ML20140A215

From kanterella
Jump to navigation Jump to search
Final ASP Analysis - Three Mile Island 1 (LER 289-97-007)
ML20140A215
Person / Time
Site: Crane 
Issue date: 05/19/2020
From:
NRC/RES/DRA/PRB
To:
Littlejohn J (301) 415-0428
References
LER 289-1997-007, LER 289-1997-008, LER 289-1997-010
Download: ML20140A215 (12)
v  d  e


Text

LER Nos. 289/97-0007,-008 -010 Appendi B LE o.29700.-0.

-1 BA4 LER Nos. 289/97-007, -008, -010 Event

Description:

Failure of both generator output breakers causes a LOOP Date of Event:

June 21, 1997 Plant:

Three Mile Island, Unit 1 B.4.1 Event Summary Three Mile Island, Unit 1 (TMI 1), was at 100% power when the plant experienced a loss of offsite power (LOOP) after both generator output breakers in the 230-kV substation failed.' The LOOP resulted in an immediate trip of both the reactor and the turbine; plant computer data indicated that the trip insertion times were excessive for four control rods.2 Both emergency diesel generators (EDGs) started and loaded as designed. Offsite power was restored within 90 mini. The unit was cooled by natural circulation cooling until offsite power and forced cooling were restored. It was subsequently discovered that the pressurizer power-operated relief valve (PORV) was failed closed during this event (see Additional Event-Related Information).3 The estimated conditional core damage probability (CCDP) for this plant-centered LOOP is 9.6 x 10'.

B.4.2 Event Description TMI 1 was at 100% power after almost 617 d of continuous operation. On June 21, 1997, the B phase of the 230-kV generator output breaker GBI-02 (Fig. B.4. 1) developed a fault and caused severe overheating and the subsequent ejection of the bushing and conductor from the breaker housing. This resulted in a fault being detected on 230-ky bus 4. The parallel generator breaker, GBI-12, opened because of the detected fault on 230-ky bus 4. Breaker GBI-12 subsequently suffered a restrike, which damaged the B phase of this breaker, causing a fault on 230-ky bus 8. Automatic breaker action because of both faults isolated electric power to the station, resulting in a LOOP.'

The LOOP caused an imm ediate reactor trip and turbine trip. The plant computer captured times associated with each control rod reaching the 25% zone reference as the reactor trip occurred. A review of the data showed that four control rods exceeded the trip insertion time limit of 1.66 s for three-fourths insertion.

Personnel attributed the slow insertion times to reduced clearances in the old-style control rod drive thermal barriers because of the presence of deposits on the internal check valves, between the thermal barrier bushing, and on the leadscrew. All control rods inserted to the three-fourths insertion position within 3.0 s. The licensee determined that there would be no adverse effects associated with control rod insertion times as high as 3.0 s (Ref. 2).

Both EDGs started and loaded onto their respective safeguards bus as designed. Nonvital loads, including main feedwater, condensate, circulating water, and main condenser vacuum pumps, were not energized. The reactor coolant pumps (RCPs) were also without power. Natural circulation was verified in the reactor coolant system within 19 min following the trip and LOOP. Decay heat removal was established using the emergency feedwater (EFW) system and the steam generator atmospheric dump valves. Offsite power was B.4-1 NUREG/CR-4674, Vol. 26

LER No. 289/97-007. -008, -010 Awendix B restored within 90 min after the breaker failures. After operators established the main condenser heat sink, the RCPs were restarted. The reactor coolant system was returned to forced circulation cooling -9 h after the unit tripped.'

11.4.3 Additional Event-Related Information TMI 1 has a single PORV installed on the pressurizer that is replaced with a spare PORV during each refueling outage. The licensee discovered that during the previous refueling outage, the PORV was wired incorrectly and was subsequently inoperable for the entire operating cycle. The PORV was failed in the closed position and would not have opened in response to an automatic [16.9 MPa (2450-psig)] or a manual signal.? The operating cycle completed with a failed PORV encompassed the LOOP event described by Refs.

1 and 2.

In addition to the PORV, two safety relief valves are connected to the pressurizer with a nominal relief set point of 17.2 MPa (2500 psig). The shutoff head of the safety injection pumps is '-20 MPa (2900 psig).

Feed-and-bleed operation is possible with an inoperable PORV because the safety relief valves can be lifted with the head established by operating the safety injection pumps.'

TMI 1 has two dedicated EDGs (IA and 113) to supply electric power to engineered safeguards buses ID and 1 E, respectively, in the event of a LOOP. Additionally, one EDG previously from TMI 2 is available as an alternate ac power source during a station blackout (SBO). The alternate EDG, which is manually started from the control room, can be aligned to either engineered safeguards bus ID or lE or the balance-of-plant bus I C within 10 mini following an SBO. Operators must close two breakers and open/lockout two breakers, and any desired loads must be manually loaded onto the bus selected to be reenergized.4 B.4.4 Modeling Assumptions This event was modeled as a plant-centered LOOP. The probability of not recovering offsite power in the short term is included in the initiating event probability (IE-LOOP). That is, the probability of a LOOP is 1.0. The probability that offsite power is not recovered in -.30 mini is 0.5, based on the data distributions provided in NUREG-1032, Evaluation of Station Blackout Accidents at Nuclear Power Plants.-'

Consequently, IE-LOOP was set to the probability for a plant-centered LOOP assuming operators fail to recover offsite power in the short term (5. 0 x I0W).

The probability of short-term and long-term offsite power recovery for a plant-centered LOOP and the probability of a RCP seal loss-of-coolant accident (LOCA) following a postulated station blackout were developed based on data distributions contained in NUR.EG-1032.

The RCP seal LOCA models were developed as part of the NUREG-I 150 probabilistic risk assessment (PRA) efforts. Both models are described in Revised LOOP Recovery and PWR Seal LOCA Models.' The probabilities for the following basic events are based on these models:

1. initiating event-LOOP (IE-LOOP),
2. operator fails to recover offsite power within 2 h (OEP-XHE-NOREC-2H),
3. operator fails to recover offsite power within 6 h (OEP-XHE-NOREC-6H),

NUREG4CR-4674, Vol. 26 B.4-2

Appendix B LER Nos. 289/97-0007. -008. -010 4.pperaorfilstxeoe fst pwrbfr atr Beito LOEXE-NRENsC29-0007, 1

4. operator fails to recover offsite power before batRyP deplefion (OPE-XHE-NOREC-BD),an
6. RCP seals fail without cooling and injection water (RCS-MDP-LK-SEALS).

The PRA for TMUI 1indicates that an SBO with a concurrent failure of EFW would lead to core damage in approximately 2 h (Ref. 7, Table B. 1-11, page B. 1-25). This indicates that substantial time is available for the recovery of electric power. Potential recovery actions were modeled (using data from NUREG-1032) by the addition of a basic event (OEP-XI-E-NOREC-SB) under the OP-SBO top event (OP-2H) on the LOOP event tree (Fig. B.4.2). Top event OP-SBO is substituted for the OP-2H top event whenever emergency power (EP) and EFW fail.

The alternate EDG (from TMI 2) was added to the Integrated Reliability and Risk Analysis System (IRRAS) model for TMI 1.

The probability that the alternate EDG fails to start and run (basic event EPS-DGN-FC-AAC) was set to the same value as the dedicated ED~s (4.2 x 10.2). In addition, because operators must start and load the alternate EDG manually, a basic event was added to reflect the probability that the operator fails to start and load the alternate EDG (basic event EPS-XHE-XM-AAC).

Basic event EPS-XHE-XM-AAC was set at 1.0 x 10.' in accordance with similar human error probabilities already incorporated in the IRRAS model for TMI. The common-cause failure probability of the emergency power system for the base case was based on two ED~s. This was adjusted based on the availability of three ED~s and was developed based on data distributions contained in INEL-94-0064, Common-Cause Failure Data Collection and Analysis System (Ref. 8, Table 5-8: alpha factor distribution summary - fail to start, CCCG = 3, a~s 0.0224; and Table S-li1: alpha factor distribution summary - fail to run, CCCG.= 3, aX3R = 0.0232). Because;a is equivalent to the P3 factor of the multiple Greek letter method used in the IRRAS models, the common-cause failure probability of the ED~s (basic event EPS-DGN-CF-ALL) was adjusted from 1.6 x 10-3 based on two EDGs to 9.5 x 10' based on three EDGs.

The slow insertion of four reactor control rods was not considered in the model. The control rods inserted well within the time (3.0 s) that the licensee calculated to be limiting. Additionally, all but four control rods met the three-fourths insertion time prescribed by the Technical Specifications.

Because the PORV was inadvertently disabled during the operating cycle that encompassed the LOOP event, the probability that the PORV fails to open on demand (basic event PPR-SRV-CC-PORV) was set to "TRUE" (i.e., will not open).

Two additional basic events were added to the IRRAS model to account for the availability of the safety relief valves to relieve any pressure buildup (basic events PPR-SRV-CC-IA and PPR-SRV-CC-lB). The probability that a safety relief valve would fail to open when its set point was reached was set to the nominal failure rate for the PORV (see Table BA.4.1). Additionally, the operator would only need to veriI* that the high-pressure injection (HP!) pumps started in a situation that required feed-and-bleed cooling to remove decay heat; no other action regarding the PORV or the safety relief valves is required from the operators. Therefore, the probability that the operator fails to initiate feed-and-bleed cooling (basic event HPI-XHE-XM-HPICL):was reduced from 1.0 x 10`2 to 1. 0 x 0'

B.4-3 NUREG/CR-4674, Vol. 26 B.4-3 NUREG/CR-4674, Vol. 26

LER No. 289/97-007, -008, -010 Apni Appendix B B.4.5 Analysis Results The CCDP for this event is 9.6 x 10'.* The dominant core damage sequence for this event (sequence 26 on Fig. B.4.2) involves

" a LOOP,

" a successful reactor trip, a afailure of EP,

" a successful initiation of EFW,

" no challenge to the PORV (failed) or pressurizer safety relief valves,

  • a failure of the RCP seals, and
  • a failure to restore electric power before core damage.

This SBO sequence (sequence 26 on Fig. B.4.2) accounts for 85% of the total contribution to the CCDP. The next most dominant sequence (sequence 41 on Fig. B.4.2) contributes 11% to the total CCDP. This sequence involves an SHO, a failure of the EFW system, and a failure to recover any form of electrical power before the onset of core damage.

All of the most significant sequences involve an SBO. The nominal probability that a PORV is challenged during a LOOP or an SBO is 0. 16 and 0.37, respectively, based on actual LOOP and SBO events. However, the PORV failure diminished those sequences where the PORV could potentially have lifted and then failed to reseat. Basic events PPR-SRV-CO-L and PPR-SRV-CO-SBO (defined in Table BA4. 1) were set to 5.0 x 10' and 5.4 x 10`, respectively (i.e., the PORV will not open, but the safety valves are challenged) based on Integrated Plant Examination (IPE) data. Because the safety relief valves have a higher set point than the PORV, they may or may not have lifted in place of the PORV. However, the safety valves were assumed to lift during feed-and-bleed operation.

Definitions and probabilities for selected basic events are shown in Table B.4. 1. The conditio 'nal probabilities associated with the highest probability sequences are shown in Table B.4.2. Table B.4.3 lists the sequence logic associated with the sequences listed in Table B.4.2. Table B.4.4 describes the system names associated with the dominant sequences.

Minimal cut sets associated with the dominant sequences are shown in Table B.4.5.

B.4.6 References

1. LER 289/97-007, Rev. 0, "Generator Output Breaker Failure Resulting in a Loss of Off-Site Power and Reactor Trip," July 21, 1997.
2. LER 289/97-008, Rev. 0, "Control Rod Trip Insertion Times Exceed TS Section 4.7.1.1 Limits," July 21, 1997.
3. LER 289/97-010, Rev. 0, "Pilot Operated Relief Valve (PORV) Inoperability Due to Being Mis-Wired and Failure to Perform Post-Maintenance Test (PMT) Following Replacement During 1 IR Refueling Outage," November 12, 1997.

NUREG/CR-4674, Vol. 26 B.4-4

Appendix B LER Nos. 289/97-0007, -008, -010

4. Three Mile Island, Final Safety Analysis Report (Updated Version).
5.

P. WV. Baranowsky, Evaluation of Station Blackout Accidents at Nuclear Power Plants, USNRC Report NUREG-1032, June 1988.

6. Revised LOOP Recovery and PWR Seal LOCA Models, ORNL/NRC/LTR-89/1 1, August 1989.
7. Three Mile Island Unit 1, Probabilistic Risk Assessment (Level 1), December 1992.
8. Marshall and Rasmuson, Common-Cause Failure Data Collection and Analysis System, INEL-94/0064, December 1995.

B.4-5 NUP.EGICR-4674, Vol. 26 B.4-5.

NUREG/CR-4674, Vol. 26

LER No. 289/97-007, -008, -010 AppendixB Fig. B.4.1 Three Mile Island switchyard.

NUREG/CR-4674, Vol. 26 B.4-6 Figure removed during SUNSI review.

ADDendix B LER Nos. 289/97-0007. -008. -010 ADDendix B LER Nos. 289/97-0007. -008. -010 I

I '~

III I'll iiI~

I1j~

Ii I

lb

-t Nsw~

We M:m ?g!RWNR0 A

LH U

L 0

rj I ýj az SQ Lu IX-(0 0

-A Fig. B.4.2 Dominant core damage sequence for LER Nos. 289/97-007, -008, -010.

B.4-7 B.4-7 NIREG/CR-4674, Vol. 26

LER No. 289/97-007. -008. -010 ADpendix B Table 9.4.1. Definitions and Probabilities for Selected Basic Events for LER Nos. 289/97-007, -008, - 010 Modified Event Base Current for this name Description probability probability Type event IE-LOOP Initiating Event-LOOP (Includes 8.6 E-006 5.0 E-O001 Yes the Probability of Recovering Offsite Power in the Short Term)

IE-SGTR Initiating Event-Steam Generator 1.6 E-006 0.0 E+000 Yes Tube Rupture IE-SLOCA Initiating Event-Small Loss-of-1.0 E-006 0.0 E-i000 Yes Coolant Accident (SLOCA)

IE-TRANS Initiating Event-Transient 1.3 E-004 0.0 E+000 Yes (TRANS)

EFW-TDP-FC-TDP EFW Turbine-Driven Pump Fails 3.2 E-002 3.2 E-002 No EFW-XHE-NOREC-EP Operator Fails to Recover EFW 3.4 E-00l1 3.4 E-001 No

________________during an SBO EPS-DON-CF-ALL Common-Cause Failure of ED~s 9.5 E-004 9.5 E-004 No EPS-DGN-FC-IA IA EDO Fails to Start and Run 4.2 E-002 4.2 E-002 No EPS-DGN-FC-1B IlB EDG Fails to Start and Run 4.2 E-002 4.2 E-002 No EPS-DGN-FC-AAC Alternate ac EDO Fails to Start 4.2 E-002 4.2 E-002 NEW No and Run EPS-XHE-NOREC Operator Fails to Recover 8.0 E-001 8.0 E-001 No Emergency PowerI EPS-XHE-XM-AAC Operator Fails to Start or Load 1.0 E-002 1.0 E-002 NEW No the Alternate ac EDO OEP-XHE-NOREC-2H Operator Fails to Recover Qffisite 2.2 E-00l1 1.4 E-O001 Yes Power within 2 h OEP-XHE-NOREC-6H Operator Fails to Recover Offsite 6.7 E-002 9.9 E-004 Yes Power within 6 h OEP-XHE-NOREC-BD Operator Fails to Recover Offsite 2.4 E-002 3.5 E-004 Yes Power before Battery Depletion OEP-XHE-NOREC-SB Operator Fails to Recover 2.3 E-00 1 2.3 E-O00l NEW No Electric Power before Core Damage (No Electric Power or EFW)

OEP-XHE-NOREC-SL Operator Fails to Recover Offisite 5.7 E-001 4.8 E-00 I Yes Power before RCP Seals Fail I

NUREG/CR-4674, Vol. 26 B.4-8

AbDendix B LER Nos. 289/97-0007, -008, -010 ADDendix B LER Nos. 289/97-0007, -008, -010 Table B.4.I Definitions and Probabilities for Selected Basic Events for LER Nos. 289/97-007, -008, -010 (Continued)

Modified Event Base Current for this name Description probability probability Type event PPR-SRV-CC-lA Safety Relief Valve IA Fails to 6.3 E-003 6.3 E-003 NEW No Open on Demand PPR-SRV-CC-IB Safety Relief Valve lB Fails to 6.3 E-003 6.3 E-003 NEW No Open on Demand PPR-SRV-CC-PORV PORV Fails to Open on Demand 6.3 E-003 1.0 E-i000 TRUE Yes PPR-SRV-CO-L PORV Fails to Open, but Safety 1.6 E-00O1 5.0 E-003 Yes Valves Challenged during a LOOP PPR-SRV-00-SBO PORV Fails to Open, but Safety 3.7 E-O00I 5.4 E-003 Yes Valves Challenged during an SBO RCS-MDP-LK-SEALS RCP Seals Fail without Cooling 4.6 E-002 4.0 E-002 Yes and Injection I______

B.4-9 NUREG/CR-4674, Vol. 26 B.4-9 NUREG/CR-4674, Vol. 26

LER No. 289/97-007,008. -010 Anvendix B LER No. 289/97-007. -008. -010 Aopendix B Table B.4.2. Sequence Conditional Probabilities for LER Nos. 289/97-007, -008, -010 Conditional Event tree Sequence core damage Percent name number probability contribution

~(CCDP)_______

LOOP 26 8.2 E-006 85.0 LOOP 41

1. 1 E-006 10.8 LOOP 19 1.5 E-007 15 Total (all sequences) 9.6 E-006 Table B.4.3. Sequence Logic for Dominant Sequences for LER Nos. 289/97-007, -008, -010 Event tree name Sequence Logic number LOOP 26 IRT-L, EP, /EFW-L, IPORV-SBO,

_____________________SEALLOCA, OP-SL LOOP 41

/RT-L, EP, EFW-EP, OP-SBO LOOP 19 IRT-L, EP, IEFW-L, JPORV-SBO,

_____________________/SEALLOCA, OP-BD NI.JREG/CR-4674, Vol. 26 B.4-10 NUREG/CR-4674, Vol. 26 B.4-10

Annendix B LER Nos. 289/97-0007.-008. -010 ADDendix B LER Nos. 289/97-0007. -008. -010 Table B.4.4 System Names for LER Nos. 289/97-007, -008, -010 System name Logic EFW-EP No or Insufficient EFW Flow during an SBO EFW-L No or Insufficient EFW Flow during a LOOP EP Failure of Both Trains of Emergency Power OP-BD Operator Fails to Recover Off-Site Power before Battery Depletion OP-SBO Operator Fails to Restore ac Power before Core Damage Occurs Following an SBO and Loss of EFW OP-SL Operator Fails to Restore ac Power before a RCP Seal LOCA Occurs PORV-SBO PORV/Safety Relief Valves Challenged during an SBO RT-L Reactor Fails to Trip during a LOOP

,SEALLOCA RCP Seals Fail during a LOOP B.4-11 B.4-1 1NUREGICR-4674, Vol. 26

LER No. 289/97-007.-008. -010 ADDendix B LER No. 289/97-007. -008. -010 Appendix B Table B.4.5. Conditional Cut Sets for Higher Probability Sequences for LER Nos. 289/97-007, -008, -010 Cut set J Percent number jcontribution CCDP Cut sets LOOP Sequence 26 8.2 E-006 1

91.2 7.5 E-006 EPS-DGN-CF-ALL, EPS-XHE-NOREC, RCS-MDP-LK-SEALS, OEP-XHE-NOREC-SL 2

7.1 5.8 E-007 EPS-DGN-FC-IA, EPS-DGN-FC..1B. EPS-DGN-FC-AAC, 3

1.7 1.4 E-007 EPS-DGN-FC-IA. EPS-DGN-FC-lB, EPS-XHE-XM-AAC, LOOP Sequence 41

1. 1 E-006 1

91.1 9.6 E-007 EPS-DGN-CF-ALL, EPS-XHE-NOREC, EFW..TDP-FC-TDP.

_________EFW-XHiE-NQREC-EP, OEP-XHiE-NOREC-SB 2

7.1 7.5 E-008 EPS-DGN-FO-IA, EPS-DGN-FC-lB, EPS-DGN-FC-AAC, EPS-XHE-NOREC, EFW-TDP-FC-TDP, EFW-XHE-NOREC-EP, OEP-XHE-NOREC-SB 3

1.7 1.8 E-008 EPS-DGN-FC-IA, EPS-DGN-FC-IB, EPS-XHiE-XM-AAC, EPS-XHE-NOREC, EFW-TDP-FC-TDP, EFW-XGiIE-NOREC-EP.

OEP-XHE-NOREC-SB LOOP Sequence 19 1.5 E-007 M

1 91.2 1.3 E-007 EPS-DGN-CF-ALL, EPS-XHE-NOREC, OEP-XKE-NOREC-BD 2

7110E08 EPS-DGN-FC-lA, EPS-DGN-FC-IB, EPS-DGN-FC-AAC, 7.1

1. E-008 EPS-XHE-NQREC, OEP-XHE-NQREC-BD 3

1.7 2.5 E-009 EPS-DGN-FC-IA, EPS-DGN-FC-IB, EPS-XH-E-XM-AAC, E-PS-XI-W-NRFCr OFP-YHPF-NORFCr.Rf Total (all sequences) 9.6 E-006 "The conditional probability for each cut set is determined by multiplying the probability of the initiating event by the probabilities of the, basic events in that minimal cut set. The probabilities for the initiating events and the basic events are given in Table B.4. 1.

NUREG/CR-4674, Vol. 26 B.4-12 NUREG/CR-4674, Vol. 26 B.4-12

Retrieved from "https://kanterella.com/w/index.php?title=ML20140A215&oldid=4194793"