ML20147A335
| ML20147A335 | |
| Person / Time | |
|---|---|
| Site: | Arkansas Nuclear  |
| Issue date: | 10/12/1989 |
| From: | Christopher Hunter NRC/RES/DRA/PRB |
| To: | |
| Littlejohn J (301) 415-0428 | |
| References | |
| LER 1989-028-00 | |
| Download: ML20147A335 (8) | |
Text
B-92 ACCIDENT SEQUENCE PRECURSOR PROGRAM EVENT ANALYSIS LER No: 313/89-028 Event
Description:
Wiring errors associated with two service water pump breakers would inhibit autostart following slow bus transfer Date: October 12, 1989 Plant: Arkansas Nuclear One, Unit 1 Summary An extra contact was discovered in the control circuits for service water pumps P4A and P4C, which, in situations involving a safety actuation signal without main generator lockout, would prevent pump restart after trip. The conditional core damage probability estimated for the event is 2.8 x 10-4 The relative significance of this event compared with other events at ANO 1 is shown below.
LER 313/89-028 1E-7 1E-6 1E-5 1E-4 1 1E-3 1E-2 TripJ 360 hAFWIjL 360 hE LOFW
+1 L IOOP L.precursor cutoff Event Description During a comparison of electrical schematics with actual wiring configurations for ANO 1 Engineered Safeguards (ES) equipment, a relay contact not shown on the schematics was discovered in the control room control circuits for the "A" and "C" service water (SW) pumps (pumps P4A nd P4C). An evaluation of the extra contact determined that it would prevent closure of the feeder breaker for the affected pump if an ES actuation signal occurred before or without a main generator lockout.
The extra contact in the P4A and P4C control circuit would have affected the ability of the pumps to restart if a safety actuation signal was present and buses Al and A2 had completed a slow transfer to an offsite source. This situation would exist if a spurious
B-93 safety actuation signal occurred during power operation, or if a valid safety actuation signal was generated prior to main generator lockout, as would occur following a large-break LOCA. In these cases, the slow transfer of buses Al and A2, combined with the extra contact in the P4A and P4C control circuits, would have caused the "anti-pump" circuit in the breakers to lock out the close signal to the breakers, effectively disabling pumps N4A and P4C.
The breakers could not have been closed automatically, or by manual handswitch operation either in the control room or at the breaker. The breakers could have been mechanically closed by manipulating the breaker mechanism.
Additional Event-Related Information During normal power operation, safety-related buses A3 and A4 are fed from buses Al and A2, which are powered by the unit auxiliary transformer (UAT). If a main generator lockout occurs (e.g., following a reactor trip), the UAT feeder breakers trip and buses A l and A2 fast transfer to an offsite power source. In this case, buses AlI and A2 do not see an undervoltage condition.
A safety actuation signal also trips the UAT feeder breakers; however, without a generator lockout the fast transfer is not enabled, and a slow transfer occurs on bus undervoltage. An undervoltage condition results in a trip of the running service water pumps. At the completion of the slow transfer, the service water pumps are designed to restart. The emergency diesel generators also start on bus undervoltage but do not close onto their bus provided the transfer to offsite power has been successful.
There are three SW pumps at ANO 1. The "B" pump control circuitry did not have the extra contact and the "B" pump would have been available for restart after a slow bus transfer. Technical Specifications require that two of the three pumps be available during power operation, but one pump is considered to be sufficient to mitigate the consequences of an accident. The FSAR notes that the third pump is provided to facilitate maintenance.
ASP Modeling Approach and Assumptions It was assumed that two service water pumps are normally in operation at ANO 1, and that these pumps are rotated. Because of this, pumps A and C are assumed to be jointly operating one-third of the time. It has also been assumed that the breaker for pump B is
B-94 racked-out when pumps A and C are operating (if this is not the case, and the third pump is usually available, then the event is less significant than estimated). Three different scenarios were addressed in the analysis. In each scenario, the likelihood of not recovering service water locally was assumed to be 0.34 (ASP nonrecovery class R2).
- 1. Spurious safety actuation signal with normal transient sequences. In this case, HPI and HPR were assumed unavailable due to the failure of service water. Based on information in the FSAR, the auxiliary feedwater pumps are both self-cooled, and hence are not impacted by the postulated loss of service water. The frequency of spurious safety actuation was assumed to be 0.06/reactor year (consistent with the Oconee and Seabrook PRAs). This, combined with the fraction of time pumps A and C are jointly in operation (0.33) and the likelihood of the recovering service water by mechanical breaker manipulation (0.34), results in a nonrecoverable loss of service water frequency of 6.7 x 10-3 /reactor year. Note that the ASP transient sequences do not currently address potential RCP seal failure resulting from a loss of service water.
- 2. RCP seal failure resulting from the loss of service water. For this situation, the probability of the operator failing to perform actions necessary to prevent seal failure was assumed to be 0.04.
- 3. Large break LOCA. This initiator is not addressed in the ASP models because of its low frequency (10-4 /reactor year). System failures that impact large-break LOCA sequences also impact more likely small-break LOCA sequences. In this analysis, mitigation of a large-break LOCA was assumed to require successful accumulators, low-pressure injection, and low-pressure recirculation. The probability of LPI failure was assumed to be 0.33 (to account for the fraction of time pumps A and C are jointly operating). An assumption was also made that LPI pumps could successfully operate during the injection phase without service water, but that service water had to be restored for recirculation (p(nonrecovery) = 0.34).
Analysis Results The conditional core damage probabilities estimated for the three scenarios are 1.0 x 10-6, 2.7 x 104, and 1.1 x 10-5. These values result in a combined estimate of 2.8 x 10-4 The dominant sequence involves a postulated loss of service water due to a spurious safety injection, and a resulting RCP seal LOCA.
B-95 It should be noted that the safety actuation signals assumed in each scenario will start the diesel generators and ECCS pumps. These must be tripped in a short period of time to prevent damage due to the lack of service water.
B-96 CONDITIONAL CORE DAMAGE PROBABILITY CALCULATIONS Event Identifier: 313/89-028 Event
Description:
Two service water pumps with inhibited autostart (caic 1)
Event Date: 10/12/89 Plant: ANO - Unit 1 INITIATING EVENT NON-RECOVERABLE INITIATING EVENT PROBABILITIES TRANS 6. OE-02 SEQUENCE CONDITIONAL PROBABILITY SUMS End State/Initiator Probability CD TRANS 2. 9E-0 6 Total 2 . 9E-0 6 ATWS TRANS 2. SE-OS Total 2. SE-SE SEQUENCE CONDITIONAL PROBABILITIES (PROBABILITY ORDER) tt Sequence End State P rob N Rec 17 TRANS -rt afw MfW NPI(F/B) CD 2.4E-06 5. 3E-03 12 TRANS -rt -afw porv.or.srv.chail porv.or.srv.reseat NPI CD 5. 3E-07 6. 6E-04 18 TRANS rt ATWS 2.OE-SS 7.2E-03
- non-recovery credit for edited case SEQUENCE CONDITIONAL PROBABILITIES (SEQUENCE ORDER)
Sequence End State P rob N Rec**
12 TRANS -rt -afw porv.or.srv.chall porv.or.srv.reseat NPI CD 5.3E-07 6 . 6E-04 17 TRANS -rL afw MfW NPI(F/B) CD 2.4E-06 5. 3E-03 18 TRANS rt ATWS 2. SE-SE 7 .2E-03
- non-recovery credit for edited case SEQUENCE MODEL: c:\asp\1989\pwrdseal .cmp BRANCH MODEL: c:\asp\1989\anol.sll PROBABILITY FILE: c:\asp\1989\pwr~bsll .pro No Recovery Limit BRANCH FREQUENCIES/PROBABILITIES Branch System Non-Recov Opr Fail TRANS 1.4E-04 > 1.4E-04 L.OE+SS > S.SE-52 Branch Model: INITOR Initiator Freg: 1.4E-04 loop 1 . SE-05 3.6SE-01 loca 2 .4E-0S6 4. 3E-01 rt 2. 8E-04 1.2E-01 rt/loop 0 .SE+SS 1. SE+00 emerg.power 2.9E-03 3. SE-Ol a fw 2. 3E-03 2. 6E-01 afw/emerg.power 5.SOE-02 3.4E-01 MEW 2. OE-01 3.4 E-01 Event Identifier: 313/89-028
B-97 porv.or.srv.chail 8 .OE-02 I1.OE+OO porv.or.srv. reseat 1. OE-02 1. IE-02 porv.or.srv.reseat/erserg.power 1. OE-02 1. OE+OO seal .loca 4. OE-02 1. OE+OO ep. rec (si) 5. 9E-01 1. OE-.-O ep. rec 1.5SE-01 1. OE+OO
((P1 3.OE-04 > 1.OE+OO 8.4E-Ol > 1.OE+OO Branch Model: l.OF.3 Train 1 Cond Prob: 1.OE-02 > Unavailable Train 2 Cond Prob: l.OE-Ol > Unavailable Train 3 Cond Prob: 3.OE-Ol > Unavailable HPI (F/B) 3.OE-04 > l.OE+OO 8.4E-O1 > l.OE+OO 1 .OE-02 Branch Model: 1.OF.3+opr Train 1 Cond Prob: 1.OE-02 > Unavailable Train 2 Cond 2mob: 1.OE-Ol > Unavailable Train 3 Cond Prmb: 3.OE-Ol > Unavailable HPR/-HPI 1.5E-04 > l.OE+OO 1. OE+OO l.OE-03 Branch Model: 1.CF.2+opr Train 1 Cond Prob: 1.OE-02 > Unavailable Train 2 cond Prob: 1.5E-02 > Unavailable
- branch model file
- forced Minarick 06-21-1990 18:09:51 Event Identifier: 313/89-028
B-98 CONDITIONAL CORE DAMAGE PROBABILITY CALCULATIONS Event Identifier: 313/89-028 Event
Description:
Two service water pumps with inhibited autostart (caic 2)
Event Date: 10/12/89 Plant: AND, - Unit 1 INITIATING EVENT NON-RECOVERABLE INITIATING EVENT PROBABILITIES TRANS 6.OE-02 SEQUENCE CONDITIONAL PROBABILITY SUNS End State/Initiator Probability CD TRANS 2.8BE-08 Total 2. BE-08 ATWS TRANS 2.OE-06 Total 2.OE-06 SEQUENCE CONDITIONAL PROBABILITIES (PROBABILITY ORDER)
Sequence End State Prob N Rec**
17 TRANS -rt afw mfw hpi(f/b) CD 2.5SE-O8 4 . 5E-03 16 TRANS -rt afw mfw -hpi(f/b) hpr/-bpi CD 2. 8E-09 5. 3E-03 18 TRANS rt AIMS 2. GE-06 7 .2E-03
- non-recovery credit for edited case SEQUENCE CONDITIONAL PROBABILITIES (SEQUENCE ORDER)
Sequence End State Prob N Rec**
16 TRANS -rt afw mfw -hpi(f/b) hpr/-hpi CD 2.8SE-09 5 . 3E-03 17 TRANS -rt afw mfw hpi(f/b) CD 2. 5E-OS 4 .5E-03 18 TRANS rt AIMS 2. GE-OB 7 .2E-03
- non-recovery credit for edited case SEQUENCE MODEL: c:\asp\l989\pwrdseel.cmp BRANCH MODEL: c:\asp\1989\anol.all PROBABILITY FILE: c:\asp\1989\pwr~bsll.pro No Recovery Limit BRANCH FREQUENCIES/PROBABILITIES Branch System Non-Recov Opr Fail TRANS l.4Z-04 > 1.4E-04 l.OE+00 > 6.OE-02 Branch Model: INITOR Initiator Freq: 1.4E-04 loop 1.6BE-O5 3.6BE-01 loca 2. 4E-O06 4.3E-01 rt 2.8E-04 1.2E-01 rt/ loop 0. OE+00 1. OE+00 emerg. power 2.B9E-03 8. OE-0l sfw 2.3E-03 2.6E-01 sfw/emerg.power 5.0E-02 3.4E-01 mfw 2.OE-0l 3.4E-01 Event Identifier: 313/89-028
B-99 porv.or.srv.chall B.0E-02 1.OE+00 porv.or.srv.reseat 1.OE-02 1.1E-02 porv.or.srv. reseat/emerg.power 1.OE-02 1.OE--00 aeal.loca 4.OE-02 1.OE+00 ep.rec(sl) 5.9E-01 1.OE+00 ep.rec 1.5E-01 1.OE+0O hpi 3.OE-04 8.4E-O1 hpi(f/b) 3.OE-04 8.4E-01. 1.OE-02 hpr/-hpi 1.5E-04 1..OE+OO 1.OE-03
- branch model file
- forced Ninarick 06-21-1990 18: 11:40 Event Identifier: 313/89-028