ML20114E266

From kanterella
Jump to navigation Jump to search
Final ASP Analysis - Surry 1 and 2 (LER 280-01-001)
ML20114E266
Person / Time
Site: Surry  Dominion icon.png
Issue date: 05/12/2020
From: Christopher Hunter
NRC/RES/DRA/PRB
To:
Hunter C (301) 415-1394
References
LER 280-01-001
Download: ML20114E266 (13)
v  d  e


Text

Final Precursor Analysis Accident Sequence Precursor Program --- Office of Nuclear Regulatory Research Surry Units 1 & 2 Diesel Generator #3 inoperability caused by insufficient lubricant Event Date: 4/23/2001 LER: 280/01-001 Importance (CDP) 280/01001 Unit 1 = 3x10-6 Unit 2 = 6x10-6 August 20, 2004 Condition Summary Description. On April 23, 2001, the Number 3 emergency diesel generator (#3 EDG) lube oil sampling showed an increase in silver content and the EDG was taken out of service. An inspection of the #3 EDG found three cylinders with excessive wear on the piston wrist pin and wrist pin bearing. At the time of discovery, both units were in Mode 1 with reactors at 100 percent thermal power reported by Licensee Event Report 280/01001 (Ref. 1). Subsequent investigation into the cause of the increase in silver content by NRC inspectors concluded that there was decreasing confidence that the # 3 EDG could have operated for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> because the #3 EDG had actually run for decreasing time (less than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />) as the date approached April 23, 2001, when the inspection revealed severe damage. Inspection reports 50-280/01-06 and 50-281/01-06 (Ref. 2) was issued for this event. Subsequently a final significance determination and a notification of violation were issued (Ref. 3).

Cause. The cause of this event is abnormal wear of EDG piston wrist pins and piston carrier bearings, as evidenced by abnormally high bearing material wear products in engine oil samples.

Condition duration. The following information shows that #3 EDG operated at an elevated failure probability between October 3, 2000 and April 28, 2001 (201 days):

  • On April 23, 2001 the licensee found three cylinders with excessive wear on the piston wrist pin and wrist pin bearing.
  • The exact point in time of excessive wear is unknown. However, licensees investigations showed silver content in lube oil exceeded manufacturers recommended limit (2 ppm) on October 3, 2000.
  • The EDG was repaired and returned to operation on April 28, 2001.

Even though the EDG had successfully completed periodic surveillance testing between October 3, 2000 and April 23, 2001, those surveillance runs did not exceed 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. That is ,

those surveillances did not provide a reasonable confidence that the #3 EDG could complete its expected mission time. Therefore, the analysis conservatively assumed that the #3 EDG would fail to complete its mission for a condition duration of 201 days (4824 hours0.0558 days <br />1.34 hours <br />0.00798 weeks <br />0.00184 months <br />).

1

LER 280/01-001 Recovery opportunity: Failure of EDG # 3 would not be recoverable. Offsite power recovery curves were adjusted for the two hours run time of EDG # 3.

Emergency Diesel Generators

  • Unit 1: In the event that #1 EDG fails, there is no backup for Bus 1H. In the event that
  1. 3 EDG fails, the backup to Bus 1J is the ACC EDG (SBO EDG).
  • Unit 2: In the event that #2 EDG fails, there is backup to Bus 2H with the ACC EDG.

However there is no backup for Bus 2J, in the event the #3 EDG fails ( see Figure 1 for simplified diagram).

  • EDGs alignment with Vital Buses:

The #1 EDG is dedicated to Unit 1 and it powers Bus 1H. The #3 EDG is shared between two units and powers Bus 1J of Unit 1. In the case of failure of #3 EDG, the ACC EDG can be connected to Bus 1J of the Unit 1. The #2 EDG is a dedicated diesel generator to Unit 2 and powers Bus 2H. The #3 EDG is shared between two units and powers Bus 2J of Unit 2. If the #2 EDG is lost, the ACC EDG backs up this diesel generator and powers Bus 2H of Unit 2, but not Bus 2J. The only diesel generator that powers Bus 2J of Unit 2 is #3 EDG (see Figure 1 or Electric Power Distribution, One Line Diagram, Ref. 10). With failure of #3 EDG, the ACC EDG is the backup for Bus 1J in Unit 1, while Bus 2J in Unit 2 does not have any backup, since the ACC EDG powers Bus 2H rather than Bus 2J.

Analysis Results

! Importance1 The risk significance of #3 EDG being unavailable for 201 days is determined by subtracting the nominal core damage probability from the conditional core damage probability:

The Unit 1 point estimate importance is an increase of 3.1 x 10-6 over the nominal CDP for the 201-day period when the #3 EDG was not available.

The Unit 2 point estimate importance for the condition is an increase of 6.3 x 10-6 over the nominal CDP for the 201-day period when the #3 EDG was not available.

The Accident Sequence Precursor (ASP) Program acceptance threshold is an importance (CDP) of 1 x 10-6.

1 Since this condition did not involve an actual initiating event, the parameter of interest is the measure of the incremental increase between the conditional probability for the period in which the condition existed and the nominal probability for the same period but with the condition nonexistent and plant equipment available. This incremental increase or importance is determined by subtracting the CDP from the CCDP. This measure is used to assess the risk significance of hardware unavailabilities especially for those cases where the nominal CDP is high with respect to the incremental increase of the conditional probability caused by the hardware unavailability.

2

LER 280/01-001

! Dominant sequence Units 1& 2: Loss of Offsite power (LOOP) involving station blackout (SBO), Sequences 29-03 and 29-18 are considered as the dominant sequences. The events and important component failures in these sequences are as follows:

Sequence 29-03 (See Figures 2A and 2B)

- Loss of offsite power (LOOP) - initiating event

- Successful reactor trip

- Failure of emergency power system operation

- Sufficient AFW flow during SBO

- Successful PORV operation during SBO

- Offsite power is not recovered within one hour

- Successful RCP seal cooling (no seal LOCA)

- Recovery of offsite power does not occur before battery depletion

! Results tables

- Table 1a provides the conditional probabilities for the dominant sequences for Unit 1.

- Table 1b provides the conditional probabilities for the dominant sequences for Unit 2.

- Table 2a provides the event tree sequence logic for the dominant sequence listed in Table 1a.

- Table 2b provides the event tree sequence logic for the dominant sequences listed in Table 1b.

- Table 3a provides the definitions of event tree sequence logic elements listed in Tables 2a.

- Table 3b provides the definitions of event tree sequence logic elements listed in Tables 2b.

- Table 4a provides the conditional cut sets for the dominant SBO sequences for Unit 1 and Unit 2.

- Table 4b provides the conditional cut sets for the dominant LOOP sequence for Unit 2.

- Table 5a provides the definitions and probabilities for modified and dominant basis events for Units 1&2.

Modeling Assumptions

! Assessment summary This event was modeled as an at-power condition assessment with the #3 EDG non-functional for 201 days (4824 hours0.0558 days <br />1.34 hours <br />0.00798 weeks <br />0.00184 months <br />).

SPAR model used in the analysis The Revision 3.02 Standardized Plant Analysis Risk (SPAR) model for Surry Unit 1 and Unit 2 (Ref. 4) was used for this assessment. The SPAR model includes event trees for loss of offsite power (including a transfer tree for station blackout). External events are not included in the SPAR model and are not reflected in this analysis. This version was used with modifications to fault trees listed below to reflect site validated changes, 3

LER 280/01-001 Modifications to fault tree models Fault tree was added for Unit 2 division 2H AC power system (see Figure 3) to clarify alignment with the ACC EDG (SBO EDG). A fault tree was also added to show the alignment of EDG 3 for Unit 2 division 2 J AC power system (see Figure 4).

! Basic event probability changes Table 5a provides the basic events that were modified to reflect the condition being analyzed. The bases for these changes are as follows.

! Conditional assessment probability changes - Unit 1 and Unit 2

- Probability of failure of the No. 3 diesel generator to run (EPS-DGN-FR-DG3). The probability that the diesel generator would fail to run was set to a failure probability of 1.0, TRUE (was 1.3E-2) to reflect the failure of the train to provide AC power.

- Operator fails to recover the No. 3 diesel generator (EPS-XHE-XL-DG3). The probability that the operator fails to recover the diesel generator was set to 1.0, TRUE (was 6.5E-1) to reflect no recovery.

- Operator fails to recover offsite power within one hour (OEP-XHE-NOREC-1H). The base event value was changed to 6.5E-2 using the frequency rated average with credit for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of successful DG3 run time (Ref. 4 using an increase in time of recovery to 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> to account for the 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> credit).

- Operator fails to recover offsite power within two hours (OEP-XHE-NOREC-2H). The base event value was changed to 2.82E-1 using the conditional probability and convolution methodology with credit for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of successful DG3 run time (Ref. 4 Section 7).

- Operator fails to recover offsite power before battery depletion (OEP-XHE-NOREC-BD). The base event value was changed to 4.7E-2 using the frequency rated average with credit for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of successful DG3 run time (Ref. 4 using an increase in time of recovery to 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> to account for the 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> credit).

- Operator fails to recover offsite power before seal LOCA (OEP-XHE-NOREC-SL). The base event value was changed to 6.5E-2 using the frequency rated average with credit for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of successful DG3 run time (Ref. 4 using an increase in time of recovery to 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> to account for the 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> credit).

! Model update None.

Note: A Rhodes model update was not made for either Unit 1 or Unit 2. Both units have a mixture of high and low temperature RCP seals.

4

LER 280/01-001 References

1. LER No. 280/01001, Inoperable Emergency Diesel Generator Results in Technical Specification Violation, event date 04/23/01(ADAMS Accession No. ML011190003) .
2. NRC Inspection Report, EA-01-235, Surry Power Station - NRC Special Inspection Report NOS 50-280/01-06 and 50-281/01-06: Preliminary Yellow Finding For Unit 1 and Unit 2, October 11, 2001 (ADAMS Accession No. ML01850202).
3. NRC Office of Enforcement Notification of Significant Enforcement Action, EN-01-045, Issuance of Final Significance Determination and Notice of Violation, dated December 15, 2001 (Surry Power Station) (ADAMS Accession No. ML013520104).
4. James K. Knudsen and Martin B. Sattison, Standardized Plant Analysis Risk Model for Surry Units 1 and 2 (ASP PWR A1), Revision 3.02, Idaho National Engineering and Environmental Laboratory, March 2004.
5. J. P. Poloski, et al., Rates of Initiating Events at U.S. Nuclear Power Plants: 1987-1995, NUREG/CR-5750, U.S. Nuclear Regulatory Commission, Washington, DC, February 1999.
6. J. P. Poloski, et.al., Reliability Study: Auxiliary/Emergency Feedwater System, 1987-1995, NUREG/CR-5500, Vol. 1, U. S. Nuclear Regulatory Commission, Washington, DC, August 1998.
7. C. L. Atwood, et al., Evaluation of Loss of Offsite Power Events at Nuclear Power Plants:

1980-1996, NUREG/CR-5496, U.S. Nuclear Regulatory Commission, Washington, DC, November 1998.

8. F. M. Marshall, et al., Common-Cause Failure Parameter Estimations, NUREG/CR-5497, U.S. Nuclear Regulatory Commission, Washington, DC, October 1998.
9. G. M. Grant, et al., Reliability Study: Emergency Diesel Generator Power System, 1987-1993, NUREG/CR-5500, Vol. 5, U.S. Nuclear Regulatory Commission, Washington, DC, September 1999.
10. Electric Power Distribution, One Line Diagram Schematic, Surry Power Station, Unit 1, 11448-FE-1A2.

5

LER 280/01-001 Table 1a. Conditional probabilities associated with the highest probability sequence for Unit 1 Conditional core Core damage Event tree Sequence damage probability probability Importance name no. (CCDP) (CDP) (CCDP - CDP)2 LOOP 29-03 3.6E-006 6.4E-007 3.0E-006 1

Total (all sequences) 6.7E-006 3.6E-006 3.1E-006 Notes:

1. Total CCDP and CDP includes all sequences (including those not shown in this table).for the point estimate.
2. The point estimate importance is calculated using the total CCDP and total CDP from all sequences. Sequence level importance measures are not additive.

Table 1b. Conditional probabilities associated with the highest probability sequences for Unit 2 Conditional core Core damage Event tree Sequence damage probability probability Importance name no. (CCDP) (CDP) (CCDP - CDP)2 LOOP 29-03 3.7E-006 6.4E-007 3.0E-006 LOOP 14 2.9E-006 6.4E-007 2.3E-006 1

Total (all sequences) 9.9E-006 3.6E-006 6.3E-006 Notes:

1. Total CCDP and CDP includes all sequences (including those not shown in this table).for the point estimate.
2. The point estimate importance is calculated using the total CCDP and total CDP from all sequences. Sequence level importance measures are not additive.

Table 2a. Event tree sequence logic for dominant sequence for Unit 1 Event tree Sequence Logic name no. (/ denotes success; see Table 3a for top event names)

LOOP 29-03 /RPS,EPS,/AFW3,/PORV4, OEP-1H, /RCPSL. OEP-BD Table 2b. Event tree sequence logic for dominant sequences for Unit 2 Event tree Sequence Logic name no. (/ denotes success; see Table 3a & 3b for top event names)

LOOP 29-03 /RPS,EPS,/AFW3,/PORV4,OEP-1H, /RCPSL, OEP-BD LOOP 14 /RPS,/EPS,/AFW2,/PORV3, RCPSL3, HPI2, OEP-2H 6

LER 280/01-001 Table 3a. Definitions of fault trees listed in Table 2a (Unit 1)

/RPS Successful reactor protection system (RPS) to insert enough negative reactivity by the control rods to shutdown the reactor EPS Failure of onsite emergency power. Success implies that at least one onsite emergency diesel generator is providing power to its division bus. The success criteria are one-of three onsite diesel generators or station blackout diesel.

/AFW3 Success of the auxiliary feedwater system to remove decay heat via the steam generators during SBO. Success implies the motor-driven pumps started and is providing flow to the steam generators.

/PORV4 or Success or failure of the PORV to reclose after opening during a SBO.

PORV4 OEP-1H Failure of offsite power recovery in the short term (1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.

HP12 No or insufficient flow from HPI system during LOOP.

/RCPSL Reactor coolant pump seals have adequate cooling OEP-BD Unsuccessful recovery of offsite power before battery depletion.

Table 3b. Definitions of fault trees listed in Table 2b (Unit 2)

/RPS Successful reactor protection system (RPS) to insert enough negative reactivity by the control rods to shutdown the reactor

/EPS or EPS Success or Failure of onsite emergency power. Success implies that at least one onsite emergency diesel generator is providing power to its division bus. The success criteria are one-of three onsite diesel generators or station blackout diesel.

/AFW2 Success of the auxiliary feedwater system to remove decay heat via the steam generators during LOOP. Success implies the motor-driven pumps started and is providing flow to the steam generators.

/AFW3 Success of the auxiliary feedwater system to remove decay heat via the steam generators during SBO. Success implies the turbine-driven pump started and is providing flow to the steam generators.

PORV3 Failure of the PORV to reclose after opening during LOOP.

/PORV4 or Success or failure of the PORV to reclose after opening during a SBO.

PORV4 OEP-2H Failure of offsite power recovery in the short term (2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.

HP12 No or insufficient flow from HPI system during LOOP.

RCPSL3 Reactor coolant pump seals have adequate cooling HPI2 Unsuccessful recovery of HPI.

7

LER 280/01-001 Table 4a. Conditional cut sets for SBO Sequences 29-03 and 29-18, Unit 1 and Unit 2 CCDP Percent Minimal cut sets1 contribution Event Tree: SBO Sequence 29-03, Unit 1 3.1E-07 8.6 EPS-DGN-CF-FRALL EPS-DGN-TM-SBO OEP-XHE-NOREC-1H OEP-XHE-NOREC-BD 2.8E-07 7.8 EPS-XHE-XM-SBO1H EPS-DGN-TM-DG1 OEP-XHE-NOREC-1H OEP-XHE-NOREC-BD 3.6E-06 Total2 Event Tree: SBO Sequence 29-03, Unit 2 3.1E-07 8.6 EPS-DGN-CF-FRALL EPS-DGN-TM-SBO OEP-XHE-NOREC-1H OEP-XHE-NOREC-BD 2.8E-07 7.8 EPS-XHE-XM-SBO1H EPS-DGN-TM-DG2 OEP-XHE-NOREC-1H OEP-XHE-NOREC-BD 3.6E-06 Total2 Notes:

1. See Table 5a for definitions and probabilities for the basic events.
2. Total CCDP includes all cut sets (including those not shown in this table).

Table 5a. Definitions and probabilities for modified and dominant basic events -Units 1&2 Probability Event name Description Modified

/Frequency EPS-DGN-FR-DG3 DIESEL GENERATOR 3 FAILS TO RUN TRUE YES1 EPS-XHE-XL-DG3 OPERATOR FAILS TO RECOVER DG3 TRUE YES1 EPS-DGN-CF-FRALL COMMON CAUSE FAILURE OF DIESEL GENERATORS 2.3E-02 NO TO RUN AFW-TDP-FR-TDP2 AFW TURBINE DRIVEN PUMP FAILS TO RUN 2.8E-02 NO OEP-XHE-NOREC-1H OPERATOR FAILS TO RECOVER OFFSITE POWER 6.5E-02 YES2 WITHIN ONE HOUR OEP-XHE-NOREC-2H OPERATOR FAILS TO RECOVER OFFSITE POWER 4.7E-02 YES2 WITHIN TWO HOURS OEP-XHE-NOREC-BD OPERATOR FAILS TO RECOVER OFFSITE POWER 2.8E-01 YES2 BEFORE BATTERY DEPLETION OEP-XHE-NOREC-SL OPERATOR FAILS TO RECOVER OFFSITE POWER 6.5E-02 YES2 BEFORE SEAL LOCA Notes:

1. Basic event was changed to reflect condition being analyzed. TRUE has a failure probability of 1.0.
2. Modified base event reflects credit for two hours of DG3 run time (See Ref 4, Section 7)).

8

Figure removed during SUNSI review.

9 LER 280/01-001 Figure 1 Simplified EDG Power Distribution

LOSS OF REACTOR EMERGENCY AUXILIARY PORVs RCP SEALS OFFSITE HIGH FEED OFFSITE RCS RESIDUALCONTAINMENT HIGH LOW OFFSITE TRIP POWER FEEDWATER ARE SURVIVE POWER PRESSURE AND POWER COOLDOWN HEAT SPRAY PRESSURE PRESSURE POWER CLOSED LOOP RECOVERY INJECTION BLEED RECOVERY REMOVAL RECIRC RECIRC RECIRC IN 2 HRS IN 6 HRS IE-LOOP RPS EPS AFW2 POR V3 RCPSL3 OEP-2H HPI FAB1 OEP-6H COOLDOWN RHR CSR H PR L PR # EN D-STATE 1 OK 2 OK 3 OK 4 OK 5 CD 6 CD 7 OK 8 CD 9 CD 10 CD 11 OK 12 CD 13 CD 14 CD 15 OK 16 CD 17 CD 18 OK 10 19 CD 20 CD 21 CD 22 OK 23 CD 24 CD 25 OK LER 280/01-001 26 CD 27 CD 28 CD 29 T SBO 30 CD Figure 2A Dominant SBO Sequence 29 Units 1&2

EMERGENCY AUXILIARY PORVs OFFSITE RCP O FFSI TE OFFSITE H IGH FEED RCS RESIDUALCONTAINMENT HIGH LOW POWER FEEDW AT ER ARE POWER SEALS POW ER RECPOW ER REC PRESSURE AN D COOLDOW N HEAT SPRAY PRESSURE PRESSU RE (STATIO N CLOSED RECOVERY SUR VIVE DURI NG BEF ORE INJECTION BLEED REMOVAL RECIRC REC IRC RECIRC BLACKOUT) IN ONE HOUR SEALLOCA BAT DEPL EPS AFW3 POR V4 OEP-1H RC PSL OEP -SL OE P-BD H PI FAB C OOLD OWN R HR CSR HP R L PR # END-S TA TE FR 1 OK 2 OK 3 CD 4 OK 5 OK 6 OK 7 CD 8 CD 9 OK 10 CD 11 CD 12 CD 11 13 T SBO-1 14 OK 15 CD 16 CD LER 280/01-001 17 CD 18 CD 19 OK 20 CD Figure 2B Dominant Sequence 29-03 Units 1&2

DIVISION 2H AC POWER FAILS DIV-H-AC DIVISION 1H AC LOSS OF POWER TO ROOM COOLING POWER 4160V BUS 2H 2H 4160V AC BUS IS UNAVAILABLE FAILS ACP-BAC-LP-2H DIV-H-AC-1 DIV-H-AC-2 LOSS OF DIVISION 2H FAILURE OF OPERATOR FAILS TO LOSS OF EMERGENCY OFFSITE POWER EMERGENCY POWER ESTABLISH ROOM SWITCHGEAR ROOM TO BUS 2H COOLING W/O ESGR COOLING LOOP-2H DIV-H-AC-3 ACP-XHE-XM-RCOOL ESGR STATION FAILURE OF DIESEL BLACKOUT DIESEL GENERATOR 2 IS UNAVILABLE 12 DIV-H-AC-4 EPS-DG2 OPERATOR FAILS TO FAILURE OF ALIGN SBO DIESEL SBO DIESEL TO BUS 2H GENERATOR LER 280/01-001 EPS-XHE-XM-SBO2H EPS-SBO Figure 3 Surry 2 Division 2 H AC Power System

DIVISION 2 J AC POW ER FAILS DIV-J-AC DIVISI ON 1J AC LOSS OF POW ER TO ROOM C OOLI NG POWER 4160V BUS 2J 2 J 4160V AC BUS IS UNAVAILABLE FAILS ACP-BAC-LP-2J DI V-J-AC-1 DIV-J-AC-2 LOSS OF D IVISION 2J FAILURE OF DIESEL OPERATOR FAILS TO LOSS OF EMERGENCY OFFSITE POWER GENERATOR 3 ESTABLISH ROOM SW ITCHGEAR R OOM FLAG C OOLING W /O ESGR COOLING 13 LOOP-1J EPS-DG3 AC P-XHE-XM-RC OOL ESGR LER 280/01-001 Figure 4 Surry 2 Division 2J AC Power System

Retrieved from "https://kanterella.com/w/index.php?title=ML20114E266&oldid=3475801"