ML20217B635
ML20217B635 | |
Person / Time | |
---|---|
Site: | Byron |
Issue date: | 10/05/1999 |
From: | Dick G NRC (Affiliation Not Assigned) |
To: | Kingsley O COMMONWEALTH EDISON CO. |
References | |
LER-454-98-018, NUDOCS 9910120324 | |
Download: ML20217B635 (25) | |
Text
a I
c f.
October 5, 1999 l
i 1
l'
. Mr. Oliver D. Kingsley, President-Nuclear Generation Group Commonwealth Edison Company Executive Towers West lll q
l
' 1400 Opus Place, Suite 500 L Downers Grove,IL 60515 i
i=
SUBJECT:
- FINAL ACCIDENT SEQUENCE PRECURSOR ANALYSIS OF EVENT OF SEPTEMBER 12,1998; BYRON STATION, UNIT 1
Dear Kingsley:
l i
Enclosed for your information is a' copy of the final Accident Sequence Precursor (ASP) analysis of the operational eve:d at Byron Station, Unit 1, reported in Licensee Event Report (LER) No. 464/98-018 (Enclosa(1) and NRC responses to Commonwealth Edison Company's (Comed) specific comments provided in your letter of April 22,1999 (Enclosure.2). T;1e final analysis, prepared by our contractor at the Oak Ridge National Laboratory, was based on review and evaluation of Comed's comments on the preliminary analysis and on comments received from the NRC staff. Our review of Comed's comments employed the criteria sent to Comed on March 12,1999, along with our preliminary analysis. The results of tee final analysis L
indicate that this event has a conditional core damage probability greater than 1 E-6 and, consequently, is considered to be an accident sequence precursor for 1998.
1 j
Please contact me at (301) 415-3019 if you have any questions regarding the enclosure. We l:
recognize and appreciate the effort expended by you and your staff in reviewing and providing comments on the preliminary analysis.
- Sincerely,
' ORIGINAL SIGNED BY:
George F. Dick, Jr.~, Project Manager, Section 2 l
Project Directorate lll Division of Licensing Project Management Office of Nuclear Reactor Regulation
. Docket No. STN 50-454 DISTRIBUTION:
diledetFile? '
TKing, RES l
Enclosures:
As stated PUBLIC PBaranowski, RES I
PDill r/f '
' SMays, RES cc w/encis: See next page ACRS MJordan, Rlli -
W 58 W RLF RENTS COPY DOCUMENT NAME: G:\\PDill-2\\ byron \\LTR_ ASP.wpd
' To receive a copy of this document, indicgttin the ppx: "C" = Copy without enclosures "E" = Copy with enclosures "N" = No copy OFFICE - PM1PD3/
F 6A:LD K 9/SC:LEQ6
~
NAME
. GDICK lh21 ChtQ4 FRET
~
aglet @fblA l
55TE 10/4 +/Ils 4 10/ 4 /99 10lW/99 f +
M10120324 991005
_ OFFICIAL RECORD COPN 4
PDR ADOCK 05000454 1)
+
' ' pa u a
l p
' UNITED STATES NUCLEAR REGULATORY COMMIGSION If j
WASHINGTON, D.C. 2v544101
_ %*****dok October 5,1999 Mr, Oliver D. Kingsley, President Nuclear Generation Group i
Commonwealth Edison Company -
. Executive Towrrs West 11' 1400 Opus Place, Suite SJO Downers Grove, IL 60515
SUBJECT:
FINAL ACCIDENT SEQUENCE PRECURSOR ANALYSIS OF EVENT OF SEPTEMBER 12,1998; BYRON STATION, UNIT 1
Dear Kingsley:
I Enclosed for your information is a copy of the final Accident Sequence Precursor (ASP) analysis of the operational event at Byron Station, Unit 1,.eported in Licensee Event Report (LER) No. 454/98-018 (Enclosure 1) and NRC responses to Commonwealth Edison Company's
. (Comed) specific comments provided in your letter of April 22,1999 (Enclosure 2). The final analysis, prepared by our contractor at the Oak Ridge National Labcretory, was based on review and evaluation of Comed's comments on the preliminary analysis and on comments received from the NRC staff. Our review of Comed's comments employed the criteria sent to Comed on March 12,1999, along with our preliminary analysis. The results of the final analysis indicate that this event has a conditional core damage probability greater than 1 E-6 and, consequently, is considered to be an accident sequence precursor for 1998.
Please contact me at (301) 415-3019 if you have any questions regarding the enclosure. We recognize and appreciate the effort expended by you and your staff in reviewing and providing comments on the preliminary analysis.
Sincerely,
.]O YV Geor F. Dick, Jr.,
roject Manager, Section 2 Project Directorate 111
}
Division of Licensing Project Management i
Office of Nuclear Reactor Regulation l
Docket No. STN 50-454 l
Enclosures:
As stated cc w/encis: See next page 1
i J
i S
I l
O. Kingsley Byron Station j
Commonwealth Edison Company Units 1 and 2 i
l cc:
Regional Administrator, Region 111 Mrs. Phillip B. Johnson
)
U.S. Nuclear Regulatory Commission 1907 Stratford Lane i
801 Warrenville Road Rockford, Illinois 61107 Lisle, !!!inois 60532-4351 Attomey General Illinois Department of Nuclear Safety 500 S. Second Street t
Office of Nuclear Facility Safety Springfield, Illinois 62701 1035 Outer Park Drive Springfield, Illinois 62704 Commonwealth Edison Company Byron Station Manager Dccument Control Desk-Licensing 4450 N. German Church Road Commonwealth Edison Company Byron, Illinois 61010-9794 1400 Opus Place, Suite 400 Downers Grove, Illinois 60515 Commonwealth Edison Company Site Vice President - Byron Ms. C. Sue Hauser, Project Manager 4450 N. German Church Road Westinghouse Electric Corporaticn Byron, Illinois 61010-9794 Energy Systems Business Unit Post Office Box 355 Mr. David Helwig Pittsburgh, Pennsylvania 15230 Senior Vice President Commonwealth Edison Company Joseph Gallo Executive Towers West 111 Gallo & Ross 1400 Opus Place, Suite 900 1025 Connecticut Ave., N.W., Suite 1014 Downers Grove, Illinois 60515 Washington, DC 20036 Mr. Gene H. Stanley Howard A. Learner PWR Vice President Environmental Law and Policy Commonwealth Edison Company Center of the Midwest Executive Towers West 111 35 East Wacker Drive 1400 Opus Place, Suite 900 Suite 1300 Downers Grove, Illinois 60515 Chicago, Illinois 60601 Mr. Christopher Crane U.S. Nuclear Regulatory Commission BWR Vice President Byron Resident inspectors Office Commonwealth Edison Company 4448 North German Church Road Executive Towers West ;ll Byron, Illinois 61010-9750 1400 Opus Place, Suite 900 Duwnere Grove, Illinois 60515 Ms. Lorraine Creek RR 1. Box 182 Manteno, Illinois 60950 Chairman, Ogle County Board Post Office Box 357 Oregon, Illinois 61061
r=
O,' Kingsley -
Byron Station
- Commonwealth Edison Company Units 1 and 2 Mr. R. M.' Krich
- Vice President - Regulatory Services Commonwealth Edison Cornpany Executive Towers West lll 1400 Opus Place, Suite 500 Downers Grove, Illinois 60515 Commonwealth Edison Company Reg. Assurance Supervisor - Byron 4450 N. German Church Road Byron, Illinois 61010-9794 Ms. Pamela B. Stroebel Senior Vice President and General Counsel Commonwealth Edison Company P.O. Box 767 Chicago, Illinois 60690-0767 l
I LER No. 454/98-018 LER No. 454/98-018 Event
Description:
Long-term unavailability of an emergency diesel genciator Date of Event: September 12,1998 Plant: Byron Station, Unit 1 Event Summary Byron Station, Una 1 (Byron 1), had been in Mode 1 for 6 months following a refueling outage. During a monthly surveillance test on the l A emergency diesel generator (EDG), the EDG tripped on a low lube oil pressure signal during the first minute of the test run. Personnel determined that the l A EDG had been susceptible to tripping on a low lube oil pressure signal for at least 11 d until the EDG was repaired and tested satisfactorily, Because plant personnel could not precisely determine the actual failure point of the l A EDG, for this analysis, the EDG was assumed to be unavailable for one-half of the 15-d interval between the last successful surveillance test and the point when the clogged strainers had the potential to be positively identified.
Hence, this event was modeled as an 18-d (432 h) condition assessment with the 1 A EDG failed. The core damage probability (CDP) at Byron 1 increased because of the increased susceptibility that would result from a loss ofoffsite power (LOOP) that progressed to a station blackout. The estimated increase in the CDP (i.e.,
the importance) for this event is 5.6 x 104 Event Description On September 12,1998, operators were starting the 1 A EDG for the planned monthly surveillance test. The 1 A EDG was started locally in the slow-start mode. The 1 A EDG experienced a test-mode trip on an " engine lube oil pressure low" alarm during the first minute of the test run. Concurrent with this alarm were an " engine lube oil pressure low" alarm and a " turbo tube oil pressure low" alarm. An immediate inspection of the 1 A EDG failed to reveal any leaks or obsious component feNrw e!! piping components were in the correct configuration.'
Subsequent troubleshooting revealed that a fibrous material, consistent with that of the engine's main tube oil filter element medium, had clogged both lobe oil strainers. The fibrous material was found tc have covered the entire internal surface of the r cainer element. An imernal inspection of the lube oil filter housing unit showed that none of the filter elements had undergone a catastrophic failure. Regardless, the licensee decided to repla e all 146 6!ter elements to perform a closer inspection of the removed elements. While replacing the tilters, personnel noted that one filter element was missing its cartridge guide and many other filter elements were slightly crushed. A root-cause analysis determined that an inadequate maintenance practice was a factor in allowing a significant amount of unfiltered oil to bypass the filter elements and dislodge and transport the filter material to the lube oil strainers.'
l l
~.
l LER No. 454/98-018 1
Additional Event-Related Information The lube oil circulating pump for each EDG mns continuously during standby conditions so that the internal engine parts remain lubricated. This facilitates a rapid start of the diesel engine. The EDGs at Byron are designed to trip on a low lube oil pressure condition when manually started or when the manual test mode switch is selected at the main control board. Although the l A EDG should have successfully started in an emergency, the ability of the EDG to continue to perform its required function with a low lebe oil pressure condition was questionable.'
No fibrous material was discovered in any other part of the 1 A EDG lube oil system. Additionally, although no fibrous material was found in the lube oil filters on the turbocharger, the filters were replaced.'
The 1 A EDG was returned to service on September 14,1998. A review of the l A EDG operating history revealed that the lube oil relief valve had lined on September 3,1998. The licensee subsequently determined that the relief valve had liRed because of the strainer blockage. Therefore, the l A EDG was considered to be unavailable for at least 11 d - from September 3,1998, until September 14,1998, when the l A EDG was returned to service. The licensee could not determine the actual point of failure before September 3,1998. The last successful surveillance test on the 1 A EDD ~,s completed on August 19, ! 998. Additionally, the 1 A EDG operated without incident for ~12 h during a ' < "> event on August 4,1998.
The licensee verified that the 1 B EDG was continually available between August 19,1998, and September 14, 1998.'
Modeling Assumptions ARer reviewing the l A EDG records, the licensee considered the I A. EDG to be unavailable for the Il-day period between September 3,1998, when the lube oil relief valve lifted, and September 14,1998, when the EDG was returned to service. Because plant personnel could not precisely determine the actual failure point of the l A EDG, for this analysis, the EDG was assumed to be unavailable for one-half of the 15-d interval between the last successful surveillance test (August 19,1998) and the point when the clogged strainers had the potential to be positively identific' ' September 3,1998). This 7.5-d window before the relief valve was noted to have lifted is in addition to the Il-d period that the l A EDG was known to be failed. This results in a total unavailability of-18.5 d. This event was modeled as an 18-d (432 h) condition assessment with the 1 A EDG failed.
If the lube oil relief valve had not lifted and provided a reference failure point, the l A EDG would have been presumed to be unavailable for half of the 26-d period since the last successful surveillance. A 13-d EDG unavailability was analyzed as a sensitivity study.
Because the ability to cross-tie the A and B emergency buses between Byron 1 and 2 exists, the EDGs from i
Unit 2 were added to the Integrated Reliability and Risk Analysis System (IRRAS) model for Unit 1. The probabilities that either of the opposite unit EDGs fails to start and run (basic events EPS-DGN-FC-2A and 2
l l
L
J r.
M.
r LER No. 454/98-018 EPS-DGN FC-28) were set to the base probability of the Unit i EDGs (3.8 x 10-2). The Byron /Braidwood Updated Final Safety Analysis Report indicates that a single EDG can provide sufficient ac power to safely shut down both units in the event ofa station blackout.2 However, because operators must manually cross-tic the emergency buses between units, a basic event was added to reflect the probability that the operator fails to start and load the alterr. ate EDG (basic event EPS-XHE-XM-OU). The probability for basic event EPS-
- XHE-XM OU was set to 8.0 x 10 2 based on a human error analysis provided in the Byron individual plant emination (IPE).8 i
The common-cause failure probability of the emergency power system for the base case was revised to reflect i
the availability of four EDGs (two from each unit) and was developed using the data distributions contained in NUREG/CR-5497, Common-Cause Failuir Parameter Estimations (Ref. 4, Table 5-9:~ alpha factor distribution summary - fail to start, CCCG = 4, a.,3 = 0.0116; and Table 5-12: alpha factor distribution sununary-fail to run, CCCG = 4, as = 0.0146). Because a4 s equivalent to the pyS factor of the multiple i
Greek letter (MGL) method used in the IRRAS models, the base case common-cause failure probability for four EDGs (basic event EPS-DGN CF-AL.L)is 4.6 x 10" LER No. 454/98-018 (p. 3) states that "other factors that contributed to the event were determined to be an
_ inadequate maintenance procedure and inadequate maintenance practice." Both causes would transcend a
. single maintenance crew and the maintenance done on the 1 A EDG was not presented as unique to just that EDG. Furthermore, crushed filter media degrades at variable rates. Therefore, the fact that this maintenance is not done simulaneously on multiple EDGs does not preclude this failure mechanism from simultaneously affecting more than one EDG, The common-cause failure probability for the EDGs is composed of failure to start and failure to run. The portion of the base case EDO conunon-cause failure probability for an engine to start was not altered because the low lube oil pressure trip is not in effect following an emergency start of an 4
EDG. However, the portion of the base case EDG common-cause failure probability for failure to run for the i
mission time was adjusted based on the failure mechanism described. Because data specific to common-cause
~ failures of the lube oil system was not available, aggregate EDG common-cause failure data wer: used in this
- analysis. However, it is not expected that this use of data introduces a significant error in the resulting estimate. Based on the failure of the l A EDG with common-cause failure potential, basic event EPS-DGN-CF-ALL was adjusted for this event from 4.6 x 10d to 1.5 x 10 -2 based on the MGL method (Ref. 4, Table
-l 5 Summary of MGL Parameter Estimations - Fail to Run).
In the S BO sequences, the probabilities of a reactor coolant pump (RCP) scal loss-of-coolant accident (LOC A)
- and of failing to recover ac power at yarious points in time are calculated using a convolution approach that recognizes that all probabilities are a function of time. A Weibull distribution is used to predict the LOOP-related parameters applicable for Byron'as defined in ORNL/NRC/LTR-89/Il (Ref. 5). Probabilities associated with the failure to recover ac power and the potential for an RCP seal LOCA are calculated given that ac power was not restored at specific points in time. Additionally, the prob tb?" fm ha yen. ort failure L to restore emergency power is based on the assumption that the median repair time for an EDG is 4 h, as developed in NUREG-1032 (Ref. 6). The ac power non-recovery probabilities (typically valued at 0.8) in the Byron Integrated Reliability and Risk Analysis System (IRRAS) model are conditional probability values.
These ac power non-recovery basic events represent the probability that an ac power source is not reestablished 3
F l:
l LER No. 454/98-018 l
before core damage occurs given that power has not been restored at a particular reference point (i.e., battery failure or an RCP seal LOCA). Accounting for the conditional attributes of the ac power recovery basic events in the Byron IRRAS model, the 2-h and 8-h ac power non-recovery probability values can be approximated as 0.42 and 0.02, respectively, when taken over the entire time interval. These values are not significantly
- different from the historically generated values used in the Byron PSA (0.32 and 0.03, respectively).
Analysis Results The increase in the CDP (i.e., the importance) as the result of an 18-d failure of the 1 A EDG with common-cause failure-to-run implications for this event is estimated to be 5.6 x 10. The base probability over the same 4
18-d period (the CDP) for all sequen:,es is 3.0 x 10, resulting in a conditional core damage probability 4
(CCDP)of 6.4 x 104 As expected, station blackout (SBO) sequences dominate. The doruinant core damage sequence for this event (Sequence 18 on Fig. I and Sequence 18-9 on Fig. 2) involves the following events:
a LOOP, a successful reactor trip, e
a failure of the emergency power system, a successful initiation of auxiliary feedwater (AFW),
e successful control of reactor coolant system pressure such that the power-operated relief valves (PORVs) remain closed, a failure of the RCP seals, and a failure of the operators to restore ac power before core damage.
This sequence accounts for 24% of the total contribution to the increase in the CDP. A second SBO sequence where the RCP seals do not fail, but the operators fail to restore ac power before the batteries are depleted (Sequence 18-2), accounts for an additional 21% of the increase in the CDP. A third SBO sequence where the PORVs fail open accounts for 20% of the increase in the CDP (Sequence 18-20).
A sensitivity study on the length of time that the l A EDG was unavailable was performed assuming the 1 A EDG to be unavailable forjust halfof the 26-d surveillance period. Such a 13-d unavailability results in a calculated importance of 4.0 x 10 This is similar to the importance calculated for the assumed 18-d 4
unavai: bility. Therefore, the length of the unavailability does not significantly affect the importance
- calculation.
Definitions and probabilities for selected basic events are shown in Table 1. The conditi:9 pebabilities associated with the highest probability sequences are shown in Table 2. Table 3 lists the sequence logic associated with the sequences listed in Table 2. Table 4 describes the system names associated with the dominant sequences. Minimal cut sets associated with the dominant sequences are shown in Table 5.
Acrooyms ARV auxiliary feedwater system l
4
g O
y 4
L LER No. 454/98-018 1
CCDP --
conditional core damage probability CDP
' core damage probability L
EDG cmergency diesel generator -
}
l
- HPI L high pressureinjection j
'IPE'
. individual plant examination IRRAS Integrated Reliability and Risk Analysis System
}
. loss-of-coolant accident
)
LOOP.
loss of offsite power
- MGL' multiple Greek letter
' PORV.
power-operated relief valve RCP reactor coolant pump SBO station blackout i
References -
- 1. LER 454/98-018, Rev. 0, " Inoperable Unit 1 Diesel Generator Due to Low Lube Oil Pressure Condition,"
October 9,1998.
. 2. ComEdBymn andBraidwoodStations UpdatedFinalsafetyAnalysis Report.
3.
Comed Bymn and Braidwood Stations IndividualPlant Examinations, March 1997.
- 4. Marshall, Rasmuson, and Mosleh, Common-Cause Failure Parameter Estimations, NUREG/CR-5497, October 1998.
1
- 5. RevisedLOOP Recovery and PWR SealLOCA Models, ORNIJNRCILTR-89111, August 1989, 6.
P. W. Baranowsky, Evaluation ofStation Blackout Accidents at Nuclear Power Plants, NUREG-1032, i
a l
U.S. Nu:icar Regulatory Commission, June 1988.
i 1
5 I.
7:
LER No. 454/98-018 Dd668686886686688@8
$l
---...~..,=uas,,,,,
l I
I E
gf (
lil
- il [
l 11ll il i ill a l
lil 1 lll l 81I f
I' lI 4"
lll 1 g
l 6
\\
lt i
lit i Fig.1. Dominant core damage sequence for LER No. 454/98-018.
6 i
j
~ '
LER No. 454/98-018 Sk 6866868886866868886868 assansaassis::::::::::
g i
1l l
_EJ _l
_I
_E lll 3
18l
'J lll l l
l g
l lIl l l i n i 4
8 l
Is lt l
- tlI' ll 1 l11 8 i
i Fig. 2. Dominant core damage sequence for LER No. 454/98-018.
7 L.
i r
l Ll'*
l LER No. 454/98-018 I
i i
i Table 1. Definitions and Probabilities for Selected Basic Events for i
LER No. 454/98-018 i
Modified Event Base Current for this name Description probability probability Type event IE-LOOP Initiating Event-loss ofofTsite 1.6 E-005 1.6 E-005 No power (LOOP)(excludes the Probability ofRecovering Ote Power in the Short Term)
IE-SGTR Initiating Event-Steam Generator 16 E-006 1.6 E-006 No Tube Ruprure IE-SLOCA Initiating Event-Small-Break 2.3 E-006 2.3 E-006 No loss-of-coolant accident ( LOCA)
IE-TRANS Initiating Esent-Transient 2.5 E-004 2.5 E-004 No AIW.EDP-FC-1B Auxiliary Feedwater(AFW) 2.0 E-002 2.0 E-002 No Diesel-Driven Pump Fails AFW-MDP-FC-1 A AFW Motor-Driven Pump Fails 4.0 E-003 4.0 E-003 No AFW FMP-CF-ALL Common-Cause Failure ofAFW 2.1 E 004 2.1 E-004 No Pumps EPS-DGN-CF-ALL Common-Cause Failure of 4.6 E-004 1.5 E-002 Yes emergency diesel generators (EDGs )
EPS-DGN-FC-1 A EDG 1A Fails 3.8 E-002 10E+000 TRUE Yes EPS-DGN FC-1B EDG 1B Fails 3.8 E-002 3.8 E-002 No EPS-XIIE-XM-OU Operator Fails to Cross <onnect 8.0 E-002 8 0 E-002 NEW No ESF Bus Without ac Power to Opposite Unit IIPI-MDP-CF-ALL Common.Cause Failure ofIligh 7.8 E-004 7.8 E-004 No Pressute Injection (liPI) Pumps 1IPI-MDP-FC-1B IIPl Motor-Driven Pump Fails 3.8 E-003 3.8 E-003 No IIPI-XIIE-XM-FBL Operator Fails to initiate Feed-1.0 E 002 1.0 E-002 No and-Bleed Cooling LOOP-17-NREC LOOP sequence 17 Nonrecovery 2.2 E-001 2.2 E-001 No Probability-Failure to Recover AFW-L (0.26) and Feed-and-Bleed Cooling (0.8) l I
8
1 l
LER No. 454/98-018 Table 1. Definitions and Probabilities for Selected Basic Events for LER No. 454/98-018 (Continued) i Modified Event Base Current for this name Description probability probability Type event LOOP-18-02-NREC LOOP Sequence 18-02 8.0 E-001 8.0 E-001 No Nonrecovery Probability-Failure to Recover Ceetric Power (EP)
LOOP-18-11-NREC LOOP Sequence 18-11 8.0 E-001 8.0 E-001 No Nonrecovery Probability -
Failure to Recover EP LOOP.I 8-; 8-NREC LOOP Sequence 18.I8 8.0 E-001 8.0 E-001 No Nonrecovery Probability -
Failure to Recover EP 1.OOP-18-20-NREC LOOP Sequence 18-20 8.0 E-001 8.0 E-001 No Nonrecovery Probability-Failure to Recover EP i
LOOP-18 22-NREC LOOP Sequence 18-22 2.7 E-001 2.7 E-001 No Nonrecovery Probability - Failure to Recover EP(0.8)and AFW-L
)
(034)
OEP XIIE-NOREC 13D Operator Fails to Recover ac 2.0 E-002 2.0 E-002 No Power Before Battery Depletion OEP-XHE-NOREC-SL Operator Fails to Recover ac 6 3 E-001 63 E-001 No Power Before Core Darnage Results From a Seal LOCA OEP-XIIE-NOREC-ST Operator Fails to Recover ac 53 E-001 53 E-001 No 1
Power in the Short Term PPR SRV-CC-PRV1 PORY ! Faib to Open on 63 E-003 63 E-003 No Demand PPR SRV-CC-PRV2 PORV 2 Fails to Optn on 63 E-003 63 E-003 No Demand PPR-SRV-CO-Si30 Safety / Relief Valves Open 3.7 E-001 3.7 E-001 No During a Station Blackout (SBO)
PPR-SRV-OO-PRVI PORV 1 Fails to Rescat 3.0 E 002 3.0 E402 No PPR-SRV-OO-PRV2 PORV 2 Fails to Rescat 3.0 E-002 3.0 E 002 No I
l 9
~;
LER No. 454/98-018 Table 1. Definitions and Probabilities for Selected Basic Events for LER No. 454/98-018 (Continued)
Modified Event Base Current for this name Description probability probability Type event RCS-MDP-LK-SEALS Reactor Coolant Pump (RCP) 3.5 E-002 3.5 E-002 No Seals Fail without Cooling and injection l
i 1
i l
10
_.o.
LER No. 454/98-018 Table 2. Sequence Conditional Probabilities for LER No. 454/98-018 Conditional Event tree Sequence core damage Core damage Importance Percent name number probability probability (CCDP-CDP) contribution *
(CCDP)
(CDP)
LOOP 18-09 1.4 E-006 4.4 E-008 1.3 E-006 24.1 LOOP 18-02 1.2 E-006
. 3.9 E-008 1.2 E-006 21.1 LOOP-18-20 1.2 E-006 3.8 E-008 1.1 E-006 20.4 LOOP 18-18 8.1 E-007 2.6 E-008 7.9 E-007 14.2 LOOP 18-11 7.1 E-007 2.3 E-008 6.9 E-007 12.4 LOOP 18-22 3.6 E-007 1.2 E-008 3.5 E-007 6.3 LOOP 17 7.8 E-008 1.4 E-008 6.4 E-008 1.1 Total (all sequences) 6.4 E 006 8.0 E-007 5.6 E-006
' { ' {, 4.f I
m
' Percent contribution to the total importance.
Table 3. Sequence Logic for Dominant Sequences for LER No. 454/98-018 Event tree Sequence name number Logic LOOP 18-09
/RT-L, EP, /AFW-L, /PORV-SBO, SEALLOCA, OP-SL LOOP 18-02
/RT-L, EP, /AFW-L, /PORV-SBO, /SEALLOCA, OP-BD LOOP-18-20
/RT-L, EP, /AFW-L, PORV-SBO, PRVL-RES, ACP-ST LOOP 18-18
/RT-L, EP, /AFW-L, PORV-SBO, /PRVL-RES, SEALLOCA, OP-SL LOOP 18 11
/RT-L, EP, /AFW-L, PORV-SBO, /PRVL-RES,
/SEALLOCA, OP-BD LOOP 18-22
/RT-L, EP, AFW-L, ACP-ST 11
[
m.
i LER No. 454/98-018 l
L
'l i
LOOP.
17
/RT-L, /EP, AFW-L, F&B-L i
Table 4. System Names for LER No. 454/98-018
' System name Logic ACP-ST Offsite Power Recovered in Short Term AFW-L No or Insufficient AFW System Flow During LOOP EP Emergency Power System Fails F&B-L.
Failure to Provide Feed and Bleed Cooling OP-BD Operator Fails to Recover ac Power Before Battery Depletion OP-SL Operator Fails to Recover ac Power Before Core Damage Results Following an RCP Seal LOCA PORV-SBO PORVs Open During an SBO PRVL-RES PORVs and Block Valves Fail to Reclose RT-L Reactor Fails to Trip Duiing a LOOP SEALLOCA RCP S:als Fail During a LOOP c
12 l
LER No. 454/98-018 Table 5. Conditional Cut Sets for Iligher Probability Sequences for LER No. 454/98-018 Cut set Percent l'
number contribution CCDP' Cut sets6 LOOP Sequence 18-09 1.4 E-006
' A, ' Mr,
f;
.u l
1 83.1 1.1 E-006 EPS-DGN-CF-ALL, /PPR-SRV-CO-SBO, RCS-MDP-LK-SEALS, OEP-X1 E-NOREC-SL, LOOP-18-09-NREC 2
16.8 2.3 E-007 EPS-DGN-FC-l A, EPS-DGN-FC-1 B, EPS-XI E-XM-OU,
/PPR-SRV-CO-SBO, RCS-MDP-LK-SEALS, OEP-X1 E-NOREC-SL, LOOP-18-09-NREC
\\
~ENW ~ -
LOOP Sequence 18-02 1.2 E-006 1
83.1 1.0 E-006 EPS-DON-CF ALL,/PPR-SRV-CO-SBO,/RCS-MDP-LK-SEALS, OEP-XIE NOREC-BD, LOOP-IR-02-NREC 2
16.8 2.0 E-007 EPS-DGN-FC-I A, EPS-DON 1 C-18. EPS XIE XM-OU,
/PPR-SRV-CO-SBO, /RCS-MDP-L K-SEALS, OEP XIIE-NOREC-BD, LOOP 18-02-NREC LOOP Sequence 18-20 1.2 E-006
'f 41.6 4.9 E-007 EPS-DGN CF-ALL, PI.c ;RV-CO-SBO, PPR SRV-OO-PRV1, OEP-X1IE-NOREC-ST, LOOP-18-20-NREC 2
41.6 4.9 E-007 EPS-DGN-CF-ALL,PPR-SRV-CO-SEO,PPR SRV-OO-PRV2, OEP-X1E-NOREC-ST, LOOP 18-20-NREC 3
8.4 9.9 E-008 EPS-DON-FC-1 A. EPS-DGN-FC-1B, EPS-XIE XM-OU, PPR-SRV-CO-SBO,PPR-SRV-OO-PRV2,OEP-XIIE-NOREC ST, LOOP I8-20-NREC 4
8.4 9.9 E-008 EPS-DGN-FC-1 A, FPS-DGN-FC-1B, EPS-XIE XM OU, PPR-SRV-CO-SBO, PPR-SRV-OO-PRV2, OEP-X1 E-NOREC-ST, LOOP-18-20-NREC LOOP Sequence 18-18 8.1 E-007 w
p
-s t ~~~
UQ i f 3, Z a 1
83.I 6.7 E-007 EPS-DGN CF-ALL, PPR-SRV-CO-SBO, RCS-MDP-LK-SEALS, OEP-X1 E-NOREC-SL, L(X)P-18-18-NREC 2
16.8 1.4 E-007 EPS-DGN-FC I A EPS-DON-FC 18, EPS XIIE-XM-OU, PPR-SRV-CO-SBO, RCS MDP-LK-SEALS,OEP-XIE-NOREC-SL, LOOP 18-18-NREC 13
LER No. 454/98-018 Table 5. Conditional Cut Sets for fligher Probability Sequences for LER No. 454/98-018 (continued)
Cut set Percent number '
contribution CCDP" Cut sets6 LOOP Sequence 18-11 7.1 E-007 Zun ;
f,'
~
"^
4
+
e I
83,1 5.9 E-007 EPS DON-CF-ALL,PPR-SRV-CO-SBO,/RCS-MDP-LK-SEALS, OEP-X1E-NOREC-BD, LOOP 18-11-NREC 2
16.8 1.2 E-007 EPS-DGN-FC-1 A, EPS-DGN-FC 1 B, EPS-XIE-XMOU, PPR-SRV-CO-SDO, /RCS-MDP LK-SEALS, OEP-XIE-NOREC-BD, LOOP 1811-NREC LOOP Sequence 18-22 3.6 E-007
'N]
~
N -
M
'W P
zu -
1 82.1 3.0 E-007 EPS-DON-CF-ALL, AFW-EDP-FC-1B, OEP-XI E-NOREC-ST, LOOP-18-22-NREC 2
16.6 6.0 E-008 EPS-DON-FC-1 A, EPS-DGN-FC 1B, EPS-XIE-XM-OU, AFW-EDP-FC. I B, OEP-X1 E-NOREC-ST, LOOP-18-22-NREC LOOP Sequence 17 7.8 E-008
~N y,
y 1
31,1 2.4 E-008 EPS-DGN-FC-I A, EPS-XIE-XM-OU, AFW-EDP-FC-1B, IU'I XIE-XM-FBL, LOOP-17-NREC 2
19 4 1.5 E-008 EPS-DGN-FC-1 A, EPS XIE-XM-OU, AFW-EDP-FC-1B, PPR-SRV-CC-PRV1, LOOP-17 NREC 3
19.6 1.5 E-008 EPS-IXiN-FC-1 A, EPS-XIE-XMOU, AFW-EDP-FC-I B, PPR-SRV-CC-PRV2, LOOP-l 7-NREC 4
11.8 9.2 E-009 EPS.DGN-FC-1 A, EPS-XIE-XM-OU, AlW-EDP-FC-1B, 1IPI-MDP-FC.IB. LOOP-17-NREC 5
4.1 3.2 E-009 AFW-FMP-CF-ALL IIPI-XIE-XM-FBL, LOOP-17-NREC 6
2.6 2.0 E-009 AFW-PMP-CF.ALL,PPR SRV-CC-PRV1, LOOP-17 NREC 7
2.6 2.0 E-009 AFW-PMP-CF-ALL, PPR-SRV-CC-PRV2, LOOP-17-NREC 8
2.4 1.9 E-009 EPS-DGN-FC-I A, EPS-XIE-XM-OU, AFW-EDP-FC-1B, 1M MDP-CF-/.LL, LOOP-17-NREC 9
1.6 1.2 E-009 AFW EDP-FC-1B, AFW-MDP-FC 1 A,IIPI XIIE-XM-F13L, L(X)P-17-NREC Total (all sequences) 6,4 E-006 Ur-M gJM 4
,X
}
14 t
- - - +
s
LER No. 454/98-018
'The change in conditional probabi'ity (importance)is determined by calculating the conditioaal probabihty for the penod in which the condition existed and subtracting the conditional probability for the same period but with plant equipment assumed to be operating nominally. The conditional probabihty for each cut set within a sequence is determined by multiplying the probability that the portion of the sequence that makes the precursor visible (e.g., the system with a failure is demanded) will occur during the duration of the event by the probabilities of the remaining basic events in the minimal cut set. This can be approximated by 1 - e*, where p is detennined by multiplying the expected number ofinitiators that occur during the duration of the event by the probabilities of the basic events in that minimal cut set. The expected number ofinitiators is given by it, where 1is the frequency of the mitiating event (given on a per-hour basis) and t is the duration time of the event. This approximation is conservative for precursors made nsible by the initiating event. The i
frequencies ofinterer' for this event are Arnam - 2.5 x 10/h, Am - 1.6 x 10 4 h,1.00A-23 x 10 4 h, and ison " 1.6 x 10 '/h. The
/
/
31 duration time for this event i!. 432 h.
" Basic event. EPS-IXIN-FC-1 A,is a TRUE type event that is not normally included in the output of fault tree reduction programs but has been added to aid in understanding the sequenws to potential core damage associated with the event.
I 15 l
l
[
. ~.
l*
l LER No. 454/98-018 i
- LER No. 454/98-018 Event
Description:
Long-term unavailability of an emergency diesel generator Date of Event: ~ September 12,1998 Plant: Byron Station, Unit 1 Licensee Comments
Reference:
Letter from R. M. Krich, Vice President - Regulatory Services, to U. S. Nuclear Regulatory Commission, " Review Comments Regarding the Preliminary Accident Sequence Precursor Analysis for Byron Station, Unit 1," April 22,1999.
j I
Comment 1:
Event
Description:
He ASP documentation appropriately characterized the sequence of events and the failure mechanism provided in LER 50-454/98-018.
Response 1:
No response is necessary.
i Comment 2:
Additional Event-Related Information: The ASP analysis document is accurate with respect to the configuration of the plant, the design of the emergency diesel generators (EDGs) at Byron Station, and the continued availability of the 1B EDO.
Response 2:
No response is necessary.
Comment 3:
Modeling Assumptions: The assumption that the 1 A EDG was unavailable for 18 d is overly conservative. There is reasonable assurance that the 1A EDG became unavailable on September 3,1998, and was therefore, unavailable for 11 d instead of I 8 d. LER 50-454/93-018 did indicate that although the actual failure point could not be determined, the EDG was considered tmavailable for 11 d - from September 3,1998. until September 14,1998. The basis for this consideration is that plant operators identified a lifting relief valve on the l A EDG on September 3,1998. Prior to September 3,1998, there was no indication of this relief 1
LER No. 454/98-018 valve lifting. Although the initial operability determination that was performed after identification of the lifling relief valve did not consider the potential for a plugged lube oil strainer, there is a reasonable belief that the condition did not exist prior to September 3, 1998, since the lifting relief valve would have been noted by plant operators on daily rounds or other plant personnel during routine course of activities.
Response 3:
There is evidence that the 1 A EDG was failed on September 3,1998. However, there is no concrete support for a fixed point in time prior to September 3,1998, when the 1 A EDG may have no longer been able to run continuously for its required 4-h mission time. Prior to the relief valve lifting, there would have been fibrous material building up on the internal surface of the strainer element until suflicient back pressure was established to lin the relief valve.
This buildup could have b;en accelerated by an EDG autostart prior to the point in time when the reliefvalve eventually lifted. Therefore, assuming the l A EDG was failed only after that point in time when the operators noted that the relief valve lifted does not seem appropriate.
A reasonable estimate is to assume that the EDG would be unavailable for one-half of the period between the last successful surveillance test ( August 19,1998) and when the clogged strainers were positively identified (September 3,1998)-a 15-d period. This 7.5-d window before the relief valve was noted to have lifted is in addition to the ll-d period that the l A EDG was known to be failed. This results in a total unavailability of ~18.5 d. An 18-d window was analyzed.
If the rehef valve lifting was not considered proof that the l A EDG was failed, then a typical failure window ofone-halfof the 26-d period since the last successful surveillance test would be assumed. Such a 13-d window was analyzed as a sensitivity study. No significant change in the calculated importance for this event was observed after adjusting the EDG unavailability period from 18 d to 13 d. The sensitivity study has been documented as part of the analysis.
Comment 4:
Modeling Assumptions: In the ASP analysis document, it appears that the assumptions overly compensate for the potential for a common-mode failure of the remaining EDGs. There is no indication that the remaining three EDGs were ever impacted by the particular event documented in LER 50-454/98-018. The Byron Station Technical Specifications required plant operators to immediately perform an assessment of the common-mode failure potential for the 1B EDG In addition, temporary modifications were installed on all four of the EDGs following this event to allow plant operators to monitor the EDO lube oil strainer differential pressures to ensure that the condition was not common to more than the one diesel generator.
No evidence to date has been identified which supports the common-mode failure assumptions contained in the ASP analysis document. This concheian is supported by the fact that maintenance is not performed on multiple EDGs at one time and there is no single dedicated 2
i l..
l i
LER No. 454/98-018 crew that is responsible for perfonning maintenance on all the EDGs. Lack of attention to
' detail by maintenance personnel is one of the significant contributors identified in the root cause analvsis for this event. Therefore, given the objective evidence, including inspection activity during the condition, there is little reason to believe that the calculations indicate that a rc-characterization of the failed condition of the 1 A EDG as a non-common-cause potential failure results in a net increase in core damage probability ofless than 1.0 x 104 Response 4:
LER 454/98-018 (p. 3) states that "c.dier factors that contributed to the event were determined to be an inadequate maintenance procedure and inadequate maintenance practice." Both
. causes would transcend a single maintenance crew. Furthermore, r.ushed filter media degrades at variable rates. Therefore, the fact that this maintenar ce is not performed simultaneously does not preclude this failure mer nism from simult' acously affecting more than one EDG Finally, action taken after the c very of this ev at does not remove the increased potential for common-cause failure basea on the identified i vent fac: ors. No change to the analysis methodology was made based on this commen.. However, additional justification for increasing the common-cause failure probability from the base case has been provided in the Modeling Assumptions.
Comment 5:
Modeling Assumptions: The design basis for the Byron Station is such that any single EDG is capable of providing sufficient ac power to provide the capability to ssfely shutdown both units in the event of a Station Blackout (SBO). This design basis is documented in Byron /Braidwxxl Updated Final Safety Analysis Report (UFSAR) section 8.3.11.2.2, "Emer;ency Onsite Power Sources (Diesel Generators)" Credit does not appear to be given to this design basis in the Modeling Assumptions. We would suggest that such credit is appropriately taken by multiplying each "MUI.TI-UNIT-LOOr" cut set associated with a SB0 sequence, none of which contain a common-cause EDG failure term by the value represented by basic event "EPS-XHE-XM-0U."
Response 5:
Because a single EDG is capable of providing suflicient ac power to safely shutdown both units if there is an SBO, basic event MULTI-UNIT-LOOP was removed from the NRC's standardized plant analysis risk (SPAR) model for Byron Station, Unit 1. The calculated importance of this event was revised from 6.9 x 104 to 5.6 x 10 This change represents a 4
20% reduction from the origiaal calculation.
Comment 6:
Modeling Assumptions: It appears that a value of 0.8 was used as the failure probability for offsite power recovery for all sequences. This value, in most cases, is overly conservative.
3
[
LER No. 454/98-018 Furthermore, this value appears to be used in all sequences, regardless of the expected accident progression time to core damage.
For the Byron Station Updated Probabilistic Safety Assessment (PSA), the. vere essentially three diffmnt post-SB0 scenarios postulated The first post-SB0 scenario, which best correlates to Sequence 18-2, has a successful diesel-driven Auxiliary Feedwater (AFW) pump combined with a reactor coolat pump (RCP) seal loss-of-coolant accident (SEALLOCA) probability that results in the core being uncovered at 8 h. The 8-h period is based on a reasonable assumption that battery depletion occurs 4 h into the event and results in AFW failure. However, there is sufficient secondary inventory in the steam generators and primary inventory in the RCS to provide an additional 4 h prior to core damage when considering the reduction in decay heat tnat has occurred in the first 4 h following the initiating event.
Thermal-hydraulic analysis performed for the Byron Station Individual Plant Examination (IPE) has demonstrated the core will remain covered for at least 2 h with this primary and secondary inventory available immediately following such an initiating event. In the preliminary ASP analysis, decay heat was initially assumed to be at its maximum value and was reduced exponentially as a function of time. Therefore, use of an ac power non-recovery probability corresponding to an 8-h period would be more appropriate for this sequence.
The second post-SBO scenario in the Byron Station Updated PSA, which best correlates to Sequence 18-9, includes the same plant conditions discussed in the first scenario (Sequence 18-2), except that the core does uncover (i.e. the SEALLOCA probability is sufliciently large) in less than 8 h, such that recovery of ac power at 8 h is of no value for > 'oiding core damage Sequence 18-9 does credit such recovery. But with 0.8 ac power non-recovery probability, there appears to be a presumption that very little time is available prior to core damage following the RCP seal failure. Given Byron's offsite ac power non-recovery probability vs.
the time after a loss ofoffsite power (LOOP)/ dual-unit loss of offsite power (DLOOP) events curve, the ac power non-recovery probability of 0.8 appears to be reasonable for this sequence.
The third post-SBO scenario in the Byron Station Updated PSA, which best correlates to Sequence 18-22, postulates the failure of the diesel-driven AFW pump. As demonstrated m the thermal hydraulic analysis performed for the Byron Station IPE, ac power recovery must occur within 2 h in order to avoid core damage. Although there is a potential for a large enough SEALLOCA to uncover the core in less than 2 h, rendering the recovery of ac power meaningless, accounting for this will have a second or third order effect on overall core l
damage frequency, as this is already in a low probability sequence. Therefore, use ofra ac l
power non-recovery probability corresponding to a 2-h period would be more appropriate for this sequence.
In addition, the preliminary ASP analysis document event tree included Sequence 18-20. This sequence postulates the cycling of a pressurizer power-operated relief valve (PORV),
[
4
~
7 e
- s. g I
LER No. 454/98-018 l-
. presumably due to an expected reactor coolant system pressure transient following the initial turbine trip and loss of the condenser and the steam dump valves. The scenario continues with the PORV failing to re-close, resulting in an effective small break loss-of-coolant accident (LOCA). Again a 0.8 ac power non-recovery probability was assigned. Thezmal hydraulic analyses from the Byron Station IPE indicate that such a scenario (i.e., the largest small-break LOCA) would progress for slightly more than 2 h prior to core damage occurring. Therefore,
=
use of an ac power non-recovery probability corresponding to a 2-h peried would be more appropriate for this sequence.
Given the presious discussion of Sequences 18-2, !8-9,18-20, and 18-22, use of ac power non-recovery probability values that correlate to time durations of 2 h or 6 h, respectively, after the LOOP /DLOOP event would be more appropriate for the sequences where the time to core damage is 2 h or 8 h, respectively. The ae power non-recovery probability values in the Byron Station Updated PSA database for these time durations are 0.316 and 0.032, l
respectively.
These ac power non-reovery probability values were derived from Electric Power Institute Research (EPRI) Report TR-106306, " Losses of Off Site Power at U.S. Nuclear Power l
Plants-Through 1995," dated April 1996. This study covered approximately the same time period as NUREG/CR-5496, " Evaluation of Loss of Offsite Power Events at Nuclear Power Plc.nts: 1980-1996," dated November 1998, which is referenced in the preliminary ASP
' analysis document. In addition, EPRI Report TR-106306 covered more industry events than i
NUREG/CR-5496 and was in a final published form, whereas NUREG/CR-5496 was only l
in draft form at the time we perfonned our ac power non-recovery probability calculations.
The determination of the ac power non-recovery probability values was accomplished sia a thorough review of EPRI Report TR-106306 and ofthe LOOP /D LOOP events in its database.
Certain events that clearly did not apply were excluded. Primary examples ofexcluded events pertain to those caused by hurricanes and salt spray. Hurricanes were only partially excluded to give some representation of the recent Davis-Besse tornado event. In addition, any single-unit LOOP at a multi-unit site which u., aminated by simply cross connecting to another unit's power supply was also excluded, in order to obtain a more accurate picture of offsite ac power recovery. The remaining events were plotted on a chart and curve fit. The 2-h duration value was determined from the curve fit. For the 8-h duration value, a value from the curve fit was interpolated to avoid non-conservative predictions by the curve fit equation in the region of the curve correronding to 8 h. The resulting ac power non-recovery probability values are considered reasonable and reficctive of actual industry experience, as r.pplieJ to Byron Station.
Response 6:
Modeling Assumptions: In the SBO sequences, the probabilities of a reactor coolant pump (RCP) seal loss-of-coolant accident (LOCA) and of failing to recever ac power at various points in time are calculated using a convolution approach that recognizes that all probabilities i
1 t
LER No. 454/98-018 are a function of time. A Weibull distribution is used to predict the LOOP-related parameters applicable for Byron as defined in ORNL/NR C/LTR-89/11 (Ref.1). Probabilities associated with the failure to recover ac power and the potential for an RCP seal LOCA are calculated given that ac power was not restored at specific points in time. Additionally, the probability for the operators' failure to restore emergency power is based on the assumption that the median repair time for an EDG is 4 h, as developed in NUREG-1032 (Ref. 2). The ac power non-recovery probabilities (typically valued at 0.8) in the Byron SPAR model are conditional probability values. These ac power non-recovery basic events represent the probability that an ac power source is not reestablished before core damage occurs given that power has not been restored at a particular reference point (i.e., battery failure or en RCP seal LOCA). The Byron PSA ac power non-recovery probability values appear to be based on an historical evaluation of the total clapsed time since the initiation of an SBO event. The conditional probabilities for basic events LOOP-18-02-NREC, LOOP-18-09-NREC, LOOP-18-ll-NREC, LOOP-18-18-NREC, LOOP-18-20-NREC, and LOOP-18-22-NREC in the Byron IRRAS model do not represent the same probabilities that Byron PSA ac power non-recovery probability values (0.316 and 0.032) represent. Theiefore, the free substitution of non-recovery values frons the Byron PSA into the Byron SPAR model is inappropriate without making further adjustments to the other LOOP-related parameters in the Byron SPAR model.
j Accounting for the conditional attributes of the ac power recovery basic events in the Byron i
SPAR model, the 2-h and 8-h ac power non-recovery probability values can be approximated as 0.42 and 0.02, respectively, when taken over the entire time interval. These values are not significantly different from the historically generated values used in the Byron PSA (0.32 and 0.03, respectively). No change to the analysis methodology was made as a result of this comment.
References:
L RevisedLOOP RecoveryandPWR SealLOCA Models, ORNLINRCILTR-391ll, August i989.
- 2. P. W. Baranowsky, Evaluation ofStation Blackout Accidents at Nuclear Power Plants, NUREG-1032, U.S. Nuclear Regulatory Conunissior., June 1988.
1 1
~
l