ML20135G980
| ML20135G980 | |
| Person / Time | |
|---|---|
| Site: | Millstone  |
| Issue date: | 05/14/2020 |
| From: | Christopher Hunter NRC/RES/DRA/PRB |
| To: | |
| Littlejohn J (301) 415-0428 | |
| References | |
| LER 423-1991-011 | |
| Download: ML20135G980 (6) | |
Text
B-458 ACCIDENT SEQUENCE PRECURSOR PROGRAM EVENT ANALYSIS LER No.: 423/91-011 Event
Description:
Both trains of HPSI inoperable due to relief valve failures Date of Event: April 10, 41991 Plant: Millstone 3 Summary During testing of the high-pressure safety injection (HPSI) system while in Mode 3, the "A" HPSI relief valve lifted and would not reseat until the running HPSI pump was stopped. Flow loss through the stuck-open valve was 79 gpm. An investigation determined that the incident occurred because the design relief valve set pressure was too close to system operating pressure. A similar condition existed with the "B" HPSI relief valve; however, it was "gagged shut" during the test to prevent it from lifting, and therefore no failure of the "B" valve was noted. Had both valves lifted during accident conditions, the system would have been unable to perform its safety function.
The conditional core damage probability for this event is conservatively estimated to be 8.1 x 10 -4. The relative significance of the event compared to other postulated events at Millstone 3 is'shown below.
LER 423/91
-011 \
1E-7 1E-6 1E-5 IE-4 1E31E-2 11I TripLOFW +1 MTR pjFW L LCooP precursor cutoff ..J 360 AFW Event Description While the plant was in Mode 3, at 557'F and 2250 psia, a leak test surveillance procedure was initiated on the HPSI system. This test involved aligning "A" HPSI pump via a test line to the space between two check valves at the point where HPSI is supplied to reactor coolant system (RCS) loop 4 hot leg. Because of gradual leakage past the check valve closest to the RCS, the pressure between the two check valves was above 1765 psia, the setpoint of the relief valve protecting the "A" HPSI train. When the test line isolation
B-459 valve was opened, the "A" relief valve lifted and began relieving approximately 79 gpm.
It continued to relieve until the pump was stopped.
The utility stated that the root cause of the event was a design deficiency. The HPSI relief valve setpoints were at values only slightly above normal operating pressures.
Perturbations in system pressure, including those resulting from operation at minimum flow conditions, would result in lifting of the relief valves. Noting that the plant design basis allows for no more than 50 gpm of loss from the system during accident operation, the utility indicated that the relief valve is expected to relieve only 40 gpm at pressures in the range of its 1765 psia setpoint. As system pressure should have promptly returned to this range once the test line was aligned and the relief valve lifted, it is unclear why a flow rate of 79 gpm was observed.
During the course of the test, the "B" train relief valve was "gagged" closed to prevent it from opening. As the setpoint of the "B" valve was the same as the "A" valve, it is reasonable to presume that it would also have opened if exposed to the system pressures observed. The utility noted that a number of similar failures have occurred in the past as, a result of pressure surges, valve manipulations, and surveillance testing.
ASP Modeling Assumptions and Approach As this failure could have occurred during any accident sequence in which HPSI was actuated while .RCS pressure exceeded 1750 psig, "A" train of HPSI was assumed to be inoperable.. The "gagging" of the "B" train relief valve corresponding to the failed valve on the "A" train implies that a similar failure mode was expected for the "B" train valve, had it been tested. The "B" train of HPSI was therefore also modeled as inoperable.
The unavailability period is difficult to estimate for this event. It is possible that the relief valve lift was caused by the system lineup used for testing, combined with backleakage through an injection line check valve. However, the LER noted a number of similar failures had previously occurred, and indicated that the problem was a result of relief valve setpoints too close to system operating pressure. In this case, the HPSI unavailability may have existed since initial criticality. For this analysis, a long-term unavailability of HPSI was assumed to have existed. To estimate the relative significance of the event within a 1-yr observation period (the interval being evaluated in this report),
a 1-yr unavailability period was utilized (6132 h, assuming the plant was critical or at hot shutdown for 70% of the year).
Although the current Accident Sequence Precursor (ASP) model for Millstone 3 does not include use of the charging pumps as an alternate to the UPSI pumps for safety injection (SI) and bleed and feed, these pumps can be used for this purpose. The two normally available charging pumps were assumed capable of providing successful SI and feed and bleed for this analysis. The failure probability for high-pressure injection and feed and
B-460 bleed was estimated assuming that the nonrunning charging pump had to start [.01] and one of the two isolation valves to the refueling water storage tank, volume control tank, and RCS cold legs had to operate [3 x .01 x .11. Based on screening probabilities used in the ASP Program, this failure probability is estimated to be 1.3 x 10-2.
Note that while flow through the relief valves during injection would render the HPSI ineffective (requiring the charging pumps for injection), flow through the relief valves after sump switchover to high-pressure recirculation (HPR) would result in loss of containment sump inventory and eventual failure of HPR. This situation could be detected through changes in level indication in auxiliary building tanks and sumps and in the containment sump. The HPSI pumps would have to be tripped and the charging pumps used for HPR as well. Because of the length of time available for this action, an operator failure probability of 0. 12 was assumed (see Appendix A for a description of the operator action failure probabilities used in the ASP analysis).
Alternately, the plant could be cooled down and placed on the residual heat removal (RHR) system, with makeup provided by the charging system (this action is not addressed in the current ASP models).
Analysis Results The conditional probability of subsequent core damage associated with this event was estimated to be 8.1 x 10-4, assuming the charging pumps would be effective for safety injection. The dominant core damage sequence, shown on the following event tree, involves a postulated loss-of-coolant accident ancý I-PR failure.
If the plant was cooled down and placed on the RHR system prior to draining the refueling water storage tank, the need for HPR would be eliminated (makeup using the charging system would still be required). Considering the RHR system as an alternate means of decay heat removal reduces the conditional core damage probability estimated for this event to 8.9 x 10-5. (Modeling changes to address the use of the RHR system as an alternate means of decay heat removal following a small-break LOCA are currently being considered in the ASP program.)
B-461 LCCA RT IAFW MFW HPI HPR PORV ICSR SEQ END I I I I II OPENI NO STATE OK 80 CD 71 CD 72 CD OK 81 CD 73 CD 74 CD OK 82 CD 75 CD 76 CD 77 CD 78 ATWS Dominant core damage sequence for LER 423/91-011
B-462 CONDITIONAL CORE DAMAGE PROBABILITY CALCULATIONS Event Identifier:, 423/91-011 Event
Description:
Roth trains of UPSI unavailable (CPa provide success)
Event Date: 04/10/91 Plant: Millstone 3 UNAVAILABILITY, DURATION- 6132 NON-RECOVERAB3LE INITIATING EVENT PROBABILITIES TRANS 2 .9E+00 LOOP 3. 6E-02 LOCA 6 .3E-03 SEQUENCE CONDITIONAL PROBABILITY SUMS End State/Initiator Probability CD TRANS l.8E-06 LOOP 4 .7E-06 LOCA 8 .OE-04 Total S .lEZ-04 ATWS TRANS 0.OE+00 LOOP 0 .OE+00 LOCA 0 .OE+00 Total 0 .OE+00 SEQUENCE CONDITIONAL PROBABILITIES (PROBABILITY ORDER)
Sequence End State P rob N Rec**
71 loca -rt -afw -HPI NPR/-HPI CO 7 .4E-04 4 .3E-0l 72 loca -rt -afw (PI CO 6 .3E-05 3. 6E-01
-* non-recovery credit for edited case SEQUENCE CONDITIONAL PROBABILITIES (SEQUENCE ORDER)
Sequence End State P rob N Rec**
71 loca -rt -afw -(API NPR/-NPI CO 7 .4E-04 4 .3E-01 72 loca -rt -afw (PI CD 6.3E-05 3. SE-01
-*non-recovery credit for edited case Note: For unavailabilities, conditional probability values are differential values which reflect the added risk due to failures associated with an event. Parenthetical values indicate a reduction in risk compared to a similar period without the existing failures.
SEQUENCE MODEL: c:\asp\1989\pwraseal.cmp BRANCH MODEL: c:\asp\19S9\millstn3.sll PROBABILITY FILE: c: \asp\19S9\pwrbsll.pro Event Identifier: 423/91-011
B-463 No Recovery Limit BRANCH FREQUENCIES /PROBABILITIES Branch System Non-Recov Opr Fail trans 4 .6E-04 1. 02+00 loop 1.82-05 3.3F-01 loca 2 .42-06 4.3E-01 rt 2 .SE-04 1.22-01 rt/loop 0 .OE+00 1.02+00 eme rg .power 2. 9E-03 8. 02-01 a iw 3 .BF-04 2.6F-01 afw/emerq .power 5 .OE-02 3. 42-01 mfw 2. 02-01 3. 4E-01 porv.or. srv.chall 4 . OE-02 1.02+00 porv.or. srv.reseat 2.OE-02 1 .12-02 porv.or. srv.reseat /emerg .power 2 .OE-02 1.0c+00 seal. loca 3. 5E-01 1. 02+00 ep. rec (al) 7 .6E-01 1.024+00 ep. rec 1. 5E-Si 1 .02+00 HP I l.OE-03 > 1.3E-02 a 8.42-01 Branch Model: 1.OF.2 Train 1 Cond Prob: 1. OE-02 Train 2 Cond Prob: 1.OE-0l HPI (F/B) 8. 4E-01 1.02-02 Branch Model: 1.OF.2+opr Train I Cond Prob: 1.02-02 Train 2 Cond Prob: l.OE-01 porv. open 1. OE-02 1. 0E+0O 4.02-04 HPR/-HPI 1.5E-04 > l.5E-04 1. 0E+00 1.02-03 > 1.2E-01 Branch Model: 1.OF.2+opr Train 1 Cond. Prob: l.OE-02 Train 2 Cond Prob: 1.5E-02 cs r 9.3E-05 1.02+00
'branch model tile Sforced Minarick 08-31-1992 10:17:05 Event Identifier: 423/91-011