ML20140A217

Final ASP Analysis - Turkey Point 3 and 4 (LER 250-92-S01)
Person / Time
Site: Turkey Point, NextEra Energy
Issue date: 05/19/2020
From:
NRC/RES/DRA/PRB
To:
Littlejohn J (301) 415-0428
References
LER 1992-S01-00


Text

B.6 Identifier Number: 250/92-S01 and 251/92-S01

Event Description: Loss of Offsite Power Due to Hurricane Andrew
Date of Event: August 24, 1992
Plant: Turkey Point Units 3 and 4

B.6.1 Summary

On August 24, 1992, Hurricane Andrew, a Category 4 hurricane, struck the Turkey Point Electrical Generating Station with sustained winds of 145 mph. The storm caused a loss of offsite power (LOOP) which required the use of the emergency diesel generators (EDGs) for 6.5 d. Prior to the arrival of the storm, both units were shut down. The class I structures of the plant sustained essentially no damage. Damage to other equipment, including the offsite power supplies, offsite communications, on-site electrical distribution systems, fire protection system, and miscellaneous plant structures, complicated the recovery from the event. The conditional core damage probability associated with this event is $1.6 \times 10^{-4}$ per unit.

This event was of long duration and occurred while both units were shut down. The analysis of core damage risk from shutdown-related events has only recently begun in the nuclear industry. Issues that are important in estimating risk during shutdown, primarily human error and equipment repair over the long term, are not well understood. Because of this, core damage probability estimates developed for shutdown-related events, including this event, are not directly comparable to estimates developed for at-power events. Therefore, the relative significance of this event has not been compared to other postulated events using a relative significance graph.

B.6.2 Event Description

On Friday, August 21, 1993, site personnel began preparing for the potential arrival of Hurricane Andrew at Turkey Point. Preparations were guided by an Emergency Plan Implementing Procedure (EPIP). Most of the preparations consisted of removing equipment from outside areas, securing equipment, and preparing for the storm surge. On Saturday, August 22, the operators completed simulator scenarios likely to occur during the hurricane. These included loss of instrument air, loss of residual heat removal (RHR), and loss of all ac power.

On Sunday, August 23, the National Hurricane Center issued a hurricane warning for the Turkey Point area. The utility declared an Unusual Event and began preparations for a Category 5 hurricane. At 1800 hours on August 23, a shutdown of Unit 3 began. The Unit 4 shutdown was started 2 h later at 2000 hours. The objective of the shutdowns was to place the units in Mode 4 (on RHR) prior to the onset of hurricane winds. The units were placed in the shutdown (Mode 4) rather than cold shutdown (Mode 5) to retain the availability of the turbine-driven auxiliary feedwater (AFW) pumps as an immediate backup for RHR cooling.

Operators were prepositioned in the EDG control centers for Units 3 and 4. Each of these is located in a class I structure and is not accessible from other class I structures without going outside. As a result, personnel may not have been able to respond to abnormal EDG conditions during the storm unless they were prepositioned. By midnight, preparations were complete and all on-site personnel were located in class I structures.

The leading edge of the storm hit the Turkey Point site at about 0200 hours on Monday, August 24. Winds steadily increased from about 20 mph to 145 mph. At 0440 hours, offsite power was lost to Unit 3. At 0522 hours, offsite power was lost to Unit 4. The EDGs automatically started and loaded for both units. Throughout the event, the plant remained in a stable condition. The plant vital areas were secure and were never jeopardized by the storm.

During the time period that offsite power was lost, the EDGs ran continuously to supply plant safety-related loads. An EDG tripped on two instances during this period. The "A" EDG for Unit 4 tripped during troubleshooting efforts to isolate a ground on the dc control power supply. The procedure was intended to be used when the bus was supplied by offsite power. The EDG was restarted after a few minutes and the procedure was revised. The "A" EDG for Unit 3 tripped 3.5 d after the storm. Troubleshooting to locate the cause of the trip was unsuccessful. The EDG was restarted 2.5 h later. No further problems were encountered.

By 0700 hours, the storm had passed and assessment of the damage began. During the storm offsite power had been lost. Restoration of offsite power took 4.5 d. The startup transformers for Units 3 and 4 were energized 6.5 d after the storm and the EDGs were shut down. A second offsite line became available about one day later.

Two fossil plants, Units 1 and 2, are located adjacent to the two nuclear units (Units 3 and 4). Each fossil unit has a 400 foot reinforced concrete chimney. The chimneys were designed to withstand 150-mph winds. During the storm, the Unit 1 stack sustained significant, visible damage. The Unit 2 stack, the closest to the nuclear units, suffered minor cracking but without any significant structural damage. The Unit 1 stack was subsequently demolished.

B.6.3 Additional Event-Related Information

The impact of Hurricane Andrew at Turkey Point is described in detail in a report jointly sponsored by the Institute of Nuclear Power Operations (INPO) and the Nuclear Regulatory Commission (NRC): NUREG-1474, Effect of Hurricane Andrew on the Turkey Point Nuclear Generating Station from August 20-30, 1992, March 1993.

B.6.4 Modeling Assumptions

The analysis addresses the potential to proceed to core damage for the conditions observed during the actual event: the hurricane-induced loss of offsite power (LOOP) occurred with both units shut down, depressurized below 350 psig, and on RHR cooling. Reactor coolant system (RCS) temperature was maintained between 200 and 350°F to facilitate prompt initiation of the turbine-driven AFW pumps for core cooling if RHR failed. All four EDGs auto-started and loaded following the LOOP. Any one of the four diesel generators and any one of the three AFW pumps was assumed capable of providing ac power and secondary-side makeup to both units. The event was initially modeled by NRC staff personnel. That analysis, which used somewhat different assumptions, is included as Attachment 1. Some of the conclusions from that assessment were utilized in this analysis.

An event tree model of the potential sequences to core damage during the 157 h that offsite power was unavailable is shown in Fig. B.5. Three core damage sequences are addressed:

- failure of RHR and AFW with emergency power available (both decay heat removal mechanisms unavailable);

- failure of emergency power (which fails RHR) with successful AFW and failure to recover ac power prior to core uncovery (AFW is assumed to fail following battery depletion and consequent loss of dc power if ac power is not recovered); and

- failure of emergency power (which fails RHR), failure of AFW, and failure to recover ac power.

[Event tree figure. Branch headings: LOOP, Emergency ac power, RHR, AFW, Ac power recov. Core damage (CD) end states:]

Seq. No.   End State   Seq. Prob.
1          CD          4.0E-06
2          CD          1.6E-04
3          CD          4.2E-07
TOTAL                  1.6E-04

Fig. B.5. Event tree model for loss of offsite power at Turkey Point.

Development of conditional probabilities for the three sequences is described in the following paragraphs. Analysis assumptions which may result in over- or under-estimation of the conditional probability for the event are then discussed.

Sequence 1. Failure of RHR and AFW. RHR operated correctly during the event. However, because of the debris in the intake water at Turkey Point, the service water strainers required hourly cleaning. Errors during this process could have resulted in a loss of service water and a subsequent loss of RHR. If RHR was lost, the turbine-driven AFW pumps could have been used for core cooling. Failure of both RHR and AFW was estimated in the attached analysis to be approximately 4.0 x 10- over the 157-h period, assuming nominal RHR and AFW performance. Increasing the RHR system failure probability by an order of magnitude to account for the degraded service water system performance (caused by the excessive amount of debris in the intake water) results in a conditional probability estimate for the sequence of approximately $4.0 \times 10^{-6}$. This probability is low compared with the probability estimated for the second sequence. Therefore, although further mitigation strategies are potentially available to allow further time for RHR or AFW recovery (e.g., high-pressure injection (HPI) for feed and bleed), this sequence was not developed further.

Sequence 2. Failure of emergency AC power, AFW success, and failure to recover power before battery depletion and core uncovery. The analysis addressed the potential for emergency power failure caused by all four EDGs failing to start and all four EDGs failing to run. (The analysis described in Attachment A also considered the potential for emergency power failure caused by the postulated collapse of the Unit 2 (fossil plant) stack plus independent failures of the two remaining EDGs. Failure of emergency power due to this cause did not significantly contribute to the overall failure probability estimated in Attachment A and was not addressed herein.) If emergency power were to fail, it must be recovered before battery depletion, steam generator (SG) dryout, and RCS boil-off, to prevent core damage.

Time to core uncovery. Battery depletion was assumed to occur at 2 h, based on the data included in the Turkey Point FSAR. If the EDGs failed during the first day following the LOOP, secondary-side dryout and RCS boil-off to the point of core uncovery was estimated to occur ~10.5 h after battery depletion. The time to core uncovery was increased in proportion to the reduction in decay heat on subsequent days (loss of RCS inventory through the RCP seals and other leakage was assumed not to significantly affect these estimates).

EDG failure probability. The probability of an EDG failing to start (0.03) and failing to run (0.003/h) was estimated based on data included in NUREG/CR-4550, Vol. 1, Rev. 1, Analysis of Core Damage Frequency: Internal Events Methodology, 1990. The value for failure to run is consistent with two EDG unavailabilities observed during the 6-d event.

The probability of all four EDGs failing to start was assumed to be dominated by common-cause effects. Utilizing the Multiple Greek Letter (MGL) parameters included in NUREG/CR-5801, Procedure for Analysis of Common Cause Failures in Probabilistic Safety Analysis, 1993 ($\beta = 0.03$, $\gamma = 0.27$, and $\delta = 0.4$) results in an overall failure-to-start probability of $9.7 \times 10^{-5}$, without consideration of repair.

The probability of the four EDGs failing to run for the required period (157 h - time to core uncovery) was estimated by first calculating the probability that three of the four EDGs were failed and multiplying this value by the probability that the fourth EDG would fail and by the probability that none of the EDGs would be repaired before core uncovery.

Assuming EDG failure and repair are exponentially distributed, the unavailability of a single EDG at time t is

$$F(t) = \frac{\lambda \times \mathrm{MTTR}}{1 + \lambda \times \mathrm{MTTR}} \left[ 1 - \exp\left( -\left( \lambda + \mathrm{MTTR}^{-1} \right) \times t \right) \right]$$

(see Martz and Waller, Bayesian Reliability Analysis, p. 154). In this equation, $\lambda$ is the EDG failure rate and MTTR is the mean time to repair. The unavailability of the four combinations of three EDGs is therefore $4 \times [F(t)]^3$. The probability of the fourth EDG failing is $\lambda \times$ (157 h - time to core uncovery). The probability of not repairing any of the EDGs prior to core uncovery was estimated to be $[p(\text{single EDG not repaired before core uncovery})]^2$ (footnote 1).

Footnote 1: p(no EDG recovered before core uncovery) was estimated in Attachment A as $[p(\text{single EDG not repaired before core uncovery})]^4$. This value is too small, because repair of the first three failed EDGs is addressed to a certain extent in $[F(t)]^3$. p(single EDG not repaired...)' underestimates this value -

EDG Repair Probability. The spare parts and central receiving warehouses were severely damaged by the hurricane. Many of the spare parts that were in these warehouses were scattered and waterlogged. Some EDG spare parts were available -- the licensee noted in the telephone conversation with NRC and ORNL on November 30, 1993 that spare fuel filters were used during the 6-d period and that other spare parts had been identified after the storm. In an attempt to address the impact of the damaged warehouses, this analysis assumed that only one-half of repairs requiring spare parts could be accomplished with on-site spares and that the remainder of repairs required either the cannibalization of another failed unit or one of the non-safety-related black-start diesels (the bus used to provide power from these diesels to the safety-related buses was damaged during the hurricane) or the use of parts obtained from another site.

The nominal probability of EDG non-repair as a function of time, shown in Table 1, was developed from data included in NUREG/CR-2989, Reliability of Emergency AC Power Systems at Nuclear Power Plants, 1983, plus supplemental data provided by a report author. This data was modified as follows to reflect the reduced availability of spare parts on-site:

a. EDG failures that could be recovered in 2 h or less were assumed not to require spare parts. Such repairs could be accomplished within their nominal repair times following the LOOP.

b. Repairs that required more than 2 h were assumed to require spare parts. Spare parts for half the potential repairs were assumed to be unavailable on-site. If these were obtained by cannibalizing another faulted EDG, repair times were increased by 50 percent (to disassemble the other EDG and obtain the part). If the spare parts were instead obtained from another site, the repair times were increased by 24 h. Repair personnel were assumed capable of choosing the most expeditious repair method -- the minimum of the two modified repair times was utilized. Note that a spare, truck-mounted EDG was brought on site after the second day. The estimated time to power a safety-related bus from this EDG is 24 h, the same as the time estimated to obtain spare parts from another site. Because of this, the spare EDG was not specifically addressed in the analysis.

Revised EDG repair probabilities as a function of time, based on these assumptions, are provided in Table 2 and are shown graphically for the first 30 h in Fig. 1.

c. During the first day following the LOOP, communications were non-existent to poor. Only repairs that did not require the shipment of spare parts from offsite were assumed possible in this period. The failure of four EDGs to start was assumed to be dominated by common-cause failures. Repairs that required cannibalized parts were not possible in this case, since similar parts were assumed failed on all four EDGs.

To address the variability in the time to core uncovery and EDG failure to run as a function of time since the start of the event, the conditional probability for sequence 2 was estimated for single-day increments throughout the 6-d period that offsite power was unavailable. The time to core uncovery, probability of not repairing an EDG before core uncovery, and MTTR were estimated as described earlier in this section. These estimates are given in Table B.2.

Footnote 1 (continued): repair of the three EDGs is assumed to continue after the fourth EDG fails (multiple EDG repair was assumed possible). p(no EDG repaired before core uncovery) was approximated by $[p(\text{single EDG not repaired...})]^2$ in the analysis. This value recognizes some potential for repair of the first three EDGs, but is not overly optimistic.

Table B.2. Estimates of parameters by 24 hour periods.

day (24 h increment)   time to core uncovery*   p(single EDG not repaired)   MTTR
1                      12.5 h                   0.39 (0.86**)                48.4 h
2                      14.7                     0.32                         42.2
3                      17.9                     0.27                         42.2
4                      20.2                     0.26                         42.2
5                      22.7                     0.24                         42.2
6                      24.7                     0.22                         42.2

* includes 2 h battery depletion time
** EDG common-cause failure to start

The probability of AFW success is about 1. This value was combined with the probability of AC power failure and the probability of not recovering AC power prior to core uncovery to estimate the conditional probability for sequence 2: p(AC power fails) x p(AFW success) x [p(EDGs fail to start) x p(failure to recover from failure to start prior to core uncovery) + p(EDGs fail to run for 157 h - core uncovery time) x p(failure to recover from failure to run prior to core uncovery)]. This calculation is shown in Table B.3.
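The Sequence 2 arithmetic described above can be reproduced from the page's own formulas and the Table B.2 parameters. The following Python example is added here and is not part of the NRC analysis; evaluating F(t) at the midpoint of each day's exposure window, and ending that window at 157 h minus the time to core uncovery, are assumptions made for this example because they reproduce the tabulated values to within rounding.

```python
import math

# Values quoted in the analysis text
LAMBDA_RUN = 0.003                      # EDG failure-to-run rate, per hour
P_FAIL_TO_START = 0.03                  # single-EDG failure-to-start probability
BETA, GAMMA, DELTA = 0.03, 0.27, 0.4    # MGL common-cause parameters
LOOP_HOURS = 157.0                      # duration offsite power was unavailable
P_AFW_SUCCESS = 1.0                     # "about 1" in the text
P_NOT_REPAIRED_AFTER_CCF_START = 0.86   # Table B.2, parenthesised day-1 value

# Table B.2: day -> (time to core uncovery [h], p(single EDG not repaired), MTTR [h])
TABLE_B2 = {
    1: (12.5, 0.39, 48.4),
    2: (14.7, 0.32, 42.2),
    3: (17.9, 0.27, 42.2),
    4: (20.2, 0.26, 42.2),
    5: (22.7, 0.24, 42.2),
    6: (24.7, 0.22, 42.2),
}


def edg_unavailability(t_hours, failure_rate, mttr):
    """F(t): unavailability of one repairable EDG, exponential failure and repair."""
    x = failure_rate * mttr
    return x / (1.0 + x) * (1.0 - math.exp(-(failure_rate + 1.0 / mttr) * t_hours))


def p_four_fail_to_start():
    """Common-cause failure of all four EDGs to start (MGL model, no repair)."""
    return P_FAIL_TO_START * BETA * GAMMA * DELTA


def exposure_window(day, time_to_uncovery):
    """Hours of this day in which losing the last EDG can still uncover the core
    before offsite power returns at LOOP_HOURS (assumption of this example)."""
    start = 24.0 * (day - 1)
    end = min(24.0 * day, LOOP_HOURS - time_to_uncovery)
    return start, max(start, end)


def p_four_fail_to_run(day):
    """4 x F(t)^3 x lambda x (window length), F evaluated at the window midpoint."""
    time_to_uncovery, _, mttr = TABLE_B2[day]
    start, end = exposure_window(day, time_to_uncovery)
    midpoint = 0.5 * (start + end)      # assumption: representative time for F(t)
    three_already_down = 4.0 * edg_unavailability(midpoint, LAMBDA_RUN, mttr) ** 3
    fourth_fails = LAMBDA_RUN * (end - start)
    return three_already_down * fourth_fails


def p_not_recovered(day):
    """[p(single EDG not repaired before core uncovery)]^2, as used in the analysis."""
    return TABLE_B2[day][1] ** 2


def sequence2_rows():
    """Rows of (label, p(AC power fails), p(AC power not recovered), p(cd))."""
    p_start = p_four_fail_to_start()
    rows = [("start", p_start, P_NOT_REPAIRED_AFTER_CCF_START,
             p_start * P_AFW_SUCCESS * P_NOT_REPAIRED_AFTER_CCF_START)]
    for day in sorted(TABLE_B2):
        p_ac = p_four_fail_to_run(day)
        p_nr = p_not_recovered(day)
        rows.append((str(day), p_ac, p_nr, p_ac * P_AFW_SUCCESS * p_nr))
    return rows


def sequence2_total():
    return sum(row[3] for row in sequence2_rows())


if __name__ == "__main__":
    for label, p_ac, p_nr, p_cd in sequence2_rows():
        print(f"{label:>5}  {p_ac:.1e}  {p_nr:.3f}  {p_cd:.1e}")
    print(f"TOTAL  {sequence2_total():.1e}")
```

Because the example squares the unrounded Table B.2 values, individual p(cd) entries can differ from the tabulated ones in the second significant figure; the total still rounds to the reported value.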

Table B.3. Conditional core damage probability values for sequence 2

day (24 h increment)   p(AC power fails)   p(AFW success)   p(AC power not recovered)   p(cd)
start                  9.7 x 10^-5         ~1               0.86                        8.4 x 10^-5
1                      8.9 x 10^-6         ~1               0.15                        1.3 x 10^-6
2                      9.6 x 10^-5         ~1               0.10                        9.6 x 10^-6
3                      2.1 x 10^-4         ~1               0.073                       1.5 x 10^-5
4                      2.9 x 10^-4         ~1               0.068                       2.0 x 10^-5
5                      3.4 x 10^-4         ~1               0.058                       2.0 x 10^-5
6*                     1.9 x 10^-4         ~1               0.048                       9.1 x 10^-6
TOTAL:                                                                                  1.6 x 10^-4

* 12.3 h

Sequence 3. Failure of emergency power and AFW, and failure to recover ac power before core uncovery. In this sequence, ac power must be recovered before SG dryout and RCS boil-off, about 2 h. The probability of this sequence can be estimated using the probability values described above, with an EDG non-repair probability at 2 h (0.84, from Fig. B.5). The probability of a non-recoverable failure-to-start or failure-to-run for the four EDGs in this case is $1.0 \times 10^{-3}$. Multiplying this value by the AFW failure probability estimated for Turkey Point in the ASP program ($4.1 \times 10^{-4}$; footnote 1) results in a sequence conditional probability of $4.2 \times 10^{-7}$, not a significant contributor to the conditional probability estimated for the event.

Potential Sources of Over- and Under-estimation

A number of simplifying assumptions were made to facilitate the analysis. A precise estimate of the conditional probability associated with the event cannot be developed without the use of numeric methods, which are beyond the scope of ASP-type analyses. The assumptions and approach used in the analysis include the potential for over- and under-estimation. In many cases, the potential impact of these assumptions cannot be rigorously estimated. Principal contributors are discussed below.

Footnote 1: The approach to system modeling used in the ASP program is described in Appendix A. For Turkey Point, the AFW system failure probability is assumed to be dominated by the common cause failure of the three turbine-driven AFW pumps and the failure to recover one pump in the short term: p(failure of the first pump) x p(common cause failure of second pump | first pump failed) x p(common cause failure of third pump | first two pumps failed) x p(failure to recover one pump) = 0.05 x 0.1 x 0.3 x 0.27.

EDG failure-to-start common cause probability. The analysis assumed that the four EDGs were subject to the same common-cause failure mechanisms. In actuality, two of the four EDGs were installed at a later date and are of a somewhat different design. These factors may reduce the significance of common cause failures during EDG start, and subsequently lower the combined failure-to-start probability for the four EDGs.

EDG failure-to-run probability. Most of the data associated with EDG failures to run was developed from short run durations (1 h to 24 h). EDGs are rarely run for greater than 24 h. Applying such data to the 157-h LOOP duration observed during the event may be conservative or non-conservative. However, the 0.003 failure rate used in the analysis is consistent with the two EDG trips observed during the 157-h period.

EDG failure-to-run common cause probability. The analysis did not address the potential for EDG common cause failures-to-run; all potential failures were assumed to be independent. Little data is available concerning EDG common-cause run time failures. Consideration of potential common cause failures would increase the conditional probability for the event.

The likelihood of EDG repair. The probability of failing to repair a faulted EDG was based on data included in NUREG/CR-2989. This data was modified to address the warehouse damage that occurred during the hurricane. The failure-to-repair distribution is quite skewed; the median repair time is approximately 9 h, while the MTTR is approximately 42 h. Thus, the probability of failing to repair an EDG is dominated by failures that would require long repair times. Prior to the arrival of Hurricane Andrew, personnel were stationed in both units' EDG control centers. This was to facilitate EDG recovery in the event of a failure. The control centers would not be accessible from other plant structures during the height of the storm. While this would increase the likelihood of short-term repair for failures that could be addressed without spare parts, access to the parts warehouse would be required for long-term repairs. Unfortunately, the hurricane severely damaged the Turkey Point parts warehouse. The damage to the parts warehouse reduced the likelihood of long-term repair.

The combined effect of these contributors to over- or under-estimating the core damage probability calculated for the event cannot be easily determined. For some contributors, such as common cause failure data, available information may not represent the actual plant design or the long run times required during the event. The effect of other contributors, such as the approach used to estimate the probability of multiple nonrecoverable EDG failures, could be better understood through more detailed modeling. However, the additional detail provided by such modeling is not expected to substantially impact the conditional probability estimated for the event.

B.6.5 Analysis Results

Combining the conditional probabilities for the three sequences described in Sect. B.6.4 results in an overall conditional probability estimate for the event of approximately $1.6 \times 10^{-4}$. This value is applicable to both units at Turkey Point (sequences 2 and 3 result in core damage at both units). The dominant core damage sequence is sequence 2 on Fig. B.5, and involves a postulated failure of emergency power following the LOOP, successful AFW, and failure to recover emergency power prior to battery depletion and core uncovery.

Table B.4. Nominal probability of EDG non-repair

Time (h)   p(EDG repaired)   Time (h)   p(EDG repaired)
0.50       0.89              14.50      0.26
1.50       0.86              19.50      0.20
2.50       0.77              27.00      0.17
3.50       0.69              35.00      0.14
4.50       0.63              45.00      0.11
5.50       0.59              55.00      0.10
6.50       0.48              65.00      0.09
7.50       0.40              75.00      0.07
8.50       0.38              85.00      0.07
9.50       0.36              95.00      0.06
10.50      0.34              125.00     0.05
11.50      0.30              175.00     0.03
12.50      0.28              250.00     0.02
13.50      0.26              950.00     0.00

MTTR = 37.6

Table B.5. Probability of EDG non-repair utilized in the analysis

Time (h)   p(EDG repaired)   Time (h)   p(EDG repaired)
0.50       0.89              20.25      0.24
1.50       0.86              21.75      0.23
2.50       0.82              27.00      0.22
3.50       0.77              29.25      0.19
3.75       0.73              35.0       0.18
4.50       0.71              40.50      0.16
5.25       0.66              15.00      0.15
5.50       0.64              52.50      0.13
6.50       0.62              55.00      0.13
6.75       0.59              65.00      0.12
7.50       0.56              67.50      0.11
8.25       0.53              75.00      0.10
8.50       0.49              74.00      0.09
9.50       0.49              85.00      0.09
9.75       0.47              89.00      0.08
10.50      0.45              95.00      0.08
11.25      0.42              99.00      0.07
11.50      0.41              109.00     0.07
12.50      0.39              119.00     0.06
12.75      0.35              125.00     0.06
13.50      0.34              149.00     0.05
14.25      0.33              175.00     0.04
14.50      0.32              199.00     0.03
15.75      0.31              250.00     0.03
17.25      0.30              274.00     0.02
18.75      0.28              950.00     0.01
19.50      0.25              974.00     0.00

MTTR = 42.2

[Plot; horizontal axis: time (h), 0 to 30 h]

Fig. B.6. Probability of not repairing an EDG by time t (day 2-6)

Attachment 1 to 250/92-S01 and 251/92-S01

"Evaluation of the Risk Significance of the Impact of Hurricane Andrew on the Turkey Point Nuclear Power Plant"

By: S. Long, SPSB

INTRODUCTION

As Hurricane Andrew approached the Turkey Point Nuclear Power Plant in the early morning hours of August 24th, both units were shut down, cooled and depressurized below 350 psig, and placed on RHR cooling. Cooldown was intentionally stopped above 200°F and bubbles were maintained in the pressurizers to facilitate prompt initiation of (turbine-driven) auxiliary feedwater.

Storm damage to the switchyard and grid caused complete loss of offsite power, resulting in the automatic start and loading of all four emergency diesel generators. The five "black start" diesels located on site were covered with oil (from a damaged tank) and the "C" non-safety buses that could link these diesels to the safety buses were also damaged. Offsite power was not recovered for about 6 days.

Additional storm related damage of significance included:

- extensive cracking of the unit 1 stack, and minor cracking of the unit 2 stack (both are oil-fired units),

- extensive debris in the intake water, which necessitated cleaning the service water strainers every hour to prevent clogging,

- severe damage to the warehouses, which could have hampered recovery efforts if the emergency diesels required repair,

- loss of the station fire system, including damage to both raw water tanks and the fire header downstream of the fire pumps.

The systems remaining operable for protection against core damage were:

- the four operating diesels, any one of which could power both units,

- two trains of RHR for each unit,

- the three operable turbine-driven AFW pumps, any one of which could provide secondary cooling to either unit so long as DC power remained available,

- DC batteries, which are credited with capability for coping with 4 hours of station blackout and were being charged by the diesels.

Two sequences of additional equipment failures were considered for assessing the conditional core damage probability (CCDP) for this event:

1. Failures of all four emergency diesels creating a station blackout period exceeding at least six hours (to deplete the batteries, dry out the steam generators and boil down the RCS inventory sufficiently to expose the core), or
2. Failures of both RHR trains in one unit followed by failure of all three auxiliary feedwater trains.

CCDP CONTRIBUTION FROM DIESEL FAILURES

It was assumed for this analysis that the five non-safety "black start" diesels would not have been available if needed during this event.

Factors that are relevant, if not quantifiable, with respect to the probability of success for the onsite emergency power system include:

1. The diesels are cooled by radiators, and are thus not dependent on the service water system.
2. The fuel systems for the diesels are independent with the exception of the use of the same storage tank by EDGs 3A and 3B. (Fuel transfer systems, day tanks, etc. are provided separately for each diesel.)
3. EDGs 4A and 4B are physically located in a category I structure separate from the structure for EDGs 3A and 3B.
4. The severely damaged unit 1 (fossil-plant) stack is located where it could not have fallen on safety related equipment. However, the less severely damaged unit 2 stack could fall on either, but not both, of the EDG buildings.

Three cases of EDG failure are considered below:

a. failure of all 4 EDGs to start,
b. concurrent failures of all EDGs while they are running,
c. collapse of the unit 2 smoke stack causing failure of 2 EDGs in combination with independent failure of the other 2 EDGs.

Diesel failure to start: Due to the potential for common cause failures, probabilistic risk assessment methods give reduced benefit to total system reliability for the addition of each similar train to a system. For early failures of the diesels at Turkey Point, the probabilities of failure to start, load or run for the first hour were taken from NUREG/CR-4550, Vol. 1, Rev. 1:

1st DG failure = 0.03
failure of other 3 DGs given 1 failure = 0.013

Failure to recover any one of the diesels was assumed = 0.6, giving a system failure-to-start estimate of about 2.3E-4.

Diesel failure to run: Because the diesels were required to run for long periods, it is also necessary to consider the probabilities of failures while running. Units 3 and 4 were on emergency diesel power for 154 hours and 157 hours, respectively. Generic data for failures while running ranges from 0.002/hour (NUREG-1150) to 0.003/hour (IREP). This results in failure probabilities of about 0.27 to 0.37 for each diesel during the extended run.

The probability of multiple EDG failures is:

failures in 155 hours   failure rate 0.002/hour   failure rate 0.003/hour
0                       0.29                      0.16
1                       0.42                      0.37
2                       0.23                      0.33
3                       0.06                      0.13
4                       0.005                     0.02

The probability that no diesel would fail during this run is only about 0.29 to 0.16. It is more probable that there would be one DG failure, and almost as likely that two diesels would experience failures. In fact, EDG 3A was lost for 2 hours, 38 minutes due to a lockout on Thursday, August 27. Thus, the experience in this case is not inconsistent with the generic data.

The probability that all four EDGs would experience failures during this run duration is about 1E-2. However, as illustrated by the experience with EDG 3A, there is also a probability for recovery from each failure within a short period of time. Generic data for the mean time for recovery from failures is about 34 hours. (This is a very skewed probability distribution; the median time to recovery is only 8 hours.) In order to account properly for the CCDP due to DG failures while running, it is necessary to perform a time-dependent analysis that determines the probability that all four diesels would become inoperable at the same time for a period long enough to deplete the batteries (failing AFW), dry out the steam generators, and deplete the RCS inventory sufficiently to expose the core. The station batteries are rated at four hour capacity for coping with station blackout (SBO), and the time necessary to expose the core after AFW failure is estimated to be at least two hours at the beginning of the event. As the decay heat diminished over the duration of the LOSP condition, the time available for EDG repair significantly increased.

However, it is difficult to capture these time-dependent complexities in the analysis, so several simplifying assumptions were made in order to produce an estimate of this portion of the CCDP.

The contribution to the CCDP from diesel failures while running was estimated with the formula

4 x (failure rate) x (run time - 6 hours) x (failure rate x mean time to repair)^3 x (nonrepair probability @ 6 hours)^4

This is the probability of the fourth diesel failing times the steady-state probability of three diesels being in the failed state times the probability that none of the four diesels will be recovered in 6 hours after this condition occurs. (Note that this analysis assumes no time-correlated common cause failures of the EDGs while they are running and that their repair probability is unaffected by the number of EDGs that are failed simultaneously.)

Because the reliability of diesels and their repair probabilities are poorly documented for periods exceeding 24 hours, calculations were performed to explore the sensitivity of this formula to its various parameters. For a failure rate of 0.003 per hour, a mean recovery time of 34 hours and a probability of nonrecovery within 6 hours of 0.6, the contribution to the CCDP is 2.5E-4. If the failure rate is assumed to be 0.002 per hour, the contribution would be 4.9E-5. If it is assumed that only one diesel can be repaired at a time, these numbers would increase by a factor of 1/(nonrepair probability @ 6 hours)^3 ≈ 4.6. If the coping time was increased to allow repair within 20 hours, the probability of not recovering each diesel would decrease to 0.25, resulting in a decreased CCDP contribution by a factor of 33 (independent repair) to 2.4 (repair only one at a time). On the basis of these calculations, it was assumed that the contribution to CCDP from failures while running is about equal to the contribution from failures to start and load.

CONTRIBUTION OF POTENTIAL FOSSIL UNIT STACK COLLAPSE TO THE CCDP

The contribution of the potential unit 2 stack collapse to the CCDP is difficult to assess. If it fell on one of the structures housing two of the EDGs and caused both to fail, it would increase the failure to start probability to about 9E-4 and the failure while running probability to about 3E-2. Thus, in order to double the CCDP estimate presented above, the probability of the stack falling, hitting an EDG structure, and causing both EDGs to fail would have to be at least 1.7E-2.

Licensee and staff analyses indicate that failure of the unit 2 stack was not imminent. However, failure of the upper portion of the unit 1 stack may have been imminent. Discussion with Goutam Bagchi (ESGB) indicated that, having sustained the observed hurricane wind damage, credible values for the failure probability for the unit 1 stack were in the range of 0.5 to 0.9. Also, because nominal design and construction of these two stacks is presumably identical, this experience suggests a probability of about 0.5 that this hurricane could have damaged the unit 2 stack to the degree experienced by unit 1. Thus, the probability of the unit 2 stack falling may have been as high as (0.5-to-0.9 x 0.5), or 0.25 to 0.45.

It is unlikely that even the category I building housing EDGs 4A and 4B could withstand the impact of the stack. This makes the probable direction of fall very important. A telephone discussion with Mike Janus (one of the Resident Inspectors) gave some insights into the pattern of wind damage on-site. The wind blew nominally north-to-south before passage of the eye and approximately the opposite direction afterwards. The strongest winds occurred after passage of the eye. The elevated water tower and two elevated light towers which blew down all fell approximately northward. This indicates that the unit 2 stack, if it had been damaged and had fallen, would probably have fallen away from the diesel buildings rather than toward them. In addition, the stack's behavior during demolition indicated that it may have twisted to the east if it had fallen due to wind loading. Damage to other elevated light towers indicated generally northward leaning with a significant spread in direction.

Therefore, under the conditions actually encountered in this storm, it seems unlikely that the unit 2 stack would have fallen in the direction of the EDGs.

This is important, because the two EDG buildings occupy about one-fifth to one-tenth of the arc around the stack (depending on the interpretation of what constitutes a "hit"). Thus, if the direction of fall were assumed to be random, it would be the dominant risk contributor for this event. However, given the conditions observed, it appears that the potential stack failure does not make a significant contribution to the total CCDP.

It is logical to ask what is the conditional probability of a storm such as Andrew having a wind pattern that would cause the stack to fall toward the south. Although the necessary information is not available to answer that question precisely, it is useful to note some important factors. First, the hurricane would have to have a wind pattern that put the most intense winds on the leading side of the storm, so that they would blow southward. Second, the storm's forward speed would have to be such that winds would persist at the site for a sufficient time for the stack concrete to degrade and collapse before the wind changed direction. Although Andrew had neither of these attributes, they are not necessarily improbable for a class 4 hurricane.

In summary, the CCDP contribution from the unit 2 stack striking one of the EDG buildings, combined with independent failures of the other two EDGs, is not considered to be dominant for the conditions that actually occurred on site. However, it should be noted that collapse of the unit 2 stack could increase the total CCDP by an order of magnitude under other conditions that are perhaps equally probable for a class 4 hurricane.

Thus the total CCDP estimate for SBO sequences is estimated at about 5E-4, about half from failure to start and half from failure to run.

CONTRIBUTION FROM RHR PLUS AFW FAILURES TO CCDP

The RHR systems were initiated only a few hours before the storm arrived, and the service water system strainers required hourly cleaning after the storm's passage due to the debris that had been blown into the intake water. Had both trains of RHR failed on a unit, three trains of AFW were available to cool either reactor's steam generators. Thus, core damage would have required failure of two trains of RHR plus three trains of AFW. (It was assumed that the two motor-driven standby feedwater pumps would be unavailable because they receive power through the damaged C buses.)

Data developed by BNL for the probability of RHR failure at Surry indicates a system failure rate of only 7.3E-6 per hour. This gives a probability of 1.1E-3 that the system will fail in 157 hours. The current ASP models for Turkey Point provide an AFW system failure probability (with nonrecovery) of 4.1E-4 per demand. Thus, the probability that these two systems will cause core damage due to independent failures is only about 4E-7. The failure rate of the RHR system would have to be increased by about three orders of magnitude to make a significant contribution to the total CCDP.

Clearly, the contribution to the CCDP from this sequence of failures will be insignificant in comparison to those from potential EDG failures, unless the storm could cause common mode failures that would affect both RHR and AFW together.

OTHER CONTRIBUTORS TO THE CCDP

The Turkey Point IPE contains an analysis of risks due to hurricanes and the conclusion that storm surge is the only factor that contributes significantly.

The mechanism is flooding of the safety bus switchgear when the surge exceeds the plant's flood protection elevation (20 feet). However, Hurricane Andrew did not produce a large surge. It was estimated at only 8 feet. As with the potential for the collapse of the unit 2 stack, no effort was made to calculate the conditional probability of a 20' storm surge, given a class 4 hurricane.

BENEFIT OF RECENT PLANT MODIFICATIONS

Recent modifications at the Turkey Point plant included the addition of EDGs 4A and 4B. Without these two additional sources of emergency AC power, the CCDP for this event would have been considerably higher. The formula used above to estimate the probability of a six-hour SBO with four EDGs would yield a value of about 3.3E-2 with only two EDGs (assuming a failure rate of 0.003/hour and independence of repair probabilities). Failure to start probability would be only about 9E-4 for two EDGs, on the basis of NUREG-1150 common cause factors. Thus, the addition of EDGs 4A and 4B appears to have reduced the CCDP associated with this event by a factor of about 70.

Addition of EDGs 4A and 4B also made the plant much more robust with respect to the CCDP contribution from the unit 2 stack, although that was not a significant factor for this particular event due to the direction of the strongest winds.
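The run-failure formula, its sensitivity cases and the two-EDG value quoted in this section can be checked with the following added example, which is not part of the original analysis. It assumes the 155-hour run time from the failure-count table, holds the (run time - 6 hours) term fixed when the repair window changes, and generalises the formula to n EDGs; all function and constant names are illustrative.

```python
RUN_HOURS = 155.0     # assumed: run duration from the failure-count table
COPING_HOURS = 6.0    # repair window used in the formula
MTTR_HOURS = 34.0     # generic mean time to recovery quoted in the text


def sbo_run_failure_ccdp(rate, p_nonrepair, n_edgs=4, independent_repair=True):
    """n x rate x (run time - 6 h) x (rate x MTTR)^(n-1) x p_nonrepair^m.

    m = n when every failed EDG is repaired independently, m = 1 when only
    one EDG can be repaired at a time. n_edgs != 4 is a generalisation.
    """
    last_edg_fails = n_edgs * rate * (RUN_HOURS - COPING_HOURS)
    others_already_down = (rate * MTTR_HOURS) ** (n_edgs - 1)
    m = n_edgs if independent_repair else 1
    return last_edg_fails * others_already_down * p_nonrepair ** m


def sensitivity_cases():
    """Cases discussed in the text, keyed by a short label."""
    base = sbo_run_failure_ccdp(0.003, 0.6)
    serial = sbo_run_failure_ccdp(0.003, 0.6, independent_repair=False)
    serial_20h = sbo_run_failure_ccdp(0.003, 0.25, independent_repair=False)
    two = sbo_run_failure_ccdp(0.003, 0.6, n_edgs=2)
    return {
        "4 EDGs, 0.003/h": base,
        "4 EDGs, 0.002/h": sbo_run_failure_ccdp(0.002, 0.6),
        "one-at-a-time repair factor": serial / base,
        "20 h factor, independent": base / sbo_run_failure_ccdp(0.003, 0.25),
        "20 h factor, one at a time": serial / serial_20h,
        "2 EDGs, 0.003/h": two,
        # Totals as the text combines them: run failures plus failure to
        # start (9E-4 for two EDGs) against the 5E-4 total for four EDGs.
        "benefit of EDGs 4A/4B": (two + 9e-4) / 5e-4,
    }


if __name__ == "__main__":
    for label, value in sensitivity_cases().items():
        print(f"{label:30s} {value:.2g}")
```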
