ML20135G730

From kanterella
Jump to navigation Jump to search
Final ASP Analysis - Byron 1 (LER 454-96-007)
ML20135G730
Person / Time
Site: Byron Constellation icon.png
Issue date: 05/14/2020
From: Christopher Hunter
NRC/RES/DRA/PRB
To:
Littlejohn J (301) 415-0428
References
LER 1996-007-00
Download: ML20135G730 (10)
v  d  e


Text

Aovendix C LER No. 454/96-007 AC.ndx2 LER No. 454/96-007 Event

Description:

Transformer bus fault causes a LOOP Date of Event:

May 23, 1996 Plant:

Byron 1 C.2.1 Event Summary When a fault occurred on the output bus from station auxiliary transformer (SAT) 142-2, protective relaying isolated the Unit 1 SATs, resulting in a complete loss of offsite power (LOOP) to Unit I (Ref. 1). The unit was shut down at the time, with the residual beat removal (RHR) system being used to remove the decay heat from the core.

All of the reactor coolant system (RCS) loop stop valves were closed to support steamn generator (SGj) maintenance. The estimated conditional core damage probability (CCDP) associated with the event is 1.7 x 10-'.

C.2.2 Event Description Byron Unit 1 was in cold shutdown with reactor coolant pressure at 2.41 MPa (350 psig) and reactor coolant temperature at 29.40C (85'F) when a fault occurred at 0804 h on May 23, 1996, on the output of SAT 142-2.

Water leaking through insulator mounting holes degraded the metal inserts in the insulator as well as the insulator material between the inserts. This initiated a phase-to-ground fault. The fault expanded to involve the other phases and switchyard protective relaying isolated SATs 142-1 and 142-2. At the time, all 4. 16-ky and 6.9-kV buses were powered from the SATs, so a complete LOOP resulted.

Both emergency diesel generators (EDGs) started and loaded onto their respective engineered safety feature (ESF) buses. Shutdown cooling was restored using the IA RHR pump.

At the time of the event, Unit 2 was operating at 100% power. Air compressors and nonessential service water for both units were being powered from non-ESF buses on Unit 1 (the Unit 2 station air compressor was out of service). As designed, these buses were not reenergized when the EDGs energized their respective ESF buses. Two minutes after the Unit I LOOP, plant operators manually scrammed Unit 2 because of the lack of station air and cooling water for plant secondary systems.

During a telephone call on May 19, 1997, with ASP Program staff, licensee personnel provided additional information concerning this event. Unit I had been shut down on April 5, 1996. At the time of this event, the RCS loop stop valves were closed, and the water in the RCS piping between the loop stop valves and the SGs was drained to support maintenance work that was in progress on the SGs. The water level in the pressurizer was at -50%.

Following the LOOP, the EDGs provided power to the ESF buses until personnel restored oifsite power to SAT 142-1 at 1300 h on May 24, 1996 (29 h1 after the LOOP).

The EDGs were operated instead of cross-tying the safety buses on the two units because they were operating acceptably and because of concern over the condition of the buses due to a lack of understanding of the cause of the LOOP.

C.2-1 C.2-INUREG/CR-4674, Vol. 25

LER No. 454/96-007 ADDendix C (Subsequent trouble-shooting determined that cross-tying would have been viable following the LOOP.)

Following repairs and trouble shooting, offsite power was restored to SAT 142-2 on June 9, 1996.

C.2.3 Additional Event-Related Information.

Normal ac power for nonessential and essential loads at Unit I is provided via a unit auxiliary transformer (UAT) and both SATs. During power operation, non-ESF buses (including two of the four 6.9-ky buses that provide power to the reactor coolant pumps and other large electrical loads) are usually aligned to the two UATs, which are fed from the output of the main generator. The other two 6.9-ky buses are usually fed from the SAT. The ESF buses are connected via the SATs to the 345-ky transmission lines, which supply offsite power. Each SAT serves as a reserve power source for the non-ESF buses as well as a second source of offsite power for the corresponding ESF bus at the other unit. Each SAT is capable of furnishing startup and limited opcrating loads.

Buses 141 and 142 at Unit I can be cross-tied to buses 241 and 242 at Unit 2, to provide ac power for ESF loads. Procedure I BOA ELEC-3, "Loss of 4 kV ESF B us"2 specifies the actions required for protective load shedding, closing electrical breakers, and loading buses. If the battery charger associated with the ESF bus cannot be reenergized by cross-tying the ac buses, Ref. 2 instructs the operators to cross-tie the associated dc buses in the two units using procedure BOP DC-7, "125V DC ESF Bus Cross-tie/Restoration."3 This cross-tie can provide limited dc power.

The RHR system is provided with relief valves to prevent overpressurizing the system. Each RHR pump suction line is equipped with a relief valve set to lift at 3. 10 MPa (450 psig). Below 93.3TC (200'F), each valve has a relief capacity of 2,555 L/min (675 gpm). At 191 "C (375 "F), the relief capacity of this valve is 1,800 L/min (475 gpm). Each RHR pump discharge line is equipped with a relief valve capable of relieving 1,5 10 L/min (400 gpm) at a pressure of 4.14 MPa (600 psig). Two motor-operated gate valves in each suction line from the RCS are independently powered and interlocked to prevent these valves from opening above 2.32 MPa (337 psig). An alarm is also provided to alert the operators in the event that double-valve isolation is not being maintained and if RCS pressure increases above 2.76 MPa (400 psig).

The RHR system is a two-train system that includes two cross-connect valves (RH8716A and B) in series in the discharge piping.

These valves are normally open during power operation, but one is closed when entering Mode 4 (hot shutdown) to prevent potentially lifting a relief valve in the nonoperating train."

Closure of RH871I6A or B isolates the two RI-R trains, resulting in the availability of only one RH-R suction and discharge relief valve for pressure relief when one RHR train is in use (the normal shutdown cooling alignment at Byron).'

'This event actually happened. In 1989, an RI-R suction relief valve on the nonoperating RI-R train unexpectedly lifted at Braidwood (a plant similar to Byron) and failed to reseat. The operators at Braidwood initially assumed the valve was associated with the operating RI-R train and isolated that train. A discharge of 242,266 L (64,000 gal) occurred before the open relief valve was found 97 min after this event began.

Flow from two charging pumps was required to reestablish the water level in the pressurizer. This event is documented in Appendix C of the 1989 ASP status report.

NUREG/CR-4674, Vol. 25 C.2-1

Appendix C Appenix CLER No. 454/96-007 According to licensee personnel, if ac power had not been recovered following the LOOP, the water in the core region would begin to boil in -4.5 h, and core uncovery would occur in 9-10 h.

C.2.4 Modeling Assumptions The Unit 1 event was analyzed as a LOOP during shutdown. The bus fault was the result of insulator degradation over an extended period of time, and it was considered unlikely that an additional fault could have occurred close in time on another bus. Because of this, the potential for a concurrent LOOP at Unit 2 was not addressed.

At the time of this event, the Unit I RCS loop isolation valves were closed, and the water in the piping between the loop isolation valves and the SGs was drained to support maintenance work that was in progress on the SGs. The RCS was at 2.41 MPa and 29.4'C (350 psig and 85'F), with the pressurizer one-half full.

Following the LOOP, RHR cooling was momentarily lost until RHR train IA was restarted after EDG IA reenergized its ESF bus. Instrument air (IA) was lost because the operable station air compressors were powered from non-ESF Unit 1 buses.

If personnel could not reestablish cooling using the RHR system, Byron's procedure IBOA PRI-lO, "Loss of RHR Cooling, Unit I,"~ specifies several alternatives. For the plant condition that existed at the time of the LOOP, these alternatives include (1) feed-and-bleed cooling using normal charging and excess letdown through loop drains and (2) feed-and-bleed using normal charging and the pressurizer power-operated relief valves (PORVs). Two other methods (safety injection pump hot-leg injection and accumnulator injection) could potentially be adapted to provide decay heat removal, using the PORVs as a bleed path. At a minimum, this would require ac power to be available to at least one of the ESF buses. Use of the PORVs for bleed also requires ac power to be available to a non-ESF bus to provide power to one of the station air compressors, because IA is necessary for PORV operability during long-term feed-and-bleed. [If the PORVs were selected to "open"~ for feed-and-bleed prior to depleting the air in the reservoir, because of pressure cycling, then the PORVs may stay open for an extended period of time before air leakage depleted the reservoir. The open PORVs, in conjunction with manually opening the accumulator discharge valves, could extend the time until the onset of boiling in the core region. This potential recovery action (for which procedures do not exist) was not considered in this analysis.]

Because the current ASP models only address a LOOP at power, a separate shutdown event tree model was constructed to represent the conditions that existed during the actual event. Because of the multiplicity of decay heat removal methods and the need for ac power for all of them, the shutdown event tree model only addresses (1) the potential failure of the EDGs to start and load following the LOOP, and (2) the potential failure to recover ac power if the EDGs were to fail. Once ac power is recovered, this analysis assumes that operator actions to recover RCS level, if necessary, and reestablish decay heat removal can be relatively easily accomplished. That is, the probability of failing to restore decay heat removal using one of the approaches C.2-3 NURiEG/CR-4674, Vol.25 C.2-3 NUREG/CR-4674, Vol. 25

LER No. 454/96-007 ADDendix C described in Ref. 5, given that ac power has been recovered, is assumed to be small compared to the probability of not recovering ac power.'

The licensee estimated that if the EDGs failed to start following the LOOP and ac power was not subsequently recovered to allow the RHR system to be restarted, boiling in the region around the core would begin -4.5 h after the LOOP. Up to this time, reactor coolant would expand slightly as its temperature increased because of decay heat and would begin to fill the pressurizer with water. Depending on the specific conditions in the pressurizer, RCS pressure could increase to the 3. l0-MPa (450-psig) lift pressure of the RHR inlet relief valve. For the estimated decay heat level at the time of the LOOP (-4 MWt), the RHR inlet relief valve capacity is more than adequate to limit the pressure in the RCS to -3. 10 MPa (450 psig) before boiling begins. Therefore, up to the point of boiling, the previously operating RI-R pump could be restarted once ac power is available to its ESF bus to restore RHR (alternate decay heat removal methods specified in Ref. 6 could be used if the pump failed to start).

Once boiling begins and water in the core region is converted to steam, the relief capacity required to. prevent pressure from increasing in the RCS is substantially greater.

This specific concern was addressed in NUREG/CR-6 144 (Ref. 6) in the screening analysis preformed in Phase 1 of the Nuclear Regulatory Commnission's (NRC's) evaluation of potential risks during low power and shutdown operations at Surry.

Appendix I to Ref. 6 estimates that if the RHR system was not isolated in response to high pressure at the onset of boiling, a relief capacity of 1,650 L/min (436 gpm) would be required for each megawatt-thermal (MWt) of decay heat. A relief capacity of -6,440 L/min (1,700 gpm) would therefore be required to prevent overpressurizing the RI-R system for the -4 MWt decay heat load estimated to exist at the time of this event.

This relief capacity would initially be available, because the PORVs would be set for low-temperature overpressure protection (LTOP).

However, since IA was lost when the LOOP occurred, only a limited number of PORY cycles would be available until the in-containment PORV IA accumulator was depleted.

Once the accumulator was depleted, the PORVs would cease to function. Because the suction and discharge relief valves in the operating RI-R train cannot relieve the --6,440 L/min (1700 gpm) necessary to prevent overpressurizing the system, RCS and RHR system pressure would begin to increase, eventually resulting in RHR system rupture unless the RHR suction was manually isolated beforehand. The screening analysis in Ref 6 assumed that overpressurizing the RHR system would result in a large-break LOCA and core damage.

(Unlike Surry, Byron uses an RHR system that is located outside containment, like most aThe RHR train that was operating before the LOOP would remain configured for operation and only require restart of the RJ-R pump once ac power was recovered. Because of the short time that the pump would be stopped, standby-related failures to start would not substantially contribute to the pump failure-to-restart probability, leaving only demand-related failures.

Such failures contribute -15% to the total failure-to-start probability for motor-driven pumps [Personal communication, E. Lofgren (SAIC) and J. Minarick (SAIC), July 2, 19971. Considering only demand-related failures results in a failure-to-start probability for the previously operating train of -4.5 x 10-'. Combining this probability with the probability that the redundant RI-R pump will suffer a demand-related failure to start (Pr=0. I in the ASP models) or that other failures will occur in the redundant RI-R train, and the probability of failure of feed-and-bleed cooling using a charging pump and the PORVs (estimated to be < 0.02), results in an overall estimated failure of decay heat removal, given that ac power is available, of < 1.0 x 10' (p[demand-related RI-R pump failures (4.5 x10-') x [demand-related pump failure (0. 1)) x p[failure of feed-and-bleed (0.02)] = 9.0 x 10-'}.

NUREG/CR-4674, Vol.25 C.2-4 NUREG/CR-4674, Vol. 25 C.24

Annendix C LER No. 454/96-007 pressurized-water reactors. An RHR system rupture at Byron would result in an interfacing system LOCA, which would be much more difficult to mitigate than a break inside containment.)

At about the same time that boiling would begin and the RCS and RHR systems would begin to pressurize, the Byron batteries would be depleted. The batteries are sized to supply dc loads for 4 h.' Once dc power is lost, indication of RCS status would be unavailable to the operators. Control power for circuit breaker operation would also be unavailable, which would further complicate recovery.

To address these issues, the model used in this analysis considered (1) the potential failure of the EDGs to start and run for the 29-h period that offsite power was not recovered following the LOOP and (2) the potential failure to recover ac power to one ESE bus, if the EDGs failed, before boiling began at -4.5 h. (The 29-h period may be conservative. If emergency power had been lost, the licensee may have expedited the recovery of offsite power.) To simplify the analysis, battery depletion was also assumed to occur at 4.5 h.

The potential for the operators to protect the RHR system from overpressure by manually closing one of the suction isolation valves (this does not appear to be addressed in Ref. 5) and restore ac power prior to core uncovery (9-10 h), given that only dc power remained available once boiling began, is also addressed.

Because the probability of RHR failing is low given that ac power is successfully recovered, the potential failure of the RHR system and feed-and-bleed cooling is not included in the model.

The model for this event, shown in Fig. 1, includes the following branches:

LOOP The LOOP was caused by a fault on the output bus from SAT 142-2.

Protective relaying isolated both Unit I SATs and resulted in a LOOP to Unit 1. The unit was in cold shutdown, with the RHR system in operation, the loop isolation valves closed, and the SGs unavailable. A probability of 1.0 was assigned to the LOOP.

EP This branch represents the EDGs starting and running for the time period before offsite power was recovered. The licensee, in the May 19, 1997, telephone call, noted that a conscious decision was made to power the ESF buses from the EDGs, instead of recovering offsite power using SAT 142-1 or cross-tying to Unit 2. This was because the condition of the Unit I ac power system was not well understood.

The EDGs supplied the ESF buses for 29 h. Using the EDG failure to start and run probabilities given in the ASP model for an at-power event,b the probability of emergency power aThe licensee indicated in the May 19, 1997, phone call that battery lifetime would not be expected to be greater even though the unit was in a shutdown condition. This analysis assumes a 4.5-h battery lifetime, as discussed later. Table 8.3-9 of the Byron Updated Final Safety Analysis Report indicates that most battery loads, including the inverters, are assumed to be unavailable after 30 min. This may imply an actual battery life, if instrumentation remains powered, of less than 4h.

bThe ASP models use an EDG failure to start probability of 0.03, a failure to run probability of 0.002/h, and a common-cause P-factor of 0.038. For the 29-h period, the independent EDG failure probability is 0.088 (0.03 + 0.002 x 29 h).

The independent and common-cause probabilities for both EDGs is 0.088 x 0.088 + 0.088 x 0.038, or 0.0 11.

C.2-5 NUREG/CR-4674, Vol. 25

LER No. 454/96-007 Anoendix C failure in the 29-h period because of independent and commnon-cause effects is estimated to be 1. 1 x 1 V-.

AC RECOY This branch represents the successful recovery of ac power before the onset of boiling (4.5 h) if both EDGs failed to start and run. Following an estimated 30-mmn period to stabilize and assess the status of the unit, it was assumed that the licensee would attempt to recover ac power by repairing a failed EDG and by cross-tying the two units.

Because the cross-tie procedure can be accomplished from the control room, while any EDG repair would take place at the EDGs, both recoveries were assumed to proceed in parallel.

The probability of failing to recover one of the two EDGs was assumed to be exponentially distributed, with a 4-h median time to repair.'

The probability of failing to cross-tie the Unit I and 2 ESF buses was modeled as a time-reliability correlation (TRC) as described in Human Reliability Analysis.' Because the sequences of interest in this analysis involve a station blackout in which concern would have existed over the condition of the ac buses due to a lack of understanding of the cause of the LOOP, the "recovery with hesitancy" TRC was used in the analysis. The probability distribution for this TRC is lognormal, with an error factor of 6.4. Based on a review of operator actions associated with cross-tying the Unit I and 2 ESF buses as described in Ref. 2, a median response of 10.mmn was estimated, following the previously described 30-mmn delay. The potential failure of one of the two breakers in both the bus 141/24 1 cross-ties (potential failure of four sets of two breakers) was also addressed, using a failure-to-operate probability of 3 x 10` per breaker (see Ref. 9, Table 8.2-8) and a P-factor of 0.1. Using this approach, the estimated probability of failing to recover power to an ESF bus before the onset of boiling (-4.5 h) is 5 x 10-' (failure to recover one of the two EDGs) x 1 2.5 x 101' (operator actions associated with the cross-tie)

+ 1.2 x 10` (failure of the cross-tie circuit breakers)]

=1.9 x I V (failure to recover ac power).

The ac power cross-tie procedure' instructs the operators to cross-tie the dc buses if ac power cannot be recovered to the battery chargers. This branch represents the potential to cross-tie the dc buses between units before battery depletion. This would provide control and instrument power to Unit 1. This analysis assumes the dc cross-tie procedure would be successful if the failure to cross-tie the ac buses was caused by ac breaker problems, but not if the failure to cross-tie the ac buses was caused by the failure of the operators to perform the cross-tie procedure. Using this approach and the failure probabilities estimated in the AC RECOV branch, the probability of failing to DC CROSS-TIE NUREG/CR-4674, Vol.25 C.2-6 NUREG/CR-4674, Vol. 25 C.2-6

ADDendix C LER No. 454/96-007 Annendix C LER No. 454/96-007 cross-tie dc power, given the failure to recover ac power, is estimated to be 0.68 [2.5 x LONG-TERM This branch represents the long-term recovery of RHR once boiling begins, provided dc RECOV power remains available for instrumentation and control. Recovering RHR in this time period would require actions for which procedures do not exist to isolate the RHR system by local manual closure of one* of the RI-R suction valves prior to overpressurizing the system and to ultimately recover ac; power to an ESF and non-ESF bus to allow the use of a charging pump and the PORVs for feed-and-bleed. For the purposes of this analysis, a failure probability of 0.34 was assumed (ASP recovery class R2; see Appendix A to the 1995 ASP status report.' 0)

Combining these branch probabilities using the event tree model shown in Fig. C.2. 1 results in an estimated CCDP for this event of 1.7 x 10-5.

C.2.5 Analysis Results The CCDP estimated for this event is 1. 7 x 10'. The dominant sequence, highlighted in Fig. C.2. 1, involves

  • the potential failure of both EDGs to start and run (a station blackout),
  • failure to recover ac power prior to battery depletion and the onset of boiling in the region around the core, and
  • failure to cross-tie dc power to Unit 2 prior to the onset of boiling.

The other potential core damage sequence shown in Fig. C.2. 1 involves

  • the potential failure of both EDGs to start and run (a station blackout),
  • failure to recover ac; power prior to battery depletion and the onset of boiling in the region around the
core,
  • dc cross-tie success, and
  • failure to prevent overpressurizing the RHR system and recover ac power before core uncovery.

The conditional core damage probabilities are shown in Table C.2. 1, while Table C.2.2 lists the sequence logic associated with the sequences listed in Table C.2. 1. Table C.2.3 provides the definitions and failure probabilities for event tree branch points in Fig. C.2. 1.

Other potential sequences leading to core damage, involving the failure to recover RHR once ac power is recovered, are not shown in Fig. C.2. 1. As noted in the section on Modeling Assumptions, the conditional probability for these sequences is estimated to be below 1.0 x10-6.

C.2-7 NUREG/CR-4674, Vol.25 C.2-7 NUREG/CR-4674, Vol. 25

ADDendix C LER No. 454/96-007 Anna The uncertainty in this event analysis is dominated by (1) the uncertainty in the potential for overpressurizing the RHR system pressurization once boiling begins and (2) the uncertainty in the probability that ac power would not be recovered through Unit 1I-Unit 2 cross-tie following a station blackout.

This event involved water intrusion that degraded insulators on a 4.1 6-kV bus and resulted in a phase-to-ground fault. This event could have occurred at other proximate times. If it had occurred earlier in the shutdown, when the amount of decay heat was substantially higher, less time would have been available to recover decay heat removal. This would have resulted in a higher CCDP than estimated here-.

If the event occurred when Unit 1 was at power, the bus fault would have resulted, as a minimum, in an initial loss of power to bus 142. If this occurred, the unit would probably have remained at power, with EDG 11B powering bus 142 loads. If at-power switchyard impacts from the bus fault had been severe enough to have tripped the main transformers, then the fault could have resulted in an at-power LOOP.

Because the switchyard response is unknown, the potential for core damage, had the fault occurred at power, was not addressed in this analysis.

C.2.6 References

1. Licensee Event Report 454/96-007, "Loss of Offsite Power Due to Failure of an Insulator on Phase B of the Unit 1 Station Auxiliary Transformer from Water Intrusion," June 2.1, 1996.
2.

Byron 1 Procedure IBOA ELEC-3, "Loss of 4 kV ESF Bus, Unit I,", Rev. 54A.

3. Byron Procedure BOP DC-7, "125V DC ESF Bus Crosstie/Restoration," Rev. 3.
4.

Personal communication, N. Hilton (U.S. NRC) and J. Minarick (SAIC), June 30, 1997.

5. Byron I Procedure I BOA PRI-l10, "Loss of RHR Cooling, Unit I," Rev. 55.
6. Evaluation ofPotential Severe Accidents During Low Power and Shutdown Operations at Surry, Unit 1, NUREG/CR-6 144, Vol 2, Part 5 (Appendix 1), June 1994.
7. P. W. Baranowsky, Evaluation of Station Black-out Accidents at Nuclear Power Plants, NUREG-1032, June 1988.
8. E. M. Dougherty and J. R. Fragola, Human Reliability Analysis, John Wiley and Sons, New York-, 1988.
9. Analysis of Core Damage Frequency: Internal Events Methodology, NUREG/CR-45S0, Vol. 1, Rev. 1, January 1990.
10. R. J. Belles, et. al., Precursors to Potential Severe Core Damage Accidents:.1995, A Status Report, NUREG/CR-4674, Vol. 23, April 1997.

NUREG/CR-4674, Vol.25 C.2-8 NUREG/CR-4674, Vol. 25 C.2-8

Avvendix C LER No. 454/96-007 Appendix C LER No. 454/96-007 w

uJ0 0

0 0

0 w

UJ0 w 0 oW 13 CO (

0 w

0L C14 Cr 1

t 0.

z0 wU w

w w

0 D-Fig. C.2. 1 Dominant core damage sequence for LER No. 454/96-007.

C.2-9 C.2-9NUREG/CR-4674, Vol. 25

LER No. 454/96-007 Apni Appendix C Table C.2.1. Sequence Conditional Probabilities for LER No. 454/96-007 Conditional Event tree Sequence core damage Percent name number probability contribution

__________(CCDP)

SHUTDOWN 5

1 1.4 E-005 j

86.2 SHUTDOWN 4

2.3 E-006 13.5 Total (all sequences) 1.7 E-005 Table C.2.2. Sequence Logic for Dominant Sequences for LER No. 454/96-007 Event tree name Sequence Logic number SHUTDOWN 5

EP, AC RECOV, DC CROSS-TIE SHUTDOWN 4

EP, AC RECOV, /DC CROSS-TIE, LONG-

, TERM RECOV Table C.2.3. System Names for LER No. 454/96-007 Failure System name Description probability AC RECOV Failure to Recover ac Power Before the Onset of 1.9 E-003

______________Boiling EP Failure to Recover Emergency Power

1. 1 E-002 DC CROSS-TIE Failure to Cross-Tie dc Buses Before Battery 6.8 E-001

______________Depletion LONG-TERM Failure to Recover RHR After the Onset of 3.4 E-00OI RECOV Boiling NUREG/CR-4674, Vol.25 C.2-10 NUREG/CR-4674, Vol. 25 C.2-1 0

Retrieved from "https://kanterella.com/w/index.php?title=ML20135G730&oldid=4220798"