ML20140A224
| ML20140A224 | |
| Person / Time | |
|---|---|
| Site: | Wolf Creek  |
| Issue date: | 05/19/2020 |
| From: | NRC/RES/DRA/PRB |
| To: | |
| Littlejohn J (301) 415-0428 | |
| References | |
| LER 482-1994-018 | |
| Download: ML20140A224 (5) | |
Text
Appendix DLRNoInptinRpr48/-1 LER No. Inspection Report 482/94-18 D.2 LER No. Inspection Report 482/94-18 Event
Description:
Reactor Coolant System Blows Down to Refueling Water Storage Tank During Hot Shutdown Date of Event: September 17, 1994 Plant: Wolf Creek D.2.1 Summary On September 17, 1994, about 28 h after shutting down to begin a refueling outage, an inappropriate alignment of the residual heat removal (RJIR) system allowed the rapid transfer of about 9,200 gal of water from the reactor coolant system (RCS) to the refueling water storage tank (RWST). Operators corrected the misalignment within about 66 s.
Subsequent analyses have shown that, had the operators not acted within about 3 min, the RCS could have been voided down to the loop piping elevation, potentially rendering all emergency core cooling systems (ECC Ss) inoperable. With the RCS vented to the environment through the RWST, core uncovery could have occurred in as little as 30 mnin. The conditional core damage probability estimated for this event is 3.0 x 10 D.2.2 Event Description At 0400 hours0.00463 days <br />0.111 hours <br />6.613757e-4 weeks <br />1.522e-4 months <br /> on September 17, 1994, Wolf Creek was in Mode 4 preparing to begin a refueling outage with an RCS pressure of340 psig and temperature of 300'F. Two reactor coolant pumps (RCPs) were in service, the steam generators (SGs) were filled, and the condenser and condensate systems were secured. The safety injection (SI) pumps and one of two centrifugal charging pumps were out of service with breakers open to prevent low-temperature overpressurization.
RIIR train A was in service to provide shutdown cooling.
Activities in progress included monitoring RCS cooldown and depressurization, performing a 24-h emergency diesel generator test run, and responding to alarms caused by minor component cooling water (CCW) system problems.
Maintenance work was being performed on RHR valve 87 16A, the A RHR to SI system hot leg recirculation isolation valve, and efforts were in progress to ready RHIR train B for use.
RI{R train B was being lined up for recirculation back to the RWST in order to raise boron concentration before placing the train in service. This required the opening of valve 8717, a manual valve in the 8-in. common line from the RHR pump discharge headers to the RWST ECCS pump suction header. A nuclear station operator (NSO) was dispatched to locally open valve 8717.
The reactor operator was controlling the chemical and volume control system (CVCS) inpreparation for taking the RCS solid. This effort was complicated by failure of the volume control tank's nitrogen cover gas pressure regulator. The balance of plant (BOP) operator was lining up the B RHR train for service and adjusting the CCW system to deal with incoming alarms. The operators then received a call from a plant electrician requesting that valve 87 16A be stroked (closed and reopened) in support of a test procedure. Meanwhile, the NSO had arrived at valve 8717 and prepared to open it.
Approximately 3 ft from the NSO, the electrician was working on valve 87 16A, but neither he nor the NSO recognized the significance of opening valves 8717 and 8716A simultaneously. When opened together, valves 8716A and 8717 provide a direct pathway from the RHR pump discharge to the RWST ECCS suction header. When the control room operator closed valve 8716A from the control room, the operator stationed at valve 8717 apparently had only begun opening it. As water flowed from the RCS to the RWST, pressurizer level dropped about 2%, but this was not noted until the event was reviewed later. After valve 8716A closed, the control room operator waited about 30 s and then reopened it.
D.2-1 D.2-1NUREG/CR-4674, Vol. 21
LER No. Inspection Report 482/94-18 Appendix Appendix D D LER No. Inspection Report 482/94-18 Valve 8717 was fully open by this time, and reactor coolant inventory began rapidly flowing to the RWST. The operator stationed at 8717 observed loud flow and water hammernoises, called the control roomto report them, and was instructed to close the valve. This instruction was apparently based on good operating practice to reclose a valve when unexpected flow and noise 'results from opening it, rather than from an understanding of the circumstances of the event. At the same time, control room personnel received a high RWST level alarm, the pressurizer level high annunciator cleared, and the pressurizer level instrumentation "pegged low."
Operators responded by tripping the RCPs, increasing charging flow, and manually isolating letdown. A relief supervising operator who was present at the time identified the flow path through valves 87 16A and 8717 to the RWST.
Operators closed valve 87 16A, isolating the blowdown about 66 s into the event.
During the time that the blowdown was in progress, about 9,200 gal flowed from the RCS to the RWST causing the RWST to overflow. Approximately 650 gal overflowed from the RWST to the waste holdup tank.
The RHR and charging systems remained in service, and RCS level was gradually restored.
Additional infornation related to this event is contained in LER 482/94-0 13, "Personnel Error Resulted in an Unanticipated Loss of Reactor Coolant Level."
D.2.3 Additional Event-Related Information Subsequent analysis determined that, had the blowdown not been quickly isolated, the primary system could have drained down to the RCS loop elevation in as little as 3 min. The RWST ECCS suction header could have been filled with steam shortly thereafter. It was further determined that an operating RHR pump could have been damaged by as little as 0.5 min of operation after the primary system drained down to the RCS loop elevation. Unisolated, the blowdown could have led to core uncovery in as little as 30 min, based on a Westinghouse analysis of the event.
The Westinghouse analysis, perfonned after the event, suggests that once the RWST ECCS suction header voided, operation of the multistage SI pumps would have resulted in their failure. Isolation of the blowdown path would have allowed water to flow back from the RWST into the suctionheader; however, there is no assurance that the ECCS pumps could fulfill their functions while drawing water from the RWST following such an event.
The Westinghouse analysis also indicates that if the suction header voided, recovery would be problematic even if the RHR pumps were shut off in time. In less than the time required to fill, vent, and restart an RHR pump, reactor pressure could exceed the RI]R reactor high-pressure shutoff point.
Also noteworthy in this event is the fact that the containment was bypassed. Had the blowdown not been isolated, core damage could have occurred in as little as 30 min. A direct pathway would have existed via the RJIR return line to the RWST and to the environment via the RWST vent. Off-site doses could be expected to exceed technical specification limits under such conditions.
D.2.4 Modeling Assumptions Evaluation of this event is strongly influenced by assumptions regarding human reliability, the time and degree of effort required to recover ECCSs, and the viability of the "reflux" cooling method, wherein steam from a boiling core may be condensed in the SG tubes with the condensate draining back to the reactor. Substantial uncertainty is associated with each of these assumptions.
Approximately 3 min was available for the operators to diagnose and isolate the blowdown before all RHR and ECCS pumps were rendered inoperable. Even though procedures did not address the response to this condition, the operators' understanding of the existing system alignment allowed them to rapidly diagnose and correct the problem. During the event, the blowdown was isolated after a period of 66 s.
NUJREGICR-4674, Vol. 21D.- D.2-2
Appendix D AppenixNo.
DLERInspection Report 482/94-18 To estimate the likelihood that operators would fail to isolate the blowdown prior to uncovering the RCS loops, the time reliability correlation (TRC) models from Human Reliability Analysis (Dougherty and Fragola, Wiley, 1988) were employed. Operator response within the first 3 muin was assumed to be rule-based and without hesitancy. This is considered appropriate based on the indications available to the operators at the time. Assuming the median response time to be the response time observed in this event (--60 s), and using Table 10-8 of Dougherty and Fragola, a crew error probability of 0.06 is estimated.
Had operators failed to isolate the blowdown path within 3 min, a direct vent path would have been established from the RCS through the RWST. Analyses were performed showing that core damage could have occurred as little as 27 muin later.
After the RCS ioops voided at 3 min, the ECCS common suction header would have begun to void. Additional consequences of a failure to terminate the event prior to this point would require more difficult operator actions. These actions were considered recovery (general diagnosis that must be used in the absence of rules) with hesitancy (due to conflict, burden, and uncertainty) within the context of the TRC model. Based on Table 10-11 in Dougherty and Fragola, a crew failure probability of 0.05 is estimated for the 27-mmn time period.
If the blowdown had been isolated after the loops voided (after 3 min, but before 30 muin), substantial time and effort would have been required to refill and vent the RWST ECCS suction header and the ECCS pump suctions that are aligned to it. An analysis performed by Westinghouse indicates that significant voids entrained in the suction supply (5 to 20%) would guarantee a loss of ECCS prime [Reference 3], and other analyses have shown that operation in that condition for more than a minute or two would cause pump failure.
Without extensive venting and priming, the high-pressure pumps would be expected to fail after loop voiding. A report concerning the event indicated that there was no assurance that the ECCS pumps would fulfill their function while drawing water from the RWST following the event [Reference 4]. Further, questions have been raised regarding the structural integrity of the RWST, if it were subjected to the water hammer effects from a blowdown. The high-pressure ECCS pumps were, therefore, assumed in this analysis to be unavailable once the RWST ECCS suction header voided.
A conservative analysis (without consideration of SG secondary-side inventory that existed during the event) showed that, without some form of decay heat removal, pressure in the RC S could exceed the RHR shutoff head within as little as 15 muin. This is less than the time that would likely be required to restore the RIIR system to service. Because the power-operated relief valves were found to be inoperable subsequent to this event, it was assumed that depressurization of the RC S would have been difficult to achieve. The RJ{R pumps were, therefore, assumed to be inoperable once the RWST ECCS suction header voided. The only remaining decay heat removal path would be reflux cooling via the SGs.
The S Gs were available during the event, and reflux cooling was considered a viable core cooling method. In the short term, the water inventory in the SG would provide decay heat removal. Eventually, SG makeup and the opening of atmospheric vent valves would be required for continued heat removal via this method. Reflux cooling was assumed to require two SGs and one source of feedwater for success (consistent with SBO requirements). Assuming both motor-driven auxiliary feedwater pumps and all four S~s and their atmospheric dump valves are available, a faiure probability of -7.0 x 10 -4 is estimated for reflux cooling based on component failure probabilities used in the IRRAS-based ASP models for Wolf Creek. It should be noted that this estimate addresses equipment availability only and not the uncertainty in the viability of the reflux cooling method. Since consideration of such uncertainty is beyond the scope of this analysis, the potential impact of reflux cooling being unavailable or ineffective was addressed in a sensitivity analysis.
The analysis of this event follows the simple event tree mn Figure D.2. 1. The tree includes the following branches:
BLOWDN. Blowdown. Blowdown of RC S inventory via valves 8717 and 8716A.
ISOS-S. Isolation in the short term (3 ruin). Isolation of the blowdown within 3 muin is assumed to prevent voiding of the RCS. After the RCS loops voided at 3 min RCS pressure would have rapidly dropped, and the ECCS common suction header would have begun to void. It was assumed that once the RWST ECCS suction header voided, the high-pressure ECCS pumps would be unavailable.
D.2-3 N-UREG/CR-4674, Vol. 21
LER No. Inspection Report 482/94-18 LER No. Inspection Report 482/94-18 Appendix D Appendix D ISOS-L. Isolation in the long term (within the next 27 min). Had operators failed to isolate the blowdown path within 3 min, a direct vent path would have been established from the RCS through the RWST. Analyses were performed showing that core damage could have occurred as little as 27 min later.
REEL UX. Successful use of SG reflux cooling. If the blowdown is successfully isolated 3 to 30 min after the initiating event, SGreflux cooling must be successful to prevent core damage. ECCS is assumed to be unavailable due to voiding in the suction header.
D.2.5 Analysis Results The probability of core damage for this event is the probability of sequence 3 (failure to isolate the RCS blowdown before voiding the RCS loops, successful isolation before core uncovery, and failure of reflux cooling) plus the probability of sequence 4 (failure to isolate the RC S blowdown before voiding the RC S loops and failure to isolate the blowdown before core uncovery):
0.06 x (1-0.05) x 7.0 x 10- + 0.06 x 0.05 = 3.0 x 101.
If reflux cooling is assumed to be viable, a core damage probability of 0.003 is estimated. This estimate is probably conservative because it assumes that all ECCS pumps are unavailable once significant voiding occurs in the ECCS common suction header. Assumptions concerning the viability of reflux cooling play an important role in the core damage probability estimated for this event. For example, it may be of interest to consider what reflux cooling failure probability would lead to a doubling of the estimated core damage probability. An assumed failure probability of -0.05 for reflux cooling raises the estimated core damage probability by a factor of 2, to 6.0 x10 D.2.6 References I1. LER 482/94-013, "Personnel Error Resulted in an Unanticipated Loss of Reactor Coolant Level,"
January 4, 1995.
- 2. NRC Inspection Report 482/94-18, "Drain-down event of September 17, 1994," December 9, 1994.
- 3. Wolf Creek RCS Draindown Event Analysis, NTD-NSRLA-95-083, Westinghouse Electric Co., February 1995.
- 4. Reactor Coolant System Blowdown at Wolf Creek on September 17, 1994, AEOD/S95-01, J. Kauffman and S. Israel, USNRC, March 1995.
NUREGICR-4674, VoL 21D.4 D.24
Appendix D AppenixNo.
DLER Inspection Report 482/94-18 w ýe 0 0 0 0 0 0 W/3 z
0i z T" CWM I LU X z X
-1
- -0 U-Wo w U)
C,,
W 0-0o 0 -jCO mm w,
6CO F00 00 M:-jM z
0t 0
O-j N
Figure D.2. 1. Dominant core damage sequence for Inspection Report 482/94-18.
NUREG/CR-4674, Vol.21 D.2-5 NUREG/CR4674, Vol. 21