ML20135G745
| ML20135G745 | |
| Person / Time | |
|---|---|
| Site: | Dresden  |
| Issue date: | 05/14/2020 |
| From: | Christopher Hunter NRC/RES/DRA/PRB |
| To: | |
| Littlejohn J (301) 415-0428 | |
| References | |
| LER 1994-018-00 | |
| Download: ML20135G745 (7) | |
Text
Appendix C LER No.
Appendix C LER No. 237/94-018 237/94-0 18 C.3 LER No. 237/94-0 18 Event
Description:
Motor Control Center Trips Due to Improper Breaker Settings Date of'Event: June 8, 1994 Plant: Dresden 2 C.3.1 Summary Following an unexpected trip of a motor control center (MCC) at Dresden 2 during surveillance testing, three MCCs were identified at Dresden 2 and Dresden 3 with improperly set feeder breakers. A review of MCC loading indicated that load additions since the original settings were determined had created an overload situation. For two of the MCCs, the overload condition would only have existed if an emergency diesel generator (EDG) had been running following a reactortrip with offsite power available. Load shedding following a loss-of-offsite power (LOOP) would have precluded an overload condition for this initiating event. For one of the MCCs, the overload condition would also have existed following a LOOP. The conditional core damage probability estimated for the event is 6.1 x 10-6 C.3.2 Event Description On June 8, 1994, Dresden Unit 2 was operating at 99% power, and Unit 3 was in refueling. The Unit 2/3 standby gas treatment (SBGT) system was in operation, and a 24-h endurance run for EDG 3 was in progress, as was a Unit 2 high-pressure coolant injection (HCI) surveillance.
Shortly after the Unit 2 HPCI auxiliary oil pump started, MCC 39-2 tripped. As a result of the loss of power at MCC 39-2, (1) EDG 3 tripped on high temperature following loss of power to its cooling water pump and ventilation fan, (2) the 125-V dc and 250-V dc battery systems had to be realigned to alternate chargers, (3) ahalf-scram forUnit 3 was generated as a result of loss of power to a reactor protection system (RPS) motor-generator, and (4) SBGT train A automatically started following loss of power to train B components.
MCC 39-2 loads were stripped, and the MCC feeder breaker was reclosed. MCC 39-2 loads were reenergized within 30 min of the breaker trip.
The trip of MCC 39-2 was caused by an incorrectly set feeder breaker. The feeder breaker for the MCC had a General Electric dashpot type EC-2A overcurrent trip device, which was original equipment. The setting for this breaker was 400 A. A review of the original loading on the MCC indicated that the 400-A setting was adequate, but load additions made to the MCC over time had increased the available running load current above the 400-A setting.
Two other breakers were subsequently identified with similar problems-MCC 28-3 and 38-3. The EC-2A trip devices for both of these MCCs had been replaced with newer General Electric solid state type RMS-9 trip devices. Both of these MCCs were also set to trip at 400 A. The licensee noted in the licensee event report (LER) that the setting for MCC 38.3 was chosen to be identical -with the original breaker setting based on the assumption that MCC loading had not changed over time. However, since the loading had changed, the total connected load was greater than the protective device setting. At the time of the MCC 28-3 trip device replacement, it was recognized that the overcurrent setting was lower than the total connected load. However, it was assumed that the running load during accident conditions would be within the setting of the protective device.
Based on the loads associated with each MCC, the licensee concluded that MCCs 38-3 and 39-2 could be overloaded and trip during a safety actuation in which the associated EDG was running (e.g., for testing or following a spurious start) while offsite power was still available. For these MC Cs, loads shed following a LOOP would preclude an overload C.3-1 NUREG/CR4674, Vol. 21
LER No. 237/94-018 Apni Appendix C condition. For MCC 28-3, however, the overload condition could exist for both LOOPs and other events in which the associated EDO was running.
C.3.3 Additional Event-Related Information Three EDGs provide emergency power to the two Dresden units: EDO 2 provides power to Unit 2 bus 24-1, EDG 3 provides power to Unit 3 bus 34-1, and swing EDG 2/3 provides power to either Unit 2 bus 23-1 or Unit 3 bus 33-1 in the event of a LOOP on Unit 2 or Unit 3, respectively. In the event of a dual-unit LOOP with a loss-of-coolant accident (LOCA) on one unit, EDO 2/3 provides power to the unit with the LOCA. In the event of a dual-unit LOOP without a LOCA, EDG 2/3 powers the unit that suffers the LOOP first. Unit 2 bus 24-1 and Unit 3 bus 34-1 can be cross-tied by closing two normally open breakers.
Two 250-V dc and two 125-V dc batteries are shared between both units. The 250-V dc batteries primarily power large loads, such as dc-powered pumps and valves, while the 125-V dc batteries provide control power to components such as circuit breakers. Battery chargers that normally supply dc power and provide battery charging can be powered from buses associated with EDO 2 (Unit 2) or EDO 3 (Unit 3) or the swing EDG. Each battery is sized to power its respective loads for 4 h.
The isolation condenser (IC) and HPCI can provide decay heat removal in the event of a LOOP with unavailability of on-site ac power. Diesel-driven pumps provide IC secondary side makeup in this case. Since the IC does not provide RPV makeup, it cannot be used if an SRV sticks open or if a recirculation pump seal fails. The model also assumes that if ac power (the ED~s or offisite power) is not recovered prior to battery depletion core damage occurs. Following battery depletion, all instrumentation would be lost, as would control power for breaker, turbine-driven pump, and dc valve operation. Potential recovery after this time, although possible, is extremely difficult and beyond the scope of this analysis.
C.3.4 Modeling Assumptions Four possible situations were addressed in the analysis of this complex event. All three MCCs could have tripped following an initiating event in which emergency core cooling system (ECCS) actuation Was required, offsite power was available, and the EDO associated with the MCC was running (e.g., for testing or following a spurious start).
Analysih Case Ila addresses the situation in which one EDO was running. Analysis Case lb addresses the situation in which two EDGs were running. In addition, MCC 28-3 could have tripped following a LOOP. Analysis Cases 2a and 2b consider a plant-centered LOOP at Unit 2 and dual-unit LOOPs at Units 2 and 3. In all cases, the MCCs were assumed to trip if they could have tripped. This assumption may be conservative.
Case Ia. Postulated initiating event with offsite power available and one EDG running. This situation could exist if a transient or small-break LOCA occurred and one of the two ED~s associated with a unit was undergoing monthly surveillance testing. The greatest potential impact is associated with MCCs 39-2 and 38-3 at Unit 3. These MCCs, in addition to supplying power to EDO components (and turning gear components for MCC 38-3), also supply power to containment cooling service water (CC SW) cubicle fans. CCSW provides decay heat removal for the containment cooling mode of low-pressure coolant injection. The analysis assumed the two CCSW trains associated with the running EDO would be unavailable after the MCC tripped. The trip of MCC 38-3 at Unit 3 (and 28-3 at Unit 2) also impacts fire protection panel FP-3 (and FP-2). The analysis assumes these panels do not influence the use of firewater as an alternate source of low-pressure injection. The probability of a running EDO was estimated to be 1.4 x 10-3, based on an assumed 1-h surveillance run-time for each EDO per month.
The significance for this case was estimated by setting basic events associated with the two impacted CCSW trains to true (failed) and calculating the increase in core damage probability for non-LOOP (transient and small-break LOCA) initiating events over a 1-year period using the IRRAS-based ASP model for Dresden. Long-term unavailabilities such as this event have typically been modeled in the ASP Program for a 1-year period, assuming the plant was at power 70% of the time; this is equal to 6132 h (365 d x 24 h/d x 0.7). The increase in core damage probability was multiplied NUREG/CR-4674, Vol. 21 C.3-2
Appendix C LER No. 237/94-018 by the probability that an EDG would be running to estimate thle conditional probability for Case Ila. This conditional probability is less than 1.0 x 10-8. Since this is substantially below the 1.0 x 10-6 documentation limit used in the ASP Program, the calculational results are not included here.
Case lb. Postulated initiating event with offsite power available and two EDGs rmuning. This situation could exist if a transient or a small-break LOCA occurred and both EDGs associated with a unit were spuriously started. The analysis for this case is similar to Case Ila, except all trains of CCSW were assumed to be unavailable. The probability of spurious EDG start was estimated using a Sequence Coding and Search System search of Boiling Water Reactor (BW~R) automatic or manual reactor trips with spurious EDG starts. Three such events were identified in 573 trips from power, resulting in an estimated probability of spurious EDG actuation of 5.2 x 10-3 . The resulting conditional core damage probability is estimated to be 4.3 x 10- 8 , also well below 1.0 x 10.6. As for Case la, the calculational results are not included here.
Case 2a. Postulated plant-centered LOOP at Unit 2. For a postulated plant-centered LOOP at Unit 2 only, offisite power remains available at Unit 3. Trip of MCC 28-3 will result in inoperability of swing EDG 2/3 and unavailability of power to 4-ky bus 23-1. Power can be recovered to bus 24-1 if EDG 2 fails by recovering offisite power or by closing the cross-tie from Unit 3 bus 34-1. Because of the shared dc system at Dresden, dc power will remain available for instrumentation even if Unit 2 batteries are depleted. Therefore, a sequence involving safety relief valve (SRV) reseat and isolation condenser or HPCI success following a postulated station blackout will not proceed to core damage (essentially all of sequence 44).
The probability of failing to recover power to bus 24-1 through closure of the cross-tie breakers from Unit 3 was assumed to be 0. 12 [Accident Sequence Precursor (ASP) nonrecovery class R3, see Appendix A, Sect. A. 1 to the 1992 Annual Report, NUREG/CR-4674, Vol. 17]. This value was chosen because recovery appeared possible in the required time from the control room, but was not considered routine (the value chosen for this failure probability for this case is considered a bounding probability and does not substantially impact the overall analysis results). This value is used in lieu of the failure probability for EDG 3 in the IRRAS-based ASP models to reflect the failure to provide power from bus 34-1. The probability of EDG common-cause failure was set to false to reflect the unavailability of EDG 2/3 and the availability of power on bus 34-1.
After elimination of sequence 44 of the LOOP tree shown in Figure C.3. 1 (since it does not proceed to core damage for a single-unit plant-centered LOOP), a conditional core damage probability of 1.6 x 10-8 is estimated. As for Cases la and lb, the calculational results are not included here.
Case 2b. Dual-unit LOOP at Units 2 and 3. For a postulated dual-unit LOOP (primarily grid- and weather-related LOOPs), offsite power is unavailable to both units. If the LOOP occurs at Unit 2 first, trip of MCC 28-3 will result in unavailability of swing EDO 2/3. EDG 3 will be required to power Unit 3 loads, leaving only EDG 2 to supply power to Unit 2 loads (except for battery charging, which can be provided by either EDG 2 or EDG 3).
The frequency of a dual-unit LOOP and the probability of failing to recover offsite power in the short-term and before battery depletion were estimated to be 1.7 x 10-2 /year, 0.66, and 0.2 1,re~pectively, based onmodels described inRevised LOOP Recovery and PWR Seal LOCA Mfodels, ORN~L/NRCILTR-89/1 1, August 1989. These models are based on the results of data distributions contained in Evaluation of Station Blackout at Nuclear Power Plants, NUREG-1032. The probability of the dual-unit LOOP occurring first at Unit 2 was assumed to be 0.5. This value is based on the assumption that a dual-unit LOOP has an equal probability of occurring first at either unit. Therefore, the initiating event probability is equal to (1.7 x 10-2 /year x 0.66 x 0.5 x 1 year). The failure probability for EDO 2/3 was set to true to reflect its unavailability following a trip of MCC 28-3. The common-cause failure probability for the EDGs was revised to 4.4 x 10-3t reflect the unavailability of EDO 2/3. Sequence 44, which involves failure of emergency power and failure to recover offsite power prior to battery depletion, dominates the analysis results. For this sequence to occur, both EDO 2 and EDG 3 must fail; otherwise power for battery charging will exist and the batteries will not deplete. The resulting conditional core damage probability is estimated to be 6.1 x 10- . This is the only case that significantly contributes to the conditional core damage probability for this event. The calculational results are shown in Tables C.3.1 through C.3.5.
NUREGICR-4674, Vol.21 C.3-3 NUREG/CR4674, Vol. 21
LER No. 237/94-018 Apni Appendix C C.3.5 Analysis Results The conditional core damage probability estimated for this event is 6.1 x 10-6. The dominant core damage sequence, highlighted on the event tree in Figure C..3.1, involves a postulated dual-unit LOOP (Case 2b) with subsequent failure of all three Dresden EDGs and failure to recover offsite power prior to battery depletion. In the dominant sequence, EDG 2/3 fails due to MCC 28-3 trip following its alignment to Unit 2 (the postulated dual-unit LOOP affects Unit 2 first), and EDG 2 and 3 fail for unspecified reasons (random or common-cause failures).
The calculational. results for Cases la, lb, and 2a were not included since they do not provide a significant contribution to the conditional core damage probability for the event. The calculational results for Case 2b are shown in Tables C.3.1 through.C.3.5. Definitions and probabilities for selected basic events are shown in Table C.3.1. The conditional probabilities associated with the highest probability sequences are shown in Table C.3.2. Table C.3.3 lists the sequence logic associated with the sequences listed in Table C.3.2. Table C.3.4 describes the system names associated with the dominant sequences. Cut sets associated with each sequence are shown in Table C.3.5.
C.3.6 Reference
- 1. LER 237/94-018, "Potential Trip of Motor Control Centers Due to Improper Feed Breaker Settings,"
July 7, 1994.
NUREGICR-4674, Vol. 21 .-
C.34
ADDendix C LER LER No.
No. 237/94-018 237/94-018 ADDendix C Figure C.3. I. Dominant core damage sequence for LER No. 237/94-018 (see Case 2b).
C.3-5 NUREGICR-4674, Vol. 21
LER No. 237/94-018 Appendix C Table C.3.1. Definitions and probabilities for selected basic events for LER 237/94-018 (Case 2b)
Base Current Modified Event name Description probability probability Type for this event EPS-DGNCF-DGNS Common Cause Failure of Diesel 12-0 A-0 EPS-DGN-F-DGNS Generatorsl.E03 4E-0Y EPS-DGN-FC-DG2 Unit 2 Generator Fails 4.4E-002 4.4E-002 N EPS-DGN-FC-DG3 Unit 3 Diesel Generator Failure 4.4E-002 4.4E-002 N EPS-DGN-FC-DG23 Swing Diesel Generator Fails 4.4E-002 1.OE+OOO TRUE Y EPS-XIHE-.XE-NOREC Operator Fails to Recover 8.OE-O0l 8.OE-OO1 N Emergency Power rn-LOOP Loss-of-offsite Power Initiator 9.IE-007 5.6E-003 Y LE-SLOCA Small LOCA Initiator 1.7E-006 O.OE+OOO IGNORE Y IE-TRAN Transient Initiator 3.4E-004 O.OE+000 IGNORE Y OEP-XH-E-XE-NOREC Operator Fails to Recover Offisite 2.1E-OO1 2.lE-OO1 N Power Table C.3.2- Sequence conditional probabilities for LER 237/94-018 (Case 2b)
Event tree name Sequence name Cnioalcr Cre damageprbilt Importance%
droamaget proabiit (CCDP-CDP) Contribution proablit (DP LOOP 44 5.9E-006 3.5E-006 2.3E-006 96.7 Total (all sequences) 6. IE-006 .. .......______.........___....... ___._ ..........
Table C.3.3. Sequence logic for dominant sequences SEvent tree name rSequence for LER 237/94-018 (Case 2b) name Logic LOOP 44 /RP1, EPS, OEP Table C.3.4. System names for LER 237/94-0 18 (Case 2b)
System name Description EPS Emergency Power System Fails OEP Offsite Power Recovery RP 1 Reactor Shutdown Fails NUREG/CR4674, Vol. 21 C.3-6
Appendix C LER No. 237/94-018 Table C.3.5. Conditional cut sets for higher probability sequences for LER 237/94-0 18 Cut set No. Cotibto Frequency Cut sets LOOP Sequence: 44 6.OE-606 ... .......
1 695 4A-006 EPS-DGN-CF-DGNS, EPS-XIHE-XE-NOREC, 1 69. 4.1-006 OEP-XIHE-XE-NOREC 2 30.6 1.0-006 1 .8-00 EPS-XIHE-XE-NOREC, OEP-XI-IE-XE-NOREC, EPS-DGN-FC-DG2, EPS-DGN-FC-DG3 I Total (all sequences) 6.OE-006 C.3-7 NIREGICR-4674, Vol. 21 C.3-7