ML20135H301

Final ASP Analysis - Palo Verde 2 (LER 529-93-001)
Person / Time
Site: Palo Verde (Arizona Public Service)
Issue date: 05/14/2020
From: Christopher Hunter
NRC/RES/DRA/PRB
To:
Littlejohn J (301) 415-0428
References
LER 529-1993-001


Text

A.15 LER No. 529/93-001

Event Description: Steam Generator Tube Rupture
Date of Event: March 14, 1993
Plant: Palo Verde 2

A.15.1 Summary

On March 14, 1993, Palo Verde 2 was at 98% power when a 240-gal/min tube rupture occurred in steam generator (SG) 2. The reactor was manually tripped, and safety injection (SI) plus containment isolation actuated on low-pressurizer pressure. As a result of a defective radiation monitor, high alert and alarm set points on two radiation monitors, isolation of the SG blowdown radiation monitors by the SI actuation, and inadequate procedure implementation, the diagnosis of the tube rupture was delayed for an hour. The ruptured generator was identified and isolated 3 h after the tube rupture occurred, and the unit was placed in cold shutdown. The conditional core damage probability estimated for this event is 4.7 x 10^-5. The relative significance of this event compared to other postulated events at Palo Verde is shown in Fig. A.15.1.

[Figure not reproduced: logarithmic scale from 1E-7 to 1E-2 showing LER 529/93-001 against the precursor cutoff and the reference events TRIP, 360 h EP, 360 h AFW, and LOFW & 1 MTR AFW.]

Fig. A.15.1 Relative event significance of LER 529/93-001 compared with other potential events at Palo Verde 2

A.15.2 Event Description

On March 14, 1993, at 0434 hours, Palo Verde 2 was operating at 98% power. A steam generator tube rupture (SGTR) occurred in SG 2. The rupture of the SG tube, caused by intergranular stress corrosion cracking, resulted in a reactor coolant system (RCS) leak rate of ~240 gal/min. Indication of SG 2 tube leakage had existed for about a month (the calculated leak rate prior to the rupture was 10 gal/d). SG 2 main steam line radiation monitor, RU-140, alarmed at the time of the rupture. A third charging pump was started, and the backup pressurizer heaters were energized in an attempt to recover pressurizer level and pressure. At 0438 hours (+ 4 min), an alarm was also received on auxiliary steam condensate receiver tank radiation monitor, RU-7.

Earlier in the evening, the gas stripper had been placed in service to degas the RCS in preparation for an upcoming refueling outage. An interfacing system loss-of-coolant accident (LOCA) through the gas stripper was recognized as a potential source of the RCS leakage, as was an SGTR; both of these would result in radiation monitor actuation. No indications existed that the LOCA was inside containment, although the tailpipe temperature on one pressurizer relief valve was high (caused by previously existing leakage). At 0440 hours (+ 6 min), the operators isolated letdown flow in an attempt to stop the leak (a leaking gas stripper would have been isolated by this action). To minimize radiation release to the environment if the leak was an SGTR, steam bypass control valves 1007 and 1008 were removed from service, and the condensate draw-off controller was disabled.

At 0447 hours (+ 13 min), pressurizer level had dropped to 26%, and the pressurizer heaters deenergized. The reactor was manually tripped due to low pressurizer level and pressure. Safety injection actuation system (SIAS) and containment isolation actuation system (CIAS) actuations occurred 22 s later due to low pressurizer pressure. The RU-140 alarm cleared shortly after the trip; this was inconsistent with simulator scenarios, where RU-140 alarms late in an SGTR. (It is thought that RU-140 alarmed due to N-16. Because N-16 production ceased once the reactor was tripped, RU-140 cleared at that time.) The two SG blowdown radiation monitors, RU-4 and RU-5, were rendered ineffective when the blowdown lines were isolated by the SIAS signal. RU-4 and RU-5, along with RU-141 (the condenser vacuum exhaust monitor), are the primary indicator alarms for an SGTR. RU-141 was later determined to be reading a factor of 6 low due to a deteriorated scintillation crystal (caused by elevated temperatures from heat tracing; RU-141 had a history of operability problems before the tube rupture). The unavailability of RU-4, RU-5, and RU-141 impacted diagnosis of the SGTR. In addition, the alarm set points for RU-140 and RU-141 were based on not exceeding regulatory dose limits at the site boundary, a high value relative to the expected readings that would indicate an SGTR. This further complicated diagnosis of the event.

Following the reactor trip (RT) and SI, the operators stopped two of the four reactor coolant pumps (RCPs). High-pressure SI (HPSI) restored pressurizer level to ~4 to 8% at 0449 hours (+ 15 min). When operator actions to regain control of pressurizer level and pressure were not successful, the control room supervisor (CRS), using the Palo Verde emergency operations procedure diagnostic logic tree (DLT), diagnosed a RT; plant conditions did not allow diagnosis of a more specific recovery procedure. However, the entry conditions for the RT recovery procedure could not be met because pressurizer level was not greater than 10%. The event was rediagnosed; as before, a RT was indicated, but the entry conditions were still not satisfied. At 0502 hours (+ 28 min), the CRS entered the functional recovery procedure (FRP) due to inconclusive diagnosis using the DLT. The diagnosis of an SGTR was not made using the DLT (even though it was suspected) because Palo Verde used a "snap-shot" approach while proceeding through a procedure. Only the plant conditions at the specific time of a procedure step were considered, and not previous alarms or trends (the radiation monitors that had alarmed early in the event had cleared by the time the procedure steps concerning them were encountered).

The FRP directed the operators to align the charging pump suctions directly to the refueling water tank (RWT) and close the volume control tank outlet valve. Charging pump "E" tripped on low-suction pressure. Its suction was aligned to an alternate boration flow path in accordance with the FRP, and the pump was restarted. Postevent analysis concluded that inadequate charging pump suction pressure existed because three charging pumps plus a boric acid pump were taking suction from a common 3-in.-diameter pipe. At 0520 hours (+ 46 min), the operators restored SG blowdown radiation monitors RU-4 and RU-5 as directed by the FRP. These monitors had been isolated by the SIAS signal. RU-5 alarmed 9 min later, and 2 min after that RU-141 reached its alert set point. These signals allowed confirmation of the SGTR.

The CRS continued through the FRP, placing systems in normal shutdown alignments. The licensee stated in the LER that it was the CRS's intent to proceed through the FRP, depressurizing the RCS and using HPSI to restore pressurizer level. Restoration of pressurizer level would allow the FRP to be exited and the DLT to be used to diagnose the SGTR. This was different from the SGTR response strategy in the FRP, where indication of an SGTR is found at step 3.21. When step 3.21 was encountered, the radiation monitors were not alarming (although they had been 5 min earlier), and the SGTR attachment to the FRP was not utilized.

At the time of the event, the Palo Verde procedures differed from the Combustion Engineering "Emergency Procedure Guidelines" (CEN-152) in two ways that also complicated diagnosis of the SGTR: (1) radiation alarm indications were used rather than secondary activity trends to aid diagnosis, and (2) a floating step to continuously check for secondary-side activity as an indication of an SGTR did not exist (the FRP checked for secondary activity only once).

At 0604 hours (+ 90 min), an RCS cooldown to 545°F and a depressurization to 1500 psia were begun. HPSI flow increased as the RCS depressurized. Pressurizer level was restored to 33%, RCS temperature and pressure were stabilized, the acceptance criteria for the FRP pressure and inventory control safety function success path were met, and the FRP was exited at 0624 hours (+ 114 min). The DLT was again performed, an SGTR was diagnosed, and the SGTR recovery procedure was entered at 0645 hours (+ 131 min). Palo Verde 2 then performed a crew turnover. At 0721 hours (+ 167 min) the RCS cooldown was restarted in accordance with the SGTR procedure. SG 2 was isolated at 0728 hours, 3 h after the tube rupture occurred. The unit was subsequently placed in cold shutdown. Use of the FRP to mitigate the event, instead of the normal SGTR procedure, resulted in significantly longer times to isolate the ruptured SG and depressurize the RCS. Recovery was delayed and complicated, following the tube rupture, because of poor procedure implementation, inappropriate radiation monitor calibration for the conditions experienced, and a degraded radiation monitor. Further complicating recovery, the qualified safety parameter display system channel "A" core exit thermocouples were reading ~25°F high, causing subcooled margin to be indicated as question marks (inconsistent data).

A.15.3 Additional Event-Related Information

Palo Verde 2 is a two-loop pressurized-water reactor (PWR) manufactured by Combustion Engineering. Each loop includes two RCPs and one U-tube SG. The Palo Verde auxiliary feedwater (AFW) system consists of two safety-related pumps (one motor- and one turbine-driven), plus one nonsafety-related motor-driven pump. Each pump can supply both SGs.

Additional information concerning this event is included in Augmented Inspection Team report No. 50-529/93-14, dated April 15, 1993.

A.15.4 Modeling Assumptions

The event has been modeled as a primary-to-secondary side LOCA (SGTR), with the potential failure to diagnose the SGTR addressed within the model. Because an SGTR is not included within the normal set of ASP models and no SGTR has been previously analyzed for the ASP plant class associated with Palo Verde (PWR Class H), a model specific to the event at Palo Verde was developed. The event tree depicting potential sequences to core damage is shown in Fig. A.15.2. The event tree includes the following branches:

INIT EVENT (SGTR). Initiating event. The initiating event is a primary-to-secondary side break with a flow rate sufficient to require HPSI for RCS makeup.

RT. Reactor trip. Failure to trip results in an anticipated transient without scram (ATWS) sequence and is not developed further.

HPSI. HPSI is required to provide RCS makeup following the break. Flow from one of the two HPSI pumps is required for success. Failure of HPSI requires rapid RCS depressurization and the use of low-pressure safety injection (LPSI) for RCS makeup.

AFW. AFW provides RCS cooling via the SGs. In the event of failure of the three AFW pumps, RCS cooling can be provided using a condensate pump following depressurization of the SGs to < 500 psi using the atmospheric dump valves (ADVs) or turbine bypass valves (TBVs).

RCS DEPRESS AND LPSI. RCS depressurization and LPSI. If HPSI fails, LPSI can provide RCS injection if the RCS is depressurized. This requires AFW flow to both SGs and the use of one-of-two ADVs on each SG or two of the eight TBVs for depressurization. In addition, two of the four SI tanks (SITs) must supply water to the RCS during the cooldown to prevent core uncovery.

SGTR IDENT. SGTR identified. This branch addresses the operator's potential success or failure in identifying the tube rupture. If the tube rupture is successfully identified, as it eventually was in this event, nominal post-SGTR response is modeled. If the operators fail to identify the tube rupture, the event tree addresses two actions that will still provide core protection: RCS depressurization and implementation of shutdown cooling (SDC), or continual HPSI with RWT makeup after ~40 h (based on the leak rate observed during the event).

RUPTURED SG ISOL. Ruptured SG isolated. Once the tube rupture is identified, the faulted SG is isolated by closing both main steam isolation valves (MSIVs), the AFW and main feedwater (MFW) injection valves, and the ADVs on the impacted SG. RCS pressure is reduced to below the SG relief valve set point, terminating almost all RCS flow through the break. At this point the tube rupture is considered mitigated. If the ruptured SG is not isolated, the RCS must be depressurized and placed on the SDC mode to terminate flow from the break.

DEPRESS TO SDC. RCS depressurization to the SDC initiation pressure. Either the ADVs or TBVs associated with the intact (nonfaulted) SG must be used, along with pressurizer pressure control, to depressurize the RCS to SDC entry conditions.

SDC. If the RCS is depressurized to SDC entry conditions, then the SDC system can be used to remove decay heat and cool the unit to cold shutdown conditions. Initiation of SDC (one of two LPSI pumps and its associated SDC heat exchanger) provides success.

RWT REFILL. RWT refill. If SDC initiation is unsuccessful, the RCS remains pressurized, and makeup flow must be continually provided. The RWT will have to be eventually refilled to prevent the failure of HPSI. For a break of the size observed during this event, RWT refill must occur ~40 h into the event.

In the event of an SGTR, the expected plant response (seen during this event) is shown on the top sequence in Fig. A.15.2. Following the tube rupture, the reactor trips. HPSI provides RCS makeup, and AFW provides core cooling via the SGs. When the ruptured SG is identified, it is isolated, and the good (intact) SG continues to be used for core cooling. Sequences that involve equipment failures or operator errors that can result in core damage are shown in Table A.15.1.

Table A.15.1. Sequence descriptions for SGTR event tree

Sequence  Description

101  Successful RT, HPSI, and AFW following the SGTR. The SGTR is identified, but the ruptured SG is not isolated. SDC fails following RCS depressurization to the SDC initiation pressure. The operators fail to make up to the RWT in the long term.

102  Similar to sequence 101 except RCS depressurization to the SDC initiation pressure fails

103  Successful RT, HPSI, and AFW following the SGTR. The SGTR remains unidentified, although the operators are aware of a LOCA outside containment and initiate RCS depressurization. SDC fails following RCS depressurization, and the operators fail to make up to the RWT in the long term.

104  Similar to sequence 103 except RCS depressurization to the SDC initiation point fails

105  Successful RT and HPSI following the SGTR. AFW (including SG depressurization and use of a condensate pump) fails.

106  HPSI failure following successful RT. AFW and the ADVs/TBVs are used to depressurize the RCS to the LPSI initiation pressure. LPSI and the SITs provide RCS makeup (at this point the RCS is at the SDC initiation pressure). SDC and long-term RWT refill fail.

107  Similar to sequence 106 except RCS depressurization or LPSI fails, resulting in a failure of RCS injection

108  Failure of HPSI and AFW following successful RT

109  ATWS sequence (not developed further); failure of RT following the SGTR

Failure probabilities assigned to the event tree branches were developed as follows (see Fig. A.15.2):

INIT EVENT (SGTR). Initiating event (SGTR). An SGTR occurred during the event. Because SGTRs cannot be recovered, a probability of 1.0 was assigned to this branch.

RT. Reactor trip fails. A probability of 3.0 x 10^-5 was used, consistent with other ASP analyses.

HPSI. HPSI fails. A probability of 8.4 x 10^-4 was used, consistent with other Palo Verde ASP analyses. This value was developed as described in Appendix A, Sect. A.1 of NUREG/CR-4674, Vol. 17, Precursors to Potential Severe Core Damage Accidents: 1992, A Status Report.

AFW. AFW fails. For sequences involving HPSI success, a probability of 1.1 x 10^-5 was used. This value was developed from the failure probabilities for AFW and SG depressurization and the use of a condensate pump if AFW fails. The development of failure probabilities for AFW, SG depressurization, and condensate are described in Appendix A, Sect. A.1 of NUREG/CR-4674. The overall AFW failure probability follows:

$$p[\mathrm{AFW} \mid \overline{\mathrm{HPSI}}] = p[\mathrm{AFW(nominal)}] \times p[\text{SG depress or condensate fails}]$$

$$= p[\mathrm{AFW(nominal)}] \times \{p[\text{SG depress}] + p[\mathrm{MFW} \mid \text{trip}] \times p[\text{condensate} \mid \mathrm{MFW}]\}$$

$$= 9.9 \times 10^{-5} \times [3.6 \times 10^{-2} + (0.2 \times 0.35)] = 1.1 \times 10^{-5}.$$

For sequences involving HPSI failure, RCS depressurization is addressed in conjunction with LPSI, and p[AFW(nominal)] was used for AFW fails:

$$p[\mathrm{AFW} \mid \mathrm{HPSI}] = 9.9 \times 10^{-5}.$$

RCS DEPRESS AND LPSI. Failure to depressurize the RCS and use the SITs and LPSI for RCS makeup given failure of HPSI. Branch failure will occur if the operators fail to initiate a secondary-side depressurization, if both LPSI trains fail, or if three of the four SITs fail to inject. Thermal-hydraulic calculations performed after the tube rupture indicate that 5 h is an acceptable time for depressurization and use of LPSI following a loss of both trains of HPSI. However, at the time that depressurization would have been required during the event, an SGTR had not been diagnosed. For some small-break LOCAs, depressurization must begin within 15 min.

To address this dichotomy, the branch failure probability was assumed to be dominated by operator failure to initiate the cooldown and depressurization. A failure probability of 0.12 was used (ASP Recovery class R13; see Sect. A.1.3 of Appendix A of NUREG/CR-4674, Vol. 17). An additional factor of 0.34 was then applied to address the potential for recovery from errors made during the initial depressurization.

SGTR IDENT. Operators fail to identify the tube rupture. Because of the problems with the radiation monitors and the event diagnosis using the DLT, the SGTR was not confirmed until 1 h after the event began. If the SGTR had not been identified, the analysis assumed that the operators would have proceeded to place the unit on SDC. Once on SDC, flow from the rupture would have been terminated, although the event would never have been correctly diagnosed. The probability of failing to identify the SGTR before SDC initiation was estimated by assuming that the observed time to identify (1 h) was the median of a lognormal distribution with an error factor of 3.2 [see Dougherty and Fragola, Human Reliability Analysis, John Wiley and Sons, New York, 1988, Chapter 10. This is the error factor for time reliability correlations for actions without hesitancy, which is considered appropriate based on the slowly evolving nature of the event]. The time to SDC initiation was assumed to be 3.5 h (CESSAR, Sect. 5.4.7.3), resulting in an estimated failure probability of 0.04.

RUPTURED SG ISOL. Failure to isolate the ruptured SG. Isolation requires closure of the MSIVs, isolation of MFW and AFW to the faulted SG, blocking the ADVs on that generator closed, and an RCS cooldown to reduce RCS pressure below the SG relief valve set point. A screening value of 0.01 was used in the analysis (sequences involving failure to isolate the ruptured SG do not contribute substantially to the core damage probability for the event).

DEPRESS TO SDC. Failure to depressurize the RCS to the SDC initiation pressure. The failure probability was assumed to be dominated by operator actions associated with the cooldown and depressurization (limited depressurization is previously addressed in RUPTURED SG ISOL). An operator error probability of 0.001 was utilized [see Table A. 14 in Appendix A of NUREG/CR-4674 and NRR Daily Events Evaluation Manual, 1-275-03-336-01, January 31, 1992].

SDC. Failure to provide decay heat removal via the residual heat removal portion of the LPSI system. Two redundant trains of SDC exist at Palo Verde. Each train consists of a LPSI pump, six normally closed motor-operated valves, and two parallel, normally closed LPSI injection valves. The SDC failure probability is, therefore, approximately [p(PMP A) x p(PMP B | PMP A) + 6 x p(VLV A) x p(VLV B | VLV A)] x p(nrec) + p(opr). Using typical ASP screening probabilities for pump and valve failures, a nonrecovery probability of 0.34 and an operator error probability of 0.001 [see NRR Daily Events Evaluation Manual, 1-275-03-336-01, January 31, 1992] results in an estimated failure probability for the branch of

$$\{[(0.01 \times 0.1) + (6 \times 0.01 \times 0.1)] \times 0.34\} + 0.001 = 3.4 \times 10^{-3}.$$

RWT REFILL. Failure to refill the RWT before RWT depletion. Based on the flow rate observed during the event, RWT refill must be accomplished before 40 h following the SGTR. The Palo Verde IPE considered RWT refill in the analysis of a maximum flow rate (600-gal/min) SGTR and assumed that it would not be initiated until the RWT low-level alarm was received, ~2.7 h before the tank was empty. For this time period, the IPE estimated a diagnosis time of 140 min and a resulting failure probability of 8.5 x 10^-3. Although the lower flow rate that existed during this event would provide additional diagnosis time and reduce the expected failure probability, the value of 8.5 x 10^-3 was used in this analysis as well (sequences involving failure of RWT refill do not substantially contribute to the core damage probability estimated for the event).

Applying the above branch probabilities to the model for the event, as shown in Fig. A.15.2, results in an estimated core damage probability of 4.7 x 10^-5.
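The following added example (not part of the original analysis) recomputes the SGTR IDENT probability from the lognormal assumption and then quantifies the core damage sequences of Table A.15.1 from the branch probabilities stated above. It assumes the error factor is the ratio of the 95th percentile to the median, and it infers the success/failure path of each sequence from the table's descriptions; the function and key names are illustrative.

```python
import math

def p_not_done_by(median_h, error_factor, available_h):
    """P(T > available_h) for a lognormal response time T.

    Assumption: error factor = 95th percentile / median,
    so sigma = ln(EF) / 1.645.
    """
    sigma = math.log(error_factor) / 1.645
    z = math.log(available_h / median_h) / sigma
    return 0.5 * math.erfc(z / math.sqrt(2.0))

# Branch failure probabilities as stated in the text of Sect. A.15.4.
BRANCH = {
    "RT": 3.0e-5,
    "HPSI": 8.4e-4,
    "AFW_HPSI_OK": 1.1e-5,      # AFW fails given HPSI success
    "AFW_HPSI_FAILED": 9.9e-5,  # AFW fails given HPSI failure
    "DEPRESS_LPSI": 0.12 * 0.34,
    "IDENT": 0.04,
    "ISOL": 0.01,
    "DEPRESS_SDC": 0.001,
    "SDC": 3.4e-3,
    "RWT": 8.5e-3,
}

def sequences(p):
    """Core damage sequence probabilities 101-108 (109, ATWS, is not developed)."""
    ok = lambda name: 1.0 - p[name]
    front = ok("RT") * ok("HPSI") * ok("AFW_HPSI_OK")
    # Two ways to end in core damage once SDC is needed:
    sdc_lost = ok("DEPRESS_SDC") * p["SDC"] * p["RWT"]  # depressurized, SDC and refill fail
    no_depress = p["DEPRESS_SDC"] * p["RWT"]            # depressurization and refill fail
    hpsi_lost = ok("RT") * p["HPSI"]
    afw_ok = ok("AFW_HPSI_FAILED")
    return {
        101: front * ok("IDENT") * p["ISOL"] * sdc_lost,
        102: front * ok("IDENT") * p["ISOL"] * no_depress,
        103: front * p["IDENT"] * sdc_lost,
        104: front * p["IDENT"] * no_depress,
        105: ok("RT") * ok("HPSI") * p["AFW_HPSI_OK"],
        106: hpsi_lost * afw_ok * ok("DEPRESS_LPSI") * p["SDC"] * p["RWT"],
        107: hpsi_lost * afw_ok * p["DEPRESS_LPSI"],
        108: hpsi_lost * p["AFW_HPSI_FAILED"],
    }

def total_cdp(p):
    """Conditional core damage probability: sum of the core damage sequences."""
    return sum(sequences(p).values())

if __name__ == "__main__":
    # Median 1 h, error factor 3.2, 3.5 h until SDC initiation.
    print(f"SGTR IDENT  {p_not_done_by(1.0, 3.2, 3.5):.3f}")
    for number, value in sequences(BRANCH).items():
        print(f"{number}  {value:.1e}")
    print(f"TOTAL  {total_cdp(BRANCH):.1e}")
```
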

A.15.5 Analysis Results

The conditional core damage probability estimated for the SGTR at Palo Verde is 4.7 x 10^-5. The dominant core damage sequence, shown on Fig. A.15.2, involves the tube rupture with a postulated failure of HPSI and failure to depressurize the RCS and utilize LPSI for injection.

[Event tree figure not reproduced. Legible sequence end states and probabilities: 101 CD 2.8E-07; 102 CD 8.2E-08; 103 CD 1.2E-06; 104 CD 3.4E-07; 105 CD 1.1E-05; 106 CD (value illegible); 107 CD (value illegible); 108 CD 8.3E-08; 109 ATWS; TOTAL 4.7E-05.]

Fig. A.15.2 Dominant core damage sequence for LER 529/93-001