ML20114E266

From kanterella
Jump to navigation Jump to search
Final ASP Analysis - Surry 1 and 2 (LER 280-01-001)
ML20114E266
Person / Time
Site: Surry  Dominion icon.png
Issue date: 05/12/2020
From: Christopher Hunter
NRC/RES/DRA/PRB
To:
Hunter C (301) 415-1394
References
LER 280-01-001
Download: ML20114E266 (13)
v  d  e


Text

1 Final Precursor Analysis Accident Sequence Precursor Program --- Office of Nuclear Regulatory Research Surry Units 1 & 2 Diesel Generator #3 inoperability caused by insufficient lubricant Event Date: 4/23/2001 LER: 280/01-001 280/01001 Importance (CDP)

Unit 1 = 3x10-6 Unit 2 = 6x10-6 August 20, 2004 Condition Summary Description. On April 23, 2001, the Number 3 emergency diesel generator (#3 EDG) lube oil sampling showed an increase in silver content and the EDG was taken out of service. An inspection of the #3 EDG found three cylinders with excessive wear on the piston wrist pin and wrist pin bearing. At the time of discovery, both units were in Mode 1 with reactors at 100 percent thermal power reported by Licensee Event Report 280/01001 (Ref. 1). Subsequent investigation into the cause of the increase in silver content by NRC inspectors concluded that there was decreasing confidence that the # 3 EDG could have operated for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> because the #3 EDG had actually run for decreasing time (less than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />) as the date approached April 23, 2001, when the inspection revealed severe damage. Inspection reports 50-280/01-06 and 50-281/01-06 (Ref. 2) was issued for this event. Subsequently a final significance determination and a notification of violation were issued (Ref. 3).

Cause. The cause of this event is abnormal wear of EDG piston wrist pins and piston carrier bearings, as evidenced by abnormally high bearing material wear products in engine oil samples.

Condition duration. The following information shows that #3 EDG operated at an elevated failure probability between October 3, 2000 and April 28, 2001 (201 days):

On April 23, 2001 the licensee found three cylinders with excessive wear on the piston wrist pin and wrist pin bearing.

The exact point in time of excessive wear is unknown. However, licensees investigations showed silver content in lube oil exceeded manufacturers recommended limit (2 ppm) on October 3, 2000.

The EDG was repaired and returned to operation on April 28, 2001.

Even though the EDG had successfully completed periodic surveillance testing between October 3, 2000 and April 23, 2001, those surveillance runs did not exceed 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. That is,

those surveillances did not provide a reasonable confidence that the #3 EDG could complete its expected mission time. Therefore, the analysis conservatively assumed that the #3 EDG would fail to complete its mission for a condition duration of 201 days (4824 hours0.0558 days <br />1.34 hours <br />0.00798 weeks <br />0.00184 months <br />).

LER 280/01-001 1 Since this condition did not involve an actual initiating event, the parameter of interest is the measure of the incremental increase between the conditional probability for the period in which the condition existed and the nominal probability for the same period but with the condition nonexistent and plant equipment available. This incremental increase or importance is determined by subtracting the CDP from the CCDP. This measure is used to assess the risk significance of hardware unavailabilities especially for those cases where the nominal CDP is high with respect to the incremental increase of the conditional probability caused by the hardware unavailability.

2 Recovery opportunity: Failure of EDG # 3 would not be recoverable. Offsite power recovery curves were adjusted for the two hours run time of EDG # 3.

Emergency Diesel Generators Unit 1: In the event that #1 EDG fails, there is no backup for Bus 1H. In the event that

  1. 3 EDG fails, the backup to Bus 1J is the ACC EDG (SBO EDG).

Unit 2: In the event that #2 EDG fails, there is backup to Bus 2H with the ACC EDG.

However there is no backup for Bus 2J, in the event the #3 EDG fails ( see Figure 1 for simplified diagram).

EDGs alignment with Vital Buses:

The #1 EDG is dedicated to Unit 1 and it powers Bus 1H. The #3 EDG is shared between two units and powers Bus 1J of Unit 1. In the case of failure of #3 EDG, the ACC EDG can be connected to Bus 1J of the Unit 1. The #2 EDG is a dedicated diesel generator to Unit 2 and powers Bus 2H. The #3 EDG is shared between two units and powers Bus 2J of Unit 2. If the #2 EDG is lost, the ACC EDG backs up this diesel generator and powers Bus 2H of Unit 2, but not Bus 2J. The only diesel generator that powers Bus 2J of Unit 2 is #3 EDG (see Figure 1 or Electric Power Distribution, One Line Diagram, Ref. 10). With failure of #3 EDG, the ACC EDG is the backup for Bus 1J in Unit 1, while Bus 2J in Unit 2 does not have any backup, since the ACC EDG powers Bus 2H rather than Bus 2J.

Analysis Results Importance1 The risk significance of #3 EDG being unavailable for 201 days is determined by subtracting the nominal core damage probability from the conditional core damage probability:

The Unit 1 point estimate importance is an increase of 3.1 x 10-6 over the nominal CDP for the 201-day period when the #3 EDG was not available.

The Unit 2 point estimate importance for the condition is an increase of 6.3 x 10-6 over the nominal CDP for the 201-day period when the #3 EDG was not available.

The Accident Sequence Precursor (ASP) Program acceptance threshold is an importance (CDP) of 1 x 10-6.

LER 280/01-001 3

Dominant sequence Units 1& 2: Loss of Offsite power (LOOP) involving station blackout (SBO), Sequences 29-03 and 29-18 are considered as the dominant sequences. The events and important component failures in these sequences are as follows:

Sequence 29-03 (See Figures 2A and 2B)

Loss of offsite power (LOOP) - initiating event Successful reactor trip Failure of emergency power system operation Sufficient AFW flow during SBO Successful PORV operation during SBO Offsite power is not recovered within one hour Successful RCP seal cooling (no seal LOCA)

Recovery of offsite power does not occur before battery depletion Results tables Table 1a provides the conditional probabilities for the dominant sequences for Unit 1.

Table 1b provides the conditional probabilities for the dominant sequences for Unit 2.

Table 2a provides the event tree sequence logic for the dominant sequence listed in Table 1a.

Table 2b provides the event tree sequence logic for the dominant sequences listed in Table 1b.

Table 3a provides the definitions of event tree sequence logic elements listed in Tables 2a.

Table 3b provides the definitions of event tree sequence logic elements listed in Tables 2b.

Table 4a provides the conditional cut sets for the dominant SBO sequences for Unit 1 and Unit 2.

Table 4b provides the conditional cut sets for the dominant LOOP sequence for Unit 2.

Table 5a provides the definitions and probabilities for modified and dominant basis events for Units 1&2.

Modeling Assumptions Assessment summary This event was modeled as an at-power condition assessment with the #3 EDG non-functional for 201 days (4824 hours0.0558 days <br />1.34 hours <br />0.00798 weeks <br />0.00184 months <br />).

SPAR model used in the analysis The Revision 3.02 Standardized Plant Analysis Risk (SPAR) model for Surry Unit 1 and Unit 2 (Ref. 4) was used for this assessment. The SPAR model includes event trees for loss of offsite power (including a transfer tree for station blackout). External events are not included in the SPAR model and are not reflected in this analysis. This version was used with modifications to fault trees listed below to reflect site validated changes,

LER 280/01-001 4

Modifications to fault tree models Fault tree was added for Unit 2 division 2H AC power system (see Figure 3) to clarify alignment with the ACC EDG (SBO EDG). A fault tree was also added to show the alignment of EDG 3 for Unit 2 division 2 J AC power system (see Figure 4).

Basic event probability changes Table 5a provides the basic events that were modified to reflect the condition being analyzed. The bases for these changes are as follows.

Conditional assessment probability changes - Unit 1 and Unit 2 Probability of failure of the No. 3 diesel generator to run (EPS-DGN-FR-DG3). The probability that the diesel generator would fail to run was set to a failure probability of 1.0, TRUE (was 1.3E-2) to reflect the failure of the train to provide AC power.

Operator fails to recover the No. 3 diesel generator (EPS-XHE-XL-DG3). The probability that the operator fails to recover the diesel generator was set to 1.0, TRUE (was 6.5E-1) to reflect no recovery.

Operator fails to recover offsite power within one hour (OEP-XHE-NOREC-1H). The base event value was changed to 6.5E-2 using the frequency rated average with credit for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of successful DG3 run time (Ref. 4 using an increase in time of recovery to 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> to account for the 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> credit).

Operator fails to recover offsite power within two hours (OEP-XHE-NOREC-2H). The base event value was changed to 2.82E-1 using the conditional probability and convolution methodology with credit for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of successful DG3 run time (Ref. 4 Section 7).

Operator fails to recover offsite power before battery depletion (OEP-XHE-NOREC-BD). The base event value was changed to 4.7E-2 using the frequency rated average with credit for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of successful DG3 run time (Ref. 4 using an increase in time of recovery to 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> to account for the 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> credit).

Operator fails to recover offsite power before seal LOCA (OEP-XHE-NOREC-SL). The base event value was changed to 6.5E-2 using the frequency rated average with credit for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of successful DG3 run time (Ref. 4 using an increase in time of recovery to 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> to account for the 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> credit).

Model update None.

Note: A Rhodes model update was not made for either Unit 1 or Unit 2. Both units have a mixture of high and low temperature RCP seals.

LER 280/01-001 5

References 1.

LER No. 280/01001, Inoperable Emergency Diesel Generator Results in Technical Specification Violation, event date 04/23/01(ADAMS Accession No. ML011190003).

2.

NRC Inspection Report, EA-01-235, Surry Power Station - NRC Special Inspection Report NOS 50-280/01-06 and 50-281/01-06: Preliminary Yellow Finding For Unit 1 and Unit 2, October 11, 2001 (ADAMS Accession No. ML01850202).

3.

NRC Office of Enforcement Notification of Significant Enforcement Action, EN-01-045, Issuance of Final Significance Determination and Notice of Violation, dated December 15, 2001 (Surry Power Station) (ADAMS Accession No. ML013520104).

4.

James K. Knudsen and Martin B. Sattison, Standardized Plant Analysis Risk Model for Surry Units 1 and 2 (ASP PWR A1), Revision 3.02, Idaho National Engineering and Environmental Laboratory, March 2004.

5.

J. P. Poloski, et al., Rates of Initiating Events at U.S. Nuclear Power Plants: 1987-1995, NUREG/CR-5750, U.S. Nuclear Regulatory Commission, Washington, DC, February 1999.

6.

J. P. Poloski, et.al., Reliability Study: Auxiliary/Emergency Feedwater System, 1987-1995, NUREG/CR-5500, Vol. 1, U. S. Nuclear Regulatory Commission, Washington, DC, August 1998.

7.

C. L. Atwood, et al., Evaluation of Loss of Offsite Power Events at Nuclear Power Plants:

1980-1996, NUREG/CR-5496, U.S. Nuclear Regulatory Commission, Washington, DC, November 1998.

8.

F. M. Marshall, et al., Common-Cause Failure Parameter Estimations, NUREG/CR-5497, U.S. Nuclear Regulatory Commission, Washington, DC, October 1998.

9.

G. M. Grant, et al., Reliability Study: Emergency Diesel Generator Power System, 1987-1993, NUREG/CR-5500, Vol. 5, U.S. Nuclear Regulatory Commission, Washington, DC, September 1999.

10.

Electric Power Distribution, One Line Diagram Schematic, Surry Power Station, Unit 1, 11448-FE-1A2.

LER 280/01-001 6

Table 1a. Conditional probabilities associated with the highest probability sequence for Unit 1 Event tree name Sequence no.

Conditional core damage probability (CCDP)

Core damage probability (CDP)

Importance (CCDP - CDP)2 LOOP 29-03 3.6E-006 6.4E-007 3.0E-006 Total (all sequences)1 6.7E-006 3.6E-006 3.1E-006 Notes:

1. Total CCDP and CDP includes all sequences (including those not shown in this table).for the point estimate.
2. The point estimate importance is calculated using the total CCDP and total CDP from all sequences. Sequence level importance measures are not additive.

Table 1b. Conditional probabilities associated with the highest probability sequences for Unit 2 Event tree name Sequence no.

Conditional core damage probability (CCDP)

Core damage probability (CDP)

Importance (CCDP - CDP)2 LOOP 29-03 3.7E-006 6.4E-007 3.0E-006 LOOP 14 2.9E-006 6.4E-007 2.3E-006 Total (all sequences)1 9.9E-006 3.6E-006 6.3E-006 Notes:

1. Total CCDP and CDP includes all sequences (including those not shown in this table).for the point estimate.
2. The point estimate importance is calculated using the total CCDP and total CDP from all sequences. Sequence level importance measures are not additive.

Table 2a. Event tree sequence logic for dominant sequence for Unit 1 Event tree name Sequence no.

Logic

(/ denotes success; see Table 3a for top event names)

LOOP 29-03

/RPS,EPS,/AFW3,/PORV4, OEP-1H, /RCPSL. OEP-BD Table 2b. Event tree sequence logic for dominant sequences for Unit 2 Event tree name Sequence no.

Logic

(/ denotes success; see Table 3a & 3b for top event names)

LOOP 29-03

/RPS,EPS,/AFW3,/PORV4,OEP-1H, /RCPSL, OEP-BD LOOP 14

/RPS,/EPS,/AFW2,/PORV3, RCPSL3, HPI2, OEP-2H

LER 280/01-001 7

Table 3a. Definitions of fault trees listed in Table 2a (Unit 1)

/RPS Successful reactor protection system (RPS) to insert enough negative reactivity by the control rods to shutdown the reactor EPS Failure of onsite emergency power. Success implies that at least one onsite emergency diesel generator is providing power to its division bus. The success criteria are one-of three onsite diesel generators or station blackout diesel.

/AFW3 Success of the auxiliary feedwater system to remove decay heat via the steam generators during SBO. Success implies the motor-driven pumps started and is providing flow to the steam generators.

/PORV4 or PORV4 Success or failure of the PORV to reclose after opening during a SBO.

OEP-1H Failure of offsite power recovery in the short term (1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.

HP12 No or insufficient flow from HPI system during LOOP.

/RCPSL Reactor coolant pump seals have adequate cooling OEP-BD Unsuccessful recovery of offsite power before battery depletion.

Table 3b. Definitions of fault trees listed in Table 2b (Unit 2)

/RPS Successful reactor protection system (RPS) to insert enough negative reactivity by the control rods to shutdown the reactor

/EPS or EPS Success or Failure of onsite emergency power. Success implies that at least one onsite emergency diesel generator is providing power to its division bus. The success criteria are one-of three onsite diesel generators or station blackout diesel.

/AFW2 Success of the auxiliary feedwater system to remove decay heat via the steam generators during LOOP. Success implies the motor-driven pumps started and is providing flow to the steam generators.

/AFW3 Success of the auxiliary feedwater system to remove decay heat via the steam generators during SBO. Success implies the turbine-driven pump started and is providing flow to the steam generators.

PORV3 Failure of the PORV to reclose after opening during LOOP.

/PORV4 or PORV4 Success or failure of the PORV to reclose after opening during a SBO.

OEP-2H Failure of offsite power recovery in the short term (2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.

HP12 No or insufficient flow from HPI system during LOOP.

RCPSL3 Reactor coolant pump seals have adequate cooling HPI2 Unsuccessful recovery of HPI.

LER 280/01-001 8

Table 4a. Conditional cut sets for SBO Sequences 29-03 and 29-18, Unit 1 and Unit 2 CCDP Percent contribution Minimal cut sets1 Event Tree: SBO Sequence 29-03, Unit 1 3.1E-07 8.6 EPS-DGN-CF-FRALL EPS-DGN-TM-SBO OEP-XHE-NOREC-1H OEP-XHE-NOREC-BD 2.8E-07 7.8 EPS-XHE-XM-SBO1H EPS-DGN-TM-DG1 OEP-XHE-NOREC-1H OEP-XHE-NOREC-BD 3.6E-06 Total2 Event Tree: SBO Sequence 29-03, Unit 2 3.1E-07 8.6 EPS-DGN-CF-FRALL EPS-DGN-TM-SBO OEP-XHE-NOREC-1H OEP-XHE-NOREC-BD 2.8E-07 7.8 EPS-XHE-XM-SBO1H EPS-DGN-TM-DG2 OEP-XHE-NOREC-1H OEP-XHE-NOREC-BD 3.6E-06 Total2 Notes:

1.

See Table 5a for definitions and probabilities for the basic events.

2.

Total CCDP includes all cut sets (including those not shown in this table).

Table 5a. Definitions and probabilities for modified and dominant basic events -Units 1&2 Event name Description Probability

/Frequency Modified EPS-DGN-FR-DG3 DIESEL GENERATOR 3 FAILS TO RUN TRUE YES1 EPS-XHE-XL-DG3 OPERATOR FAILS TO RECOVER DG3 TRUE YES1 EPS-DGN-CF-FRALL COMMON CAUSE FAILURE OF DIESEL GENERATORS TO RUN 2.3E-02 NO AFW-TDP-FR-TDP2 AFW TURBINE DRIVEN PUMP FAILS TO RUN 2.8E-02 NO OEP-XHE-NOREC-1H OPERATOR FAILS TO RECOVER OFFSITE POWER WITHIN ONE HOUR 6.5E-02 YES2 OEP-XHE-NOREC-2H OPERATOR FAILS TO RECOVER OFFSITE POWER WITHIN TWO HOURS 4.7E-02 YES2 OEP-XHE-NOREC-BD OPERATOR FAILS TO RECOVER OFFSITE POWER BEFORE BATTERY DEPLETION 2.8E-01 YES2 OEP-XHE-NOREC-SL OPERATOR FAILS TO RECOVER OFFSITE POWER BEFORE SEAL LOCA 6.5E-02 YES2 Notes:

1.

Basic event was changed to reflect condition being analyzed. TRUE has a failure probability of 1.0.

2.

Modified base event reflects credit for two hours of DG3 run time (See Ref 4, Section 7)).

Figure 1 Simplified EDG Power Distribution 9

LER 280/01-001 Figure removed during SUNSI review.

LPR LOW PRESSURE RECIRC HPR HIGH PRESSURE RECIRC CSR CONTAINMENT SPRAY RECIRC RHR RESIDUAL HEAT REMOVAL COOLDOWN RCS COOLDOWN OEP-6H OFFSITE POWER RECOVERY IN 6 HRS FAB1 FEED AND BLEED HPI HIGH PRESSURE INJECTION OEP-2H OFFSITE POWER RECOVERY IN 2 HRS RCPSL3 RCP SEALS SURVIVE LOOP PORV3 PORVs ARE CLOSED AFW2 AUXILIARY FEEDWATER EPS EMERGENCY POWER RPS REACTOR TRIP IE-LOOP LOSS OF OFFSITE POWER END-STATE 1

OK 2

OK 3

OK 4

OK 5

CD 6

CD 7

OK 8

CD 9

CD 10 CD 11 OK 12 CD 13 CD 14 CD 15 OK 16 CD 17 CD 18 OK 19 CD 20 CD 21 CD 22 OK 23 CD 24 CD 25 OK 26 CD 27 CD 28 CD 29 T SBO 30 CD Figure 2A Dominant SBO Sequence 29 Units 1&2 10 LER 280/01-001

LPR LOW PRESSURE RECIRC HP R HIGH PRESSURE RECIRC CSR CONTAINMENT SPRAY RECIRC RHR RESIDUAL HEAT REMOVAL COOLDOWN RCS COOLDOW N FAB FEED AN D BLEED HPI HIGH PRESSURE INJECTION OE P-BD OFFSITE POW ER REC BEFORE BAT DEPL OEP -SL OFFSITE POW ER REC DURING SEALLOCA RCPSL RCP SEALS SURVIVE OEP-1H OFFSITE POWER RECOVERY IN ONE HOUR PORV4 PORVs ARE CLOSED AFW3 AUXILIARY FEEDW ATER EPS EMERGENCY POWER (STATION BLACKOUT)

END-S TA TE FR 1

OK 2

OK 3

CD 4

OK 5

OK 6

OK 7

CD 8

CD 9

OK 10 CD 11 CD 12 CD 13 T SBO-1 14 OK 15 CD 16 CD 17 CD 18 CD 19 OK 20 CD Figure 2B Dominant Sequence 29-03 Units 1&2 11 LER 280/01-001

ACP-BAC-LP-2H DIV-H-AC-1 EPS-DG2 LOOP-2H DIV-H-AC ESGR ACP-XHE-XM-RCOOL DIV-H-AC-2 DIV-H-AC-3 DIV-H-AC-4 EPS-SBO EPS-XHE-XM-SBO2H DIVISION 1H AC POWER 4160V BUS 2H FAILS FAILURE OF DIESEL GENERATOR 2 DIVISION 2H AC POWER FAILS LOSS OF POWER TO 2H 4160V AC BUS LOSS OF DIVISION 2H OFFSITE POWER LOSS OF EMERGENCY SWITCHGEAR ROOM COOLING OPERATOR FAILS TO ESTABLISH ROOM COOLING W/O ESGR ROOM COOLING IS UNAVAILABLE FAILURE OF EMERGENCY POWER TO BUS 2H STATION BLACKOUT DIESEL IS UNAVILABLE FAILURE OF SBO DIESEL GENERATOR OPERATOR FAILS TO ALIGN SBO DIESEL TO BUS 2H Figure 3 Surry 2 Division 2 H AC Power System 12 LER 280/01-001

ACP-BAC-LP-2J DIV-J-AC EPS-DG3 DIV-J-AC-1 LOOP-1J ESGR ACP-XHE-XM-RCOOL DIV-J-AC-2 DIVISION 1J AC POWER 4160V BUS 2J FAILS DIVISION 2 J AC POW ER FAILS FAILURE OF DIESEL GENERATOR 3 LOSS OF POW ER TO 2 J 4160V AC BUS LOSS OF DIVISION 2J OFFSITE POWER FLAG LOSS OF EMERGENCY SW ITCHGEAR ROOM COOLING OPERATOR FAILS TO ESTABLISH ROOM COOLING W /O ESGR ROOM COOLING IS UNAVAILABLE Figure 4 Surry 2 Division 2J AC Power System 13 LER 280/01-001

Retrieved from "https://kanterella.com/w/index.php?title=ML20114E266&oldid=4289901"