ML22125A048

Final ASP Analysis - Davis-Besse Nuclear Power Station, Reactor Trip Due to Failed UPS and Sfrc System Actuations (LER 346-2021-003) - Precursor
Person / Time
Site: Davis Besse
Issue date: 05/17/2022
From: Christopher Hunter
NRC/RES/DRA/PRB
To:
Energy Harbor Nuclear Corp
Hunter, Christopher - 301 415 1394
References
IR 2021050, LER-2021-003-00

Final ASP Analysis - Precursor
Accident Sequence Precursor Program - Office of Nuclear Regulatory Research

Davis-Besse Nuclear Power Station
Reactor Trip due to Failed Uninterruptible Power Supply and Steam Feedwater Rupture Control System Actuations

LER: 346-2021-003
Event Date: 7/8/2021
CCDP = 3×10⁻⁶
IR: 05000346/2021050
Plant Type: Babcock & Wilcox Raised-Loop Pressurized-Water Reactor (PWR) with Large, Dry Containment
Plant Operating Mode (Reactor Power Level): Mode 1 (100% Reactor Power)
Analyst: Christopher Hunter
Reviewer: Mehdi Reisi Fard
Completion Date: 5/6/2022

1 EXECUTIVE SUMMARY

On July 8, 2021, an automatic reactor trip occurred due to de-energization of motor control center (MCC) E32A caused by the failure of breaker BE306 during testing. The subsequent failure of an uninterruptible power supply (UPS) caused a loss of power to the main generator automatic voltage regulator (AVR) and resulted in a generator lockout and trip of the main turbine.

Following the reactor trip, overcooling was observed due to loss of power to a moisture separator reheater steam supply second state source valve MS199, which caused it to remain open. Operators manually initiated emergency core cooling systems (ECCS) as directed by plant procedures. The steam and feedwater rupture control system (SFRCS) actuated on low level on steam generator (SG) 1 due to the failure of a startup feedwater valve in automatic mode. Both turbine-driven auxiliary feedwater (AFW) pumps started, per design. Operators successfully closed MS199 approximately 8 minutes after the reactor trip occurred. Decay heat removal was provided by the main condenser and operators subsequently secured the ECCS pumps.

Approximately 2 hours after the reactor trip, low pressure on SG 2 was experienced while operators were transferring gland steam supply from main steam to auxiliary steam, which caused the SFRCS to isolate main feedwater (MFW) and close the main steam isolation valves (MSIVs). Operators took manual control of the atmospheric vent valves (AVVs) to control SG pressure when they failed to operate in automatic mode following the SFRCS actuation. Decay heat removal was maintained through manual control of the AVVs.

The mean conditional core damage probability (CCDP) for this event is calculated to be 3×10⁻⁶.

This accident sequence precursor (ASP) analysis reveals that the most likely core damage sequence is a loss of condenser heat sink initiating event with successful AFW, but operators fail to initiate high-pressure injection (HPI) prior to a safety features actuation system (SFAS) signal, which results in a loss of reactor coolant pump (RCP) seal cooling and injection and subsequent operator failure to trip the RCPs results in a loss-of-coolant accident (LOCA). HPI is successful, but recirculation fails resulting in core damage. This accident sequence accounts for approximately 48 percent of the total CCDP for this event.

2 EVENT DETAILS

2.1 Event Description

On July 8, 2021, an automatic reactor trip occurred due to de-energization of MCC E32A caused by the failure of breaker BE306 during testing. The subsequent failure of a UPS caused a loss of power to the main generator AVR and resulted in a generator lockout and trip of the main turbine.

Following the reactor trip, overcooling was observed due to loss of power to a moisture separator reheater steam supply second state source valve MS199, which caused it to remain open. Operators manually initiated ECCS as directed by plant procedures. The SFRCS actuated on low level on SG 1 due to the failure of a startup feedwater valve in automatic mode. Both turbine-driven AFW pumps started, per design. Operators successfully closed MS199 approximately 8 minutes after the reactor trip occurred. Decay heat removal was provided by the main condenser and operators subsequently secured the ECCS pumps.

Approximately 2 hours after the reactor trip, low pressure on SG 2 was experienced while operators were transferring gland steam supply from main steam to auxiliary steam, which caused the SFRCS to isolate MFW and close the MSIVs. Operators took manual control of the AVVs to control SG pressure when they failed to operate in automatic mode following the SFRCS actuation. Decay heat removal was maintained through manual control of the AVVs.

Additional information is provided in licensee event report (LER) 346-2021-003, Reactor Trip due to Failed Uninterruptible Power Supply and Steam Feedwater Rupture Control System Actuations, (ML21250A131) and inspection report (IR) 05000346/2021050, Davis-Besse Nuclear Power Station - Special Inspection Reactive Report 05000346/2021050 and Apparent Violation, (ML21321A365).

2.2 Cause

The direct cause of the reactor trip was that with the AVR aligned to MCC E32A, a failure of breaker BE306 to close along with a failure of a battery within the digital electro-hydraulic control (DEHC) UPS caused a loss of control power to the automatic transfer switch (ATS), preventing the transfer to the alternate power source. The UPS battery failed due to normal aging. The primary cause of the ATS failure was inadequate licensee review of a change in the ATS control power for impact on the DEHC UPS.

3 MODELING

3.1 SDP Results/Basis for ASP Analysis

The ASP Program performs independent analyses for initiating events. ASP analyses of initiating events account for all failures/degraded conditions and unavailabilities (e.g., equipment out for maintenance) that occurred during the event, regardless of licensee performance. [1] For this analysis, no windowed events were identified.

[1] ASP analyses also account for any degraded condition(s) that were identified after the initiating event occurred if the failure/degradation exposure time(s) overlapped the initiating event date.

In response to this event, the NRC performed a special inspection per Management Directive 8.3, NRC Incident Investigation Program (ML18073A200). The special inspection, as documented in IR 05000346/2021050, revealed three licensee performance deficiencies. These three inspection findings were associated with the licensee failure to:

  • appropriately classify the DEHC UPS battery bank as non-critical as required by component classification procedures,
  • establish procedural guidance for transferring the gland sealing steam supply from the main steam system to the auxiliary steam system following a reactor trip, and

All three findings were determined to be Green (i.e., very low safety significance). The LER remains open.

3.2 Analysis Type

An initiating event analysis was performed using version 8.58 of the standardized plant analysis risk (SPAR) model for Davis-Besse Nuclear Power Plant created in August 2021.

3.3 SPAR Model Modifications

The following SPAR model modifications were made to support this analysis:

  • Overcooling Event. The failure of MS199 to automatically close after the reactor trip resulted in an overcooling event, which resulted in a quick reactor coolant system (RCS) pressure decrease. Operators manually initiated HPI, taking a suction off the residual heat removal (RHR) pumps (i.e., piggy-back mode), as directed by procedure. This mode of HPI operation has an injection pressure of 1800 psig. [2] RCS pressure reached a low of approximately 1710 psig prior to HPI restoring RCS pressure. This action prevented the automatic actuation of the SFAS when RCS pressure reaches 1600 psig, which would have resulted in the automatic actuation of HPI. [3] In addition, an SFAS actuation would have resulted in the loss of seal cooling and injection to the RCPs. Operators would then need to trip the RCPs to prevent a failure of the RCP seals and a subsequent LOCA. To model this issue, the loss of condenser heat sink (LOCHS) event tree was modified by adding a new SFAS top event prior to querying the loss of seal cooling (LOSC) top event. The event tree branching was modified so that if no SFAS actuation occurs (i.e., success branch), the LOSC fault tree is queried. If an SFAS actuation does occur (i.e., failure branch), then the LOSC-ISINJ fault tree is queried. This fault tree assumes the loss of RCP seal cooling and injection. This modified LOCHS event tree is shown in Figure A-1 of Appendix A. The SFAS fault tree includes only a new basic event SFAS-XHE-XL-HPI (operators fail to manually initiate HPI prior to SFAS signal).

[2] Because HPI pump discharge pressure is limited to 1800 psig in piggy-back mode, there is no possibility of an RCS pressure increase resulting in the pressurizer power-operated relief valves opening.

[3] Operators also successfully closed MS199 in approximately 8 minutes after the reactor trip. However, this action could not be performed in time to prevent an SFAS actuation.

  • Failure of Startup Feedwater Control Valve. During the event, startup feedwater control valve SP7B should have automatically opened when SG 1 experienced low level. However, a failure of the integrated control system (ICS) module resulted in the failure of SP7B. Operators attempted to take manual control of SP7B; however, they could not restore SG 1 level prior to actuation of SFRCS. Although operators could not restore SG 1 level prior to the SFRCS actuation, operators maintained the ability to manually control MFW and AFW flow via SP7B throughout the event. The base SPAR model does not include this manual action. Therefore, the MFW-SG11-Feed fault tree was modified to account for the manual control of SP7B. Specifically, a new AND gate MFW-AOV-SP7B was added under existing OR gate MFW-AOV-SF7B. Existing basic event MFW-AOV-CC-SP7B (startup control valve SP7B to SG 1-1 fails to open) was moved under MFW-AOV-SP7B. In addition, a new basic event MFW-XHE-XM-SP7B (operators fail to manually open/control SP7B) was added under gate MFW-AOV-SP7B. The modified MFW-SG11-Feed fault tree is shown in Figure B-1 in Appendix B.

  • Failure of AVVs. After the MSIVs closed, the AVVs should have been automatically opened by the plant's ICS. However, failure of two limit switches that provide position indication of the MSIVs resulted in the failure of the AVVs to automatically open. Operators attempted to take control of the AVVs from the main control room (MCR). Subsequently, AVV 2 partially opened and could not be controlled from the MCR due to failure of its controller's feedback arm. Operators subsequently isolated its instrument air supply to close AVV 2, and then stationed an operator locally to control the valve via its handwheel, as directed by procedures and training. To account for the failures and operator actions, the SG-HEAT-RELEASE fault tree was modified. Specifically, new AND gates SSC-5A and SSC-7A were inserted under existing gates SSC-5 and SSC-7, respectively. A new basic event MSS-ICS-LIMITSWITCHES (ICS limit switches fail resulting in loss of automatic AVV control) was inserted under both gates SSC-5A and SSC-7A. In addition, new basic events MSS-XHE-XM-AVV2 (operators fail to manually control AVV2 locally) and MSS-XHE-XM-AVV1 (operators fail to manually control AVV1 from MCR) were inserted under existing gates SSC-5A and SSC-7A, respectively. In addition, new house event HE-LOCHS (loss of condenser heat sink initiating event has occurred) was inserted under gates SSC-4 and SSC-6. House event HE-LOCHS was also added to the LOCHS flag set. The modified SG-HEAT-RELEASE fault tree is shown in Figure B-2 in Appendix B.
  • Fault Tree Correction. House event HE-LOCHS was added under the top gate of the MFW fault tree to ensure that the MFW system was considered unavailable given a LOCHS during a postulated anticipated transient without scram (ATWS).

3.4 Analysis Assumptions

The following modeling assumptions were determined to be significant to the modeling of this initiating event assessment:

  • The probability of IE-LOCHS (loss of condenser heat sink) was set to 1.0 due to automatic SI actuation. All other initiating event probabilities were set to zero.
  • Basic event MFW-AOV-CC-SP7B was set to TRUE due to the failure of SP7B to automatically open when SG 1 experienced low level.
  • Basic event MSS-ICS-LIMITSWITCHES was set to TRUE due to the failure of two limit switches that provide position indication of the MSIVs, which resulted in the failure of the AVVs to automatically open.
  • Basic events MFW-XHE-XM-SP7B and MSS-XHE-XM-AVV1 were set to a screening probability of 0.1. NUREG-1792, Good Practices for Implementing Human Reliability Analysis, (ML051160213) states that 0.1 is an appropriate screening (i.e., typically conservative) value for most post-initiator human failure events. Basic event MSS-XHE-XM-AVV2 was set to an elevated screening probability of 0.5 due to it being a local action. A review of the results shows that further reduction of these human error probabilities would result in a negligible change in the CCDP for this event.
  • The human error probability (HEP) for existing human failure event SFAS-XHE-XL-HPI was set to 0.23 based on an evaluation using IDHEAS-ECA. Details regarding this evaluation are provided in the following tables.

Table 1. IDHEAS-ECA Evaluation of SFAS-XHE-XL-HPI

Name: SFAS-XHE-XL-HPI

Definition: Given an overcooling event (i.e., a stuck-open steam valve), operators would need to initiate HPI in piggy-back mode (i.e., taking a suction off the RHR pumps) to prevent an automatic SFAS actuation on low RCS pressure that would result in a loss of RCP seal cooling/injection. The starting point for this task is when the reactor trip with stuck-open steam valve occurs (i.e., T = 0). The ending point for this task is when operators complete the initiation of the HPI in piggy-back mode of operation.

Description/Event Context: An overcooling event occurred when MS199 failed to automatically close after the reactor trip. Given the rapidly decreasing RCS temperature, operators are procedurally directed to terminate the cause of the overcooling and to initiate HPI in piggy-back mode of operation. Completion of this task quickly will prevent an SFAS signal, which would increase the complexity of the event response by causing a loss of RCP seal cooling and injection. This event context was assumed for the evaluation of the cognitive failure modes (CFMs) and performance influencing factors (PIFs).

Success Criteria: Operators successfully initiate HPI in piggy-back mode prior to SFAS signal during the overcooling event.

Key Cue(s):

  • Rapidly decreasing RCS temperature
  • SG pressure less than 960 psig

Procedural Guidance:

  • Emergency Procedure DB-OP-02000, RPS, SFAS, SFRCS Trip, or SG Tube Rupture
  • DB-OP-02000, Attachment 8, Place HPI/LPI/MU In Service

Critical Task(s): Operators manually initiate HPI in piggy-back mode prior to SFAS signal.

Task Analysis:

Detection - This task requires the operators to detect the key alarms and annunciators given the reactor trip and stuck-open steam valve.

Understanding - This task requires the operators to integrate the various cues to determine that an overcooling event has occurred, which requires operators to initiate HPI quickly to prevent an SFAS signal.

Decisionmaking - Decisionmaking is not required for this task because with correct understanding of the event, operators would have an obvious decision to manually initiate HPI in piggy-back mode of operation per plant procedures. Therefore, this CFM is not applicable for this task.

Action Execution - This task requires the operators to manually initiate HPI piggy-back mode of operation.

Interteam Coordination - Interteam coordination is not required for this task because multiple teams would not be involved. Therefore, this CFM is not applicable for this task.

The applicable CFMs are:

  • CFM1 - Failure of Detection
  • CFM2 - Failure of Understanding
  • CFM4 - Failure of Action Execution

Evaluation of PIFs for the Applicable CFMs:

Detection (PCFM1 = 3×10⁻³)

  • Scenario Familiarity - No impact because operators are routinely trained in response to reactor trip with secondary transients.
  • Task Complexity - C1: Detection overload with multiple competing signals (1: Few < 7); Multiple annunciators associated with reactor and turbine trips.
  • The other PIFs were evaluated to not have a significant impact on this task.

Understanding (PCFM2 = 1×10⁻³)

  • Scenario Familiarity - No impact because a stuck-open steam valve is not an uncommon event and is covered in the reactor trip response procedure that is routinely trained.
  • Information Completeness and Reliability - No impact because the MCR indications are deemed sufficient that an overcooling event has occurred.
  • Task Complexity - No impact because an overcooling event is relatively basic plant operation concept that is specifically covered by plant procedures.
  • The other PIFs were evaluated to not have a significant impact on this task.

Action Execution (PCFM4 = 1×10⁻³)

  • Scenario Familiarity - No impact because the execution steps are routinely trained.
  • Task Complexity - No impact because the execution steps are straight-forward and proceduralized.
  • Procedures and Guidance - C31: Straightforward procedure with many steps.
  • The other PIFs were evaluated to not have a significant impact on this task.

Using these assumptions, Pc was calculated as 5×10⁻³.

Timing Evaluation: Based on RCS pressure plot from the event, operators had approximately 5 minutes to initiate HPI in piggy-back mode to prevent an SFAS signal, which occurs at an RCS pressure of 1600 psi. During the actual event, operators were able to complete this action in 4 minutes. Therefore, the Treqd = 4 minutes (median) and the Tavail = 5 minutes (single value).

The current IDHEAS-ECA guidance recommends using a lognormal distribution for the time values that use a distribution; however, the current IDHEAS-ECA software does not have this capability yet. So, Pt was calculated using an OpenBUGS script using lognormal distribution parameters recommended by PNNL-32384 for Treqd ( = 0.28 and = 1.4). Using these assumptions, Pt was calculated as 0.23.

Recovery: Recovery credit is not provided for this task.

Calculated HEP: HEP = 1 − (1 − Pc)(1 − Pt) = 1 − (1 − 5×10⁻³)(1 − 0.23) = 0.23
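The Table 1 arithmetic can be reproduced directly. The following is an added example, not part of the NRC analysis: it uses a closed-form lognormal tail in place of the analyst's OpenBUGS script, and it assumes that, of the two PNNL-32384 values quoted above, 1.4 is the mean and 0.28 the standard deviation of ln(Treqd). Function and variable names are illustrative.

```python
import math

# Values quoted in Table 1 of this analysis.
P_CFM = {"CFM1 detection": 3e-3, "CFM2 understanding": 1e-3,
         "CFM4 action execution": 1e-3}
T_AVAIL_MIN = 5.0   # minutes until the 1600 psi SFAS setpoint is reached

# ASSUMPTION: the page lists "0.28" and "1.4" without symbols; here 1.4 is
# taken as the mean and 0.28 as the standard deviation of ln(Treqd).
MU_LN, SIGMA_LN = 1.4, 0.28


def any_failure(probabilities):
    """Return 1 - prod(1 - p): probability that at least one item fails."""
    success = 1.0
    for p in probabilities:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"not a probability: {p!r}")
        success *= 1.0 - p
    return 1.0 - success


def p_time(t_avail, mu=MU_LN, sigma=SIGMA_LN):
    """Pt = P(Treqd > t_avail) for lognormal Treqd and a fixed t_avail."""
    if t_avail <= 0:
        return 1.0          # no time available: the action cannot finish
    z = (math.log(t_avail) - mu) / sigma
    return 0.5 * math.erfc(z / math.sqrt(2.0))   # standard normal upper tail


def hep(t_avail=T_AVAIL_MIN):
    """Return (Pc, Pt, HEP) with HEP = 1 - (1 - Pc)(1 - Pt), no recovery."""
    pc = any_failure(P_CFM.values())
    pt = p_time(t_avail)
    return pc, pt, any_failure([pc, pt])


def sweep(t_avails=(4.0, 5.0, 6.0, 8.0, 10.0)):
    """HEP as a function of the time window, to show what drives the result."""
    return {t: hep(t)[2] for t in t_avails}


if __name__ == "__main__":
    pc, pt, total = hep()
    print(f"Pc = {pc:.2e}  Pt = {pt:.2f}  HEP = {total:.2f}")
    for t, value in sweep().items():
        print(f"Tavail = {t:4.1f} min -> HEP = {value:.3f}")
```

With the 5-minute window the time term dominates the result; as the window widens, the HEP falls toward the cognitive-failure floor Pc.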

4 ANALYSIS RESULTS

4.1 Results

The mean CCDP for this analysis is calculated to be 2.6×10⁻⁶. The ASP Program threshold for initiating events is a CCDP of 10⁻⁶ or the plant-specific CCDP of an uncomplicated reactor trip with a non-recoverable loss of feedwater or the condenser heat sink, whichever is greater. This CCDP equivalent for Davis-Besse Nuclear Power Plant is 1.2×10⁻⁶. Therefore, this event is a precursor. The parameter uncertainty results for this analysis are provided below:

Table 2. Parameter Uncertainty (CDP) Results

5% | Median | Point Estimate | Mean | 95%
1.2×10⁻⁷ | 1.1×10⁻⁶ | 2.4×10⁻⁶ | 2.6×10⁻⁶ | 9.8×10⁻⁶

4.2 Dominant Sequences [4]

The dominant accident sequence is a LOCHS sequence 4-9-2 (CCDP = 1.2×10⁻⁶), which contributes approximately 48 percent of the total CCDP. The sequences that contribute at least 5.0 percent to the total CCDP are provided in the following table. The event tree with the dominant sequence is shown graphically in Figure A-1 of Appendix A.

Table 3. Dominant Sequences

Sequence | CDP | % | Description
LOCHS 4-9-2 | 1.2×10⁻⁶ | 48.2% | Loss of condenser heat sink initiating event; successful reactor trip; offsite power is available; AFW is successful; operators fail to initiate HPI prior to an SFAS signal, which results in a loss of RCP seal cooling and injection; operators fail to trip the RCPs resulting in a LOCA, HPI is successful, but recirculation fails resulting in core damage.
LOCHS 14 | 7.3×10⁻⁷ | 30.2% | Loss of condenser heat sink initiating event; successful reactor trip; offsite power is available; AFW fails; and feed and bleed fails resulting in core damage.
LOCHS 4-8-2 | 1.5×10⁻⁷ | 6.1% | Loss of condenser heat sink initiating event; successful reactor trip; offsite power is available; AFW is successful; operators fail to initiate HPI prior to an SFAS signal, which results in a loss of RCP seal cooling and injection; operators successfully trip the RCPs, but the RCP seals fail resulting in a LOCA, HPI is successful, but recirculation fails resulting in core damage.

4.3 Key Uncertainties

The analysis models this event as loss of condenser heat sink initiating event. However, the condenser heat sink was not lost until approximately 2 hours after the reactor trip. This difference could potentially affect the risk of the LOCHS sequence 14 in that there would be some additional time for operator actions. However, since the CCDP would still exceed the ASP threshold regardless of the potential risk reduction of LOCHS sequence 14, further model refinements were not pursued.

[4] The CCDPs in this section are point estimates.

Appendix A: Key Event Tree

Figure A-1. Modified Davis-Besse LOCHS Event Tree

[Event tree figure not reproduced. Top events, in order: IE-LOCHS (loss of condenser heat sink), RPS (reactor trip), OEP (offsite electrical power), AFW (auxiliary feedwater), PORV (PORV/SRVs are closed), SFAS (no SFAS actuation occurs), LOSC (RCP seal integrity maintained), HPI (high pressure injection), FAB (feed and bleed), SSCR (secondary cooling recovered), SSC (secondary side RCS cooldown), DHR (decay heat removal), HPR (pressure recirc). Sequence end states: 1 OK, 2 LOSC, 3 OK, 4 LOSC, 5 OK, 6 OK, 7 CD, 8 OK, 9 CD, 10 CD, 11 OK, 12 OK, 13 CD, 14 CD, 15 LOOPPC, 16 ATWS, 17 LOOPPC. Branch labels appearing in the figure: FS = FTF-LOSC, LOSC-ISINJ, SSC1, HPR-PORV.]

Appendix B: Modified Fault Trees

Figure B-1. Modified MFW-SG11-Feed Fault Tree

Figure B-2. Modified SG-HEAT-RELEASE Fault Tree