ML20147A335

From kanterella
Jump to navigation Jump to search
Final ASP Analysis - ANO 1 (LER 313-89-028)
ML20147A335
Person / Time
Site: Arkansas Nuclear Entergy icon.png
Issue date: 10/12/1989
From: Christopher Hunter
NRC/RES/DRA/PRB
To:
Littlejohn J (301) 415-0428
References
LER 1989-028-00
Download: ML20147A335 (8)
v  d  e


Text

B-92 ACCIDENT SEQUENCE PRECURSOR PROGRAM EVENT ANALYSIS LER No:

Event

Description:

Date:

Plant:

313/89-028 Wiring errors associated with two service water pump breakers would inhibit autostart following slow bus transfer October 12, 1989 Arkansas Nuclear One, Unit 1 Summary An extra contact was discovered in the control circuits for service water pumps P4A and P4C, which, in situations involving a safety actuation signal without main generator lockout, would prevent pump restart after trip. The conditional core damage probability estimated for the event is 2.8 x 10-4 The relative significance of this event compared with other events at ANO 1 is shown below.

LER 313/89-028 1E-7 1E-6 1E-5 1E-4 1 1E-3 1E-2 TripJ 360 hAFWIjL 360 h E LOFW

+ 1 L IOOP L.precursor cutoff Event Description During a comparison of electrical schematics with actual wiring configurations for ANO 1 Engineered Safeguards (ES) equipment, a relay contact not shown on the schematics was discovered in the control room control circuits for the "A" and "C" service water (SW) pumps (pumps P4A nd P4C). An evaluation of the extra contact determined that it would prevent closure of the feeder breaker for the affected pump if an ES actuation signal occurred before or without a main generator lockout.

The extra contact in the P4A and P4C control circuit would have affected the ability of the pumps to restart if a safety actuation signal was present and buses Al and A2 had completed a slow transfer to an offsite source. This situation would exist if a spurious

B-93 safety actuation signal occurred during power operation, or if a valid safety actuation signal was generated prior to main generator lockout, as would occur following a large-break LOCA. In these cases, the slow transfer of buses Al and A2, combined with the extra contact in the P4A and P4C control circuits, would have caused the "anti-pump" circuit in the breakers to lock out the close signal to the breakers, effectively disabling pumps N4A and P4C.

The breakers could not have been closed automatically, or by manual handswitch operation either in the control room or at the breaker. The breakers could have been mechanically closed by manipulating the breaker mechanism.

Additional Event-Related Information During normal power operation, safety-related buses A3 and A4 are fed from buses Al and A2, which are powered by the unit auxiliary transformer (UAT). If a main generator lockout occurs (e.g., following a reactor trip), the UAT feeder breakers trip and buses A l and A2 fast transfer to an offsite power source. In this case, buses AlI and A2 do not see an undervoltage condition.

A safety actuation signal also trips the UAT feeder breakers; however, without a generator lockout the fast transfer is not enabled, and a slow transfer occurs on bus undervoltage. An undervoltage condition results in a trip of the running service water pumps. At the completion of the slow transfer, the service water pumps are designed to restart. The emergency diesel generators also start on bus undervoltage but do not close onto their bus provided the transfer to offsite power has been successful.

There are three SW pumps at ANO 1. The "B" pump control circuitry did not have the extra contact and the "B" pump would have been available for restart after a slow bus transfer. Technical Specifications require that two of the three pumps be available during power operation, but one pump is considered to be sufficient to mitigate the consequences of an accident. The FSAR notes that the third pump is provided to facilitate maintenance.

ASP Modeling Approach and Assumptions It was assumed that two service water pumps are normally in operation at ANO 1, and that these pumps are rotated. Because of this, pumps A and C are assumed to be jointly operating one-third of the time. It has also been assumed that the breaker for pump B is

B-94 racked-out when pumps A and C are operating (if this is not the case, and the third pump is usually available, then the event is less significant than estimated). Three different scenarios were addressed in the analysis. In each scenario, the likelihood of not recovering service water locally was assumed to be 0.34 (ASP nonrecovery class R2).

1. Spurious safety actuation signal with normal transient sequences. In this case, HPI and HPR were assumed unavailable due to the failure of service water. Based on information in the FSAR, the auxiliary feedwater pumps are both self-cooled, and hence are not impacted by the postulated loss of service water.

The frequency of spurious safety actuation was assumed to be 0.06/reactor year (consistent with the Oconee and Seabrook PRAs). This, combined with the fraction of time pumps A and C are jointly in operation (0.33) and the likelihood of the recovering service water by mechanical breaker manipulation (0.34), results in a nonrecoverable loss of service water frequency of 6.7 x 10-3/reactor year. Note that the ASP transient sequences do not currently address potential RCP seal failure resulting from a loss of service water.

2. RCP seal failure resulting from the loss of service water. For this situation, the probability of the operator failing to perform actions necessary to prevent seal failure was assumed to be 0.04.
3. Large break LOCA.

This initiator is not addressed in the ASP models because of its low frequency (10-4/reactor year). System failures that impact large-break LOCA sequences also impact more likely small-break LOCA sequences. In this analysis, mitigation of a large-break LOCA was assumed to require successful accumulators, low-pressure injection, and low-pressure recirculation. The probability of LPI failure was assumed to be 0.33 (to account for the fraction of time pumps A and C are jointly operating). An assumption was also made that LPI pumps could successfully operate during the injection phase without service water, but that service water had to be restored for recirculation (p(nonrecovery) = 0.34).

Analysis Results The conditional core damage probabilities estimated for the three scenarios are 1.0 x 10-6, 2.7 x 104, and 1. 1 x 10-5. These values result in a combined estimate of 2.8 x 10-4 The dominant sequence involves a postulated loss of service water due to a spurious safety injection, and a resulting RCP seal LOCA.

B-95 It should be noted that the safety actuation signals assumed in each scenario will start the diesel generators and ECCS pumps. These must be tripped in a short period of time to prevent damage due to the lack of service water.

B-96 CONDITIONAL CORE DAMAGE PROBABILITY CALCULATIONS Event Identifier:

313/89-028 Event

Description:

Two service water pumps with inhibited autostart (caic 1)

Event Date:

10/12/89 Plant:

ANO -

Unit 1 INITIATING EVENT NON-RECOVERABLE INITIATING EVENT PROBABILITIES TRANS SEQUENCE CONDITIONAL PROBABILITY SUMS End State/Initiator

6. OE-02 Probability CD TRANS Total ATWS
2. 9E-0 6 2. 9E-0 6
2. SE-OS
2. SE-SE TRANS Total SEQUENCE CONDITIONAL PROBABILITIES (PROBABILITY ORDER)

Sequence 17 TRANS -rt afw MfW NPI(F/B) 12 TRANS -rt -afw porv.or.srv.chail porv.or.srv.reseat NPI 18 TRANS rt

    • non-recovery credit for edited case SEQUENCE CONDITIONAL PROBABILITIES (SEQUENCE ORDER)

Sequence 12 TRANS -rt -afw porv.or.srv.chall porv.or.srv.reseat NPI 17 TRANS -rL afw MfW NPI(F/B) 18 TRANS rt non-recovery credit for edited case SEQUENCE MODEL:

c:\\asp\\1989\\pwrdseal.cmp BRANCH MODEL:

c:\\asp\\1989\\anol.sll PROBABILITY FILE:

c:\\asp\\1989\\pwr~bsll.pro No Recovery Limit BRANCH FREQUENCIES/PROBABILITIES Branch System TRANS 1.4E-04 > 1.4E-04 Branch Model:

INITOR Initiator Freg:

1.4E-04 End State CD CD ATWS End State CD CD ATWS P rob 2.4E-06

5. 3E-07 2.OE-SS P rob 5.3E-07 2.4E-06
2. SE-SE N Rec t t
5. 3E-03
6. 6E-04 7.2E-03 N Rec**

6. 6E-04

5. 3E-03 7.2E-03 loop loca rt rt/loop emerg.power a fw afw/emerg.power MEW 1. SE-05 2.4E-0S6
2. 8E-04 0.SE+SS 2.9E-03
2. 3E-03 5.SOE-02
2. OE-01 Non-Recov L.OE+SS > S.SE-52 3.6SE-01
4. 3E-01 1.2E-01
1. SE+00
3. SE-Ol 2. 6E-01
3. 4E-01 3.4 E-01 Opr Fail Event Identifier: 313/89-028

B-97 porv.or.srv.chail porv.or.srv. reseat porv.or.srv.reseat/erserg.power seal.loca ep. rec (si) ep. rec

((P1 Branch Model:

l.OF.3 Train 1 Cond Prob:

Train 2 Cond Prob:

Train 3 Cond Prob:

HPI (F/B)

Branch Model:

1.OF.3+opr Train 1 Cond Prob:

Train 2 Cond 2mob:

Train 3 Cond Prmb:

HPR/-HPI Branch Model:

1.CF.2+opr Train 1 Cond Prob:

Train 2 cond Prob:

8.OE-02

1. OE-02
1. OE-02
4. OE-02
5. 9E-01 1.5SE-01 3.OE-04 > 1.OE+OO 1.OE-02 > Unavailable l.OE-Ol > Unavailable 3.OE-Ol > Unavailable 3.OE-04 > l.OE+OO 1.OE-02 > Unavailable 1.OE-Ol > Unavailable 3.OE-Ol > Unavailable 1.5E-04 > l.OE+OO 1.OE-02 > Unavailable 1.5E-02 > Unavailable I1.

OE+OO

1. IE-02
1. OE+OO
1. OE+OO
1. OE-.-O
1. OE+OO 8.4E-Ol > 1.OE+OO 8.4E-O1 > l.OE+OO
1. OE+OO 1.OE-02 l.OE-03
  • branch model file
    • forced Minarick 06-21-1990 18:09:51 Event Identifier: 313/89-028

B-98 CONDITIONAL CORE DAMAGE PROBABILITY CALCULATIONS Event Identifier:

313/89-028 Event

Description:

Two service water pumps with inhibited autostart (caic 2)

Event Date:

10/12/89 Plant:

AND, -

Unit 1 INITIATING EVENT NON-RECOVERABLE INITIATING EVENT PROBABILITIES TRANS SEQUENCE CONDITIONAL PROBABILITY SUNS End State/Initiator 6.OE-02 Probability CD TRANS Total ATWS 2.8BE-08

2. BE-08 2.OE-06 2.OE-06 TRANS Total SEQUENCE CONDITIONAL PROBABILITIES (PROBABILITY ORDER)

Sequence 17 TRANS -rt afw mfw hpi(f/b) 16 TRANS -rt afw mfw -hpi(f/b) hpr/-bpi 18 TRANS rt non-recovery credit for edited case SEQUENCE CONDITIONAL PROBABILITIES (SEQUENCE ORDER)

Sequence 16 TRANS -rt afw mfw -hpi(f/b) hpr/-hpi 17 TRANS -rt afw mfw hpi(f/b) 18 TRANS rt non-recovery credit for edited case SEQUENCE MODEL:

c:\\asp\\l989\\pwrdseel.cmp BRANCH MODEL:

c:\\asp\\1989\\anol.all PROBABILITY FILE:

c:\\asp\\1989\\pwr~bsll.pro No Recovery Limit BRANCH FREQUENCIES/PROBABILITIES Branch System TRANS l.4Z-04 > 1.4E-04 Branch Model:

INITOR Initiator Freq:

1.4E-04 End State CD CD AIMS End State CD CD AIMS Non-Recov l.OE+00 > 6.OE-02 3.6BE-01 4.3E-01 1.2E-01

1. OE+00
8. OE-0l 2.6E-01 3.4E-01 3.4E-01 Prob 2.5SE-O8
2. 8E-09
2. GE-06 Prob 2.8SE-09
2. 5E-OS
2. GE-OB N Rec**

4. 5E-03

5. 3E-03 7.2E-03 N Rec**

5. 3E-03 4.5E-03 7.2E-03 Opr Fail loop loca rt rt/ loop emerg. power sfw sfw/emerg.power mfw 1.6BE-O5

2. 4E-O06 2.8E-04
0. OE+00 2.B9E-03 2.3E-03 5.0E-02 2.OE-0l Event Identifier: 313/89-028

B-99 porv.or.srv.chall B.0E-02 1.OE+00 porv.or.srv.reseat 1.OE-02 1.1E-02 porv.or.srv. reseat/emerg.power

1. OE-02 1.OE--00 aeal.loca 4.OE-02 1.OE+00 ep.rec(sl) 5.9E-01 1.OE+00 ep.rec 1.5E-01 1.OE+0O hpi 3.OE-04 8.4E-O1 hpi(f/b) 3.OE-04 8.4E-01.

1.OE-02 hpr/-hpi 1.5E-04 1..OE+OO 1.OE-03

  • branch model file
    • forced Ninarick 06-21-1990 18: 11:40 Event Identifier: 313/89-028
Retrieved from "https://kanterella.com/w/index.php?title=ML20147A335&oldid=4182155"