Text

Annendix B LER No. 370/96-002 B.7ndx LER No. 370/96-002 Event

Description:

2B EDG inoperable due to. slow instrumentation response Date of Event: March 6, 1996 Plant: McGuire Unit 2 B.7.1 Event Summary McGuire Unit 2 was at 100% power when the 2B Emergency Diesel Generator (EDG), which was undergoing a scheduled operating test, tripped on a false low lube oil pressure signal shortly after starting.' The test failure was the result of air entrainment into the instrument line for the lube oil piping combined with low room temperature. Personnel determined that these conditions (air ingress and cold room temperature), which were deemed sufficient to cause the 2B EDG to trip, existed for a combined total of 540 h. (The 540-h total was distributed over four separate occasions where the 72-h single EDG outage allowed by Technical Specifications was exceeded.) This long-term unavailability of the 2B EDG could have affected the unit's response to a loss of offsite power (LOOP). The estimated increase in the core damage probability (CDP) over the 540-h period for this event (i.e., the importance) is 1.8 x 10'. The base probability of core damage (the CDP) for the same period is 1.2 x 1' B.7.2 Event Description Unit 2 was at 100% power on February 6, 1996. The 2B EDG was scheduled for a non-prelubricated start test. The 2B EDG reached 95% of rated speed in 9 s.' The 2B EDO tripped on a low lube oil pressure signal 30 s later (39 s after starting the EDO). Indicated pressure was 0. 10-0. 14 MPa (15-20 psig) and decreasing; normal operating pressure is 0.28 MPa (40 psig). However, personnel determined that the low lube oil pressure indication was false. The low pressure indication resulted from a slow instrument response due to air entrainment in the instrument line for the lube oil piping, coupled with the low EDG room temperature.

(An inadequate design of the instrument lines allowed for air to be introduced into the system. The lube oil pressure switch impulse line for the 2B EDO is -21.3 m (70 ft) long. The licensee indicated in the LER that this length is excessive.) The cool EDG room temperature added to the slow instrument response by increasing the viscosity of the oil in the instrument line. Because the low lube oil pressure trip signal is not bypassed on an emergency start of the EDGs, the failure was classified as a valid test failure.

The lowest recorded EDG room temperature in the 7 d preceding the EDO failure to start was 16.7 0C (62 0 F).

EDO room temperature was 20 0 C (68 0 F) just before the test. On March 6, 1996, the licensee determined that the 2B EDO should be considered inoperable with the current instrument line configuration when the EDG room temperature is < 71 OF and the before and after (B&A) lube oil pump is not running. Based on these criteria, all other station ED~s were determined to be operable at the time the 2B EDG failed its operating test. Based on a review of the log books containing the. EDG room temperature readings, the licensee calculated that the 2B EDO was susceptible to this type of failure for a total of 666 h. Because the B&A lube oil pump runs for 15 min during each hour, the licensee estimated that the 2B EDO was susceptible to this B.7-1 NUREG/CR-4674, Vol. 25

LER No. 370/96-002 ADDendix B type of failure only 75% of the time-a total of 499.5 h. Nuclear Regulatory Commission (NRC) inspectors, in NRC Inspection Report 50-370/96-02,2 noted that previous EDO trips occurred while the B&A lube oil pump was running. Therefore, the NRC inspectors discounted the assumption that running a B&A lube oil pump at the time of a start demand with the EDG room temperature below 21.7'C (71 0 F) would have prevented this type of failure of the EDO to start. The 2B EDG was susceptible to these failure conditions on numerous separate occasions through the winter (for a total of 666 h); however, there were only four occurrences of the potential failure conditions that exceeded the EDG Technical Specification Action Statement limit of 72 h. The NRC inspection report' tallied the, total amount of time for the four occurrences that the room temperature dropped below 21.7C (71 'F) and determined that the four susceptibility periods totaled 540 h.

B.7.3 Additional Event-Related Information Mc~uire "Nuclear Station maintains a Safe Shutdown Facility (SSF) designed to provide an alternate and independent means to achieve and maintain hot standby conditions.' The facility includes an EDG that can be used to operate a positive displacement pump to supply seal injection water to the reactor coolant pump (RCP) seals, preventing an RCP seal loss-of-coolant accident (LOCA).. Credit for the SSF is included in the ASP models via a separate top event in the LOOP event tree.

The most important recovery action with respect to this condition assessment is the possibility of restoring ac power to Unit 2 from Unit I via a cross-tie, given a station blackout at Unit 2. Because procedures exist detailing this operation, it is considered a viable option. Recovery via the cross-tie is included as a basic event imbedded in several LOOP event fault trees.

There was a brief period (5.3 h) when both EDGs were technically out of service due to maintenance activities on Motor Control Center IEMXH-1, which affected ventilation. The 2A EDG was functionally available and would have performed its design function. Technical Specifications allow both EDGs to be out of service for up to 8 h.

B.7.4 Modeling Assumptions Similar to the licensee's an alysis of this event,' the failure probability of the 2B EDO was set to 1.0 (TRUE) for this condition assessment. The duration was set to 540 h per the NRC inspection report since previous EDO trips occurred while the B&A fuel oil pump was running. Sensitivity studies are examined for the total time (666 h) the 2B EDO was determined to meet the low temperature criteria and the discounted time (499.5 h) the 2B EDO was determined to be unavailable based on the hourly B&A pump operation.

The licensee suggested that if an actual failure to start occurred under circumstances similar to the conditions that existed since February 6, then a second start attempt would likely be successful.'

• Therefore, the emergency power nonrecovery probability (EPS-XHE-NOREC) was adjusted from 1.0 to 0.34, as shown in Table B.7. 1, to reflect the fact that the equipment appeared recoverable and was accessible (Recovery Class 2).

NUREG/CR-4674, Vol. 25 B.7-2 72

Annendix B LER LER No.

No. 370/96-002 370/96-002 Anoendix B Tbe 2B EDG failure appears to be a failure mode uniqu e to the physical setup of the lube oil pressure instrumentation lines On the 2B EDG. A similar failure of the 2A EDG was documented by special report 25 months earlier.' The length of time between events and, consequently, the number of successful surveillance tests between events indicates that the two failures were random rather than having any common-cause effects. Consequently, the common-cause failure probability for the EDGs was not adjusted from the nominal value of 1.1 x 10-' shown in Table B.7. 1.

During the 5-h period that both EDGs were declared unavailable, the 2A EDG was functionally available and would have performed its design function. This 5-h period was not considered separately when calculating the increase in the CDP over the entire 540-h period because the importance (i.e., the increase in the CDP) is less than the ASP cut-off value of 1.0 x106 Credit for the SSF at McGuire was accounted for by adding a fault tree at the SSF branch point in the LOOP event tree shown in Fig. B.7. 1. The nominal probability of SSF failure is 0.36 based on information in the plant's Individual Plant Examination.' 'The nominal SSF failure probability is derived from the failure probabilities, listed in Table B.7.I1, for the basic events SSF EDG Fails (SSF-DGN-FC- 1), Operator Fails to Start SS;FEDG Within JO Minutes (SSF-XH-E-XM-DGN), and SSF UnavailableDue to Maintenance (SSF-XHE-MAINT).

Additionally, ac power to the emergency buses was recoverable by implementing a cross-tie to Unit 1. Based on a telephone conversation with the licensee,' it was assumed that personnel could cross-tie the power buses at Unit 1 with the buses at Unit 2 in less than I h 50% of the time, and within 2 h 95% of the time. The recovery of power by implementing a cross-tie to Unit I was modeled by adding the basic event Failure to Cross-Tie Emergency Power Within 90 Min (OEP-XI-IE-XTIE) to the McGuire fault trees for failure to recover power before the core uncovering given an RCP seal LOCA (OP-SL) and before battery depletion given no seal LOCA (OP-BD). Failure to cross-tie to Unit I was modeled as a time-reliability correlation (TRC) as described in Ref. 7. The probability distribution for this TRC is lognormal, with an error factor of 2.0 based on the licensee time estimates.6 The median response time of 60 min was assumed to include any delays in initiating the cross-tie procedure. Without power, a seal LOCA was assumed to occur after 60 min, and the core would begin to uncover in an additional 30 min. The probability of crew failure at 90 min, estimated using this TRC and response time, is 0. 17.

The actions to man the SSF and to cross-tie emergency power were assumed to be independent for this analysis. This assumption would have to be confirmed for an event occurring outside the day shift because it is unknown if sufficient personnel would be available during the period between 5:00 p.m. and 8:00 a~m.

to perform all the necessary actions in parallel.

B.7.5 Analysis Results The increase in the CDP (i.e., the importance) over a 540-h period for this event is 1.8 x 10'. This is an increase over the nominal CDP of 1.2 x 10'. The dominant core damage sequence for this event (sequence 41 on Fig. B.7.l1) involves a postulated LOOP, NUREG/CR-4674, Vol.25 B.7-3 NUREG/CR-4674, Vol. 25

LER No. 370/96-002 ADDendix B 0 a successful reactor trip,

• failure of emergency power, and

• failure of the auxiliary feedwater (AFW) system.

This sequence accounts for 38% of the total contribution to the increase in the CDP. Sequences 29 and 39 are similar, but LOOP sequence 39 involves a power-operated relief valve (PORV) lift and successful reclosure. Combined, these two sequences account for an additional 36% of the total contribution to the increase in the CDP (Table B.7.2). Core damage in these two sequences (29 and 39) is the result of a failure of the SSF and a resulting seal LOCA. Core damage results from battery depletion in two additional sequences (16% of the increase in the CDP) and results from a failure of a PORV to reclose in one other sequence (8% of the increase in the CDP).

The increase in the CDP over a 666-h period for this event is 2.2 x 10' if the 2B EDG is assumed to be inoperable for the collective total time the 2B EDG room temperature was below 21.7 "C (71'F) as reported by the licensee. This is an increase over the nominal CDP for 666 h of 1.5 x 10'. The dominant core damage sequence for this sensitivity case study is the same as it is for the 540-h analysis. Similarly, if a 499.5-h period is assumed (as the licensee contends is the most appropriate period when-the operation of the B&A pump is considered), the increase in the CDP is 1.6 x 10.6 over the nominal CDP for 499.5 h of 1.1 x 10 -6.

These sensitivity studies show that there is not much difference with respect to the CDP between an unavailability of 499.5, 540, and 666 h.

Definitions and probabilities for selected basic events are shown in Table B.7. 1. The conditional probabilities associated with the highest probability sequences are shown in Table B.7.2. Table B.7.3 lists the sequence logic associated with the sequences listed in Table B.7.2. Table B.7.4 describes the system names associated with the dominant sequences. Minimal cut sets associated with the dominant sequences are shown in Table B.7.5.

B.7.6 References

1. LER 370/96-002, Rev. 0, "Past Inoperability of Emergency Diesel Generator 2B Due to Low Lube Oil Pressure Caused by Unanticipated Interaction of Systems and Components," March 29, 1996.

2. NRC Inspection Report No. 50-370/96-02, Inspection Conducted: March I1I - April 1, 1996.

3. FinalSafety Analysis Report, McGuire Nuclear Station.

4. Duke Power Company, Diesel GeneratorSpecial Report, McGuire NuclearStation, Special Report 94-01 (PIP 2-M94-0242), March 15, 1994.

5. McGuire Nuclear Station, IndividualPlantExamination.

6. Conference call with McGuire licensing and probabilistic risk assessment staff, September 11, 1997.

7. E. M. Dougherty and J. R. Fragola, Human Reliability Analysis, John Wiley and Sons, New York, 1988.

NUREG/CR-4674, Vol. 25 B.74

LER No. 370/96-002 LRN.309-0 Appendix B

'U 0I1 00000000000OO0UO00UO00O00O0OUO00O00O0UU(00U nj4A ;1 1';

H 2::V~- VV t e A% 9R; ý ci uJ CD

~I I Ui iii Ii'~

Ii I I

'Ii III, w cf)(-

iiI! ILl w

~uI! 0 F- 0 0 0i iiIi~ 0 I

1. 5 2 Iii I T7 Fig. B.7. 1. Dominant core damage sequence for LER No. 370/96-002.

NUREG/CR-4674, Vol. 25 B.7-5 NUREG/CR-4674, Vol. 25

LER No. 370/96-002 AoDendix B Table B.7.1. Definitions and Probabilities for Selected Basic Events for LER No. 370/96-002 Modified Event Base Current for this name Description probability probability Type event IE-L.OOP Initiating Event-LOOP 9.3 E-006 9.3 E-006 No IE-SGTR Initiating Event-Steam Generator 1.6 E-006 1.6 E-006 No Tube Rupture IE-SLOCA Initiating Event-SLOCA 1.0 E-006 1.0 E-006 No LE-TRANS Initiating Event-Transient 5.3 E-004 5.3 E-004 No (TRANS)

AFW-TDP-FC-IA Turbine-Driven AFW Pump Fails 3.2 E-002 3.2 E-002 No AFW-XHE-NOREC-EP Operator Fails to Recover AFW 3.4 E-00 1 3.4 E-00 I No

__________________During a Station Blackout (SBO)

EPS-DGN-C F-ALL Common-Cause Failure of EDGs 1.1 E-003 1.1 E-003 No EPS-DGN-FC-IA EDO A Fails 4.2 E-002 4.2 E-002 No EPS-DGN-FC-IB EDO B Fails 4.2 E-002 1.0 E+000 TRUE Yes EPS-XH-E-NOREC, Operator Fails to Recover 1.0 E+000 3.4 E-00 I Yes Emergency Power OEP-XHE-NOREC-BD Operator Fails to Recover Offsite 9.7 E-002 9.7 E-002 No Power Before Battery Depletion OEP-XHE-NOREC-SL Operator Fails to Recover Offsite 7.4 E-00 1 7.4 E-00 I No Power During a Seal LOCA OEP-XHE-XTIE Failure to Cross-Tie ac Power 1.7 E-00 1 1.7 E-00 I NEW No From the Opposite Unit PPR-SRV-CO-SBO PORVs Open During an SBO 3.7 E-00 1 3.7 E-00 I No PPR-SRV-00-PRVI PORV I Fails to Reclose 2.0 E-003 2.0 E-003 No PPR-SRV-OO-PRV2 PORV 2 Fails to Reclose 2.0 E-003 2.0 E-003 No PPR-SRV-OO-PRV3 PORV 3 Fails to Reclose 2.0 E-003 2.0 E-003 No RCS-MDP-LK-SEALS RCP Seals Fail Without Cooling 2.3 E-O001 2.3 E-00lI No and Injection Water SSF-DGN-FC-1 SSF EDO Fails 2.0 E-001 2.0 E-00 I NEW No SSF-XHE-MAINT SSF Unavailable Due to 6.1 E-002 6.1 E-002 NEW No Maintenance SSF-XHE-XM-DGN Operator Fails to Start SSF EDO 1.0 E-00 1 1.0 E-00 I NEW No IWithin 10 MinIm Vol.25 B.7-6 NUREG/CR-4674, Vol. 25 B.7-6

ADDendix B LER No. 370/96-002 A~~endix B LER No. 370/96-002 Table B.7.2,. Sequence Conditional Probabilities for LER No. 370/96-002 Conditional Event tree Sequence core damage Core damage Importance Percent name number probability probability (CCDP-CDP) contribution" (CCDP) (CDP) _____

LOOP 41 8.0 E-007 1.2 E-007 6.7 E-007 38.3 LOOP 29 4.8 E-007 7.6 E-008 4.0 E-007 23.0 LOOP 39 2.8 E-007 4.4 E-008 2.3 E-007 13.4 LOOP 22 2.1 E-007 3.3 E-008 1.7 E-007 10.1 LOOP 40 1.6 E-007 2.5 E-008 1.3 E-007 7.7 LOOP 32 1.2 E-007 1.9 E-008 1.0 E-007 5.9 Total (all sequences) 3.0 E-006 1.2 E-006 1.8 E-006

'Percent contribution to the total importance.

B.7-7 NUREG/CR-4674, Vol. 25

LER No. 370/96-002 ADDendix B Table B.7.3. Sequence Logic for Dominant Sequences for LER No. 370/96-002 Event tree name Sequence Logic number LOOP 41 /RT-L, EP, AFW-L-EP LOOP 29 /RT-L, EP, /AFW-L-EP, /PORV-SBO, SSF,

___________SEALLOCA, OP-SL LOOP 39 /RT-L, EP, /AFW-L-EP, PORV-SBO,

___________/PORV-EP, SSF, SEALLOCA, OP-SL LOOP 22 IRT-L, EP, /AFW-L-EP, /PORV-SBO, SSF,

___________/SEALLOCA, OP.-BD LOOP 40 /RT-L, EP, /AFW-L-EP, PORV-SBO, PORV-EP LOOP 32 IRT-L, EP, /AFW-L-EP, PORV-SBO,

___________/PORV-EP, 5SF, /SEALLOCA, OP-BD Table B.7.4. System Names for LER No. 370/96-002 System name Logic AFW-L-EP No or Insufficient AFW Flow During a Station Blackout EP Failure of Both Trains of Emergency Power OP-BD Operator Fails to Recover Offsite Power Before Battery Depletion OP-SL Operator Fails to Recover Offsite Power During a Seal LOCA PORV-EP PORVs Fail to Reclose (No Electric Power)

PORV-SBO PORVs Open During a Station Blackout RT-L Reactor Fails to Trip During a LOOP SEALLOCA RCP Seals Fail During a LOOP SSF Safe Shutdown Facility Failure NUREG/CR-4674, Vol. 25B7- B.7-8

AnDendix B LER No. 370/96-002 Table B.7.5. Co nditional Cut Sets for Higher Probability Sequences for LER No. 370/96-002 Cut set Percent number contribution CCDPO Cut sets" LOOP Sequence 41 8.0 E-007 ......... ,  ::.

1 96.8 7.8 E-007 EPS-DGN-FC- IA, EPS-DGN-FC- IB, EPS-XHE-NOREC.

AFW-TDP-FC- IA. AFW-XHE-NOREC-EP 22.6 2.0 E-008 EPS-DGN-CF-ALL, EPS-XHE-NOREC, AFW-TDP-FC-1A, I_________ ________AFW-XHE-NOREC-EP LOOP Sequence 29 4.8 E-007 ......

1 53.9 2.6 E-007 EPS-DGN-FC- IA, EPS-DGN-FC- IB, EPS-XHE-NOREC.

/PPR-SRV-CO-SBO, SSF-DGN-FC- I, RCS-MDP-LK-SEALS.

OEP-XHE-NOREC-SL. OEP-XHE-XTIE 2 27.0 1.3 E-007 EPS-DGN-FC-IA. EPS-DGN-FC-IB, EPS-XHE-NOREC,

/PPR-SRV-CO-SBO. SSF-XHE-XM-DGN, RCS-MDP-LK-SEALS, OEP-XHE-NOREC-SL, OEP-XHE7XTIE 3 16.5 8.0 E-009 EPS-DGN-FC- IA, EPS-DGN-FC- IB, EPS-XHE-NOREC,

/PPR-SRV-CO-SBO, SSF-XHE-MAINT. RCS-MDP-LK-SEALS.

OEP-XHE-NOREC-SL, OEP-XHE-XTIE OEP-XHE-OREC-S. .EP......I 3OO 16.5nc 49.6 E-007 ..........IA X-IENO EC .............-

1 53.9 1.1 E-007 EPS-DGN-FC-IA, EPS-DGN-FC-IB. EPS-XHE-NOREC.

/PPR-SRV-CO-SBO, SSF-DGN-FC- 1, /RCS-MDP-LK-SEALS, OEP-XHE-NOREC-BD. OEP-XH-E-XTIE 2 27.0 5.7 E-008 EPS-DGN-FC-lA, EPS-DGN-FC-lB, EPS-XHE-NOREC, IPPR-SRV-CO-SBO, SSF-XHE-XM-DGN, IRCS-MDP-LK-SEALS,

__________________ ________OEP-XI-E-NOREC-BD, OEP-XHE-XTIE B.7-9H-OE-L NUREG-R-474, ol.2 B.7-9 NUREG/CR-4674, Vol. 25

LER No. 370/96-002 Appendix B Table 13.7.5. Conditional Cut Sets for Higher Probability Sequences for LER No. 370/96-002 (Continued)

Cut set Percent number contribution CCDpa Cut setsb 3 16.5 3.5 E-008 EPS-DGN-FC-1A. EPS-DGN-FC-IB, EPS-XHE-NOREC, IPPR-SRV-CO.-SBO, SSF-HE-MAINT, IRCS-MDP-LK-SEALS, OEP-XHE-NOREC-BD, OEP-XHE-XTIE LOOP Sequence 40 1.6 E-007 1 32.5 5.3 E-008 EPS-DGN-FC-1A, EPS-DGN-FC- IB,EPS-XI-E-NOREC, PPR-SRV-CO-SBO, PPR-SRV-00-PRV 1 2 32.5 5.3 E-008 EPS-DGN-FC-1A, EPS-IX3N-FC-1B, EPS-XHE-NOREC, PPR-SRV-CO-SBO, PPR-SRV-OO-PRV2 3 32.5 5.3 E-008 EPS-DGN-FC-1A, EPS-DGN-FC-1B, EPS-XHE-NOREC.

PPR-SRV-CO-SBO. PRSSFXH-XM-DG, RS-D-L-EAS B....- H -X I 3 32. 0 2.0..... RV..-

IA .-

C -S.R E.P....FC

... .E.S....

N-C-B ........

..- O ....-H -M .. I T C..MD..

..... P-L............-......

L ,.....

H - .E.

OIOE...........................

E - L Total....... 3.0...al.. sequences .. ........

'The CCDP is determined by multiplying the probability that the portion of the sequence that makes the precursor visible (e.g., the system with a failure is demanded) will occur during the duration of the event by the probabilities of the remaining basic events in the minimal cut set. This can be approximated by I - e-', where p is determined by multiplying the expected number of initiators that occur during the duration of the event by the probabilities of the basic events in that minimal cut set. The expected number of initiators is given by It, where I is the frequency of the initiating event (given on a per-hour basis), and t is the duration time of the event (540 h). This approximation is conservative for precursors made visible by the initiating event. The frequency of interest for this event is 1 LOOP= 9.3 x 10 -/h. The importance is determined by subtracting the CDP for the same period but with plant equipment assumed to be operating nominally.

b Basic event EPS-DGN-FC-I11 is a type TRUE event. This type of event is not normally included in the output of the fault tree reduction process but has been added to aid in understanding the sequences to potential core damage associated with the event.

B.7-I 0 NUREG/CR-4674, Vol.25 NUREG/CR-4674, Vol. 25 B.7-1 0