ML20135G724
| ML20135G724 | |
| Person / Time | |
|---|---|
| Site: | Arkansas Nuclear  |
| Issue date: | 05/14/2020 |
| From: | Christopher Hunter NRC/RES/DRA/PRB |
| To: | |
| Littlejohn J (301) 415-0428 | |
| References | |
| LER 368-1995-001 | |
| Download: ML20135G724 (5) | |
Text
ADDendix B LER No. 368/95-001 AB.nd8 LER No. 368/95-001 Event
Description:
Loss of direct current bus could fail both emergency feedwater trains Date of Event: July 19, 1995 Plant: Arkansas Nuclear One, Unit 2 B.8.1 Event Summary During a simulator procedure validation exercise, personnel discovered that both trains of emergency feedwater (EFW) could be failed by the loss of a single train of direct current (dc) power at Arkansas Nuclear One, Unit 2 (ANO-2). Plant personnel confirmed the validity of the simulator exercise and declared the motor-driven EFW pump inoperable. A 72-h Technical Specification action statement was entered until the bus providing power to the normally open green-powered EFW injection valves could be transferred to an alternate power source that precluded the condition, while a permanent solution could be developed and implemented. A modification to the control relays for the green-powered injection valves in the red EFW train was completed on July 27, 1995, that corrected the condition. The root cause of this condition was the assumption that the normally open motor-operated EFW injection valves (which replaced the electro-hydraulic injection valves in 1984) would fail "as-is"~ upon loss of power. Because of a design error during development of the plant modification that implemented the injection valve replacement, a failure of the green train dc; bus could cause the green-powered injection valves in series with the two red-powered valves for the motor-driven EFW pump to close enough to restrict EFW flow to the steam generators. The conditional core damage probability (CCDP) estimated for this event is 6.0 x 10'. The increase in the core damage probability (CDP), or importance, associated with this event is 1.1 x 10'-.
B.8.2 Event Description While validating Abnormal Operating Procedures (AOPs) on the plant simulator, a loss of "green-train" dc power was simulated during power operations. Approximately 3 s into the scenario, the main turbine tripped from loss of dc power to the electrohydraulic control system. The turbine trip resulted in the trip of the main generator output breaker, but, because of the loss of dc control power, the generator field breaker did not trip, and the generator remained tied to alternating current (ac) bus 2A2 via the Unit Auxiliary Transformer.
Generator voltage decayed over the next 30 s.
The loss of green-train dc power rendered multiple dependent systems and sub-systems inoperable, including ac buses 2A2 and 2A4, emergency diesel generator (EDG) B, and the A-train turbine-driven EFW pump. In addition, an unexpected interaction rendered the B-train ("red-train") motor-driven EFW pump unavailable.
The discharge of EFW pump B can be routed to either steam generator via lines that each contain two isolation valves. The inboard (closest to the pump) valves are normally closed and are supplied by "red-train" power. The outboard valves are normally open and are supplied by green-train ac power. These valves have a normally energized green-train dc relay, which signals the valves to close on loss of dc; control power.
When this configuration. was designed, it was assumed that any loss of green-train dc power would be B.8-1 NUREG/CR-4674, Vol. 23
LER No. 368/95-001' AiDiDendix Appendix B B LER No. 368/95-001 accompanied by a simultaneous loss of green-train ac power. During the simulator run, the ac power remained available for approximately 30 s, which allowed the B-tramn EFW isolation valves to close, contrary to design intent. Once closed, the valves could not be reopened until ac power was restored and an open command wats given.
B.8.3 Additional Event-Related Information The Licensee Event Report (LER) for this event (Ref. 1) indicates that there is no conclusive evidence that the actual plant response would have resulted in complete closure of the affected EFW valves. Based on a review of plant documentation, the LER indicates that sufficient voltage to operate the EFW isolation valves might have existed for only about 10 s after a reactor trip. In this case, the EFW isolation valves would have closed only partially. In that event, some EFW flow-but less than the amount required by technical specifications-might have been maintained.
The ANO-2 Individual Plant Examination (IPE) (Ref. 2) indicates that the expected frequency for the loss of one dc; bus is 3.94 x 10'~per year. The IPE also provides information about the potential impacts of a loss of dc power. Once-through cooling (feed and bleed) requires that either the. high-point vent. line or one of the low temperature overpressure (LTOP) paths be opened. The loss of green-train dc power would render all pathways unavailable, hence once-through cooling would be unavailable. In addition, a dependency table in the IPE indicates that the following systems are also dependent on green-train dc power: high pressure safety injection (HPSI) train B, shutdown cooling (SDC) train A, and main feedwater (MFW).
B.8.4 Modeling Assumptions The wiring logic error, which caused the loss of the green-train dc; power, apparently existed from the time a plant modification was made in 1984 until 1995, when it was discovered. In this analysis, it was assumed that the plant performance would be similar to that of its simulator. For one operating year [the longest time period analyzed in the Accident Sequence Precursor (ASP) Program], both trains of EFW were assumed to be initially inoperable, given a loss of the green-train dc power. The frequency of this initiator, 3.9 x 10' per year, was taken from the ANO-2 IPE.
As described above, MFW and once-through cooling are unavailable following a loss of dc; power. Core cooling, therefore, requires successful EFW operation or recovery of EFW if it were to initially fail (this is shown in Figure 1).
The nonrecovery probability of the EFW was calculated by determining:
(a) the nonrecovery probability of operators failing to manually open the EFW discharge valves, and (b) failure to initiate once-through cooling given EFW is not recovered within 25 mini.
The model used to estimate these failure probabilities is the time-reliability correlation given by Dougherty and Fragola in Human Reliability Analysis (Ref. 3). These two failure probabilities are then combined to 23 Vol. 23 B.8-2 NUREG/CR-4674, Vol.
NUREG/CR-4674, B.8-2
Appendix B Appenix No.
BLER368/95-001 determine the overall probability of operators failing to recover EFW by considering the availability of personnel throughout a 24-b period.
The probability of failing to recover the initially unavailable EFW system was estimated by assuming that the closed EFW discharge valves would be apparent to the operators and that the initial attempt to recover EFW would be by manually opening these valves. Assuming 70 min to core uncovery (Ref. 2, p. 3.1-20),
10 min to implement the emergency operating procedures (EOPs), diagnose the event and determine a recovery strategy, and 10 mini for response, a failure probability of 0.056 is estimated. Because of the degree of stress expected during such an event, a time-reliability correlation involving "recovery with hesitancy" was used to model the operator response, as described in Ref. 3.
If EFW is not recovered within about 25 min of the start of the transient, the water level in the steam generator (SG) is expected to drop to a value where once-through cooling is required to be initiated (Ref. 2,
- p. 3.1-19, -20). Because the ability to initiate once-through cooling cannot be met because of the loss of dc power, it is expected that plant personnel will place additional emphasis on recovering EFW. Shortly thereafter, additional resources, if available, are assumed to be used to manually control the turbine-driven EFW pump and its discharge valves in a further attempt to feed water to the SGs. A failure probability of 0.27 is estimated for this action, assuming it occurs 30 min into the event (5 mini after the cue for once-through cooling) and requires the 20 min response time specified in Ref. 2.
The failure probabilities for the two recovery actions are:
Recovery FailureProbability operators fail to manually open the EFW discharge valves 0.056 failure to initiate once-through cooling within time required 0.27 Assuming additional resources are available for initiating once-through cooling except on the back shift (resources are assumed to be available two-thirds of the time) provides an overall probability of failing to recover EFW of:
probability of operators failing = [(0.056)(0.27)(2/3)J + [(0.056)(1/3)] = 0.028.
to recover EFW These estimates result in the following increase in the CDP over a one-year period:
3.9 x 10 ýrob of a loss of ~ x 1.0 ýrob of EFW failurel
[the green dc bus J [due to wirnero 0.028 trob of failure 1 ~ - 1.1 X 10' Jnominal failure prob 1 t(to recover EFWJ Wor EFW train BJ
=1. 1 X 10- Jncrease in CDP duel Ito wiring logic error)I.
B.8-3 NLTREG/CR4674, Vol. 23
LER No. 368/95-001 Amendix B B.8.5 Analysis Results The estimated increase in the CDP due to the wiring logic error is 1.1 x 10-' The dominant core damage sequence for this event (Sequence number 3 in Fig. B.8. 1)involves:
- a postulated loss of the green dc bus,
- the resultant unavailability of EFW, and
- failure to recover EFW.
The nominal CDP over a one-year period estimated using the ASP Integrated Reliability and Risk Analysis System (IRRAS) models for ANO-2 is approximately 4.9 x 10'. The wiring logic error increased this probability to 6.0 x 10' This value is the CCDP for a one-year period in which the wiring logic error existed.
B.8.6 References
- 1. LER 368/95 -00 1, Rev. 0, "Unanticipated effect of analyzed failure of dc electrical bus upon train of EFW system containing ac motor-driven pump," August 18, 1995.
- 2. ArkansasNuclear One-Unit 2 IndividualPlantExaminationfor Severe Accident Vulnerabilities,August 1992.
- 3. Dougherty and Fragola, Human ReliabilityAnalysis, Wiley and Sons, New York, 1988.
B.8-4 NUREG/CR-4674, Vol.
NUREGICR-4674, Vol. 23 23 B.8-4
LER Annendix B ADDendix B LER No.
No. 368/95-001 368/95-001 wl 0 0 w
D 004) az w
COz w
C) 0 0U COw0 COa:
0w wL O
wu LL (0)
- 0) i to z ow Fig. B.8. I. Dominant core damage sequence for LER 368/95-00 1.
NUREG/CR-4674, Vol. 23 B.8-5 B.8-5 NUREG/CR4674, Vol. 23