ML20140A221
| ML20140A221 | |
| Person / Time | |
|---|---|
| Site: | Vogtle  |
| Issue date: | 05/19/2020 |
| From: | NRC/RES/DRA/PRB |
| To: | |
| Littlejohn J (301) 415-0428 | |
| References | |
| LER 1990-006-00 | |
| Download: ML20140A221 (10) | |
Text
B-340 ACCIDENT SEQUENCE PRECURSOR PROGRAM EVENT ANALYSIS Note: The following is an initial assessment of an event that occurred at cold shutdown. Event sequences were developed based on procedures in place at the time of the event. Information concerning the event was taken from preliminary notifications, verbal communications, etc., and may have been revised in the LER that formally documented the event.
Revised cold shutdown models are currently being developed in support of another NRC program. The operational event described herein will be re-analyzed when the new models are available. At that time, information contained in documentation that was received after the performance of this analysis winl also be addressed. Because of this, the following analysis should be considered PRELIMINARY.
Event No.: 424/90-006 Event
Description:
LOOP, DG failure, and 36 nin interruption of SDC during mid-loop operation Date: March 20, 1990 Plant: Vogtle 1 Summary During a refueling and maintenance outage, while the unit was in mid-loop operation, a truck struck a switchyard tower supporting the 230-ky feeder to unit 1 "A" reserve auxiliary transformer (RAT). This broke a feeder line and induced a ground fault, whereupon protective breaker operation isolated the feed to the IA RAT. The LB RAT was tagged out for maintenance as was "B" emergency diesel generator (EDG). The "A" EDG started and tripped, leaving the unit without normal or emergency power for 36 min until "A" EDG was successfully restarted. The interruption in residual heat removal (RHR) resulted in a reactor coolant system (RCS) temperature rise from 90OF to 136 0 F.
The conditional core damage probability point estimate for this event is 9.7 x 10-4 This value is strongly influenced by assumptions concerning battery lifetime, diesel generator recovery, and the operation staff's ability to implement an essentially nonprocedurized approach to long-term core cooling.
Event Description Prior to the event, Unit 2 was operating at 100% power and Unit I was in day 24 of a planned 44-day refueling outage. Power was being supplied to both emergency 4-ky buses on Unit I from the "A" RAT as "B" was out of service for maintenance. "B"
B-341 emergency diesel generator was also out of service for overhaul and inspection. Non-emergency AC power was being supplied by backfeed through the main transformer and the unit auxiliary transformers.
The reactor coolant system level had been reduced to "mid-loop" (centerline of the vessel nozzles) to facilitate maintenance activities. The vessel head was in place, but not tensioned. Accumulator isolation valve IHV-8808D was being worked on, as was charging system check valve 1-1208-U4-038. The pressurizer manway had been removed. Refueling operations were complete, and 1/3 of the core had been replaced with new fuel. The refueling canal was drained and the refueling water storage tank (RWST) level was 78% (100% is approximately 700,000 gal). "A" loop of RHR was in service and RCS temperature was approximately 90TF. "B" RHR injection valve was closed and out of service.
At about 9:20 a.m. EST, a lubrication and fuel truck in the Unit 1 switchyard struck a support post for the 230-ky feeder to the "A" RAT. One phase of the supply shorted to ground, the supply breaker to the feeder opened, and "A" RAT was deenergized, removing offsite power from both Unit 1 and one of the Unit 2 emergency 4-kY buses.
Unit 2 tripped and proceeded into a relatively normal shutdown. IA diesel generator automatically started but promptly tripped for unknown reasons. This left Unit 1 without AC power to the emergency buses.
Without AC power, residual heat removal was no longer available and the RCS began to heat up. Differing measurements of the heatup rate were obtained, but the most limiting (greatest) heatup rate calculated was approximately 1.3*F per minute. A normal start of EDG "A" was attempted, but it tripped on low jacket water pressure. Vogtle's design does not permit electrical or RHR crosstie between units, so recovery effort focused on returning the EDG to service. At 9:56 "A" EDG was successfully restarted and emergency AC power was restored to the IA emergency bus. This permitted the resumption of RHR to the reactor, and the RCS temperature rise was stemmed at 136'F, approximately 36 min into the event. The "B" RAT was returned !to service approximately 2 h later, permitting the restoration of offsite power supply.
Event-Related Information Core Hefat=. Of particular interest in any loss of shutdown cooling event is the amount of time available for action before decay heat would cause damage to the reactor core.
For this to occur in a well-vented RCS in mid-loop operation, the pressure vessel inventory must heat to the saturation temperature, and the reactor coolant level must boil down to the top of the core (assumed to result in core damage in ASP calculations). At
B-342 the time of the event, the RCS was vented through the open pressurizer manway.
Given the plant configuration that existed during this event, a simplified hand calculation indicates 1.5 h would be required for the core to heat up to saturation conditions. An additional 3.2 h would be required to boil off the excess inventory above the reactor core.
Thus, a total time interval of approximately 4.7 h would be available prior to core damage.
(The Vogtle loss of RHR procedure also provides curves with expected core heatup times. However, these curves predict much shorter heatup times than occurred during this event and may have implied an unnecessarily short response time for some actions.)
Batter lifetime. The Vogtle FSAR specifies a battery lifetime of 2.75 h. Probabilistic risk assessments (PRAs) typically assume that battery lifetime can be extended following a station blackout by shedding less important loads. When the plant is in cold shutdown, loads are also expected to be less than just after a trip from power. This expectation is supported by an event in 1987 at Wolf Creek (482/87-043, Battery discharge causes ESF actuations at Wolf Greek, October 15, 1987, Precursorsto PotentialSevere Core Damnage Accidents: 1987, A Status Report, NUREG/CR-4674, Vol. 8, p. C-80), where two batteries remained operable for approximately 40 h (each Wolf Creek battery is rated for 3.3 h). During the Wolf Creek event, the batteries were presumably off-loaded as much as possible in support of a 30 h maintenance that preceded the event. Applying the observed battery lifetime to Vogtle, a battery life of greater than 24 h could be possible.
Once the batteries are depleted, the ability to monitor core status, start the diesel generators, and remotely operate switchgear is lost, and core damage is assumed to occur.
Su~lplemental RCS makeuD. Vogtle Abnormal Operating Procedure 18019-C, Rev. 6, Loss of Residual Heat Removal, identifies three alternate sources of RCS makeup:
accumulators (by electrically opening the discharge valves), the charging system, and gravity feed from the RWST. Since both RHR trains were assumed available once AC power was restored, and the first two alternate sources require AC power, only the last source, gravity feed from the RWST, was addressed in this analysis. Gravity feed can be accomplished without AC power, since the valves that must be operated (I-V-8812A or HV-88 12B) are equipped with manual operators.
The effectiveness of gravity feed in cooling the core has been assumed in the analysis, although this has not been confirmed for the specific openings that existed in the RCS. It has also been assumed that initiating gravity feed any time prior to core uncovery is
B-343 adequate. Note that gravity feed was employed at Diablo Canyon when RHR was lost for 1.5 h during mid-loop operation (323/87-005 R2, Loss of RHR cooling causes core boiling at Diablo Canyon 2, April 10, 1987, Precursorsto PotentialSevere Core Damtage Accidents: 1987, A Status Report, NUREG/CR-4674, Vol. 8, p. C-46).
Once RWST gravity feed is initiated, two possibilities exist. If the RWST is allowed to drain in an uncontrolled manner, then, depending on the relative head between the RWST and the RCS openings, the entire RWST could be drained in 1 or 2 h. If draining is initiated prior to core boiling, uncontrolled draining could result in less than 3 or 4 h of additional core cooling. If valves that control RWST flow are opened only to the extent required to keep the pressure vessel nozzles flooded, then core cooling should be maintainable well beyond 24 h. Given successful implementation of RWST gravity feed, a probability of 0.8 was assumed for successfully limiting flow such that at least 24 h of RCS cooling was available.
Alternate RCS Makeup Actions. The potential use of the positive displacement charging pump (which is apparently powered from a nonsafety bus but requires cooling water powered from a safety bus) and improvised approaches (such as powering Unit 1 buses from Unit 2 buses through jumper cables) were also considered during the analysis.
However, the potential use of these approaches was not considered to substantially increase the likelihood of recovery from the event.
Analysis Approach Core Damage Model, The core damage model considers the recovery of AC power and the requirement for RCS makeup once core boiling begins. Once AC power is recovered and provided RCS inventory is adequate, RHR is assumed available to provide core cooling. The following cases were considered:
- 1. Recovery of AC power prior to core boil (1.5 h). In this case, restoration of RHR provides core cooling.
- 2. Recovery of AC power after core boil but prior to core uncovery (4.7 h). In this case, both RCS makeup and recovery of AC power must occur. If an RHR pump is started before level is restored to mid-loop, then air entrainment in the RHR suction will require the pump to be tripped and the RHR loop vented (20-60 min).
- 3. Recovery of AC power after core boil but prior to battery depletion. In this case, RCS makeup must be provided before core uncovery and must be maintained until AC power is recovered and RHR is restored.
B-344 The event tree model is shown in Fig. 1. Three core damage sequences are shown.
Sequence 1 involves a loss of AC power with failure to recover power prior to core boiling. RWST gravity feed is utilized for RCS makeup in a way such that RWST inventory is preserved, plus unnecessary loads are stripped from the DC buses, thereby maximizing the time available for long-term AC power recovery. AC power is not recovered, however, and core uncovery (and assumed core damage) occurs. Sequence 2 is similar to sequence 1 except that no efforts are made to conserve RWST inventory or battery life. In sequence 3, AC power is also not recovered prior to boiling, and RCS makeup fails.
The careful shedding of unnecessary DC loads plus control of RWST gravity feed (represented by sequence 1) is assumed to increase the overall recovery time to twice the assumed battery lifetime. For this sequence, RWST inventory is assumed adequate for at least 24 h. For sequence 2, gravity feed is assumed to prolong core uncovery for 2.5 h (time to drain the RWST plus reheat the RCS inventory), provided the assumed battery lifetime has not been exceeded.
Battery Lifetime. To account for the uncertainty in battery lifetime during cold shutdown at Vogtle, three potential values were assumed in this analysis: 2.75 h (the rated battery life), 5.5 h (twice the rated life), and 8.25 h. The probability of the three battery lifetimes was assumed to be 0.2, 0.6, and 0.2, respectively. Careful load shedding was assumed to extend the initial battery life by a factor of two.
RC aep The likelihood of failing to initiate RCS makeup assumed in the analysis is shown in Fig. 2. This curve was developed based on the upper-bound joint human error probability (HEP) values shown in Fig. 7.3-2, "Nominal Model of Estimated Diagnosis EJEPs for a Single Abnormal Event," of Analysis of Core Damage Frequency:
Internal Events Methodology, NUREG/CR-4550, Vol. 1, Rev. 1, with the time after signal skewed by 20 min to account for recovery out of the control room.
Probability of Not Recovering AC Power. AC power can be recovered by either recovering the single tripped diesel or by recovering offsite power. For this analysis, it was assumed that DG start in the local emergency mode bypassed the fault that initially tripped the DG. A failure-to-recover probability of 0. 1 prior to core boiling was assumed for the DG. In the event that AC power recovery was not effected prior to core boiling, DG repair starting at the time of core boiling was also considered.
The likelihood of not recovering offsite power was calculated based on curves included in NUREG-1032, Evaluation of Station Blackout Accidents at Nuclear Power Plants.
B-345 LOOP recovery likelihoods were bas,;d on plant class 13, which has the least likelihood of recovery of the three plant classes.
The probability of not recovering offsite power shown on Fig. A.3 of NUREG-1032 was fit to a Weibull distribution. This distribution [pN~op (t) = exp(- 1.35t0 *533 )] was used to estimate the likelihood of failing to recover offsite power by time t. (The calculated value was additionally constrained to no less than 0.01.) For long-term DG repair, the likelihood of failing to repair was assumed to be exponentially distributed with a mean time to repair of 4 h starting at the onset of core boiling [pR (t) = exp(-0. 17 (t..
These assumptions result in the following estimates for failure to recover AC power:
p(failure to recover AC power prior to core boiling) =
p(failure to recover the DG prior to core boiling)
- p(failure to recover offsite power prior to core boiling) =
0.1
- PNO (tbodl = 0.1
- 0.19=
0.019, for tboil = 1.5 h.
p(failure to recover AC power prior to battery depletion or core uncovery given offsite power not recovered prior to core boiling) =
pffailure to repair DG)
- p(failure to recover offsite power prior to battery depletion or core uncovery given offsite power not recovered prior to core boiling) =
pN1UyG(tb~t) * [piN~op (tbatt) / pNRop (tbo1 1 )] = 0.81
- 0.53=
0.43, for tbatt= 2.75 h and tboil= 1.5 h.
Branch probabilities based on the above are shown in Fig. 3. This figure was developed from Fig. 1 and includes a branch associated with the three assumed initial battery lifetimes.
Analysis Results The estimated core damage probability associated with the loss of shutdown cooling at Vogtle is 9.7 x 10-4. This value is strongly influenced by assumptions concerning battery lifetime, diesel generator recovery, and the operation staff's ability to implement an essentially nonprocedurized approach to long-term core cooling.
Substantial uncertainty is also associated with these estimates. The low core decay heat provides an extended period of time for AC power recovery, particularly if battery
B-346 lifetime can be extended and supplemental makeup provided. However, these actions are for the most part not procedurized. This, plus the unavailability of ex-control room recovery models, makes the likelihood of implementing such actions very difficult to estimate.
Different assumptions will result in different core damage point estimates, and these can be used to provide information on the range of estimates that could be associated with the event. If a design battery lifetime of 2.75 h is assumed, with no efforts to extend battery life or conserve RWST inventory, a core damage probability of 8.0 x 10-3 is estimated.
Alternately, optimistic assumptions concerning RAT recovery (for example, a nonrecovery estimate for offsite power of 0.00 1), results in a core damage probability estimate of 2.4 x 10-4 The impact of different assumptions concerning time after shutdown, the likelihood of providing RCS makeup, the likelihood of implementing DC load shedding plus conserving RWST water, and the recovery of AC power were also explored. The sensitivity of the analysis model to these values was calculated to be:
Assu tionDamage Probability Event occurs 2 days after shutdown with no fuel swapped (time to 2.8 x 10-3 boil estimated to be 0. 13 h, time to uncover estimated to be 1.0 h)
RCS makeup totally reliable No appreciable change RWST inventory and battery life conserved 5.3 x 10-4 RWST inventory and battery life not conserved 2.9 x 10-3 RAT and DG recovery based on observed times as mean estimates No appreciable and exponential model change
B-347 Loss of A oe C AC Power AecPowere Maeu Conservative AC Power During Prec tPover dMaeup Makeup and Recovered Shutdown PortPovdd Unnecessary Prior to Battery Cooling Saturation (RWST DC Loads Depletion End Seq.
(mid-loop Gravity Stripped State No.
operation) Feed)
OK OK CD 1 OK CD 2 CD 3 Fig. 1. Core damage event tree for loss of AC power during mid-loop operation at Vogtle 1 (LER 424/90-006)
0.1 CU 0.01
.0 0.001[320,0.001]
0 10 100 1000 Time (minutes)
Fig. 2. Probability of not implementing RCS makeup at Vogtle 1 (LER 424/90-006)
B-349 Loss of AC Power FACS Conservative AC Power DurPowg Postulated Recovered Makeup Makeup and Recovered Battery Prior to - Provided Uncsay pirt atr Shutdown DC Loads Depletion Cooling Life Saturation (RWST mi-op(available Gravity Stripped (available timne End Seq. Seq.
opraid-on) time) Feed) (battery lIge beyond State No. Prob.
opeatin)extended) saturation)
OK OK CD la 2.9E-4 OK CD 2a 3.3E-4 CD 3a 4.6E-6 OK OK CD lb 9.1 E-5 OK CD 2b 2.1IE-4 GO 3b l.4E-5 OK OK CD 10c l.2E-5 OK 0.09 1.h)4.2-2(57h CD 20 3.2E-5 CD 3c 4.6E-6 0.0012 _____
Total Core - 99-Damage 99-Probability Fig. 3. Core damage event tree for loss of AC power during mid-loop operation at Vogtle 1, including branch and sequence probability values (LER 424/90-006)