ML20132F803
| ML20132F803 | |
| Person / Time | |
|---|---|
| Site: | Arkansas Nuclear  |
| Issue date: | 12/23/1996 |
| From: | Salehi K NRC (Affiliation Not Assigned) |
| To: | Hutchinson C ENTERGY OPERATIONS, INC. |
| References | |
| NUDOCS 9612260098 | |
| Download: ML20132F803 (14) | |
Text
-.
t i
December 23, 1996 Mr. C. Randy Hutchinsen Vice President, Operations ANO
~
Entergy Operations, Inc.
1448 S. R. 333 Russellville, AR 72801
SUBJECT:
REVIEW 0F PRELIMINARY ACCIDENT SEQUENCE PRECURSOR ANALYSIS OF EVENT AT ARKANSAS NUCLEAR ONE - UNIT 2 1
Dear Mr. Hutchinson:
Enclosed for your information is a copy of the final Accident Sequence Precursor Analysis of the operational event which occurred at Arkansas: Nuclear One - Unit 2, reported in Licensee Event Report No. 368/95-001. _.0ak Ridge National Laboratory (ORNL), our contractor, evaluated your. comments.on the preliminary analysis of this event, comments from the NRC staff, and comments >from our other contractor, Sandia National Laboratories.
Enclosure I contains the final analysis prepared by the ORNL. contains our response to your specific comments. Our review of your comments used the. criteria contained in the material which accompanied the preliminary analysis. The results of,thel final analysis indicate that this event is a precursor for 1995.-
Please contact me at (301)415-1367,Lif you;have any questions regarding the enclosures. We recognize and appreciate the effort expended by you and your staff in reviewing and providing comments on the preliminary analysis.
/
Sincerely, ORIGINAL SIGNED BY:
Kombiz Salehi, Acting Project Manager Project Directorate IV-1 Division of Reactor Projects III/IV Office of Nuclear Reactor Regulation Docket No. 50-313
Enclosures:
1.
Final Accident Sequence Precursor. Analysis 2.
Responses to your comments cc w/encls: See next page DISTRIBUTION:
(3p~cket 1 ^11ef PUBLIC PD4-1 r/f P. O'Reilly, AE0D K5ileh~1
~
CHawes OGC S. Mays, AE0D ACRS J. Dyer, RIV JRoe E. Adensam (EGA1)
Document Name: ARPASPA.LTR OFC (A)PM/PD4-1 (A)LA/PD4-1 PD/PDh4l 6 NAME KSalehi M.
CHawes fy,,7f WBeckN O
DATE lb/23/96
/J/23/96 lb/M/96 COPY (yds /NO YES/N0 YESh 0FFICIAL RECORD COPY
~
\\
9612260098 961223 PDR ADOCK 05000368 NfitC MECE M M 2G0006 I
P CE:
I y
UNITED GTATES j
NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. enans aang
- %*****/
December 23, 1996 l
l l
Mr. C. Randy Hutchinson l
Vice President, Operations ANO Entergy Operations, Inc.
1448 S. R. 333 Russellville, AR 72801
SUBJECT:
REVIEW OF PRELIMINARY ACCIDENT SEQUENCE PRECURSOR ANALYSIS OF EVENT AT ARKANSAS NUCLEAR ONE - UNIT 2
Dear Mr. Hutchinson:
Enclosed for your information is a copy of the final Accident Sequence Precursor Analysis of the operational event which cccurred at Arkansas Nuclear One - Unit 2, reported in Licensee Event Report No. 368/95-001. Oak Ridge j
National Laboratory (ORNL), our contractor, evaluated your comments on the i
preliminary analysis of this event, comments from the NRC staff, and comments from our other contractor, Sandia National Laboratories.
Enclosure I contains i
the final analysis prepared by the ORNL. contains our response to j
your specific comments. Our review of your comments used the criteria contained in the material which accompanied the preliminary analysis. The results of the final analysis indicate that this event is a precursor for 1995.
Please contact me at (301)415-1367, if you have any questions regarding the enclosures. We recognize and appreciate the effort expended by you and your staff in reviewing and providing comments on the preliminary analysis.
Sincerely,
/
$1 cr Kombiz Salehi, Acting Project Manager Project Directorate IV-1 Division of Reactor Projects III/IV Office of Nuclear Reactor Regulation Docket No. 50-313
Enclosures:
1.
Final Accident Sequence Precursor Analysis f
2.
Responses to your comments cc w/ enc 1s: See next page
i Mr. C. Randy Hutchinson Entergy Operations, Inc.
Arkansas Nuclear One, Unit 2 cc:
Executive Vice President Vice President, Operations Support 4
& Chief Operating Officer Entergy Operations, Inc.
Entergy Operations, Inc.
P. O. Box 31995 4
1 P. O. Box 31995 Jackson, MS 39286-1995 Jackson, MS 39286-199 Wise, Carter, Child & Caraway Director, Division of Radiation P. O. Box 651 Control and Emergency Management Jackson, MS 39205 Arkansas Department of Health 4815 West Markham Street, Slot 30 Little Rock, AR 72205-3867 Winston & Strawn 1400 L Street, N.W.
Washington, DC 20005-3502 i
Manager, Rockville Nuclear Licensing Framatone Technologies 1700 Rockville Pike, Suite 525 Rockville,10 20852 Senior Resident Inspector U.S. Nuclear Regulatory Commission P. O. Box 310 London, AR 72847 Regional Administrator, Region IV U.S. Nuclear Regulatory Commission 611 Ryan Plaza Drive, Suite 400 Arlington, TX 76011-8064 County Judge of Pope County Pope County Courthouse Russellville, AR 72801
/
i i
i I
LER No. 368/95-001 l
(
l L
LER No. 368/95-001 4
Event
Description:
Loss of droct current bus could fail both emergency feedwater trains f
Date of Event: July 19,1995
)
Plant: Arkansas Nuclear One, Unit 2 Event Summary During a simulator procedure validation exercise, personnel discovered a condition whereby both trains of
~
emergency feedwater (EFW) could be failed by the loss of a single train of direct current (de) power at Arkansas Nuclear One, Unit 2 (ANO-2.). Plant personnel confirmed the validity of the simulator exercise and declared the motor-driven EFW pump inoperable. A 72-hour Technical specification action statement was entered until the bus providing power to the normally open green-powered EFW injection valves could be trasferred to an alternate power source that precluded the condition, while a permanent solution could be developed and implemented. A miification to the control relays for the green-powered injection valves in the red EFW train was completed on July 27,1995 that corrected the condNon. The root cause of this condition was the assumption that the green-pr/wed motor operated EFW injection valves (wiuch replaced the electro-hydraulic injection valves in 1984) would fail "as-is" upon loss of power. R== nee of a design error during development of the plant modification that implemented the injection valve replacement, a failure of the green train de bus could cause the green-powered injection valves in senes with the two red-powered valves for the motor driven EFW pump to close enough to restnct EFW flow to the steam generators. The conditional core damage probability (CCDP) estimated for this event is 6.0 x 104 The 4
increase in the core damage probability (CDP), or importance, associated with this event is 1.1 x 10.
Event Description While validatmg Abnormal Operatag Procedures (AOPs) on the plant simulator, a loss of" green-train" de i
power was simulated dunng power operations. Approxunately 3 s into the acenario, the main turbine tripped j
from loss of de power to the electrohydraulic control system. The turbine trip resulted in the trip of the main generator output breaker, but, because of the loss of de control power, the generator field breaker did not trip, and the generator remamed tied to ahernatmg current (ac) bus 2A2 via the Unit Auxiliary Transformer.
Generator voltage decayed over the next 30 s.
The loss of green-train de power rendered multiple et systems and sub-systems inoperable, including ac buses 2A2 and 2A4, emergency diesel generator (EDG) B, and the A-train turbine-driven EFW pump. In addition, an unexpected interaction rendered the B-train (" red-train") motor-driven EFW pump unavailable.
1 The discharge of EFW pump B can be routed to either steam generator via lines that each contain two inalation valves. The inboard (closest to the pump) valves are normally closed and are supplied by " red-train" power. The outboard valves are normally open and are supplied by green-train ac power. These valves have a normally energized green-train de relay, which signals the valves to close on loss of de control power.
1 ENCLOSURE 1
1
?
LER No. 368/95-00I
+
l l
review of plant documentation, the LER indicates that sufficient voltage to operate the EFW isolation valves j
' might have existed for only about 10 s after a reactor trip. In this case, the EFW isolation valves would have closed only partially, In that event, some EFW flow-but less than the amount required by technical specifications-might have been maintained.
i The ANO 2 Individual Plant Exammation (IPE) (Ref. 2) indicates that the expected frequency for the loss of one de bus is 3.94 x 10 per year. The IPE also provides information about the potential impacts of a loss d
of de power. Once-through cooling (feed and bleed) requires that either the high-point vent line or one of the low temperature overpressure (LTOP) paths be opened The loss of green-train de power would render -
all pathways unavailabic, hence once-through cooling would be unavailable. In addition, a dependency table in the IPE indicates that the following systems are also dependent on green-train de power; high pressure safety injection (HPSI) train B, shutdovm cooling (SDC) train A, and main feedwater (MFW).
l l
Modeling Assumptions l
The wiring logic error, which caused the loss of the green-train de power, apparently existed from the time a plant modification was made in 1984 until 1995, when it was discovered. In this analysis, it was assumed that the plant performance would be similar to that ofits simulator. For one operating year [the longest time l
period analyzed in the Accident Sequence Precursor (ASP) program), both trains of EFW were assumed to l
be initially inoperable, given a loss of the green-train de power. The frequency of this initiator,3.9 = 10" per l
year, was taken from the ANO 2 IPE.
As described above, MFW and once-through cooling are unavailable following a loss of de power, Core cooling therefore requires successful EFW operation or recovery of EFW if it were to initially fail (this is shown in Figure 1).-
The nonrecovery probability of the EFW was calculated by determmmg:
(1) the nonrecovery probability of operators failing to manually open the EFW discharge valves, and (b) failure to initiate once-through cooling given EFW is not recovered within 25 min.
The model used to estimate these failure probabilities is the time-reliability correlation given by Dougherty and Fragola in Numan Reliability Analysis (Ref. 3). These two failure probabilities are then combined to determine the overall probability of operators failing to recover EFW by considering the availability of pwscawlthroughout a 24 h period The probability of failing to recover the initially unavailable EFW system was estimated by assuming that the closed EFW discharge valves would be apparent to the operators and that the initial attempt to recover EFW would be by manually opemng these valves. Assuming 70 min to core uncovery (Ref. 2, p 3.1 20), ten minutes to implerrrat ik: emergency operstmg procedures (EOPs), diagnose the event and determme a recovery strategy, and ten minutes for response, a failure probability of 0.056 is estimated. Because of the
)
I 2
I l
i
.s i
l i
I LER No. 368/95-001 degree of stress expected during such an event, a time reliability correlation involving " recovery with hesitancy" was used to model the operator response, as described in Ref. 3.
If EFW is not recovered within about 25 min of the start of the transient, the water level in the steam i
generator (SG) is expected to drop to a value where once-through cooling is required to be initiated (Ref. 2, pp 3.1-19, -20). Because the ability to initiate once-through cooling cannot be met because of the loss of de power, it is expected that plant personnel will place additional emphasis on recovering EFW. Shortly thereafter, additional resources, if available, are assumed to be used to manually control the turbine driven EFW pump and its discharge valves in a further attempt to feed water to the SGs. A failure probability of j
0.27 is estimated for this action, assuming it occurs 30 min into the event (5 min after the cue for once-i through cooling) and requires the 20 min response time specified in Ref. 2.
The failure probabilities for the two recovery actions are:
Recovery Failure Probability operators fail to manually open the EFW discharge valves 0.056 failure to initiate once through cooling within time required 0.27 Assuming additional resources are available for initiating once-through cooling except on the back shift (resources are assumed to be available two-thirds of the time) provides an overall probability of failing to recover EFW of:
probability of
[(0.056)(0.27)(2/3)] + [(0.056)(1/3)] = 0.028.
operators failing
=
to recover EFW These estimates result in the following increase in the CDP over a one-year period:
)
3.9x10" prob of aloss of }
x 1.0 prob of EFW failure}
x tthe green de bus J ldue to wiring error 1 1.1x10-3 fnommal failure probl, 0.028 fprob of failure 1, lto recover EFW, lfor EFW train B 1.t x10-5 increase in CDP due }
=
Lto wiringlogic error 1.
i Analysis Results The estimated increase in the CDP due to the wiring logic error is 1.1 x 10-5 The dommant core damage sequence for this event (Sequence number 3 in Fig.1) involves:
l 3
l l
LER No. 368/95-001 a postulated loss of the green de bus, the resultant unavailability of EFW, and failure to recover EFW.
The nominal CDP over a one-year period estimated using the ASP Integrated Reliability and Risk Analysis System (IRRAS) models for ANO-2 is approximately 4.9 = 10-5.
The wiring logic error increased this probability to 6.0.= 10-5 This value is the CCDP for a one year period in which the wiring logic error existed.
Acronyms 1
ac allemating current ANO-2 Arkansas Nuclear One, Unit 2 AOP abnormal operating procedures ASP accident sequence precursor CCDP conditional core damage probability CDP core damage probability de direct current -
EDG emergency diesel generator EFW emergency feedwater EOP emergency operating procedure HPSI high pressure safetyinjection IPE individual plant examination IRRAS Integrated Reliability and Risk Analysis System LER licensee event report LTOP low temperature overpressure MFW main feedwater SDC shutdown cooling SG steam generator References 1.
LER 368/95-001, Rev. O, " Unanticipated effect of analyzed failure of de electrical bus upon train of EFW system containing ac motor-driven pump." July 19,1995.
2.
Arkansas Nuclear One - Unit 2 Individual Plant Examinationfor Severe Accident Vulnerabilities, August 1992.
3.
Dougherty and Fragola, Human Reliability Analysis, Wiley and Sons, New York,1988.
4
.s E= i B2f8_
F E
DT N A K
x D
T O
o C
E S ECN E
UO 2
3 1
QN ES e
YR D
m CE E
NTM R
EAE E GWT V S
RDY O E E SC ME E
EF R
Y R C
F NTEM O E E
SGMS T
m SR DY OE ES L ME EF ll SU FB O C SD S
N O E L
ERG T.=~
Fi j38 i eg *.
9~
f-i m
-___._._._.____.m i
LER No. 368/95-001
}
i i
l l
LER No. 368/95-001 i
i Event
Description:
Loss of direct current bus could fail both emergency feedwater trains j
Date of Event: July 19,1995 j
Plant: Arkansas Nuclear One, Unit 2 Licensee Comments 1
l
Reference:
Letter from D. C. Mims, Director, Nuclear Safety, Entergy Operations, Inc., to U. S. Nuclear Regulatory Commnaion, transmitting Arkansas Nuclear One - Unit 2, Docket No. 50-368, i
License No. NPF-6. Prehminary Accident Sequence Precursor Analysis, 2CAN099607, September 9,1996.
l i
Comment 1:
(Summary) The Event Description is accurate in that it reflects the results of the simulator i
run. The LER stated that there is no conclusive evidence that the actual plant response to the condition would have resulted in a generator coast down of sufficient duration to allow green j
train valves to close completely and block all EFW flow. Subsequent investigation has failed to establish a duration of valve motion. A detailed analysis of the voltage decay has l
not been perfonned due to the cost. If the EFW performance had been able to exceed the minimum requirements to preclude core uncovery, the event would not have pr==W ot core damage via the event sequence originally postulated, and this condition would result in no net change in Core Damage Frequency (CDF). To preclude this from being the case, the valve would have had to travel at its normal speed (which would require its vorma.1 voltage) for 16 seconds after the generator tripped.
Response 1:
Because a detailed analysis of expected voltage decay was not developed by the licenser;, the analysis was based on the assumption that the plant performance would be similar to that of its simulator. This is noted among the modeling assumptions.
1 j
Comment 2:
While flow blockage due to valve closure is uncertain, potential operator recoveries were examined in order to provide a complete evaluation of the significance of this condition.
i Two operator recovery actions were identified that would each be successful in restoring
)
I 6
ENCLOSURE 2 4
.. -.__.. - - ~ ~. - - _ -. - - - -. - -. -... -. -..-
?
i 4
LER No. 368/95-001 i
i j
1 EFW flow to the steam generators. These recoveries would have been attempted in parallel 1
L to increase the 'dFW flow, and either would have been adequate if successful. Therefore, in order to have core damage, both recoveries would have to fail.
1 These rowveries are:
i f.
Restore power to electrical buses 2A2/2A4 by manually aligning offsite i
power to 2A2. Reset Main Steam isolation Signal (MSIS). Open Emergency Feed Water (EFW) discharge valve (s) from the control room.
2.
Open EFW discharge valve (s) locally using the handwheel (s).
)
Only one valve must be opened because heat removal by one steam generator is adequate.
The local manipulations for both recoveries are provided with specific lighting that is battery
?
powered and is, therefore, unaffected by the loss of power situation. In addition, adequate power is available through 2Al such that adequate lighting is available to permit ingress to j
the local station without impaA=aat. Both recoveries are addressed in procedures 2202.001, j
i
" Standard Post Trip Actions," and 2203.037, " Loss of 125V DC," with the specific details i
of the MSIS reset in procedure 2202.010," Standard Attachments," An=chment 14,"MSIS Reset." All these actions are a routine part of training received by operators in completing l
their qualification cards.
l Recovery #1 is partially accomplished in the control room and partially in a location that a
requires entry through a security door. Recovery #2 is accomplished in a location that.
i requires entry into the radiologically controlled access area.
Recovery #1 requires manually opemng one breaker and manually closing one breaker outside the control room and electncally openmg one valve after resettmg MSIS in the controt room...
j The portion of r--~c:.- #1 requiring ac' ion outside the control room has been determmed
)
in the ANO-2 Human Reliability Analysis Work Package (HRAWP) to take 5 minutes and j
the default value of 4 minutes for the control room portion of the recovery will be l
conservatively used in senes with the portion of the time regarement for actions outside the j
control room. The time required to accomplish recovery #2 has been deternuned in the l
HRAWP to be 10 minutes.
l ANO 2 analysis has determmed that core uncovery would not begin for at least 40 minutes j
following steam generator dryout. Values established in ANO-2 analyses indicate that 38 i
minutes would elapse from the time of reactor trip to the time of steam generator dryout for this scenano with no EFW flow and four Reactor Coolant Pumps (RCPs) runmng (based on 4.5 MWt into the Reactor Coolant System from each RCP). Therefore, if the EFW valve receives adequate power to completely close,78 minutes are available to accomplish the 3
l 4
7 I
1 4
4 I
t
?
i LER No. 368/95-001 l
recovery. If the valve does not receive adequate power to close, the additional EFW flow that occurs during the post trip time frame will significantly lengthen the available recovery time even if there is not enough flow to prevent core uncovery without recovery action.
Using the Human Recovery Action numerical modeis developed in the Individual Plant
~
Evaluation (IPE) model with these three input par.uneters the failure probabilities for
)
recovery are:
i Recovery Failure Probability
- 1 with 78 min. available time 4.24E-2
- 2 with 78 min. available time 3.98E-2 Both # 1 and #2 with 78 min. available time 1.69E-3 For these recoveries, a combined failure probability of 1.69E-03 was detemuned Since the failure of electrical bus 2D01 was already modeled in the IPE with the exception of this postulated EFW failure, the change in CDF due to the loss of 2D02 initiator (Til) is estimated to be essentially the Til frequency times the operator failure to recover EFW Train B or 6.66E-07/rx-yr. This is a small increase in the ANO-2 CDF from its estimated value of 3.29E-5/rx yr, as reported in the ANO-2 IPE/PRA. Note that none of these evaluations, either the original IPE or this re-evaluation, account for the availability of the Station Black Out Diesel generator or the Auxiliary Feed Water train which were installed after the IPE freeze date. The availability of these systems for use in recovering from the i
Tl 1 initiator could even further reduce the contribution of this new failure mode to CDF.
Considering the additional information presented above that is a result of a more detailed evaluation the section of the NRC letter concernmg "Modeling Assumptions" should be reconsidered Response 2 The ANO-2 IPE was reviewed to develop an understandmg of the recovery approach employed following a loss of de power The five most dommant cut sets (as well as eight of the first ten most dominant cut sets, based on the use of plant-specific data) involve the
)
loss of a de bus, either as the initiating event or as s. failure following a reactor trip and loss l
of an ac bus. Following the loss of a de bus, main feedwater is lost and EFW is required to feed water to the steam generators (SGs). If EFW is initially unavailable, the water level in the SG will drop to 70 in. in about 25 min. At this wster level, once-through cooling is specified by the emergency operating procedures (EOPs) for removing decay heat (IPE pp
=
3.1-19, -20). Since the loss of either de bus results in the unavailability of once-through cooling (IPE pp 3.7-2, -3), secondary-side cooling must be recovered if core damage is to be prevented. Core uncovery is estimated to begin 70 min following a transient with initially normal SG water levels, such as a loss of de power (IPE p 3.1 20).
The $ recovery analysis assumes (ifferent recovery actions, WWg on the particular de bus and subsequent failures included in each cut set. Following the loss of the " green" 8
l
.i j
LER No. 368/95-001 i
\\
l de bus and EFW pump train B (including the EFW ac-powered discharge valves), the IPE addresses the failure of the operators to manually control the turbine-driven EFW pump and discharge valver [ basic event P7AMANREC (IPE Table 3.41)]. The time required for this
(
action is 20 min (IPE Table 3.4 2). The IPE estimated a failure probability of 0.2 for this l
l action following a loss of feodwater initiating event (55 min to core uncovery). A similar l
action for the motor-driven EFW pump, that only involves the manual control of the pump discharge valves (basic event P7BMANREC), was estimated to require ten minutes. The -
failure probability reported for this basic event (recovery #2)is 8.4E 2.
i In licensee comment 2, two alternate recovery actions are proposed following the loss of the green de bus:
l
\\
l recovery #1:
recovery of ac power to bus 2A2. This recovery would allow the EFW j
discharge valves to be opened from the control room. The estimated time l
to complete this action is 9 min according to licensee comment 2, and 18 i
min according to the ANO 2 IPE. (The IPE reports this basic event as l
MANOSPREC, with a 0.13 failure probability for a 70 min available time i
period).
l recovery #2:
local manual opening of the EFW discharge valves. The time required for this action is 10 min, which is the same as reported in licensee comment 2 and in the ANO 2 IPE.
These two recovery actions, combined with the potential recovery of EFW through manual
)
control of the turbine-driven EFW pump (based on the IPE, this is the recovery of choice) and the nood to recover de power to provide once-through coohng, as required by the EOPs j
about 25 min into the event, would sg-:tc for available resources Resources and time expmulmi on one recovery action would not be available for other actions For this particular event, the licensee's proposed recovery actions are interrelated since they both involve the recovery of the EFW discharge valves and could proceed in parallel, if resources were availaW, :i,,.a the point of valv: manipulation. The ANO-2 IPE recovery analysis assumed all ex-control room recovery actions were performcd sequentially by a single person (IPE p 3.4 5). While conservative if additional resources are available, the IPE analysis avoided modeling issues associated with the parallel recovery of failed components in a cut set.
Based on information provided by the licensee and the timing information and recovery analysis documented in the IPE, a revised probability of operators failing to recover EFW was calculated. This calculation recognizes the potential for multiple concurrent recovery actions, but does not consider such actions proceedmg in a completely k-M-:+h manner, t
as assumed in licensee comment 2. The nonrecovery probability of the EFW was calculated by deternumng:
9
I i
LER No. 368/95-001 i
i i
(a) the nonrecovery probability of operators failing to manually open the EFW i
discharge valves (recovery #2 given above), and j
i (b) failure to initiate once-through cooling given EFW is not recovered within 25 min (called recovery #3).
8
\\
l The model used to estimate these failure probabilities is the time-reliability correlation given by Dougherty and Fragola in Human Reliabihty Analysis (Wiley and Sons, New York, i
1988). These two failure probabilities are then combined to deternune the overall probability of operators failing to recover EFW by considering the availability of personnel throughout a 24 h penod it was assumed that the EFW discharge valves being closed would be apparent to the operators and that the initial attempt to recover EFW would be by manually opening these valves (recovery #2 in licensee comment 2). Assuming 70 min to core uncovery (as documented in the IPE), ten minutes to implement the EOPs, diagnose the event and determine a recovery strategy, and ten minutes for response, a failure probability of 0.056 is estimated for recovery #2. Because of the degree of stress expected during such an event, a time reliability correlation involving " recovery with hesitancy" was used to model the operator response (again, see Dougherty and Fragola, Human Reliability Analysis, Wiley and Sons, New York,1988). This probability is consistent with the probability reported in licensee comment 2 (0.0198) and with the ANO-2 IPE (0.084).
If EFW is not recovered within 25 min of the start of the transient, the water level in the SG is expected to drop to a value where once-through cooling is required to be initiated. This requirement, which cannot be met heniin of the loss of de power, will provide additional emphasis for EFW recovery. Shortly thereaRer, additional resources, if available, are assumed to be used to manually control the turbine-driven EFW pump and its discharge valves in a further attempt to food water to the SGs (recovery #3). A failure probability of 0.27 is estimated for this action using a time-reliability correlahon, assuming the demand occurs 30 min into 1....at (5 min afles the cue for once-through cooling) and ry.m a 20 min response time as specificui in the IPE. This failure probability is consistent with the probability reported in the IPE (0.2).
i The failure probabilities for the two recovery acuans are Recovery Failure Probabihty recovery #2: operators fail to manually open the EFW discharge valves 0.056 recovery #3: failure to initiate once-through cooling within time required 0.27 Assuming additional resources are available for recovery #3 except on the back shift (resources are assumed to be available two-thirds of the time) provides an overall probability of failing to recover EFW of:
10
.. - - ~ -..
. ~ -. - - -. - -. -
)-
l LER No. 368/95-001 i
probability of j
operators failing
[(0.056)(0.27)(2/3)] + [(0.056)(1/3)] = 0.028.
=
l to recover EFW i
These estimates result in the following increase in the CDP over a one-year penod
[
j 3.9x10-* prob of a loss of L x.
1.0 jprob of EFW failure}
x lthe green de bus ;
Idue to wiring error J i
1 4
0.028 ob of failure (
1.1x10 jnommal failure probL
=
to recover EFW, (for EFW train B 2
i 1.tx104 {mcrease in CDP due'
.to winng logic error i.
This compares to the original estimate of 3.9E 5 as reported in the preliminary ASP analysis.
The revised EFW nonrecovery probability involves substantial uncertamty and may bc l
optimistic. An assumption that the operators would not initially attempt to open the EFW l
discharge valves and instead attempt to manually control the turbine-driven pump (as utilized in the IPE for green bus de failures) and that separate action to open the closed EFW -
discharge valves would be cued at the time that once-through coolmg is demanded results in an estimated nonrecovery probability twice as high as developed above (6.6E-2).
The IPE estimates the time required to recover EFW by restonng ac power to bus 2A2 (recovery #1) to be 18 min (licensee comment 2 provides an estunate of 9 min for this action); recovery using o.s.gproach would therefore be no more rehable than manually opemng the EFW d=*arge valves, and may involve additional operator burden since ac power would be recovered to a train without de control power, if resources were diverted to recover de power at the time that once-through cooling was cued, then recovery of EFW could be further delayed.
As noted by the licensee, the nonsafety auxiliary feedwater pump may provide an sitemate l
method to food the SGs following a loss of the green de bus. However,its use would require crew resources that would have to be diverted from the direct recovery of the EFW system.
Response time and crew resources are the major factors that influence the probability of failing to recover EFW, and the potential use of a further recovery path within the same time period would be expected to provide little additional benefit. Since the nonsafety AFW pump discharge is routed to the EFW system upstream of the EFW discharge valves, the problems related to these valves would still have to be addressed by the crew. For these r===, the potentaal use of the nonsafety AFW pump was not cylicitly considered when developing the revised EFW nonrecovery probabihty.
11 l
l l
4
.--