|---|---|---|
| Time Available | 0.01 / 1 | Once operators realize that the RCIC pump discharge pressure was not sufficient to support injection at higher reactor pressure, it would take only a few minutes (at most) to adjust the manual controller to allow for injection at the top of the reactor pressure control band. The time to core uncovery, assuming no operator action with intermittent RCIC injection flow during the dominant (postulated) scenario. However, it is estimated that core damage would not occur within 1 hour. The nominal time for diagnosis is estimated to take 5 minutes. Since at least 50 minutes would be available for diagnosis, which is greater than 2x nominal time and greater than 30 minutes, the diagnosis PSF for available time is set to Expansive (i.e., x0.01). Sufficient time exists to perform the action component of the offsite power recovery; therefore, the action PSF for available time is set to Nominal (i.e., x1). See Reference 4 for guidance on apportioning time between the diagnosis and action components of an HFE. |
| Stress | 2 / 2 | The PSF for diagnosis and action stress is set to High (i.e., x2) because the dominant (postulated) scenario involves the failure of all high-pressure injection systems and manual depressurization and, therefore, recovery of RCIC is required to prevent core damage. |
| Complexity | 2 / 1 | The PSF for diagnosis complexity is assigned a value of Moderately Complex (i.e., x2) because operators would have to contend with multiple equipment unavailabilities and concurrent actions/multiple procedures during the dominant (postulated) scenario. In addition, there was an indication issue associated with the RCIC governor valve increasing the complexity. These added complexities are associated with the diagnosis component of this PSF and, therefore, the action PSF for complexity is set to Nominal (i.e., x1). |
| Procedures | 5 / 5 | During the event, operators correctly implemented procedures to start RCIC in manual mode of operation. However, operators stopped performing procedure steps when an expected system response (i.e., injection flow) was not observed. The procedures did not indicate the required RCIC pump discharge pressure to provide injection for the specified range of reactor pressures. In addition, manually starting RCIC in automatic controller mode of operation would have avoided this problem. Given these procedural limitations, the PSF for diagnosis and action procedures is set to Available, but Poor (i.e., x5). |
| Experience/Training | 10 / 1 | The reason for the initial failure of operators to successfully increase RCIC pump discharge pressure to allow for injection at high reactor pressures was largely due to their experience/training in the plant simulator. Specifically, the plant simulator modeled the initiation of RCIC injection flow at an indicated pressure difference of approximately 10 psig. During the event, operators adjusted RCIC discharge pressure approximately 23 psi higher than reactor pressure. When no injection flow was indicated at this differential pressure, operators did not proceed any further with implementing the RCIC system procedures (i.e., no further adjustment to the flow controller was made). Given that simulator training was the main driver for the initial operator error, the diagnosis PSF for experience/training is set to Low (i.e., x10). It is not expected that the poor simulator fidelity would affect the action component for this PSF and, therefore, it is set to Nominal (i.e., x1). |
| Ergonomics/HMI, Fitness for Duty, Work Processes | 1 / 1 | No event information is available to warrant a change in these PSFs (diagnosis or action) from Nominal (i.e., x1). |

The HEP is calculated using the following SPAR-H formula:

HEP = (Product of Diagnosis PSFs × Nominal Diagnosis HEP) + (Product of Action PSFs × Nominal Action HEP)
    = (2 × 0.01) + (10 × 0.001)
    = 3×10⁻²

Therefore, the human error probability for RCI-XHE-RECOVER was set to 3×10⁻².}}
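
An added example (not part of the NRC analysis or the SPAR model) that recomputes the Appendix C HEP from the PSF table and applies the JHEP-MINIMUM post-processing rule from the Dependency discussion to two cut sets. The cut sets, the ADS-XHE-XM-MDEPR probability and the HCS-HW-CONSTRUCTED and CRD-HW-CONSTRUCTED events are constructed for illustration and do not come from the page.

```python
from math import prod

# Nominal HEPs that appear in the page's SPAR-H formula.
NOMINAL_DIAGNOSIS_HEP = 0.01
NOMINAL_ACTION_HEP = 0.001

# (diagnosis, action) multipliers copied from the Appendix C PSF table.
PSFS = {
    "Time Available": (0.01, 1),
    "Stress": (2, 2),
    "Complexity": (2, 1),
    "Procedures": (5, 5),
    "Experience/Training": (10, 1),
    "Ergonomics/HMI": (1, 1),
    "Fitness for Duty": (1, 1),
    "Work Processes": (1, 1),
}


def spar_h_hep(psfs):
    """HEP = prod(diagnosis PSFs) * 0.01 + prod(action PSFs) * 0.001."""
    diagnosis = prod(d for d, _ in psfs.values())
    action = prod(a for _, a in psfs.values())
    return diagnosis * NOMINAL_DIAGNOSIS_HEP + action * NOMINAL_ACTION_HEP


# The three HFEs named in the post-processing rule, and the event that replaces them.
RULE_HFES = frozenset({"RCI-XHE-RECOVER", "ADS-XHE-XM-MDEPR", "CRD-XHE-XM-ERROR"})
JHEP_MINIMUM = "JHEP-MINIMUM"


def apply_jhep_rule(cut_set):
    """When all three HFEs are present, delete them and add JHEP-MINIMUM."""
    events = frozenset(cut_set)
    if RULE_HFES <= events:
        return (events - RULE_HFES) | {JHEP_MINIMUM}
    return events


def cut_set_probability(cut_set, probs):
    """Product of the basic event probabilities in one cut set."""
    return prod(probs[event] for event in cut_set)


PROBS = {
    "RCI-XHE-RECOVER": spar_h_hep(PSFS),  # 3x10^-2, as in Appendix C
    "CRD-XHE-XM-ERROR": 0.1,              # screening value from the page
    "JHEP-MINIMUM": 1e-5,                 # joint HEP minimum from the page
    "ADS-XHE-XM-MDEPR": 5e-4,             # constructed placeholder, not from the page
    "HCS-HW-CONSTRUCTED": 1e-2,           # hypothetical HPCS hardware failure
    "CRD-HW-CONSTRUCTED": 1e-3,           # hypothetical CRD hardware failure
}

# Constructed cut sets: the first holds all three HFEs, the second only two.
CUT_SETS = [
    frozenset({"HCS-HW-CONSTRUCTED", "RCI-XHE-RECOVER",
               "ADS-XHE-XM-MDEPR", "CRD-XHE-XM-ERROR"}),
    frozenset({"HCS-HW-CONSTRUCTED", "RCI-XHE-RECOVER",
               "ADS-XHE-XM-MDEPR", "CRD-HW-CONSTRUCTED"}),
]


def evaluate(cut_sets, probs):
    """Return (probability before the rule, probability after) per cut set."""
    return [
        (cut_set_probability(cs, probs),
         cut_set_probability(apply_jhep_rule(cs), probs))
        for cs in cut_sets
    ]


if __name__ == "__main__":
    print(f"RCI-XHE-RECOVER HEP = {spar_h_hep(PSFS):.3g}")
    for before, after in evaluate(CUT_SETS, PROBS):
        print(f"cut set: {before:.3g} -> {after:.3g}")
```

With these constructed inputs the rule raises the first cut set from 1.5×10⁻⁸ to 1×10⁻⁷, because the product of the three HFE probabilities would otherwise fall below the 10⁻⁵ joint minimum; the second cut set is unchanged.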