ML20140A208
| ML20140A208 | |
| Person / Time | |
|---|---|
| Site: | Saint Lucie  |
| Issue date: | 05/19/2020 |
| From: | NRC/RES/DRA/PRB |
| To: | |
| Littlejohn J (301) 415-0428 | |
| References | |
| LER 335-1997-011 | |
| Download: ML20140A208 (7) | |
Text
LER E No. 335/97-011 o 359-1 Appendi B B.6 LER No. 335/97-011 Event
Description:
Nonconservative recirculation actuation signal set point Date of Event: November 2, 1997 Plant: St. Lucie, Unit 1 B.6.1 Event Summary St. Lucie, Unit 1, was defueled and undergoing a steam generator replacement refueling outage. Utility personnel determined that the engineered safety feature actuation system's (ESFAS 's) recirculation actuation signal (RAS) bistable set point for indicating the water level in the refueling water tank (RWT) had been set less conservatively than the Technical Specification set point. Plant personnel determined that the unit was more susceptible to core damage in the event of a large-break loss-of-coolant accident (LBLOCA) since changing the span of the RWT level indication during a 1993 refueling outage.' The nomiinal core damage probability (CDP) is 1.7 x 10-5 The increase in CDP (i.e., the inmportance) is 1.7 x 10 - over a 1-year period because of an improper RAS set point. Hence, the less conservative RAS set point results in an estimated conditional core damage probability (CCDP) of 3.4 x 10 for a 1-year period of operation. Uncertainty in the frequency of an LBLOCA (none have occurred) and uncertainty in the amount of emergency core cooling system (ECCS) flow required when recirculation is initiated contribute to the uncertainty in this estimate.
B.6.2 Event Description On October 27, 1997, St. Lucie, Unit I was defueled and undergoing a steam generator replacement refueling outage. As part of the outage, obsolete ESFAS bistables were being replaced to improve system reliability and calibration methods. The equipment to be replaced included all four channels of the RWT low-level bistables. A signal from these RWT low-level bistables causes the operating mode of the safety injection system to change from the injection mode to the recirculation mode following a loss-of-coolant accident (LOCA).
Because of the RWT bistable changes, a system engineer performed additional verification to ensure that the RWT level set point agreed with the instrument loop scaling requirement. This review showed that the Technical Specification set point of 1.2 m (48 in.) from the bottom of the RWT correlated to a bistable set point of 5.28 mA.' The functional test procedure required an assigned set point of 4.96 mA, which corresponds to a water level in the RWT of 0.9 m (36 in.) above the tank bottom.' The less conservative set point dictated by the functional test procedure was applied to all four channels of the Unit 1 RWT level instrument bistables.
In January 1993, an engineering calculation was issued by the St. Lucie engineering staff to change the span of the RWT level measurement loop such that 0 m (0 ft) would reference the bottom of the tank. The level instruments are actually 0.3 m (1 ft) above the bottom of the RWT, and the 0-in (0-ft) mark previously referenced the height of the level instruments. Before the change in the span of the RWFT level, the set point B.6-1 NUREG/CR-4674, Vol. 26
LER No. 335/97-011 B LER o. 35/97011Annendix procedure correctly initiated the RAS 1.2 m (48 in.) above the true bottom of the RWT [0.9-rn (36-in.) set point plus 0.3 m (12-in.) instrument heighti.' 'After the change in the span of the RWT level, the set point procedure was not changed. Subsequently, the set point procedure incorrectly initiated RAS at 0.9 mn (36 in.)
above the bottom of the RWT.
B.6.3 Additional Event-Related Information The RAS causes the suction source for the ECCS to transfer from the RWT at the end of the injection phase to the containment sump. This begins the recirculation phase. The injection phase is not influenced by the set point error; under worst-case conditions, the injection phase will last at least for the initial 20 min following a LOCA.' When the RAS set point is reached, the containment sump isolation valve is opened in -30 s, and the RWT isolation valve is closed in -90 s. The operator is directed by the emergency operating procedure (EOP) to initiate recirculation manually if the automatic signal fails to initiate recirculation when the RWT level reaches 48 in. from the bottom of the tank.'
The ECCS suction pipe outer diameter is -0.6 mn (24 in). The top of the inner diameter of the ECGS suction pipe is 1.1 mn (42.25 in.) above the bottom of the RWT. The bistable set point error would delay the automatic initiation of recirculation until the RWT water level was -15 cm (6 in.) below the top of the ECCS suction piping. Without operator action, a condition known as open channel flow would occur. From calculations made by the licensee, open channel flow conditions could not support full EGGS flow [-49,000 L/min (13,000 gal/mmn)]. The mismatch between available open channel flow and full EGGS flow would drain down the level in the EGGS suction piping and lead to air ingestion and reduction of the available net positive suction head for the EGGS pumps. Under these conditions, chugging flow would result until the EGGS pumps became air bound. This interruption of EGGS flow would prevent a further drain down of the RWT, and the lower RAS set point might never be reached.'
The licensee further calculated that EGGS flows below 26,500 L/min (7000 gal/min) could be supported by open channel conditions until the lower RAS set point Was reached.' This limits concern for EGGS failure, as a result of the less conservative RWT bistable set point, to an LBLOGA. Additionally, the peak containment temperature and pressure will be mitigated within the first 20 min following a LOGA; when containment pressure falls below 0.03 MPa (5 psig), operators are directed by the EOPs to secure the containment spray pumps. Because the spray pumps provide more than 22,700 L/min (6000 gal/min) flow
[25,500 L/min (6750 gal/mmn), Ref. 2, Table 6.3-61, this would reduce the total EGGS flow required below 26,500 L/min (7000 gal/mmn) before reaching open channel flow conditions.
B.6.4 Modeling Assumptions This event was modeled as a failure of the automatic RAS for an LBLQGA during a 1-year period. A failure to initiate recirculation could air bind all EGGS pumps following an LBLOGA, leading to core damage.
Therefore, the significance of this event can be estimated directly from the change in EGGS pump failure probabilities because of the improper RAS set point and the probability of an LBLOGA during a 1-year period. The St. Lucie Individual Plant Examination (IPE) estimates the frequency of an LBLOGA to be 2.7 x 104/year.
NIJREG/CR-4674, Vol. 26B6- B.6-2
Annendix B LER No. 335/97-011 The increased probability of core damage because of EGGS pump failures is estimated by considering the probability that the operators will fail to initiate recirculation manually when the RWT water level drops to 1.2 m (48 in.) and the probability that the operators will fail to secure the spray pumps when conditions allow.
Hence, the increased probability of core damage is P(LBLOGA) x P(operator fails to initiate recirculation manually) x P(operator fails to secure spray pumps).
Operator fails to initiate recirculation manually Manual initiation of recirculation following a LOGA is directed by EOPs if the automatic RAS should fail.
The operators had correct indication of the RWT level in the control room, and the EOP directs operator attention to the RWT level when the water level drops to 1.8 to 2.4 m (6 to 8 ft). Manual initiation of recirculation when directed by the EOP would prevent any damage to the EGGS pumps because of the RAS set point error. It was assumed that the high-pressure injection (HPI) pumps would not be required to prevent core damage for the LBLOGA of concern in this event. Therefore, the low-pressure injection (LPI) pumps were expected to be the key to preventing core damage. Reference 1 indicated that 240 s was available after reaching the nominal RAS set point before the LPI pumps would fail. (The HPI pumps would fail within 90 s.) A simulator test suggested that operating crews maintained positive control of the RWT level and recognized the need to manually initiate recirculation -40 s after the nominal automatic set point was reached.
The Human Reliability and Safety Analysis Data Handbook' suggests that for postaccident task actions, a 1-min delay for travel/manipulation should be allowed (Ref. 3, p. 66). So, 100 s was considered the median time response for an operating crew. Allowing -10 s for the containment sump valves to reposition enough to allow significant flow, the critical time was assumed to be 230 s before the LPI pumps would fail because of gas binding (i.e., 240 s - 10 s). The probability of the operating crew failing to initiate recirculation manually can be estimated by assuming that the failure probability can be represented as a time-reliability correlation (TRG) as described in Human Reliability Analysis . 4 Operator response was assumed to be rule-based and without hesitancy. For the 230-s period of interest, a failure probability of 1.2 x 10- was estimated.
Operator fails to secure sprgy pumps If total EGGS flow could be reduced below 26,500 L/min (7000 gal/min) before reaching the automatic RAS set point, then the potential for EGGS pump failure, because of the nonconservative bistable set point, is 2
eliminated (Ref. 1, p. 9). Analysis of containment pressure curves in the final safety analysis report (FSAR) indicates that containment pressure should be reduced to 0.03 MPa (5 psig) in -20 min following an LBLOGA. If the RWT level were at the Technical Specification minimum level [1,521,000 L (401,800 gal)
(Ref. 2)] and EGGS flows were at the maximum indicated by Ref. 1 [49,000 L/min (13,000 gal/mmn)], then a minimum of 25.8 min would be available until the intended automatic RAS set point is reached [25 1,000 L (66,200 gal) (Ref. 2)]. The EOPs direct the operating crew to secure the containment spray pumps when containment pressure returns below 0.03 MPa (5 psig). The Human Reliability and Safety Analysis Data Handbook' suggests that for postaccident task actions, a 5-mmn delay for diagnosis/ analysis be allowed and a 1-min delay for travel/manipulation be allowed (Ref. 4, p. 66). With this median response prediction, the probability of the operating crew failing to secure the spray pumps can be estimated by assuming that the failure probability can be represented as a TRG as described in Human Reliability Analysis.' Operator B.6-3 NUREG/CR-4674, Vol. 26
Annendix A~ni B LER No. 335/97-011 response was assumed to be rule-based, but with hesitancy, because conditions to secure the spray pumps are not met immediately. This operator action was assumed to be independent of the operator action to manually establish the recirculation line-up, because of the way the EOP directs these activities be performed and the independence of the instrumentation required. Allowing 0.2 min for equipment response, a failure probability of 5.2 x 10. `was estimated for the 5.6-mmn period of interest [(25.8 - 20.0 - 0.2) mini]. A sensitivity study on the operator response time is presented at the end of the next section.
B.6.5 Analysis Results The nominal CDP over a 1-year period because of an improper RAS set point is approximately 1.7 x10 The increase in the CDP over a 1-year period (i.e., the importance) is 1.7 x 10.* Hence, the less conservative RAS set point increased this probability to 3.4 x 10-. This value is the CCDP for the 1-year period with an improper RAS set point. A large uncertainty is associated with this estimate because it relies on an estimated LBLOCA frequency (none have occurred) and estimations of operator response during accident conditions.
The dominant core damage sequence (sequence 4 in Fig. B.6. 1)for this event involves
" an LBLOCA,
- successful injection from the safety injection tanks,
" a failure of automatic RAS,
" operator fails to manually back up the RAS, and
" operators fail to secure the containment spray pumps before the RAS set point is reached.
The CCDPs are shown in Table B.6. 1, while Table B.6.2 lists the sequence logic associated with the sequences listed in Table B.6. 1. Table B.6.3 provides the definitions and failure probabilities for event tree branch points in Fig. B.6.l1.
The HPI pumps were expected to fail 90 s following an RAS failure.' If it is assumed that HPI pump failure impacts adequate decay heat removal following some LOCA events of concern, the probability of the operating crew failing to initiate recirculation manually before HPI pump failure can be estimated by assuming that the failure probability can be represented as a TRC as described in Human Reliability Analysis.'
Operator response was assumed to be rule-based and without hesitancy. Again allowing 10 s for valves to reposition and allow significant flow, a failure probability of 6.2 x 10`was estimated for the 80-s period of interest. In this case, the estimated increase in the CDP is 8.7 x 10- for a 1-year period with the RAS set point too low. The CCDP then is increased to 1.0 x 14 It could be assumed that the operator focus on current EOP steps and accident conditions overall would preclude any consideration of securing the containment spray pumps so early in the event. In this case, the probability of failing to secure the spray pumps before reaching the RAS set point would be 1.0. The estimated CCDP for this event increases to 4.9 x 10` for a 1-year period with the RAS set point lower than the design basis. In contrast, with increased attention on RWt water management per the EOP, it is possible that the operating crew would be quick to secure containment spray pumps when it became permissible. If the median response were considered to be 3 min instead of the 6 mini assumed previously, the probability that the operator fails to secure the spray pump is 1.9 x 10-'. The estimated CCDP for this event decreases NUREG/CR-4674, Vol. 26 B.6-4
LER No. 335/97-011 LRN.359-1 ADnendi B to 2.3 x 10' for a 1-year period with the RAS set point too low. Similar results are obtained if the water level in the RWT is assumed to start well above the minimum water level allowed by Technical Specifications when demanded.
B.6.6 References
- 1. LER 335/97-011, Rev. 0, "Non-Conservative Recirculation Actuation Signal Set Point Resulted in Operation Prohibited by the Technical Specifications," December 2, 1997.
- 2. St. Lucie, FinalSafety Analysis Report (Updated Version).
- 3. D. 1. Gertman and H. S. Blackmnan, Human Reliability and Safety Analysis DataHandbook, John Wiley and Sons, 1994.
- 4. E. M. Dougherty and J. R. Fragola, Human Reliability Analysis, John Wiley and Sons, 198 8.
NUREG/CR-4674, Vol. 26 B.6-5 NUREG/CR-4674, Vol. 26
LER No. 335/97-011 Aipendix B
ý4~!40 0 0 0 C) 0 N0v CO')0 0
Rp OC 0
< 0 iii LL Fig. BA6 1. St. Lucie LBLOCA event tree.
B.6-6 NUREG/CR-4674, Vol.26 Vol. 26 B.6-6
LER No. 335/97-011 Annendi B LRN.359-1 Table B.6.1. Sequence Conditional Probabilities for LER No. 335/97-011 Conditional Event tree Sequence core damage Core damage Importance Percent name number probability probability (CCDP- contribution
LBLOCA 4 3.4 E-005 1.7 E-005 1.7 E-005 99.9 LBLOCA 5 2.7 E-008 2.7 E-008 0.0 E+000 0.1 Total (all sequences) 3.4 E-005 1.7 E-005 1.7 E-005 .......
Table B.6.2. Sequence Logic for Dominant Sequences for LER No. 335/97-011 Event tree name SequenceLoi number LBLOCA 4 /SIT, RAS, RAM, SPRAY LBLOCA 5 SIT ______________
Table B.6.3. System Names for LER No. 335/97-011 Failure System name Description probability IE-LBLOCA Initiating Event-LBLOCA 2.7 E-004 RAS The RAS Bistable Fails to Change the Safety 1.0 E+000
______________Injection Mode from Injection to Recirculation RAM Operator Fails to Manually Initiate Recirculation 1.2 E-00 1 when the Water Level in the RWT Drops to 1.2 m (48 in.)
SIT The Safety Injection Tanks Fail to Inject Water 1.0 E-004 Properly_______
SPRAY Operator Fails to Secure the Spray Pumps when 5.2 E-O001
______________Conditions Allow NITREG/CR-4674, Vol. 26 B.6-7 NLTREG/CR-4674, Vol. 26