ML22201A002

From kanterella
Jump to navigation Jump to search
Enclosure 2: Risk Insights Based on Ope Including ASP
ML22201A002
Person / Time
Issue date: 07/22/2022
From: Reinaldo Rodriguez, Sunil Weerakkody
NRC/NRR/DRA, NRC/NRR/DRA/APOB
To: Mike Franovich, Chris Miller
NRC/NRR/DRA, NRC/NRR/DRO
Weerakkody S
References
Download: ML22201A002 (11)
v  d  e


Text

Enclosure 2:

Risk Insights Based on Accident Sequence Precursors, other Oper ating Experience, and Review of Reference Plant High Energy Arcing Faults

I. Introduction

The purpose of this document is to provide a summary of qualita tive and quantitative risk-insights that the staff obtained by reviewing operating experie nce including events that occurred at nuclear power plants (NPPs) both inside and outside the Unit ed States. It also includes a summary of qualitative and quantitative risk-informed insights obtained from high-energy arcing fault events (HEAFs) that are documented in the U.S. Nuclear Re gulatory Commissions (NRCs) Accident Sequence Precursor (ASP) database as well as q ualitative risk insights obtained by reviewing HEAF scenarios of the reference plants f ire PRAs. Risk insights discussed in this enclosure are mostly qualitative. These insig hts will be used in a knowledge management activity consistent with the Teaching element of the NRCs Be riskSMART framework. They are included for informational purposes and do not constitute regulatory requirements. Rather, they are observations that highlight pot ential preventive and mitigative measures that could further reduce HEAF related risk.

One of the main objectives of a probabilistic risk assessment ( PRA) is to gain insights about a facilitys response to initiating events and accident progressi on, including the expected interactions among facility structures, systems, and components, and the operating staff. Risk-informed insights are derived by systematically investigating: (1) what can go wrong, (2) how likely it is, and (3) what are the consequences. Risk-informed insights can be obtained via both quantitative and qualitative investigations. Quantitative risk results from PRA calculations are useful, but they are generally s upplemented by qualitative risk insights and traditional engineering analysis. Qualitative risk insights include generic results (i.e., results that have been compiled from numerous PRAs performed in the past) and from ope rational experience that is applicable to a group of similar plants. Risk-informed insights are an important part of risk-informed regulation, in which r egulatory decisions are made by integrating risk insights with considerations of defense-in-depth and safety margins. A summa ry of the various sections of this document is provided below:

This enclosure is organized as follows:

  • Section II provides sources of information and distinguishes b etween risk-informed insights and other observations for the purposes of this report.
  • Section III summarizes risk-informed insights obtained from th e Electric Power Research Institute (EPRI) Report No. 3002015459, Critical Maintenance I nsights on Preventing HEAF, issued March 2019.
  • Section IV summarizes observations and risk-informed insights from visits to the two reference plants.
  • Section V describes risk-informed insights and observations ob tained from the NRCs ASP database and the Maanshan Station Blackout Event (SBO), (Ag encywide Document Access and Management Systems (ADAMS) Accession No. ML 021290364),

issued February 2002.

  • Section VI documents observations obtained from the Organizati on for Economic Cooperation and Development (OECD) Fire Project - Topical Repo rt No. 1, Analysis of High Energy Arcing Faults, June 2013.
  • Section VII summarizes observations and risk-informed insights obtained from some HEAF events with enterprise risk management.

1 II. Sources of Information used to Develop Qualitative Risk Ins ights

NRC staff reviewed information from the following sources to ob tain qualitative risk-informed insights and observations related to HEAFs.

  • Nine HEAF events from the NRCs ASP Database.
  • NRC report entitled, Operating Experience Assessment: Energet ic Faults in 4.16 kV to 13.8 kV Switchgear and Bus Ducts That Caused Fires in Nuclear P ower Plants

[NPPs]1986-2001, February 2002 (ADAMS Accession No. ML 0212903 64).

  • HEAF events described in the OECD report entitled Fire Protec tion Topical Report No. 1, Analysis of High Energy Arcing Faults, June 2013.
  • Six HEAF events discussed NRC Information Notice IN 2017-04, High Energy Arcing Faults in Electrical Equipment Containing Aluminum Component, August 2017.
  • EPRI Report No. 3002015459 entitled Critical Maintenance Insi ghts on Preventing HEAF, March 2019.
  • Information gathered from the two reference plants.

It is important to note that some HEAF events were included in more than one of the above sources. For example, several HEAF events in the ASP database also appeared in the report compiled by the OECD. Since this report focuses on generating qualitative insights, duplication of events in various databases was not a concern to the risk in sights based on operating experience including the Accident Sequence Precursors.

Each of the events reviewed provided one or more insights relat ing to measures that a licensee may adopt to minimize the likelihood of HEAFs or to mitigate th e consequences if a HEAF were to occur. Since the staff reviewed many events, there was the p otential to generate and list a large number of observations. However, a lengthy list of observ ations might be too unwieldy and inhibit the readers ability to bring focus on a handful of ris k-informed insights. Therefore, the staff differentiated risk-informed insights from other observat ions that might be useful.

For the purposes of this paper, the staff used the following de finitions to distinguish between observation and risk-informed insights:

  • An observation is any information that a reader could learn by reviewing operating experience and using it to impl ement preventive and mitigative measures with the goal of reducing the likelihood of an occurrence of a HEAF event or mitigate its consequence at an NPP.
  • A risk-informed insight is an observation that has the poten tial to significantly reduce risk by implementing preventive and mitigative measures with th e goal of significantly reducing the risk associated with HEAF sequences.

Risk-informed insights are identified by using the best availab le quantitative or qualitative information from HEAF sequences that make a dominant contributi on to risk.

III. Summary of Risk-Informed Insights from EPRI 3002015459

In March 2019, EPRI published a report entitled Critical Maint enance Insights on Preventing HEAFs. The Executive Summary of that report noted that HEAFs c an occur, and when combined with latent protective device or switchgear issues, th is could escalate and cause significant equipment damage and impact to the licensees capab ility to generate electrical

2 power at the NPP. The Executive Summary also noted that (1) an analysis of industry data demonstrates that an effective preventive maintenance program i s important in minimizing the likelihood and severity of HEAF events, (2) 64 percent of HEAF events were considered preventable, and (3) the most prevalent cause of failure due to HEAFs was inadequate maintenance.

The report examined four types of electrical equipment. These a re circuit breakers/switchgear, bus ducts, protective relays, and cables. In addition to discus sing the general importance of maintenance, the report provided insights on one of the compone nt types (circuit breakers/switchgear). The staff characterizes two key findings of the EPRI report as risk-informed insights because these insights are focused on a subs et of components that are likely to be of relatively high risk-significance. These two risk-info rmed insights from the EPRI report are provided below:

  • With respect to circuit breakers, the report noted that mainte nance of the Unit Auxiliary Transformer (UAT) breaker is particularly important because its failure can lead to an extended duration generator-fed fault at the first switchgear b us. Operating experience has shown this breaker to fail during automatic bus transfers. The report acknowledged the challenges that licensees confront in performing preventive maintenance because constraints associated with outage schedules and offered risk-i nformed guidance so that licensees may focus their maintenance on the risk critical subs et of maintenance activities.
  • With respect to switchgear, the report noted that for critical switchgear, such as feeder circuit breakers that carry higher currents and switchgear that is part of a bus transfer scheme, proper maintenance of connections on both the bus side and the circuit breaker side is especially important.

IV. Risk-Informed Insights and Observations from Reference Plant s

The NRC staff visited two reference plant sites to support the LIC-504 effort. The site visits enabled the staff to collect necessary information to perform a risk assessment using the best available information provided by the licensees. The primary ob jective of these site visits was to gather information to examine the magnitude of HEAF related ris k resulting from the new PRA methodology on HEAF. However, the staff also collected informa tion from these sites that may be germane to qualitative risk insights. The information collec ted pertained to the following:

a) practices for the use of PRA insights to prioritize the freq uency or nature of preventive maintenance or breaker coordination issues b) HEAF scenarios from the licensees Fire PRA models c) practices relating to treatment of HEAF operating experience d) use of protective barriers to reduce HEAF related risks e) licensees training programs to mitigate fires caused by HEA F events

The risk-informed insights given below are based on the informa tion obtained from the two reference plants. It is important to emphasize that since the HEAF related risks are highly plant specific they may not be applicable to other plants.

The licensees for both the reference plants noted that, at pres ent, they do not use PRA insights to modify the frequency or nature of their preventive maintenan ce practices. However, when the staff reviewed the HEAF scenarios for both plants, the staff no ted that a significant fraction of

3 HEAF related risks were associated with only a handful of HEAF scenarios. Since significant fractions of the HEAF related risk is distributed among a very small number of HEAF scenarios, it may be possible to use these scenarios to identify the subse t of components, which dominate the HEAF risks and focus maintenance or other related resources on that subset. This information led to the following risk-informed insight:

  • HEAF scenarios generated by licensees using the fire PRA model s may enable them to identify the subset of plant components whose design and mainte nance dominates the HEAF related risks. This information may allow licensees to min imize HEAF risks by focusing their resource (e.g., preventive maintenance) on that subset of components.

V. Risk-Informed Insights and Observations from Accident Sequen ce Precursor Events and the Maanshan Nuclear Power Plant Station Balckout Event

The NRCs ASP program evaluates potentially risk-significant ev ents and degraded conditions that occur at NPPs. To assess the risk significance of events t he ASP uses conditional core damage probability (CCDP). To assess the risk significance of d egraded conditions that exist for a specific exposure time, the ASP program uses the change in co re damage probability (CDP). Events or degraded conditions for which CCDP or CDP ex ceed a set threshold are identified as precursors and saved in the ASP database. Irrespe ctive of the metric used, events documented in the ASP Program provide a basis to identify the s ubset of risk-significant HEAF events, and consequently, to generate risk-informed insights. T herefore, HEAF events or degraded conditions associated with HEAFs in the ASP database c an be characterized as the subset of HEAF events that had the highest impact on safety. Th e Office of Nuclear Regulatory Research instruction TEC-005 provides additional details about NRCs ASP program.

Table 1 summarizes nine HEAF events in the ASP database and the 2001 Maanshan NPP HEAF event. The staff added the 2001 Maanshan NPP event to the mix of ASP database events because (1) the Maanshan NPP design (a power plant with two Westinghouse three loop pressurized-water reactors) is similar to a number of U.S. plan t designs, (2) the event constitutes the most risk-significant HEAF event and as such ha s the potential to be a rich source of risk-insights, and (3) a precursor-like analysis had been performed on the Maanshan NPP event1. To emphasize the highly approximate nature of the analyses, n umerical results in the Table are provided with a single significant digit. The tab le lists the ADAMS accession numbers for the Maanshan NPP event as well the as the other nin e risk-significant events in the ASP Database for the benefit of readers who wish to obtain more details on these events.

1 The NRC staff did not perform the ASP type analysis for the Maanshan NPP event. The staffs ASP analyses undergo multiple peer reviews including peer reviews performed by the licensees cognizant staff. Since the NRC staff did not perform the ASP analyses for the Maanshan NPP event, the staff is unaware of the pedigree of the risk assessment of the Maanshan NPP event. The NRC report entitled Operating Experience Assessment: Energetic Faults in 4.16 kV to 13.8 kV Switchgear and Bus Ducts That Caused Fires in Nuclear Power Plants 1986-2001, issued in February 2002 (ADAMS Accession No. ML021290358) provides additional PRA and design details about the Maanshan NPP event and a comparison of that event to several other HEAF events at U.S. plants.

4 Table 1: Summary of HEAF Events in the ASP Database and the Maanshan NPP Event

Plant/ Consequential (or Other Event Date Risk Metric and Impact Initial Fault and Cause Unrelated (ADAMS on Plant Concurrent) Failures Accession No.)

1 Maanshan CCDP = 2x10-3 Energetic electric fault in The arcing, smoke, ionized 3/18/2001 SBO feeder breaker to 4kV gases, and fire released by the (ML021290364) bus. energetic electrical fault inside the breaker compartment propagated and caused collateral damage to other switchgear compartments leading to the SBO.

2 Fort Calhoun CDP = 4x10-4 Deficient design controls Arc sustained for an extended 6/7/11 The issue was modeled as in 480V load center period and led to significant (ML12101A193) a degraded condition that during breaker damages, smoke, etc.

considered the potential for modifications.

common cause failures of other breakers associated with the degraded condition.

3 Robinson CCDP = 4x10-4 A feeder cable to 4kV 4kV Bus 5 failed to isolate from 3/28/10 Partial loss of offsite power non-vital bus (Bus 5) non-vital 4kV Bus 4 due to a (ML112411359) (LOOP) and potential loss caused an arc flash and a failure of circuit breaker 52/24 to of reactor coolant pump fire. open, which resulted in reduced (RCP) seal cooling power to 'B' RCP and a subsequent reactor trip on reactor coolant system (RCS) loop low flow. The estimated CCDP captures the impact of HEAF as well as the concurrent operator performance deficiency that led to potential loss of RCP seal cooling.

4 Diablo Canyon, CCDP = 4x10-4 Phase-to-phase fault in Arcing/fire damaged nearby Unit 1 LOOP 12kV bus due to non-vital 4kV buses.

5/15/00 (speculated) aging and (ML20112H532) inadequate maintenance.

5 Brunswick, Unit 1 CCDP = 3x10-5 A lockout of startup No consequential failures. LOOP 2/7/16 LOOP auxiliary transformer occurred because operators (ML17109A269) occurred due to electrical tripped reactor after the startup bus faults caused by auxiliary transformer failed.

water intrusion.

6 Waterford CCDP = 3x10-5 A lightning arrestor failed Delayed opening of the 4kV unit 6/10/95 Partial LOOP at the Waterford auxiliary transformer (UAT)

(ML20140A222) substation causing a grid feeder breaker paralleled the grid disturbance and trip of with the main generator, which main generator output was speeding up and therefore, breaker. out of phase with the grid due to the load rejection.

7 Cooper CDP =4x10-5 A phase-to-phase fault of Arc had the potential to damage 1/17/17 Partial LOOP. the non-segregated bus an adjoining bus duct. If that (ML18068A724) This event was evaluated duct had degraded due to occurred, the event would have as concurrent degraded inadequate maintenance. led to a full LOOP.

conditions and, therefore, used a CDP as the metric.

5 Plant/ Consequential (or Other Event Date Risk Metric and Impact Initial Fault and Cause Unrelated (ADAMS on Plant Concurrent) Failures Accession No.)

8 Shearon Harris CCDP = 4x10-6 Multiple ground faults in None 10/9/89 Reactor and turbine trip main transformer (ML20156A243) resulting from aluminum debris.

9 Turkey Point 3 CCDP = 3x10-6 Trip of RCPs caused by a None 3/18/17 Loss of a 4kV Bus HEAF on 4kV safety bus; (ML18038B063) foreign material (carbon fiber mesh reinforcement material) was identified in the current limiting reactor cubicle.

10 Arkansas CCDP = 2x10-6 Catastrophic failure of the Failure of the UAT protective Nuclear One 2 Partial LOOP UAT and subsequent relays.

12/9/13 failure of its protective (ML15238B714) relays to isolate a bus fault due to improper installation of a differential current relay output wire.

Maanshan NPP Event The NRC staff reviewed the HEAF event that occurred at the Maan shan NPP for this report because it appears to be the most risk significant HEAF event e xperienced at any light water reactor. That event provides information that helps licensees t o determine whether the potential exists at their facilities for HEAF related SBOs to occur and m inimize the likelihood of such occurrences.

On March 18, 2001, Maanshan Unit 1, a nuclear power plant in Ta iwan that was designed to U.S. regulations and standards, experienced a fire and a SBO du e to an energetic electrical fault. The fire started as the result of a fault in the safety-related 4 kilovolt (kV) switchgear supply circuit breaker. The initial fault caused explosions, ar cing, smoke, and ionized gases, which propagated to adjacent safety-related 4kV switchgear and damaged six switchgear compartments. The damage resulted in the complete loss of the f aulted safety bus and its emergency diesel generator (EDG) and a LOOP to the undamaged sa fety bus because of faulting of its offsite electrical feeder circuit. An independe nt failure of the redundant EDG resulted in loss of all alternating current (AC) power. Smoke h indered access to equipment, delaying the investigation and repair of the failures. The SBO was terminated after about 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> when an alternate AC EDG was started and connected to the undamaged safety bus.

When CCDP is used as the metric, the Maanshan NPP event can be characterized as the most risk-significant event documented in operating experience assoc iated with HEAFs. This event prompted the following risk-informed insight:

  • HEAFs that can lead to SBOs are likely to initiate at buses or switchgear that are essential to supply AC power from both offsite power and emerge ncy diesels (or other emergency supply). Resources focused to minimize the likelihoo d of HEAF occurrence at those switchgear and buses (e. g., improved preventive and predictive electrical maintenance) can reduce HEAF related risks. Measures taken to minimize the possibility of a HEAF at one emergency bus causing failure of t he redundant electrical

6 train due to consequential failures (e.g., due to smoke, or des ign deficiencies), will also minimize the SBO related HEAF risks.

Of the 10 events identified in Table 1, above, 8 are associated with actual or potential LOOPs or loss of emergency buses. Specifically, the plant impact of the se risk significant events included LOOP events, partial LOOP events, and the loss of a single 4kV emergency bus. These events, in conjunction with other consequential failures have the poten tial to lead to SBO events such as that at Maanshan. Therefore, plant features that could miti gate SBOs can be used to further mitigate SBO risks. In light of that, the staff offers the fol lowing risk-informed insight:

  • In general, HEAFs leading to station blackouts (SBOs) constitu te the highest HEAF related risks. Plant design and operational changes that have been adopted to enhance the mitigation of beyond design basis accidents rule (10 CFR 50.155) are likely to reduce HEAF related risks.

In addition, based on review of the ASP events, the staff offer s the following additional observations:

  • Of the nine events screened into the ASP database, eight event s occurred in high-or medium-voltage equipment. The other event occurred at a 480V lo ad center.
  • The staff investigated whether there were predominant root cau ses of the HEAFs that appeared in the ASP database. The root causes variedfour of th e events occurred because of inadequate maintenance {two due to presence of forei gn material (carbon fiber, aluminum debris), two events occurred due to other unspe cified inadequate maintenance practices}; and other causes included deficient des ign controls, water intrusion, random failures, and faulty protective relay coordin ation.
  • Low voltage (480V or less) components cannot be screened out a s negligibly risk significant. Particularly, HEAFs at low voltage load centers ca n lead to moderately risk significant events unless the sy stems are designed to prevent l ong duration arcing.
  • Ingestion of dust or any other material to bus ducts creates t he potential for multiple concurrent HEAFs.

To assess the risk of HEAF events in a more generic manner, the staff used a subset of the nine ASP events, and outputs of its suite of Standard Plant Ana lysis Risk (SPAR) models to develop a HEAF related average core damage frequency (CDF) for U.S. NPPs. The estimate is based on the frequency of risk-significant ASP events multiplie d by a suitably bounding CCDP.

That estimate, however, is simply an approximation, and is not representative of HEAF related risk at any U.S. NPP since HEAF risks are highly plant specific. As illustrated by the HEAF operating experience, the plant and operator response to the HE AF event can lead to other failures and conditions that are unrelated to the initial HEAF and are difficult to capture in a risk assessment.

Of the nine ASP events listed in Table 1, six occurred between 2010 and 2021. One occurred between 2000 and 2009 and two occurred before 2000. The staff n oted that most of the ASP HEAF events occurred after 2010. There could be variety of poss ible explanations for this, including under-reporting of HEAF events before 2010 or changes in the ASP risk assessment process over time. Although it did not investigate the reason f or this trend, the staff is confident that risk significant HEAF events occurring since 2010 have bee n captured in the ASP database. Therefore, to prevent inappropriately biasing the ris k significant HEAF event frequency, the staff assumed operating experience of the last t welve years is most

7 representative of current risk. That assumption yields 6 events over approximately 1200 reactor years (or ~5x10-3 events/year).

The staff noted that the ASP HEAF events led to a variety of in itiating events, including transients (reactor or turbine generator trips); LOOPs; or loss of a vital emergency AC power bus. Based on a review of SPAR model results, the most limiting CCDP for these initiating events is associated with a loss of a vital AC bus with a CCDP value of ~1x10-3 (representing a 95 percent upper bound value for all SPAR model results). The S PAR model CCDP results for transients and LOOPs were all below a CCDP value of 1x10 -3. Based on these estimates, the staff concluded that a reasonably bounding average HEAF CDF val ue, based on ASP events, is approximately 5x10-6 per reactor year. This value is generally considered to be a s mall risk impact compared NRCs safety goals for NPPs and yet constitutes a non-negligible fraction of the risk. Furthermore, on a plant-specific basis, HEAFs may con tribute to a substantial fraction of the fire risk. As mentioned earlier, HEAF risk is highly pl ant specific. For instance, for Reference Plant No. 1, the HEAF related CDF was about 2x10 -6/year. For Reference Plant No.

2, the HEAF related CDF was about 3x10 -5/year.

Considering the above analyses, the staff offers the following risk-informed insight is offered:

  • Based on the U.S. operating history of HEAF since 2010, HEAF e vents that constitute accident sequence precursor are likely to occur once in every t wo years, i.e., the average HEAF related CDF based on the ASP database is about 5x1 0-6/year. In comparison, the estimation of the HEAF related CDF using the ne w HEAF method for Reference Plant No. 1 was 2x10 -6/year and for Reference Plant No. 2 was 3x10 -5/year.

VI. Observations from the OECD Report

The staff reviewed the OECD report on HEAF events. The report i ncluded information on 48 HEAF events. Eleven events at U.S. NPPs are included in the OEC D report.

The definition of HEAF events used by the NRC is narrower than that used in the OECD report.

For example, the OECD report includes many HEAF events that too k place within large transformers installed outdoors which are not included in the N RC HEAF definition.

The large number of events included in the OECD report generate d several potential observations. Based on the review of the events from the OECD r eport, the staff identified the following observations relating to HEAF event prevention and mi tigation:

Equipment Side

  • Proper maintenance practices: several HEAF events were attribu ted to poor, or lack of maintenance.
  • Aging management for electrical components: some HEAF events w ere caused by age-related degradation of protective components, for example of bu s insulation.
  • Post maintenance testing and inspection to ensure as-left cond itions: the root cause of some HEAF events was identified as components not being left in the correct condition post-maintenance.

8 Operations Side

  • Housekeeping to prevent dust and other foreign matter accumula tion: the root cause of many events was identified as the build-up and presence of dust, debris, and other foreign material inside bus ducts or breaker enclosures.
  • Identification and correction of existing design issues: the s everity of many of the reported events was exacerbated by long-standing design errors or problems.
  • Understanding of the electrical system and event conditions to prevent incorrect operator actions: the severity of some of the reported events was increa sed by operators taking incorrect actions or not understanding what the correct actions were.

The report did not provide any screening criteria to distinguis h between risk-significant versus non-risk-significant events. This made it challenging to identi fy a set of risk-significant insights from the report. Even though the OECD report did not distinguis h between risk-significant versus non-risk-significant events, characteristics of the nine ASP events and the Maanshan NPP HEAF event offered a mechanism for identifying a set of ris k-significant events from the OECD report. Unfortunately, the lack of detail given for most o f the events prevented the staff from successfully completing this task.

However, the staff identified the following characteristics tha t may increase the risk-significance of HEAF events:

  • HEAF events that are initiated by smoke and other effects of f ires in other components; and
  • failure of other components due to smoke, ionized air, etc., r esulting from the HEAF event.

VII. Insights on Enterprise Risk

Enterprise risk management (ERM) is the process of planning, or ganizing, directing and controlling the activities of an organization to minimize the d eleterious effects of risks. ERM goes beyond risks imposed on the public due to NPP operation an d includes financial risks, strategic risks, reputational risks, operational risks and risk s associated with accidental losses.

In Office of Management and Budget (OMB) Circular A-123, Manag ements Responsibility for Enterprise Risk Management (ERM) and Internal Control, dated J uly 15, 2016, risk management is a series of coordinated activities to direct and control challenges or threats to achieving an organizations goals and objectives. ERM is an eff ective agencywide approach to addressing the full spectrum of the organizations external and internal risks by understanding the combined impact of risks as an interrelated portfolio, rath er than addressing risks only within silos. In accordance with procedural guidance in LIC-504, in th e staffs use of ERM, associated with HEAFs, both qualitative and quantitative risk results were used in the assessment of the agency enterprise risks and its recommendations for management consideration. It is noted that ERM is a process for how the NRC manages its activities bu t is not a basis for imposing or assessing new burdens on licensees, such as backfits.

Operating experience has demonstrated that HEAF events can init iate chains of events resulting in both safety and/or asset protection impacts and th us poses risks to the enterprise, even for HEAF events that may not be risk significant. Because of multiple failures as well as

9 consequences such as smoke and ionized metal vapor, these event s have the potential to challenge plant operators in unexpected ways.

Examples of three events that set off a chain of consequential events are provided below:

Fort Calhoun Station, Unit 1: On June 7, 2011, a switchgear fire occurred at the Fort Calhoun Station while the plant was shut down for a planned refueling o utage. The fire resulted in a loss of power to six of nine safety-related 480V AC electrical distr ibution buses, one of two safety-related 4kV buses and one of two non-safety related 4kV AC buses. The event resulted in the loss of the spent fuel pool cooling function and could h ave resulted in the loss of a safety function or multiple failures in systems used to mitigate a sit uation had the event occurred at power. Significant unexpected system interactions also occurred. Specifically, combustion products from the fire caused a fault across an open bus-tie br eaker on an island bus. As a result, a feeder breaker tripped unexpectedly resulting in loss of power to the opposite train bus.

Also, the event resulted in grounds on both trains of safety-re lated direct current (DC) power used for breaker operation and electrical protection. The fire was caused by the catastrophic failure of the feeder breaker for 480V AC load center 1B4A in t he west switchgear room. A large quantity of soot and smoke was produced by the fire, which migr ated into the conducting connections associated with the non-segregated bus duct, a meta l enclosure containing the bus bars for all three electrical phases, connecting to island bus 1B3A-4A, even though the bus-tie breaker was open. The smoke and soot were sufficiently conducti ve that arcing occurred between the bus bars such that island bus 1B3A-4A was affected and the other connected train load center, 1B3A, was affected by incorrect breaker sequencing.

Diablo Canyon Power Plant: On May 15, 2000, Diablo Canyon power plant, Unit 1 experienced a turbine/reactor trip. The cause of the unit trip was an electrical phase-to-phase fault on the 12kV bus in an overhead bus duct, supplied by Auxi liary Transformer 1-1. The switchyard and main generator field breaker opened immediately following unit trip. However, coast down of the main generator continued to feed the arc faul t. A 4kV startup bus duct located immediately above the faulted 12kV bus was damaged by the fault and subsequent arcing.

Damage to the 4kV bus induced a second arcing fault in the 4kV bus duct resulting in a differential trip of Startup Transformer 1-2, 11 seconds after the initial fault. The loss of both offsite sources of power to all 4kV loads resulted in an underv oltage condition, causing the EDGs to start and load successfully.

H.B. Robinson Steam Electric Plant: On March 28, 2010, with the H. B. Robinson Steam Electric Plant, Unit No. 2, operating in Mode 1 at approximatel y 100 percent power, an electrical feeder cable failure to 4kV non-vital Bus 5 caused an arc flash and fire. Bus 5 failed to isolate from non-vital 4kV Bus 4 due to a failure of Breaker 52/24 to o pen, which resulted in reduced voltage to RCP B and a subsequent reactor trip on RCS loop low flow. After the reactor trip, an automatic safety injection (SI) occurred due to RCS cooldown. P lant response was complicated by equipment malfunctions and failure of the operating crew to understand plant symptoms and properly control the plant. During plant restoration, the opera ting crew attempted to reset an electrical distribution system control relay prior to isolating the fault, which re-initiated the electrical fault and caused a second fire. The chain of events that was onset by the fire included temporary loss of all RCP seal cooling (seal injection as well as cooling via component cooling water). The loss of seal injection flow instrumentation within the main control room and an inadequate emergency operating procedure (EOP) step for determi ning seal injection flow contributed to operators failing to determine that seal injecti on was inadequate. In addition, the charging pump suction source failed to automatically switch-ove r from the Volume Control Tank (VCT) to the Reactor Water Storage Tank upon a low level in the VCT level. Various electrical

10 system equipment was unavailable as a result of the transient a nd electrical faults. Offsite power was lost to vital Bus E2. Recovery of offsite power to th is bus was possible almost immediately after the event occurred.

Based on these events, the staff has the following observation regarding HEAF related Enterprise Risk:

  • Frequently, HEAF events, even those that are not initially risk significant, can cause subsequent failures due to explosion effects, smoke, and ionize d gases. These subsequent failures can create a chain of consequential events that can pose special challenges to operators. In addition, several HEAF events invol ved operator errors that further contributed to the risk significance of the event. Thes e subsequent failures often involve complex interactions between the operators, fire phenom enology, and mitigation capability, and can be extremely challenging to predict. Due to these factors, it is impossible to predict, and therefore mitigate, all consequences of a HEAF. Therefore, a focus on prevention of HEAF events remains an important aspect of balancing HEAF risk management.

The staff examined additional events that occurred in the U.S. since 1985 from the ASP database, NRC IN 2017-04, and NUREG/CR-6850 Appendix M to obtai n additional insights relating to enterprise risk. Based on this review, the staff fo und that some events involving high voltage components such as transformers or electrical buses wer e not of high safety significance. On the other hand, these events may be of intere st to stakeholders for their own enterprise risk. For example, the staff found that the impacts of smoke, ionized metal vapor, and collateral damage to key plant assets (such as turbines, th e main generator, or large transformers) could lead to extended plant outages. This obser vation aligns with the general findings noted in the OECD report based on their review of 48 H EAF events.

11

Retrieved from "https://kanterella.com/w/index.php?title=ML22201A002&oldid=3724149"