Text

Annendi B

LRN.369-1 B.6 LER No. 346/98-011 Event

Description:

Manual reactor trip while recovering from a component cooling system leak and de-energizing safety-related bus D 1 and nonsafety-related bus D2 Date of Event:

October 14, 1998 Plant:

Davis-Besse 1 B.6.1 Event Summary The Davis-Besse plant was in Mode 1 at 1 00%/o power on October 14, 1998, when a lockout of essential bus D 1, nonessential bus D2, and the station blackout (SBO) diesel generator (DG) occurred.' The bus lockout occurred when an electrician rolled circuit breaker AACDI back into its cubicle after performing preventive maintenance.

As the breaker was rolled back, the metal breaker frame contacted a terminal screw of a time-over-current relay mounted on the cubicle door and actuated the relay. This relay provides backup ground protection for buses D l and D2. Loss of bus D2 caused the loss of condensate pump 1-2 and, as a result, the operators initiated a plant power reduction. Before the lockout of buses Dl and D2, component cooling water pump (CCWP) 1-2 was in operation supplying nonessential loads. When bus D1 was lost, CCWP 1-2 and service water pump (SWP) 1-2 tripped. Tripping of CCWP 1-2 caused CCWP 1-1 to start automatically. The isolation valve that isolates the nonessential component cooling water (CCW) supply from CCWP 1-1 opened after a 30-s time delay. During that delay, no CCW flowed through the RCS letdown coolers resulting in the hot RCS coolant heating up the CCW inside the coolers. When the isolation valve on the pipeline from CCWP-1 to the nonessential CCW header opened, sub-cooled CCW flowed into the RCS letdown coolers causing the steam bubbles in the coolers to collapse. The collapsing of the steam bubbles created a pressure spike that damaged one of the two rupture disks on letdown cooler 1-1. At 1512, personnel restored power to essential buses D I and F 1. (Essential bus F 1 is a 480-V ac bus powered by essential bus D1-a 4160-V ac bus.) At 1523, personnel restarted CCWP 1-2; restarting CCWP 1-2 caused the CCW surge tank level to drop rapidly because of the rapid loss of water from the CCW system through the ruptured disk. This prompted the operators to trip the reactor at 1523. By 1712, operators restored CCW and stabilized the plant. The conditional core damage probability (CCDP) estimated for this event is 1.5 x 10-.

B.6.2 Event Description At 1356, on October 14, 1998, Davis-Besse was operating at 100% power, when a lockout of essential bus D l, nonessential bus D2, and the SBO DG occurred At this time, bus-tie transformer AC was de-energized; this bus tie transformer can provide backup power to essential bus D1. Figure B.6. 1 shows the arrangement of buses D1 and D2 and the associated breakers. After performing routine preventive maintenance on circuit breaker AACD 1, an electrician rolled the breaker back into its cubicle. A misalignment between the floor rail and circuit breaker resulted in the breaker frame contacting a terminal screw; the short actuated the time-over-current relay that provides backup ground protection for buses Dl and D2. The opening of this relay resulted in deenergizing NUREG/CR-4674, Vol. 27 LER No. 346/98-011 Annendix B B.6-1

LER No. 346/98-011 Appendix B nonessential bus D2 and essential bus Dl. The short also resulted in preventing the output breaker for the SBO DG (AD213) from closing. Emergency DG (EDG) 1-2 started on low voltage; however, its output breaker (ADl01) could not close because it was locked out. Operators shut down EDG 1-2 anyway at 1401 because CCW was unavailable to cool the EDG. Because of the lockout of Dl and D2, CCWP 1-2 (powered from bus DI) and condensate pump 1-2 (powered from bus D2) were unavailable. In addition, all normal station lighting (powered from bus D2) was lost. Operators began reducing reactor power to stabilize power at a level within the capacity of the two available condensate pumps. Operators reduced power from 100% to -87% by 1430.

At 1415 (19 min after the bus lockout), operators declared turbine-driven auxiliary feedwater (AFW) pump AFP l-1 operable although it was out of service for testing before the lockout event began.. The capability to inject feedwater into SG 1-1 from AFP 1-2 was lost because essential bus F1 supplies motive power to MOV 3871 and this valve was closed. AFP 1-2 is also a turbine-driven pump.

When the D1/D2 bus lockout occurred, CCWP 1-2 was operating and supplying non-essential CCW loads inside containment (see Fig. B.6.2). Troubleshooting was in progress on the discharge flow indicating switch (FIS1422D) for CCWP 1-1. When the bus lockout occurred and CCWP 1-2 tripped, CCWP 1-1 automatically started. The non-essential isolation valve in CCW Loop 1 (valve 5095) began to open after a 30-s delay. When CCWP 1-2 tripped, the nonessential isolation valve on CCW Loop 2 (valve 5096) received a signal to close; because of the D1/D2 bus lockout, motive power (480-V ac essential bus F 1) was unavailable to close the valves.

During the 30-s delay for the CCW Loop 1 non-essential isolation valve to begin stroking open, no coolant flow was provided to the RCS letdown coolers. Because of the hot reactor coolant flowing through the letdown coolers, the CCW in the coolers turned to steam. When the Loop 1 nonessential isolation valve opened and reinitiated flow to the letdown coolers, the sub-cooled CCW caused the steam pockets to collapse. The resultant pressure spike damaged one of the two rupture disks on letdown cooler 1-1. Alarms received during operation of the containment sump pump along with the low water level in the CCW surge tank indicated a leak of 1-3 x 10' m3/s (2-5 gpm) from the CCW system. Indications were that the leak had started inside containment.

By 1512 (76 mrin after the bus lockout), personnel had fixed the problem in bus cubicle AACD 1. Restoration of power to the electrical buses began thedn Re-energizing 480-V ac essential bus Fl restored power to the CCW Loop 2 non-essential isolation valve. Because of an "open" signal from FIS 1422D and a "close" signal from the breaker interlocks, CCW Loop 2 non-essential isolation valve (valve 5096) started to cycle open and closed.

The valve continued to cycle until CCWP 1-2 was started. At 1517, operators successfully restarted service water pump (SWP) 1-2, followed by the restart of CCWP 1-2 at 1523. Both pumps are powered from essential bus DI. When CCWP 1-2 was started, the CCW surge tank level decreased rapidly. When the water level in the surge tank decreased to 88.9 cm (35 in.) and was still decreasing, operators tripped the reactor and the reactor coolant pumps (RCPs). This generated an automatic start signal to the AFW system. Natural circulation conditions were fully developed -4 min after the RCPs tripped.

Following the reactor trip, the following events occurred: (1) the operators' attempt to start makeup pump 1-2 failed, (2) steam generator (SG) outlet pressure increased because of the closing of the main turbine stop valves, (3) the turbine bypass valves (TBVs) and the atmospheric vent valves (AVVs) opened and the main steam safety valves (MSSVs) lifted in response to the increasing pressure in the secondary system, (4) the MSSVs and the AWs closed as the outlet pressure for the SGs decreased, and (5) the TBVs throttled closed as they attempted to control SG outlet pressure at the post-trip setpoint of -6.86 MPa (995 psig). Following the reactor trip, operators determined that MSSV SP17B7 was not fully closed. By manually reducing the pressure in the main NUREG/CR-4674, Vol. 27 B.6-2 Annendix B

steam system to 6.34 MPa (920 psig), MSSV SP17B7 reseated. While actions were underway to investigate and recover from the loss of CCW to the containment and to recover electrical loads that were lost, the operators also had to initiate actions to reduce steam loads in the secondary system to terminate the overcooling of the reactor coolant system (RCS). Plant operators made preparations to restore CCW to the containment header while leaving CCW to the letdown coolers isolated. At 1712, personnel restored CCW to the containment header thereby providing cooling for the control rod drives and reactor coolant pumps (RCPs). This required operators to open CCW containment isolation valves CC 141 IA and B; these valves functioned as designed to isolate the leak from letdown cooler 1-1. Shortly after that, operators were able to restart RCPs 1-2 and 2-2, restoring forced-RCS coolant flow.

B.6.3 Additional Event-Related Information Essential bus DI and nonessential bus D2 supply power to components necessary for emergency and normal plant operation, respectively. Therefore, loss of power to these buses and the resulting decrease in RCS coolant flow increased the likelihood of a reactor trip. The power reduction started at 1356 from 100% power, and was terminated at 87% at 1430. At 1523, operators tripped the reactor.

The damage to the rupture disk on the RCS letdown heat exchanger worsened when CCWP 1-2 was started after power to bus D1 was recovered. (Power to bus DI was recovered at 1512, or 76 min after the bus lockout.) The water level in the CCW surge tank dropped rapidly as a result of water flowing out the ruptured disk. CCW containment isolation valves CC141 IA and CC141 B functioned as designed to isolate letdown cooler 1-1 within 10 s because of the low water level in the surge tank. Successfully isolating the leak maintained CCW system inventory levels and prevented net positive suction head problems for the CCW pumps. As Fig. B.6.2 shows, successful isolation of these valves not only affects the RCS letdown cooler, it also affects the CCW supply to all of the RCPs and control rod drives. That is, when either valve CC141 IA or valve CC141 lB closes, CCW cooling of the RCP seals will be lost. However, operators can close other valves remotely to allow isolation of the letdown heat exchangers while still providing RCP cooling to the RCP seals.

As shown in Fig. B.6.3, Davis-Besse has two turbine-driven auxiliary feedwater pumps (AFP 1-1 and AFP 1-2).

If essential bus D1 is available, either of these pumps can provide feedwater to either of the steam generators.

However, the loss of power to essential bus DI caused power to be lost to essential bus F1. Bus FI powers motor-operated valve AFW-3871, which is normally closed. Therefore, when bus D1 lost power, the capability to inject feedwater into steam generator SG 1-1 from AFP 1-2 was lost because valve AFW-3871 could not be opened. Although Davis-Besse also has a motor-driven feedwater pump, it was not available because it is powered from bus D2. Hence, if AFP 1-I had failed, the capability of providing feedwater to SG 1-1 would be lost. Without feedwater, the steam supply from SG 1-1 to the turbine-driven AFW pumps would fail. As a result, with bus Fl failed, if AFP 1-1 fails, only SG 1-2 has the capability to supply steam to AFP 1-2. However, as Fig. B.6.3 shows, when bus D1 is failed, MOV 107 (normally closed) cannot be opened and SG 1-2 cannot provide steam to the turbine of AFP 1-2.

In summary, if AFP 1-1 fails when bus D1 is de-energized, then AFP 1-2 will fail because of a lack of steam.

Because the motor-driven feedwater pump is powered from bus D2, all feedwater would be lost.

B.6-3 NIJREG/CR-4674, Vol. 27 B.6-3 Appendix B LER No. 346/98-011 NUREG/CR-4674, Vol. 27

According to Ref 2, when both trains of makeup pumps are available for feed-and-bleed cooling, opening both pressurizer safety valves is adequate to perform the bleed function. The pressurizer pilot-operated relief valve (PORV) is not essential. However, when essential bus Dl lost power, makeup pump 1-2 was not available.

Under that condition, the PORV is essential to perform feed-and-bleed cooling. The pressurizer PORV is powered from Division 2 dc power. When bus Dl is de-energized, Division 2 dc power relies upon the Division 2 battery. When the battery's charge has been depleted, the PORV will fail and, as a result, feed-and-bleed cooling will fail. Therefore, if bus Dl is not recovered before the battery that powers the PORV is depleted, feed and-bleed cooling will fail.

B.6.4 Modeling Assumptions In modeling this event, three scenarios were examined.

Scenario 1 The first scenario was estimated using the standardized plant analysis risk (SPAR)-based model for Davis-Besse.

The following sequence (sequence 20 on Fig. B.6.4) contributed 100% of the CCDP from this scenario:

"* a reactor trip,

"* unavailability of MFW, unavailability of AFW, and loss of high pressure injection (HPI) cooling (also known as feed-and-bleed cooling).

Probability of Reactor Trip (RT)

When buses D I and D2 were lost, the reactor did not automatically trip. However, several systems or system trains that rely on buses Dl or D2 (e.g., condensate pump 1-2, cooling water pump 2, station air compressor, emergency air compressor, and heater drain pump 2) were without power. As a result, the operators had to reduce the power level from 100% to 87% over a 34-min period (from 1356 to 1430). The operators tripped the plant at 1523. The loss of essential and nonessential busses and changing the power level increased the likelihood of a reactor trip. Reference 3 (page 8-12) indicates that there were 10 reactor trips during 148 controlled plant shutdowns. Therefore, a value of 6.8 x 102 (10/148) was used to approximate the increased probability of a reactor trip occurring during this event (IE-TRNS). This is an increase from the base-case value in the SPAR based model for Davis-Besse of 2.7 x 10-4.

Unavailability of MFW (MFW-T)

Reference I notes that de-energizing bus D2 resulted in the loss of power to condensate pump 1-2. Besides this, station air compressor C140 is also powered from bus D2. Moreover, bus F7, which provides power to the emergency air compressor, was unavailable because it is powered by bus D2. One train of the turbine plant cooling water system was without power because bus D2 was without power. In consideration of all these dependencies, it was pessimistically assumed that the reactor trip was caused by the loss of, or a transient in, the N1JREGICR-4674, Vol. 27 B.6-4 LER No. 346/98-011 Appendix B NUREG/CR-4674, Vol. 27 B.6-4

MFW system. Further, with essential bus Dl and nonessential bus D2 de-energized, the MFW system would not be available to remove decay heat after tripping the reactor.

Unavailability of AFW (AFW)

The loss of power to essential bus D I caused power to be lost to essential bus F I. Bus F I powers motor-operated valve AFW-3871, which is normally closed (and was closed when the transient began). Therefore, when bus D1 lost power, the capability to inject feedwater into steam generator SG 1-1 from AFP 1-2 was lost. If AFP 1-I had failed, the capability of providing auxiliary feedwater to SG 1-1 would be lost. Without feedwater, the steam supply from SG 1-I to the turbine-driven AFW pumps would fail.

In addition to the two turbine-driven AFW pumps and one motor-driven feedwater pump, Davis-Besse has another motor-driven feedwater pump-the startup feedwater pump. This pump can back up the AFW system.

This pump was the original "motor-driven feedwater pump," but once the new motor-driven feedwater pump had been installed, it was essentially abandoned in place. Since then, however, the pump has been put back into the plant operating procedures and would be available if needed. It is powered from nonessential bus C2. Its breaker must be racked in, and there are manual isolation valves that must be opened locally. Conversely, the new motor driven feedwater pump can be started from the control room and acts just like an AFW pump. For these reasons, the availability of the startup feedwater pump is lower than that for the new motor-driven feedwater pump.

Therefore, if buses DI and D2 had remained de-energized (i.e., one turbine-driven AFW pump and main feedwater is unavailable), and the other turbine-driven AFW pump failed or was unavailable, the startup feedwater pump could still have been used to provide water to the steam generators.

Loss of HPI (Feed-and-Bleed Cooling) (HPI-COOL)

If steam generator cooling using the AFW and MFW fails, decay heat can be removed by feed-and-bleed cooling.

According to the Davis-Besse individual plant examination (IPE),2 when only one makeup pump train is available, the pressurizer PORV is essential for feed-and-bleed cooling. During this transient, makeup pump 1-2 did not start because essential bus Dl was unavailable, leaving only one makeup train available. The PORV used for feed-and-bleed cooling requires power from Division 2 electrical supply. With essential bus D1 unavailable, the battery charger is unavailable and the battery will be depleted. If the dc electrical loads are not reduced, a typical battery at a nuclear power plant can be expected to last -2 h. During this event at Davis-Besse, the electrical buses Were lost for 76 min. Assuming a mean-time-to-repair (i.e., the time to recover power to the essential bus) of 75 min and an exponential distribution, the probability of failing to recover dc power in 2 h is 2.0 x 10'. Basic event D2N-RECHARGE was added to the SPAR-based model for Davis-Besse to model this failure.

Other likely failure modes for feed-and-bleed cooling include an operator failing to initiate high-pressure injection cooling (HPI-XHE-XM-HPIC), a PORV fails to open on demand (PPR-SRV-CC-PORV), failures in decay heat removal pump train PI 1 (DHR-MDP-FC-P 11), failure of low-pressure injection train 11 discharge motor operated valve DH64 to open (DHR-MOV-FC-DH64), failure of motor-driven charging pump train 1-1 (CVC-MDP-FC-MUl 1), failures in the charging discharge path (CVC-AOV-OC-DIS), and charging train suction valve MU 6405 fails (CVC-MOV-FC-SUC 11).

Avpendix B l.1*1* "Nln "IIAIglQRN! 1 B.6-5 NUTREG/CR-4674, Vol. 27

I dIV. NJ^ lAA/QR..rh-AIppni Scenario 2 The second scenario, as shown in Fig. B.6.5, consists of

"* loss of CCW because of a rupture disk failure in the RCS letdown heat exchanger,

"* failure to isolate the rupture (automatically or via operator action),

"* operator fails to trip the RCPs after the loss of CCW, leading to a seal LOCA.

Loss of CCW aIE-CCW)

Another scenario considered during the modeling of this event was the potential loss of all CCW because of the rupture disk failure in the RCS letdown cooler. The design of the CCW is such that, when the running CCW pump stops and the standby CCW pump starts, steam will form inside the RCS letdown heat exchanger during the 30 s it takes to open the isolation valve from the standby CCW train to its nonessential supply. When bus DI deenergized, CCWP 1-2 tripped. CCWP 1-1 started automatically. Starting the standby CCW pump caused the steam in the letdown heat exchanger to collapse, thereby damaging a rupture disk in the letdown heat exchanger. The resulting isolable leakage was 1-3 x 10' m3/s (2-5 gpm). Subsequently, after personnel recovered electric power and restarted CCWP 1-2, the water level in one side of the CCW surge tank decreased rapidly (the CCW surge tank at Davis-Besse has two sides with a dividing wall between them) and the leak from the damaged rupture disk increased (CCWP 1-2 had been operating prior to the loss of buses DI and D2.) The low water level in the surge tank generated a' signal to close CCW containment isolation valves CC 141 IA and CC141 1B, thereby stopping the flow of CCW to the RCS letdown heat exchanger. The other side of the tank could have been depleted fully only if the operators had failed to isolate the nonessential loads and had aligned CCWP 1-1 to supply them from the second side of the surge tank.

Failure to Isolate the Rupture (ISOLATE)

There are two CCW containment isolation valves (CC 141 IA and CC 141 1B) that receive automatic signals to isolate the nonessential CCW header on a low water level in the surge tank. If a rupture disk failure occurred in the RCS letdown cooler and if both valves failed to isolate the rupture, the water level in the CCW would continue to drain down. Note that valves CC 1411 A and B are redundant isolation valves that receive isolation signals from redundant sources. Further, a low water level alarm for the surge tank will also let the operator know of the need to isolate the tank-as it did during this event. Considering the probabilities of the various failure modes to isolate the nonessential CCW header (the failure of CC 141 IA and B to close, the failure of the redundant automatic signals to isolate the surge tank, the failure of the operator to recognize and intervene in response to a low water level in the surge tank, and the failure of the containment normal sump pump alarms to annunciate),

the common-cause mechanical failure of the two isolation valves to close is dominant. The SPAR-based model for Davis-Besse uses a probability of 2.6 x 10' for the common-cause failure probability of two MOVs failing to close.

Operator Fails to Trip the RCPs (TRIPRCP)

If CCW fails, procedures instruct the operators to trip the RCPs because the failure to trip the RCPs under these conditions will lead to an RCP seal LOCA. In addition, alarms will indicate to the operator if the RCP seal B.6-6 Appendix B 1.15"D NT* "4tJ, K/qlq.nl 1 NUREG/CR-4674, Vol. 27

temperature is too high. Under this transient condition, a probability of 1.0 x 10.' represents an upper bound for the probability of the operator failing to trip the RCPs.4 The probability of an RCP seal LOCA from this sequence is less than 2.6 x 10' [i.e., 2.6 x 10-4 (failure to isolate the ruptured heat exchanger) x 1.0 X 10-3 (operator fails to trip the RCPs)].

Scenario 3 The third scenario, as shown in Fig. B.6.5, consists of

"* loss of CCW because of a rupture disk failure in the RCS letdown heat exchanger,

"* failure to isolate the rupture (automatically or via operator action),

"* the operator successfully trips the RCPs, failure to recover CCW and to restore cooling to the RCP seals before seal damage leads to an RCP seal LOCA, and failure to recover HPI (or makeup) pumps prior to core uncovery.

Loss of CCW (IE-CCW)

When bus D1 deenergized, CCWP 1-2 tripped. CCWP 1-1 started automatically. Starting the standby CCW pump caused the steam in the letdown heat exchanger to collapse, thereby damaging a rupture disk in the letdown heat exchanger. The resulting isolable leakage was 1-3 x 10-' m3/s (2-5 gpm). Subsequently, after personnel recovered electric power and restarted CCWP 1-2, the water level in one side of the CCW surge tank decreased rapidly and the leak from the damaged rupture disk increased. The low water level in the surge tank generated a signal to close CCW containment isolation valves CC 141 IA and CC 1411 B, thereby stopping the flow of CCW to the RCS letdown heat exchanger. The other side of the tank could have been depleted fully only if the operators had failed to isolate the nonessential loads and had aligned CCWP 1-1 to supply them from the second side of the surge tank.

Failure to isolate the rupture (ISOLATE)

There are two CCW containment isolation valves (CC 141 IA and CC 141 IB) that receive automatic signals to isolate the nonessential CCW header on a low water level in the surge tank. If a rupture occurred in the RCS letdown cooler and if both valves failed to isolate the rupture, the water level in the CCW surge tank would continue to drain down. The common-cause mechanical failure of the two isolation valves to close will dominate the failure probability of failing to isolate the rupture. The SPAR-based model for Davis-Besse uses a probability of 2.6 x 10.4 for the common-cause failure probability of two MOVs failing to close.

Operator successfully trips the RCPs (TRIPRCP)

If CCW fails, procedures instruct the operators to trip the RCPs because the failure to trip the RCPs under these conditions will lead to an RCP seal LOCA. In addition, alarms will indicate to the operator if the RCP seal temperature is too high. It is extremely likely that operators will trip the RCPs (probability = 0.997).

B.6-7 NIJREG/CR-4674, Vol. 27 ADvendix B LER No. 346/98-011 B.6-7 NUREG/CR-4674, Vol. 27

LER No. 346/98-011....

Failure to recover CCW prior to RCP seal failure (SEALS)

CCWP 1-3 was the spare pump at the time of the event. This pump can be aligned electrically to either Division I (bus CI) or Division 2 (bus D1). Thus, operators could have aligned CCWP 1-3 as a backup to CCWP 1-1 if it had failed to start, or to CCWP 1-2 after personnel restored power to bus DI. This would have required manually racking in the pump breaker at the 4-kV switchgear and opening two manual isolation valves. Plant procedures cover these actions explicitly and the IPE gives reasonable credit to their success.

There is a procedure for loss of CCW that specifies recovery actions using the spare pump. If CCW is unavailable, the procedure assumes that the makeup pump(s) would fail because of lack of cooling within about 10 miu.

The operators would then have about another 15 nin to restore CCW to the RCP seals if the RCP pumps were not tripped. After that, a seal LOCA would result, and HPI would actuate. The HPI pumps are expected to operate for at least 1 h without CCW. Thus, the operators would have about 1-h and 25 min to restore CCW.

The RCS can be cooled down quite rapidly by AFW. If the operators trip the RCPs as called for by the procedure, the ability to cool down is diminished. With CCW unavailable, there would be no makeup to compensate for water shrinkage in the RCS. Thus, there is a possibility to draw a bubble in the RCS during the cooldown that could interrupt natural circulation through the steam generators. This should not be permanent because natural circulation cooling should be restored as the RCS heats back up; however, it would impede the cooldown efforts. Of course, this is largely a moot point if tripping the RCPs precludes a seal failure.

Without CCW, RCP seal cooling is unavailable. Unavailability of RCP seal cooling may result in an RCP seal failure and a small-break LOCA. In this analysis, the probability of an RCP seal LOCA was assumed to be zero up to 60 min after a loss of seal cooling. Between 60-90 mrin, the probability of an RCP seal LOCA was assumed to increase linearly to 8.3 x 10.2 at 90 min (i.e., 2.8 x 10-3/min). After 90 min, no additional seal failures were assumed to occur. This type of seal failure model is similar to that used in the ASP Program for modeling station blackout sequences.5 Failure to recover HPI (or makeup) pumps prior to core uncovely (HPI/MAKEUP)

At Davis-Besse, the HPI pump bearing oil is cooled by CCW. However, in the event of a loss of CCW, the HPI pumps will not fail immediately. That is, if CCW can be recovered within a reasonable time, failure of HPI and core uncovery can be averted. First, if CCW is lost and not recovered prior to seal failure, a finite time can elapse prior to core uncovery. Information provided in Table 3-11 of the Davis-Besse IPE (basic event UHAMUISE) indicates that -1 h would be available to mitigate this accident before core uncovery occurs. If the operators start the HPI pumps without CCW available (since running the HPI pumps without lube oil cooling is preferred over uncovering the core), the pumps can run for a finite time prior to failure. Considering the uncertainties related to operator actions and timing (e.g., whether the operators would secure the HPI pumps when they automatically start without CCW available, whether one pump will be allowed to run while the other is secured), this analysis assumed 1 h would be available to run the BPI pumps prior to pump failure because of a loss of lube oil cooling.

The combined effect of the time to core uncovery and the time that the HPI pumps can run without lube oil cooling leads to the assumption that there are 2 h available following an RCP seal LOCA with CCW unavailable to recover CCW in order to avoid core damage.

NUREG/CR-4674, Vol. 27 B.6-8 B.6-8 Annendix B NUREG/CR-4674, Vol. 27

Annendix B LRN.369-1 Therefore, the probability of this accident scenario involving (1) the loss of CCW as a result of failing to isolate the heat exchanger (2.6 x 10'), (2) failing to recover component cooling water prior to RCP seal failure, and (3) failing to recover HPI (or makeup) pumps prior to core uncovery, can be calculated as follows:

= 2.6 x 10-4 x f fsL(t) x Pccwr~!

+ 2) dt where, fs(t) is the failure rate for RCP seals at time t and P,,nr(t) is the probability of nonrecovery of CCW at time t. Time t is measured from the time of losing CCW. In this model, fsz,(t) is zero between 0-60 min and 2.8 x I03/min between 60-90 min. When t is greater than 90 min, fsL is zero.

P,,(t) can be modeled using an exponential model (i.e., Pn,,(t) = e-t where I is the failure rate). Recovery of CCW would require manual isolation of the CCW nonessential containment header, refilling the CCW piping and surge tank, venting the system, and potentially realigning the CCW system to allow use of the spare pump.

A review of Table 3-12 in the 1993 IPE submittal for Davis-Besse identified several recovery actions in the 1-4 h and greater than 4 h time frames that are similar to what is required in this case. For these actions, the IPE estimates failure probabilities on the 0.03-0.05 range. Assuming a nonrecovery probability of 0.03 at 4 h will result in X being equal to 0.88 per h or 0.015 per min. Therefore, the probability of this scenario is

= 2.6 x 10-4 X f 2.8 x 10-3 x exp-0.0 146 (t, 120) dt 60

= 1.3 x 10-6.

B.6.5 Analysis Results Three different scenarios were considered. The CCDP associated with scenario 1 (reactor trip followed by loss of steam generator cooling), estimated using the SAPHIRE-based model for Davis-Besse is 1.4 x 10'. The CCDP associated with scenario 2 (loss of CCW followed by the operators failing to trip RCPs leading to a RCP seal LOCA was eliminated because it is below the precursor threshold value of 1.0 x 10'. Scenario 3 (loss of CCW, RCPs tripped, nonrecovery of CCW leading to RCP seal LOCA, and nonrecovery of CCW leading to HPI failure) has a CCDP of 1.3 x 10'. Therefore, the total CCDP is estimated to be 1.5 x 10'. The dominant sequence for this event involves a reactor trip while power is unavailable to buses D l and D2, main feedwater is unavailable, turbine-driven auxiliary feedwater pump TDAFP 1-1 fails, the startup feedwater pump is unable to provide steam generator cooling, and feed-and-bleed cooling fails because of depletion of the Division 2 battery prior to recovery of Division 2 essential bus DI. The dominant sequence, Sequence 20 on Fig. B.6.4, involves B.6-9 NUREG/CR-4674, Vol. 27 B.6-9 LER No. 346/98-011 Annendix B NUREG/CR-4674, Vol. 27

LER~~~~~r Nor4/9-1_

npdw

"* a reactor trip while changing power level,

"* unavailability of main feedwater, failure of turbine-driven AFP l-1 (that fails AFP 1-2 as well because no steam is provided to its turbine),

failure of the motor-driven startup feedwater pump, failure to recover bus D1 before the Division 2 battery is depleted.

Definitions and probabilities for selected basic events for scenario I are shown in Table B.6. 1. The conditional probabilities associated with the highest probability sequences for scenario I are shown in Table B.6.2. Table B.6.3 lists the sequence logic associated with the sequences listed in Table B.6.2. Table B.6.4 describes the system names associated with the dominant sequences for scenario 1. Minimal cut sets associated with the dominant sequences for scenario 1 are shown in Table B.6.5. The CCDPs associated with scenarios 2 and 3 are shown in Table B.6.6, while Table B.6.7 lists the sequence logic associated with the scenarios listed in Table B.6.6. Table B.6.8 provides the definitions and failure probabilities for event tree branch points in Fig. B.6.5.

B.6.6 References

1. LER 346/98-011, "Manual Reactor Trip Due to Component Cooling Water System Leak." November 13, 1998.

2. Davis-Besse Unit 1, Individual Plant Examination, February 26, 1993.

3. J. D. Andrachek, et. al., "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," WCAP-14334-NP-A, Rev. 1, May 1995.

4. A. D. Swain and H. E. Guttmanr, "Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Application," NUREG/CR-1278, August 1983.

5.

Revised LOOP Recovery and RCP Seal LOCA models, ORNU/LTR-89/1 1, August 1989.

NUREG/CR-4674, Vol.27 B.6-1O NUREG/CR-4674, Vol 27 B.6-10 LER No. 346/98-011 Annpnrlhr 111

LER No. 346/98-011 Fig. B.6. 1 Electrical one-line diagram for Davis-Besse (source: Davis-Besse Nuclear Power Station No. 1 Updated Safety Analysis Report).

Anoendix B B.6-11 NUREG/CR-4674, Vol. 27 Figure removed during SUNSI review.

LER No 346/8-011Annendii B

Fig. B.6.2 Davis-Besse component cooling water system and essential cooling loops (source: Davis-Besse Nuclear Power Station No. 1 Updated Safety Analysis Report).

B.6-12 LER No. 346/98-011 Avvendix B NUREG/CR-4674, Vol. 27 Figure removed during SUNSI review.

Appendix B LER No. 346/98-011 Fig. B.6.3 Davis-Besse auxiliary feedwater and secondary steam relief systems (source: Davis-Besse Nuclear Power Station No. I Updated Safety, Analysis Report).

LER No. 346/98-011 B.6-13 NUREG/CR-4674, Vol. 27 Figure removed during SUNSI review.

0P%

46 0

.0 0

CD 70

"ir LA I

z 0

CA) 0 0o IE - LOSS OF ISOLATE LEAK OPERATOR'S RECOVER CCW RECOVER HPI OR COMPONENT IN RCS LETDOWN TRIP REACTOR COOLING TO MAKEUP BEFORE COOLING WATER COOLER COOLANT PUMPS RCP SEALS CORE UNCOVERY SCENARIO C END IE-CCW ISOLATE TRIPRCP SEALS HPI/MAKEUP STATE OK 1.0 E+00 OK OK ts,.(t) 2.6 E-04cP (02) 3 CD 1.0 E-03 2

CD DAVIS-BESSE, ASP PWR B LOSS OF CCW EVENT TREE w

I

-J C

-4

LER No. 346/98-011 Appendix B Table B.6.1. Definitions and Probabilities for Selected Basic Events for Scenario 1 for LER No. 346/98-011 Modified Event Base Current for this name Description probability probability Type event IE-LOOP Irdtiating Event-Loss of Offsite Power 1.6 E-005 0.0 E+000 No IE-SGTR Initiating Event-Steam Generator Tube 1.6 E-006 0.0 E+O00 No Rupture IE-SLOCA Initiating Event-Small Loss-of-Coolant 2.3 E-006 0.0 E+000 No Accident (SLOCA)

IE-TRANS Initiating Event-General Transient 2.7 E-004 6.8 E-002 Yes ACP-BAC-LP-D1 Division B ac Power 4160-V Bus DI 9.0 E-005 1.0 E+000 TRUE Yes fails ACP-BAC-LP-D2 Division B ac Power 4160-V Bus D2 9.0 E-005 1.0 E+000 TRUE Yes fails AFW-MDP-FC-SUFP Startup Feedwater Pump Fails to Start 3.8 E-003 3.8 E-003 No and Run AFW-TDP-CF-ALL Common-Cause Failure of Auxiliary 3.2 E-003 3.2 E-003 No Feedwater (AFW) Turbine-Driven Trains AFW-TDP-FC-PI 1 Turbine-driven AFW Pump Train P11 3.5 E-002 3.5 E-002 No Failures AFW-XHE-XE-SUFP Operator Fails to Start and Align Startup 1.0 E-00 1 1.0 E-00 1 NEW Yes Feedwater Pump CVC-MDP-FC-MUI 1 Motor-Driven Charging Pump Train 1 3.8 E-003 3.8 E-003 No Failures CVC-AOV-OC-DIS Charging Discharge Path Failures 3.1 E-003 3.1 E-003 No CVC-MOV-FC-SUCI I Charging Train Suction Valve MU 6405 3.0 E-003 3.0 E-003 No Fails D2N-RECHARGE Failure to Recover Division 2 Battery 2.0 E-001 2.0 E-O01 NEW Yes Charger within 2 h DHR-MDP-FC-PI I Decay Heat Removal Pump Train P1 1 4.0 E-003 4.0 E-003 No Failures DHR-MOV-FC-DH64 Failure of Low-Pressure Injection Train 3.0 E-003 3.0 E-003 No II Discharge Motor-Operated Valve DH64 NURIEG/CR-4674, Vol. 27 B.6-16

Appendix B LER No. 346/98-011 Table B.6.1. Definitions and Probabilities for Selected Basic Events for Scenario I for LER No. 346/98-011 (Continued)

B.6-17 NUREG/CR-4674, Vol. 27 Modified Event Base Current for this name Description probability probability Type event HPI-XHE-XM-HPIC Operator Fails to Initiate High-Pressure 1.0 E-002 1.0 E-002 No Injection Cooling MFW-SYS-UNAVAIL Main Feedwater System Unavailable 2.0 E-00 1 1.0 E+000 TRUE Yes PPR-SRV-CO-TRAN Pilot-Operated Relief Valve/Safety 8.0 E-002 8.0 E-002 No Relief Valves (PORV/SRVs) Open During Transient PPR-SRV-CC-PORV PORV Fails to Open on Demand 6.3 E-003 6.3 E-003 No TRANS-20-NREC Trans Sequence 20 Nonrecovery 2.2 E-001 2.2 E-001 No Probability-Failure to Recover AFW (2.6 x 10-') and Failure to Recover Feed and-Bleed Cooling (8.4 x 10')

Appendix B LER No. 346/98-011 B.6-17 NUTREG/CR-4674, Vol. 27

I V N-~ 346/98-0l11Apni Table B.6.2. Sequence Conditional Probabilities for Scenario 1 for LER No. 346/98-011 Conditional Event tree Sequence core damage Percent name number probability contribution (CCDP)

TRANS 20 I

Total (all sequences) 1.4 E-005 100.0 1.4 E-005 Table B.6.3. Sequence Logic for Dominant Sequences for Scenario I for LER No. 346/98-011 Event tree name Sequence Logic number TRANS 20

/RT, MFW-T, AFW, HPI-COOL Table B.6.4. System Names for Scenario I for LER No. 346/98-011 System name Logic AFW No or Insufficient AFW Flow HPI-COOL Failure to Provide HPI Cooling (feed-and-bleed cooling)

MFW-T Failure of the Main Feedwater System During Transient RT Reactor Fails to Trip During Transient NUREG/CR-4674, Vol. 27 B.6-18 NUREG/CR-4674, Vol. 27 B.6-18 Appendix B

Appnend iB LRN.369-1 Table B.6.5. Conditional Cut Sets for Higher Probability Sequences for Scenario I for LER No. 346/98-011 Cut set Percent Conditional number contribution probability' Cut sets TRANS Sequence 20 1.4 E-005 1

74.9 1.0 E-005 MFW-SYS-UNAVAIL, AFW-TDP-FC-P 11, AFW-X)HE-XE-SUFP, D2N-RECHARGE, TRANS-20-NREC 2

6.9 9.5 E-007 MFW-SYS-UNAVAIL, AFW-TDP-CF-ALL, AFW-XHE-XE-SUFP, D2N-RECHARGE, TRANS-20-NREC 3

3.8 5.2 E-007 MFW-SYS-UNAVAIL, AFW-TDP-FC-Pl 1, AFW-XHE-XE-SUFP, HPI-XHE-XM-HPIC, TRANS-20-NREC 4

2.9 3.9 E-007 MFW-SYS-UNAVAIL, AFW-TDP-FC-P 11, AFW-MDP-FC-SUFP, D2N-RECHARGE, TRANS-20-NREC 5

2.4 3.3 E-007 MFW-SYS-UNAVAIL, AFW-TDP-FC-P1 I, AFW-XHE-XE-SUFP, PPR-SRV-CC-PORV, TRANS-20-NREC 6

1.5 2.1 E-007 MFW-SYS-UNAVAIL, AFW-TDP-FC-PI 1, AFW-XHE-XE-SUFP, DHR-MDP-FC-P1 1, TRANS-20-NREC 7

1.4 2.0 E-007 MFW-SYS-UNAVAIL, AFW-TDP-FC-PI 1, AFW-XHE-XE-SUFP, CVC-MDP-FC-MU 11, TRANS-20-NREC 8

1.4 1.6 E-007 MFW-SYS-UNAVAIL, AFW-TDP-FC-PI 1, AFW-XHE-XE-SUFP, CVC-AOV-OC-DIS, TRANS-20-NREC 9

1.1 1.6 E-007 MFW-SYS-UNAVAIL, AFW-TDP-FC-P 11, AFW-XHEzXE-SUFP, CVC-MOV-FC-SUC 11, TRANS-20-NREC 10 1.1 1.6 E-007 MFW-SYS-UNAVAIL, AFW-TDP-FC-P 11, AFW-XHE-XE-SUFP, DHR-MOV-CC-DH64, TRANS-20-NREC Total (all sequences) 1.4 E-005 "Thlhe conditional probability for each cut set is determined by multiplying the probability of the initiating event by the probabilities of the basic events in that minimal cut set. The probabilities for the initiating events and the basic events are given in Table B.6. 1.

B.6-19 NIJREGICR-4674, Vol. 27

" -fir"......

NUREG/CR-4674, Vol. 27 B.6-19 LER No. 346/98-011

4Annendix B Table B.6.6. Conditional Probabilities for Scenarios 2 and 3 for LER No. 346/98-011 Table B.6.7. Sequence Logic for Scenarios 2 and 3 for LER No. 346/98-011 Event tree name Sequence Logic number CCW 2

ISOLATE, TRIPRCP CCW 3

ISOLATE, /TRIPRCP, SEALS, HPI/MAKEUP Table B.6.8. System Names for Scenarios 2 and 3 for LER No. 346/98-011 Failure System name Description probability IE-CCW Initiating Event-Loss of CCW 1.0 E+000 ISOLATE Failure to Isolate Leak in RCS Letdown Cooler 2.6 E-004 TRIPRCP Failure to Trip Reactor Coolant Pumps 1.0 E-003 SEALS Failure to Recover CCW Cooling to RCP Seals f*(t)

Before Seal Failure HPI/MAKEUP Failure to Recover HPI or Makeup Pumps Before P,.r(t+2)

Core Uncovery NUREG/CR-4674, Vol. 27 B.6-20 Conditional Event tree Scenario core damage Percent name number probability contribution (CCDP)

CCW 2

2.6 E-007 16.7 CCW 3

1.3 E-006 83.3 Total (all sequences) 1.5 E-006 A.

LER No. 346/98-011 Avnendix B NUREG/CR-4674, Vol. 27 B.6-20