ML20135H315

From kanterella
Jump to navigation Jump to search
Final ASP Analysis - River Bend (LER 458-94-023)
ML20135H315
Person / Time
Site: River Bend Entergy icon.png
Issue date: 05/14/2020
From: Christopher Hunter
NRC/RES/DRA/PRB
To:
Littlejohn J (301) 415-0428
References
LER 1994-023-00
Download: ML20135H315 (7)
v  d  e


Text

Appendix C LER No. 458/94-023 Appendix C LER No. 458/94-023 C.9 LER No. 458/94-023 Event

Description:

Scram, Main Turbine-Generator Fails to Trip, Reactor Core Isolation Cooling and Control Rod Drive Systems Unavailable Date of Event: September 8, 1994 Plant: River Bend C.9.1 Summary With the plant at 97% power, spurious high-level scram signals from two newly replaced reactor level transmitters resulted in a reactor trip. Due to the nature of the trip signal, the main turbine and generator did not automatically trip and were manually tripped by plant operators. The manual generator trip resulted in a slow transfer of plant preferred power supplies to components in the condensate, feedwater, reactor protection system (RPS), circulating water, service water, and instrument air systems. A voltage transient at the time of the power supply transfer caused a control power fuse in the control rod drive (CRD) system to open, causing the loss of power to most control room indicators for the system and the CR1) flow control valves to fail shut. Operators attempted to align the reactor core isolation cooling system (RCIC) to provide cooling water makeup to the reactor, but it tripped on overspeed and could not be restarted.

The high pressure core spray (H-PCS) system was then used to provide reactor makeup water. The conditional core damage probability estimated for this event is 1.8 x 10s C.9.2 Event Description River Bend Station was operating at 97% power when two of four reactor water level channels simultaneously initiated spurious high-level scram signals, causing a reactor trip. Subsequent investigation determined that the two newly replaced channels of level instrumentation were insufficiently damped and were overly sensitive to random noise. Since only two of the channels sensed a high level, the logic for the turbine/generator and feedwater system trips was not satisfied.

Within 2 mein of the reactor trip, the main generator megawatt output declined to zero and the generator began motoring.

The reverse power relay protection for the generator failed to cause a trip due to a high power factor. Approximately 7 min after the reactor trip, the operators noticed that the main turbine had not tripped. Following a discussion, the turbine was manually tripped. The operators expected the main generator output breakers to open automatically at this point. When they did not, the operators manually tripped the breakers.

When the main generator output breakers were manually opened, the plant responded differently from the way the operators were trained to expect. The delayed power transfer resulted in the unexpected loss of the nonsafety-related electrical loads. This required the operators to manually restore power to these affected loads.

The power transfer delay caused the loss of all main feedwater pumps, all condensate pumps, both trains of the RPS, the A and C main circulating water pumps, one of two running normal service water pumps, both recirculation pumps, the turbine building ventilation system, one instrument air compressor, and miscellaneous nonessential control room indications. In addition, the main steam isolation valves (MSIVs) and other containment isolation valves closed, and the standby service water system automatically started.

The transfer delay did not affect the safety-related electrical busses (because they are normally powered from a different power source). Since no safety-related loads were lost, the emergency diesel generators did not get a start signal. The loss of the balance of plant (BOP) loads caused loss of the normal heat sink for reactor decay heat removal.

C.9-1 C.9-1 NJRIEGICR-4674, Vol. 21

LER No. 458/94-023 Appendix C LER No. 458/94-023 Appendix C At the same time, a fuse in the CRD system blew. As a result, almost all the control room CRD indications were lost, and the CRD flow control valves failed shut. It took approximately 2-1/2 h for the operators to identify that the CPJ) parameters were not reading correctly. The only available indication of the CR1) system operability was pump current.

Operators attempted to align RCIC to provide reactor vessel makeup, but it tripped on overspeed and could not be restarted. The I-PCS pump was started to provide vessel injection. The operators also manually opened the safety relief valves (SRVs) intermittently to reduce reactor pressure by relieving steam to the suppression pool. The I-PCS system isolated four times during the event due to swells from the lifting of the SRVs.

While taking the actions described above, the operators were also taking actions to return power to the RPS busses and to restore the feedwater system, condensate system, and turbine building ventilation. The condensate and feedwater systems required venting before they could be restarted.

About 1 h into the event (at 2127 hours0.0246 days <br />0.591 hours <br />0.00352 weeks <br />8.093235e-4 months <br />), the residual heat removal system (R.HR) was placed in the suppression pool cooling mode. At 2140 hours0.0248 days <br />0.594 hours <br />0.00354 weeks <br />8.1427e-4 months <br />, the HYCS system suction switched to the suppression pool because of high suppression pool level.

At approximately 2209 hours0.0256 days <br />0.614 hours <br />0.00365 weeks <br />8.405245e-4 months <br />, the shift superintendent declared an Unusual Event because (1) there was only one source of high-pressure makeup water to the reactor, (2) the event had the potential of degrading, and (3) additional personnel were required to assist in returning the BOP systems to service.

To help control the reactor pressure and water level, valves in the main steam drain system were opened to provide equalization of pressures around the MSIVs and to assist with pressure control by dumping steam to the condenser.

At approximately 2220 hours0.0257 days <br />0.617 hours <br />0.00367 weeks <br />8.4471e-4 months <br />, operators had restored the condensate system, and at approximately 2321 hours0.0269 days <br />0.645 hours <br />0.00384 weeks <br />8.831405e-4 months <br /> the feedwater system was restored to service. The MSIVs were then opened, and the operators verified that reactor water level and pressure were being properly controlled. At 0017 hours1.967593e-4 days <br />0.00472 hours <br />2.810847e-5 weeks <br />6.4685e-6 months <br /> on September 9, the IIPCS pump was secured. At 0030 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> the Unusual Event was exited, and the plant was cooled down to the cold shutdown condition.

Additional information regarding this event can be found in NRC Augmented Inspection Team (AIT) Report 50-458/94-20, October 19, 1994 (Ref. 2).

C.9.3 Additional Event-Related Information The event was initiated by a sensed high reactor water level. The reactor trip was set for +51 in. (level 8). The turbine/generator and feedwater pump trips would also occur at this level. There are four sensors (channels) in the RPS that detect a level 8 condition. The channels, identified as A, B, C, and D, are arranged in one-out-of-two-taken-twice logic for a reactor trip. The high-level condition must be detected by channels A or C and B or D. During this event, only channels C and D sensed high level. Channels A, B, and C are arranged in a two-out-of-three logic for feedwater system and turbine/generator trip signals. Since channels A and B did not sense a high level, the feedwater system and the turbine/generator did not automatically trip.

Post-event investigation revealed that the sensors for channels C and D were a different model than that used in channels A and B. The sensors for channels C and D were installed during the recent refueling outage. They were found to be overly sensitive to transient level signals.

The main generator did not automatically trip on reverse power due to the high-power factor that was experienced during the event. There are two reverse power relays. One is set at approximately 3 MW (at a 0 power factor angle) and is only enabled if the turbine stop valves are closed, as is the case following a turbine trip. The second relay is also set at approximately 3 MW (also at a 0 power factor angle) but does not require a turbine trip permissive. Post-event*

investigation found that these relays were sensitive to large power factor angles such as the power factor angle (approximately 850) that existed when the main generator was motoring.

NUREG/CR-4674, Vol. 21 C.9-2

Appendix C LER No. 458/94-023 Post-event investigation revealed that the normally open RCIC governor valve was stuck in the open direction. As a result, when steam was admitted to the turbine, its speed increased until the overspeed trip setpoint was reached. Upon disassembly, the governor valve stem was found to have excessive corrosion in the gland area. This corrosion caused the valve stem to stick and resist the hydraulic pressure that otherwise would have repositioned the valve.

C.9.4 Modeling Assumptions This event was modeled as a transient with the power conversion system (PCS), condensate, feedwater, RCIC, and CRD systems unavailable.

The PCS was modeled as failed and not recoverable. During the actual event, it took approximately 2-1/2 h to equalize pressure across the MSIVs and restore the PCS. Therefore, the system failure probability (PCS-SYS-VF-MISC) and the nonrecovery value (PC S-XHIE-XE-NOREC) were set to 1.0 (true).

The condensate and feedwater systems were modeled as failed and not recoverable. During the actual event, it took approximately 2 h to restore the condensate system and approximately 3 h to restore the feedwater system. A step in the feedwater system (FWS) abnormal procedure required the venting ofthe system under these circumstances regardless of whether system indications indicated the need for system venting. The emergency procedure for the FWS does not require the system to be vented. However, it is unclear when the emergency procedure would be used as opposed to the abnormal procedure used during this event. It is also unclear whether the system actually needed to be vented to ensure its operability under the conditions observed during this event. A high priority was placed on the restoration of the FWS, as its unavailability was, in part, the basis for declaring a Notification of Unusual Event. Given the other equipment that needed to be manually recovered during the event, it does not appear as if the FWS could have been recovered any faster. Therefore, although the pumps and valves were operable, the extended time period required to vent the system makes it unavailable as a source of high-pressure makeup. Therefore, the system failure probabilities (CDS-SYS-VF-COND and MFW-SYS-VF-FEEDW) and the nonrecovery values (CDS-XHE-XE-NORJEC and MFW-XHE-XE-NOREC) were set to 1.0 (true).

Since there were no failures in the FW or condensate systems, the systems would be recoverable in the long term. The current ASP models do not account for recovery at this point in the sequences. However, since the dominant sequence (sequence 31) involves early injection system failures, incorporation of long-term feedwater recovery into the model would have little affect on the conditional core damage probability for this event.

The RCIC system was modeled as unavailable and nonrecoverable. Following the event, investigation revealed that the turbine governor would not function due to excessive corrosion. Therefore, the system failure probability (RCI-TDP-FC-TRAIN) and the nonrecovery value (RCI-XHE-XE-NOREC) were set to 1.0 (true).

The CR1) system was modeled as failed and not recoverable. The lack of control room indication and the failed closed*

flow control valves were not identified for approximately 2-1/2 h into the event. Once the incorrect readings were noted, it took an additional 55 min to restore the system to operability. The operators were concerned with high-pressure injection systems as noted by the basis for the declaration of the notification of unusual event. It would seem unlikely that the CRD system could have been restored faster based on the number of tasks that needed to be accomplished (systems that needed to be restored) and the need for additional manpower. Therefore, modeling the system as inoperable and unrecoverable in the time period required to maintain core cooling is appropriate. The pump train failure probabilities (CRD-MDP-FC-TRNA and CRD-MDP-FC-TRNB) and the nonrecovery value (CRD-XHE-XE-NOREC) were set to 1.0 (true). It was assumed that the system could be recovered in time to operate following the successful operation of low-pressure core spray or low-pressure coolant injection, failure of RJ-R, and successful containment venting.

Therefore, the operator nonrecovery value under these conditions (CRI-XHE-XE-NOREC) was not modified.

The HPCS isolation valve closed four times during the event due to a high vessel level (level 8 signal). The additional cycling of the isolation valve was not explicitly modeled.

Standby Service Water Pump 2A discharge valve 1-SWP*MOV40A did not fully open when the pump started and control room position indication for the valve was lost. Post-event investigation indicated that the valve opened C.9-3 C.9-3NUREG/CR-4674, Vol. 21

LER No. 458/94-023 Appendix LER No. 458/94-023 Appendix C C approximately 20%. The valve was subsequently opened manually by an operator. The valve failed to fully open due to a short in one of the control cables. Although this valve did not fuly open automatically, the valve was modeled with a nominal failure rate. Given that the other SSW pumps and valves operated, flow through the system was sufficient to provide the design cooling loads.

Other support systems, such as instrument air, were also impacted by the slow power transfer that occurred during this event. However, it was assumed that these systems were restored quickly following the recovery of offsite power to the nonemergency buses. It was assumed that the loss of these systems had minimal impact on the oepration of safety-related systems. As a result, the modeling was not modified as a result of these support system failures.

C.9.5 Analysis Results The conditional core damage probability estimated for this event is 1.8 x 10- . The dominant sequence highlighted on the event tree in Figure C.9. 1 involves a trip, failure of the PCS, operation of the SRVs with no more than one valve failing to close, failure of high-pressure makeup systems (NEW, FIPCS, and RCIC), failure of the ADS system, and failure of the CRD system.

A sensitivity calculation was performed to determine the impact of assuming the condensate and main feedwater systems were unrecoverable. If the nominal nonrecovery values are used, the conditional core damage probability for the event decreases by a factor of 2.2 to 8.0 x 10-6 .

Definitions and probabilities for basic events are shown in Table C.9.l1. The conditional probabilities associated with the highest probability sequences are shown in Table C.9.2. Table C.9.3 describes the system names associated with the dominant sequences. Cutsets associated with each sequence are shown in Table C.9.4.

C.9.6 References

1. LER 458/94-023, Rev. 1, "Reactor Scram Due to Spurious Signals from Undamped Rosemount Model 1153 Transmitters," December 12, 1994.
2. NRC Augmented Inspection Team Report No. 50-458/94-20, October 19, 1994.

NUREGICR-4674, VoL 21 .-

C.94

Appendix C Appenix No.

CLER458/94-023 Figure C.9.1. Dominant core damage sequence for LER 458/94-023.

C.9-5 NLJREGICR-4674, Vol. 21

LER No. 458/94-023 Appendix C Table C.9. I. Definitions and probabilities for selected basic events for LER 458/94-023 Base Current Modified Event name Description probability probability Type for this event ADS-SRV-CC-VALVS; ADS Valves Fail to Open 3.7E-003 3.7E-003 N ADS-XHE-XE-ERROR Operator Error Prevents E03 LE03N Depressurization1.O-0 1.E03N ADS-XHE-XEF-NOREC Operator Fails to Recover ADS 7.lE-O0l 7.1E-O0l N CDS-SYS-VF-COND Condensate Hardware Components 3.4E-O0l l.OEH-OO TRUE Y Fail CDS-XHAE-XE-NOREC Operator Fails to Recover I .OE+OOO 1.OE+OOO TRUE Y Condensate CRD-MDP-FC-TRNA Train A Failures 7.2E-004 l.OE+OOO TRUE Y CRD-MDP-FC-TRNB Train B Failures 7.2E-003 l.OE-I-OO TRUE Y CRD-XIHE-XE-NOREC Operator Fails to Recover CRD 1.OE+OOO 1.OE+OOO TRUE Y CR1-XIHE-XE-NOREC Operator Fails to Recover CRD .E0 .E00N (After Venting)1.E+O 1.EOON HCS-MDP`-FC-TRAIN 1HPCS Train Level Failures 6.6E-003 6.6E-003 N HCS-XIHE-XE-NOREC Operator Fails to Recover HPCS 7.OE-OO1 7.OE-O0l N LE-LOOP Loss-of-Offsite Power Initiator 1.7E-005 O.OE+OOO IGNORE Y IE-SLOCA Small LOCA Initiator 4.8E-007 O.OE+000 IGNORE Y IE-TRAN Transient Initiator .LIE-003 1.OE+OOO Y M1FW-SYS-VF-FEEDW MEW Hardware Components Fail 4.6E-001 l.OE+OOO TRUE Y MffW-XIHE-XE-NOREC Operators Fail to Recover 3.4E-001 l.OE+OOO TRUE Y Feedwater PCS-SYS-VF-MISC PCS Hardware Components Fail 1.7E-001 l.OE+OOO TRUE Y PCS-XHE-XE-NOREC Operator Fails to Recover PCS 1.OE+OOO l.OE+OOO TRUE Y RCI-TDP-FC-TRAIN RCIC Train Component Failures 4.OE-002 l.OE+OOO TRUE Y RCI-XIHE-XE-NOREC Operator Fails to Recover RCIC 7.OE-O0l l.OE+OOO TRUE Y SRV One or Less SRV Fail to Close 2.2E-003 2.2E-003 N NUREGICR-4674, Vol. 21C9- C.9-6

Appendix C LER No. 458/94-023 Table C.9.2. Sequence conditional probabilities for LER 458/94-023 Conditional Event Seune core%

tree Seunme damage Contribution Logic name probability (CCDP)

TAS 31 1.6E-005 89.8 /RPS, PCS, /SRV, MFW, HCS, RCI, ADS, CRD TRANS 07 1.5E-006 8.1 IRPS, PCS, /SRV, MEW, /HCS, RHR, CVS Total (all sequences) 1 .8E-00 ___ _ _ ..._ ............................................... _.........

Table C.9.3. System names for LER 458/94-023 System name Description AD)S Automatic Depressurization Fails CRD Insufficient CRD Flow to RCS CVS Containment (Suppression Pool) Venting HCS I-PCS Fails to Provide Sufficient Flow to Reactor Vessel MEW Failure of Main Feedwater System PCs Power Conversion System RCI RCIC Fails to Provide Sufficient Flow to RCS RHR Residual Heat Removal Fails RP S Reactor Shutdown Fails SRV One or Less SRV Fail to Close Table C.9.4. Conditional cut sets for higher probability sequences for LER 458/94-023 Cut seNo% Frequency Cut sets*

TRANS Seq: 31 1.600E-005 1 723 1200E005 ADS-SRV-CC-VALVS, ADS-XHE-XE-NOREC, 1 723 1200E005 HCS-XIHE-XE-NOREC, HCS-MDP-FC-TRAIh4, /SRV 2 27. 4.60E-006 ADS-SRV-XE-ERROR, HCS-XIHE-XE-NOREC, 2 27. 4.60E-006 HCS-MI)P-FC-TRAIN, /SRV TRANS Seq: 07 1.5E-006 CVS-XIIE-XE-VENT, RHR-MDP-CF-MDPS, /SRV, 1 65.5 9.9E-007 CSS-XIHE-XE-NOREC, SDC-XIHE-XE-NOREC, SPC-XIHE-XE-NOREC CVS-XIHE-XE-VENT, RHR-MDP-FC-TRNB, 2 9.4 1.4E-007 RHR-MDP-FC-TRNA, /SRV, CSS-XI-IE-XE-NOREC, SDC-XI-IE-XE-NOREC en es).....00(all. seq Total..................

C.9-7 NIREGICR-4674, Vol. 21 C.9-7

Retrieved from "https://kanterella.com/w/index.php?title=ML20135H315&oldid=3375423"