Final ASP Analysis- Millstone (LER 336/06-002)

ML071930281
Person / Time
Site:	Millstone
Issue date:	04/11/2007
From:	NRC/NRR/ADRO/DORL/LPLI-2
To:
Sanders, Carleen, NRR/DORL 415-1603
Shared Package
ML072910721	List: ML071930281 ML072910733
References
IR-06-002, IR-06-005, LER 06-002-00
Download: ML071930281 (9)
v • d • e

Text

Final Precursor Analysis Accident Sequence Precursor Program -- Office of Nuclear Regulatory Research Millstone Power Manual Reactor Trip Due to Trip of Both Feed Pumps Following a Station (Unit 2) Loss of Instrument Air LER 336/06-002; Event Date 02/23/2006 IR 05000336/2006-02; CCDP = 8x10-6 IR 05000336/2006-05 April 11, 2007 Event Summary On February 23, 2006, with the plant in Mode 1 and 100% power, a manual reactor trip was initiated following an instrument air (IA) leak that occurred while replacing a pipe clamp on a two-inch copper IA header in the Turbine Building. An inadequately soldered joint failed on a 1/2-inch tee connection from a two-inch IA line that resulted in rapidly lowering Instrument Air pressure that caused the excess flow check valve to shut. Numerous air operated valves shifted to their loss-of-air position. Feedwater heater high-level dump valves opened causing a reduction of heater drain flow and a loss of suction pressure to the steam generator feed pumps (SGFP). Both SGFPs tripped and a manual reactor trip was initiated. Non-Vital 120V AC Regulated AC Panels VR11' and VR21' shifted to backup power supplies as expected due to the transfer of station power from the Normal Station Service Transformer (NSST) to the Reserve Station Service Transformer (RSST) following a reactor trip. The momentary loss of power to VR11' during this transfer resulted in a loss of letdown and indication of pressurizer power operated relief valves (PORV) and main steam safety valves (MSSV) position changes.

Operators subsequently restored letdown and confirmed no actuation of either PORVs or MSSVs had occurred during the event.

Following the reactor trip, control element assembly position display system (CEAPDS) indicated CEA 7' was not fully inserted and the core mimic indicated CEA 44' was not fully inserted. Upon further review, it was confirmed that both CEA 7' and 44' had fully inserted and the indication anomalies were due to reed switch indication behavior. Additionally following the trip, the auxiliary feedwater (AFW) system was automatically actuated but the plant experienced an abnormal cool down to 526 o F in part due to excessive AFW flow to Steam Generator (SG) 1'. An operator was dispatched to take manual control of the regulating valve at which point RCS temperature was restored to the normal post-trip band of 530-535o F. It was subsequently determined that AFW Regulating Valve 1' was incorrectly set. This resulted in the Auxiliary Feed Regulating Valve 1' going to its failed position (i.e., full open). All other safety systems functioned as designed, and the plant was stabilized in Mode 3 at normal operating temperature and pressure.

More details of the event can be found in the References 1, 2, and 3.

Cause. The cause of this event was determined to be an already weakened solder joint which was disturbed while attempting to repair an incorrectly installed clamp, not designed for IA piping. This in turn, resulted in a 1/2-inch copper line separating from a tee connection causing a partial loss of IA in the Turbine Building.

1

LER 336/06-002 Recovery opportunities. Following the leakage of air from a two-inch instrument air line due to failure of an inadequately soldered joint, maintenance personnel quickly reconnected the air line and applied a temporary wooden wedge to support the air line (see Reference 2). However, this recovery is not credited in the event assessment because: 1) numerous air operated valves already shifted to their loss-air-failure position; and 2) recovery of air to the secondary systems in the turbine building, including condensate pumps, requires quite complicated manipulations outside of the control room taking quite a long time.

Other concurrent or windowed events. No other significant operating events existed at Millstone 2 according to the LER Search Database.

Analysis Results C Importance The conditional core damage probability (CCDP), for this event is 8x10-6. The results of an uncertainty assessment on the CCDP are summarized below.

CCDP 5% Mean 95%

Millstone 2 1.2x10-7 7.6x10-6 3.3x10-5 The Accident Sequence Precursor Program acceptance threshold is a CCDP of 1x10-6 or the CCDP equivalent of an uncomplicated reactor trip with a non-recoverable loss of secondary plant systems (e.g., feedwater and condensate). This CCDP equivalent for Millstone 2 is 6x10-6.

C Dominant Sequences The dominant core damage sequence for this event is Loss of Main Feedwater (LOMFW) Sequence 17. The events and important component failures for LOMFW Sequence 17 shown in Figure 1 (Appendix A) include:

! LOMFW initiating event,

! successful reactor trip,

! failure of steam generator cooling, and

! failure of once through cooling.

C Results Tables

! The conditional probabilities for the dominant sequences are shown in Table 1.

! The event tree sequence logic for the dominant sequences is presented in Table 2a.

! Table 2b defines the nomenclature used in Table 2a.

! The most important cut sets for the dominant sequences are listed in Table 3.

! Definitions and probabilities for modified or dominant basic events are provided in Table 4.

2

LER 336/06-002 Modeling Assumptions C Analysis Type The Revision 3-Plus (Change 3.21) of the Millstone 2 Standardized Plant Analysis Risk (SPAR) model (Reference 4) created in October 2005 was used for this assessment.

This event was modeled as an at-power initiating event assessment for the manual reactor trip due to a trip of both main feedwater pumps following a loss of instrument air to the turbine building.

C Modeling Assumptions Summary The key modeling assumptions are listed below. These assumptions are important contributors to the overall risk.

- Recovery of condensate injection availability. At Millstone 2, a condensate pump can be used for injection to at least one SG when both main and auxiliary feedwater systems are not available to remove decay heat from the steam generators. However, the condensate system flow path for injection into the steam generators was lost during the event as a result of loss of instrument air to the turbine building. For this analysis, it was assumed that the condensate system could not be recovered within the required time frame to be used for injection into the SGs because:

a) Numerous air operated valves already shifted to their loss-air-failure position which would lengthen and complicate the alignment of the condensate pump SG injection flow path; and b) The time to initiate condensate system injection is relatively short and would need to be recovered before the operator initiates feed and bleed operation (i.e., within 1 or 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />).

- Impact of missing PORV indication on feed and bleed operation. At Millstone 2, feed and bleed operation using high pressure injection and PORVs is required to remove decay heat when secondary cooling is needed but fails. Reference 1 points out that the indication of PORV position changes was lost due to a momentary loss of power to 120VAC Regulated AC panel VR11', although the operators subsequently confirmed no actuation of PORVs had occurred during the event. The loss of PORV position indications in the control room could have adverse impact on the manual operation of feed and bleed. The SPAR model human error probability (HEP) for feed and bleed (HPI-XHE-XM-FAB) is estimated at a value of 0.1 assuming the availability of the PORV position indicators.

However, operators can infer the position of PORVs by alternative indications (e.g.,

temperature gauge downstream of the PORV block valves, integrity of the rupture discs, etc.) and the PORV position indication was lost only temporarily. Therefore, the best-estimate event assessment was performed without any change to the HEP of 0.1 for feed and bleed operation despite the temporary loss of the PORV position indication.

3

LER 336/06-002

- Potential RCS Overcooling due to failure of the AFW Regulating Valve.

Reference 1 indicates that SG AFW Regulating Valve 1' went to its failed position (i.e., full open) allowing excessive flow to the SG 1', which contributed to a greater than expected, cool down of the RCS. The RCS temperature was restored to the normal post-trip band by dispatching an operator to take manual control of the regulating valve. The AFW system fault tree has been modified to include manual control of AFW flow to SG 1'.

C Fault Tree Modifications AFW System Fault Tree. The fault tree was modified to account for operators having to take manual control of AFW flow to SG 1'. Basic event, AFW-XHE-XM-CONTROL, was added under the AND Gate AFW-2 (see Figure 2). For the base case, this event was set to IGNORE.

C Basic Event Changes

- AFW-XHE-XM-CONTROL. This HEP was set to 1.1x10-2 based on evaluation using the SPAR-H Method (Reference 5). It was assumed that diagnostic activities were needed for this event, but the performance shaping factors (PSF) for the diagnosis and action portions of HEP were set to their nominal values (i.e., set to 1).

- CDS-XHE-XM-ERROR. The HEP was set TRUE because the condensate system was assumed to be unavailable to provide injection into the SG. This determination was made due to the insufficient time operators would have to perform this action. See the Modeling Assumptions Summary for further details.

- IE-LOMFW. The initiating event frequency was set 1.0. All other initiating event frequencies were set to zero.

References

1. LER 336/06-002, Revision 00, Manual Reactor Trip Due to Trip of Both Feed Pumps Following a Loss of Instrument Air, Event Date: February 23, 2006.

2. NRC Inspection Report, Millstone Power Station - NRC Integrated Inspection Report 05000336/2006002 and 05000423/2006002, May 5, 2006.

3. NRC Inspection Report, Millstone Power Station - NRC Integrated Inspection Report 05000336/2006005 and 05000423/2006005, January 30, 2007.

4. Idaho National Engineering and Environmental Laboratory, Standardized Plant Analysis Risk Model for Millstone 2, Revision 3 Plus (Change 3.21), October 2005.

5. Idaho National Engineering and Environmental Laboratory, The SPAR-H Human Reliability Analysis Method, INEEL/EXT-02-01307, May 2004.

4

LER 336/06-002 Table 1. Conditional core damage probabilities of dominating sequences.

Event tree Sequence CCDP1 Contribution name no.

LOMFW 17 7.0E-6 97.2 Total (all sequences)2 7.2E-6 100

1. Values are point estimates.

2. Total CCDP includes all sequences (including those not shown in this table).

Table 2a. Event tree sequence logic for dominating sequences.

Event tree Sequence Logic name no. (/ denotes success; see Table 2b for top event names)

LOMFW 17 /RT, SGC, OTC Table 2b. Definitions of top events listed in Table 2a.

Top Event Definition RT REACTOR TRIP SGC SECONDARY SIDE COOLDOWN OTC ONCE THROUGH COOLING Table 3. Conditional cut sets for the dominant sequences.

Percent CCDP Minimum Cut Sets (of basic events)

Contribution Event Tree: LOMFW, Sequence 17 3.4E-006 48.21 AFW-FCV-CF-AB HPI-XHE-XM-FAB 9.0E-007 12.96 AFW-AOV-CC-FW43B AFW-XHE-XM-CONTROL HPI-XHE-XM-FAB 2.8E-007 3.97 AFW-CKV-CF-SGS HPI-XHE-XM-FAB 2.4E-007 3.46 AFW-TNK-FC-CST HPI-XHE-XM-FAB 1.7E-007 2.41 AFW-FCV-CF-AB HPI-MDP-TM-1A 1.7E-007 2.41 AFW-FCV-CF-AB HPI-MDP-TM-1C 5.8E-006 100 Total (all cutsets)1

1. Total CCDP includes all cutsets (including those not shown in this table).

5

LER 336/06-002 Table 4. Definitions and probabilities for modified and dominant basic events.

Probability/

Frequency Event Name Description Modified (per year)

AFW-AOV-CC-FW43B DISCHARGE TO SG1 AOV 2-FW-43B FAILS 9.0E-004 No AFW-CKV-CF-SGS CCF OF STEAM GENERATOR CHECK VALVES 2.8E-006 No COMMON CAUSE FAILURE OF FLOW CONTROL AFW-FCV-CF-AB 3.4E-005 No VALVES AFW-TNK-FC-CST AFW CONDENSATE STORAGE TANK FAILURES 2.4E-006 No OPERATORS FAIL TO MANUALLY CONTROL LEVEL OF AFW-XHE-XM-CONTROL 1.0E-002 Yes SG 1 OPERATORS FAIL TO ALIGN CONDENSATE FOR CDS-XHE-XM-ERROR TRUE Yes DECAY HEAT REMOVAL HPI-MDP-TM-1A HPI MDP-P41A UNAVAILABLE DUE TO T & M 5.0E-003 No HPI-MDP-TM-1C HPI MDP-P41C UNAVAILABLE DUE TO T & M 5.0E-003 No OPERATOR FAILS TO INITIATE FEED AND BLEED HPI-XHE-XM-FAB 1.0E-001 No COOLING IE-LOMFW LOSS OF MAIN FEEDWATER INITIATING EVENT 1.0 Yes1

1. Set the IE frequency to 1.0. All other initiating event frequencies were set to zero.

6

LER 336/06-002 Appendix A Event Tree and Fault Tree Figures 7

LER 336/06-002 LOSS OF REACTOR STEAM PORVs RCP SEAL HIGH ONCE SECONDARY SHUTDOWN SUMP CONTAINMENT FEEDWATER TRIP GENERATOR ARE INTEGRITY PRESSURE THROUGH SIDE COOLING RECIRC COOLING TRANSIENTS COOLING CLOSED MAINTAINED INJECTION COOLING COOLDOWN IE-LOMFW RT SGC PORV RCPSL HPI OTC SSC SDC HPR CSR # ENDSTATE 1 OK 2 OK 3 CD 4 CD 5 CD 6 OK 7 OK 8 CD 9 CD 10 OK 11 CD 12 CD 13 CD 14 OK 15 CD 16 CD 17 CD 18 T ATWS Figure 1. Millstone 2 Loss of Main Feedwater Event Tree (with dominant sequence highlighted).

8

LER 336/06-002 NO OR INSUFFICIENT AFW FLOW AFW CCF OF STEAM COMMON CAUSE AFW CONDENSATE AFW PUMP TRAIN GENERATOR CHECK FAILURE OF FLOW STORAGE TANK FAILURES VALVES CONTROL VALVES FAILURES 2.760E-6 3.348E-5 2.400E-6 AFW-CKV-CF-SGS AFW-FCV-CF-AB AFW-TNK-FC-CST AFW-1 NO AFW FLOW NO AFW FLOW TO STEAM GENERATOR TO STEAM GENERATOR SG1 SG2 AFW-2 AFW-3 DISCHARGE TO DISCHARGE TO OPERATORS FAIL TO NO FLOW FROM DISCHARGE TO DISCHARGE PATH SG1 AOV 2-FW-43A SG1 AIR ASSISTED MANUALLY CONTROL PUMP TRAINS TO SG1 AOV 2-FW-43B TO SG2 FAILURES CHECK VALVE 2-FW-12A SG 1 LEVEL SG1 9.000E-4 1.000E-4 IGNORE 9.000E-4 1.000E-4 AFW-AOV-CC-FW43A AFW-CKV-CC-FW12A AFW-XHE-XM-CONTROL AFW-4 AFW-AOV-CC-FW43B AFW-CKV-CC-FW12B Figure 2. Modified Millstone 2 AFW Fault Tree (with added basic event circled).

9