ML13199A503

From kanterella
Revision as of 15:50, 4 November 2019 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Final ASP Analysis - Oyster Creek Nuclear Generating Station (219-12-001)
ML13199A503
Person / Time
Site: Oyster Creek
Issue date: 07/23/2012
From:
NRC/RES/DRA
To:
Tetter K
Shared Package
ML13199A502 List:
References
IR-12-004, LER 12-001-02
Download: ML13199A503 (11)


Text

Final Precursor Analysis Accident Sequence Precursor Program - Office of Nuclear Regulatory Research Oyster Creek Nuclear Turbine-Generator Trip and Reactor Scram Following a Generating Station Transmission Line Trip Causing a Loss of Offsite Power LER: 219/12-001-02 Event Date: 07/23/2012 CCDP = 5x10-5 IR: 50-219/12-04 EVENT

SUMMARY

Event Description. At 3:29 am on July 23, 2012, Oyster Creek experienced a complete loss of offsite power (LOOP) for about one and a half hours. With the loss of the 230 kV transmission path following a single phase-to-ground fault on one of the three lines, the loading on the main generator was significantly reduced. The reduction in loading resulted in an increase in turbine speed, prompting the reactor protection system to scram the reactor in anticipation of a turbine trip.

Shortly after the loss of the three 230 kV transmission lines, the 34.5 kV sub-transmission line tripped due to the attempt to carry full main generator capacity. The loss of the 34.5 kV line resulted in an interruption of the only remaining off site power source. With the main generator still online and output breakers remaining closed, the main generator began feeding the startup transformers as it coasted down. Soon thereafter, the Main Generator Digital Protection Relay System sensed an under-frequency condition which tripped the main generator and opened the generator output breakers. With the generator output breakers open, the only remaining source of power to the safety buses was lost and the buses were disconnected from their off-site source, non-safety loads were shed, and both emergency diesel generators (EDGs) fast started carrying the loads on the safety buses as designed.

A root cause investigation was performed and determined that the two energized 230 kV transmission lines spuriously tripped following the ground fault on one of the lines. The cause of the spurious trip was an improperly installed sensing device. After the trip of the three 230 kV transmission lines, the plant and switchyard performed as designed.

Additional information is provided in References 1-2.

Enclosure 1

LER 219/12-001-02 MODELING ASSUMPTIONS Analysis Type. The Oyster Creek SPAR model, created in June 2012, was used for this event analysis. This event was modeled as a grid-related LOOP initiating event.

Analysis Rules. The ASP program uses Significance Determination Process results for degraded conditions when available. However, the ASP Program performs independent analysis for initiating events.

Key Modeling Assumptions. The following modeling assumptions were determined to be significant to the modeling of this event analysis:

  • Offsite power was restored in approximately one and a half hours after the grid-related LOOP occurred. However, offsite power was available within thirty minutes and operators could have restored power earlier, if needed (i.e., during a postulated station blackout). See the section on Recovery Analysis for further details.

Basic Event Probability Changes. The following initiating event frequencies and basic event probabilities were modified for this event analysis:

  • This analysis models the July 23, 2012 reactor trip at Oyster Creek as a grid-related LOOP initiating event.

- The probability of IE-LOOPGR (Loss of Offsite Power Initiator (Grid-Related)) was set to 1.0; all other initiating event probabilities were set to zero.

  • The offsite power was recovered to the essential buses in about one and a half hours after the reactor trip and grid-related LOOP occurred; therefore, the default EDG mission times were changed to reflect the actual time offsite power was restored to the essential buses.

Since the overall fail-to-run is made up of two separate factors, the mission times for these factors were set to the following: ZT-DGN-FR-E = 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (base case value) and ZT-DGN-FR-L = 0.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />.

Offsite Power Recovery Analysis. The time required to restore offsite power to plant emergency equipment is a significant factor in modeling the CCDP given a LOOP. The LOOP/Station Blackout (SBO) modeling within the SPAR models include various sequence-specific power recovery factors that are based on the time available to recover offsite power to prevent core damage. Depending on the (1) availability of the isolation condenser; (2) the success or failure to depressurize the reactor coolant system (RCS); (3) the integrity of the recirculation pump seals; (4) the availability of the EDGs; and (5) the battery depletion time; the time available to restore offsite power prior to core damage during a postulated SBO for Oyster Creek ranges from 30 minutes to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

In this analysis, offsite power recovery probabilities are based on:

  • Known information about when offsite power was available and when power was restored to the essential buses,
  • A determination on whether offsite power could have been restored sooner given a postulated SBO, and 2

LER 219/12-001-02

  • Estimated probabilities of operators failing to realign offsite power to an essential bus.

During the event, operators restored power (via the 230 kV offsite power sources) to the essential buses in one hour and 28 minutes after the LOOP occurred. However, offsite power via the 34.5 kV was available within one minute of the event and power could have been restored within 30 minutes. To restore offsite power (if needed because EDGs fail to supply the loads), operators would need to:

  • Determine that LOOP and subsequent (postulated) SBO occurred. In addition, the operators would need to determine that offsite power was available via the 34.5 kV portion of the substation. The correct determination will lead operators to enter ABN-36, Loss of Offsite-Power.
  • Startup Transformers would need to be aligned to supply offsite power to 4160 V Buses 1A and 1B and Essential Buses 1C and 1D. Operators would need to use Procedure 337, 4160 Volt Electrical System to properly align power to the buses.

The SPAR-H Human Reliability Analysis Method (References 3 and 4) was used to estimate non-recovery probabilities as a function of time following restoration of offsite power to the switchyard. Tables 1 and 2 provide the key qualitative information for these recovery human failure events (HFEs) and the performance shaping factor (PSFs) adjustments required for the quantification of the human error probabilities (HEPs) using SPAR-H.

Table 1. Qualitative Evaluation of HFEs for Recovery of Offsite Power to an Essential Bus.

The definition for these recovery HFEs is the operators failing to restore offsite Definition power within 30 minutes to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> (depending on the sequence) given a postulated SBO.

Depending on availabilities of the isolation condenser, EDGs, and RCS Description and depressurization, the integrity of the recirculation pump seals, and the time until Event Context the station batteries are depleted, operators would have between 30 minutes to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> to restore power prior to core uncovery.

For successful recovery, operators would have to align offsite power prior to core Operator Action uncovery. The time available for operators to perform this action would be a Success Criteria minimum of 15 minutes (given the failure of the isolation condenser and RCS depressurization and/or recirculation pump seal failure).

  • Startup Transformer Circuit Breaker S1A Low Voltage
  • Startup Transformer Circuit Breaker S1B Low Voltage
  • 4160V Bus 1A Under-voltage Nominal Cues
  • 4160V Bus 1B Under-voltage
  • Essential Bus 1C Low-Low Voltage
  • Essential Bus 1D Low-Low Voltage Procedural ABN-36, Loss of Off-site Power Guidance Procedure 337, 4160V Electrical System Diagnosis/Action These recovery HFEs contain sufficient diagnosis and action components.

3

LER 219/12-001-02 Table 2. SPAR-H Evaluation of HEPs for Recovery of Offsite Power to an Essential Bus.

Diagnosis / Action PSF Notes Multiplier The operators would need approximately 15 minutes to perform the action component of time to restore power to an essential bus. Therefore, the minimum time for diagnosis is approximately 15 minutes.

Therefore, available time for the diagnosis component for thirty minute recovery is assigned as Nominal Time (i.e.,

x1). Available time for the diagnosis component for recoveries with at least one hour is assigned as Expansive Time Available 1 or 0.01 / 1 Time (i.e., x0.01; time available is >2 times nominal and

>30 minutes).

Since sufficient time was available for the action component of the recovery, the available time for the action component for all recovery times is evaluated as Nominal (i.e., x1). See Reference 4 for guidance on apportioning time between the diagnosis and action components of an HFE.

The PSF for diagnosis stress is assigned a value of High Stress (i.e., x2) due to the postulated SBO.

Stress 2/1 The PSF for action stress was not determined to be a performance driver for these HFEs; and therefore, was assigned a value of Nominal (i.e., x1).

The PSF for diagnosis complexity is assigned a value of Moderately Complex (i.e., x2) because operators would have to deal with multiple equipment unavailabilities and the concurrent actions/multiple procedures during a Complexity 2/1 postulated SBO.

The PSF for action complexity was not determined to be a performance driver for these HFEs; and therefore, was assigned a value of Nominal (i.e., x1).

There are two procedures (ABN-36 and 337) necessary to Procedures 1/1 align power to restore offsite power.

Procedures Experience/Training No event information is available to warrant a change in Ergonomics/HMI 1/1 these PSFs (for diagnosis and action) from Nominal for Fitness for Duty these HFEs.

Work Processes HEPs evaluated using SPAR-H are calculated using the following formula:

Calculated HEP = (Product of Diagnosis PSFs x 0.01) + (Product of Action PSFs x 0.001)

Basic event OEP-XHE-XL-NR30MGR (Operator Fails to Recover Offsite Power in 30 Minutes (Grid-Related)) was set to 4x10-2.

Basic events OEP-XHE-XL-NR01HGR (Operator Fails to Recover Offsite Power in 1 Hour (Grid-Related)), OEP-XHE-XL-NR04HGR (Operator Fails to Recover Offsite Power in 4 Hours (Grid-Related)), OEP-XHE-XL-NR08HGR (Operator Fails to Recover Offsite Power in 8 Hours (Grid Related)), OEP-XHE-XL-NR10HGR (Operator Fails to Recover Offsite Power in 10 Hours 4

LER 219/12-001-02 (Grid-Related)), and OEP-XHE-XL-NR12HGR (Operator Fails to Recover Offsite Power in 12 Hours (Grid-Related)) were set to 1x10-3.

Dependency. A review of the dominant cutsets was performed to determine if/how potential dependency between key HFEs was accounted for in the Oyster Creek SPAR model.1 This review revealed some cutsets in LOOPGR Sequence 25 in which a potential dependency exists. These cutsets contained multiple HFEs causing the failure of the isolation condenser (IC) and manual RCS depressurization, which would lead to core damage in approximately 30 minutes.

Other boiling-water reactor (BWR) SPAR models were reviewed to determine if similar HFEs were evaluated as dependent. There are only three SPAR models with ICs; Dresden has a dependency relationship between a HEP for IC operations and a HEP for depressurization while Oyster Creek and Nine Mile Point have dependencies between HEPs for high pressure operations and depressurization instead. This review determined several instances in which dependency was modeled between HFEs of high-pressure decay heat removal [e.g., high-pressure coolant injection (HPCI)] and manual RCS depressurization. In these cases, the dependency of the HFE of the failure to manually depressurize RCS was determined to have low dependence with the HFE involving failure of HPCI (when both HFEs were in the same cutset). Since no two SPAR models are identical, the HFE for HPCI was considered sufficiently similar to the HFE for IC operation to equate the two for the purpose of determining the degree of dependency because of similar actions and time involved. It was determined that if an operator fails to start/control the isolation condenser then there is an increased likelihood, due to the proximity of actions in time, that the operator may also fail to depressurize the reactor or transfer power. Thus, these HFEs were determined to be dependent. The degree of dependency between HFEs involving IC operation and manual RCS depressurization was determined using THERP as noted below, and was consistent with the numerical values used for the SPAR models modeling the low dependency HFE for HPCI operation and RCS depressurization. Therefore, the following post-processing rules were added to the Oyster Creek SPAR model to account for dependence between HFEs leading to failure of the isolation condenser and manual RCS depressurization:

if Init(IE-LOOPGR)* ADS-XHE-XM-MDEPR *ISO-XHE-XE-ERROR then DeleteEvent = ADS-XHE-XM-MDEPR; AddEvent = ADS-XHE-XM-MDEPR1; endif if Init(IE-LOOPGR)* ADS-XHE-XM-TRNSFR *ISO-XHE-XE-ERROR then DeleteEvent = ADS-XHE-XM-TRNSFR; AddEvent = ADS-XHE-XM-TRNSFR1; endif

  • The HFEs ADS-XHE-XM-MDEPR (Operator Fails to Depressurize the Reactor after Failing to Start/Control Isolation Condenser) of 5x10-4 and ADS-XHE-XM-TRNSFR (Operator Fails 1

The dependencies modeled between HFEs in the SPAR models are based solely on the human reliability analysis (HRA) performed as part of the licensee probabilistic risk assessment (PRA). This can be important in cases like this one where the dependency between two (or more) HFEs will increase the total likelihood above the value that would otherwise be used if they were treated as completely independent of each other. NRC ASP risk analysts using the SPAR models must determine case-by-case whether dependencies between HFEs exist and, if they do, to what degree.

5

LER 219/12-001-02 to Transfer Power after Failing to Start/Control Isolation Condenser) of 1x10-3 were determined to have low dependence when coincident with ISO-XHE-XE-ERROR (Operator Fails to Start/Control Isolation Condenser) in the same cutset.2 Using the THERP dependency equation, the dependent HFEs ADS-XHE-XM-MDEPR1 and ADS-XHE-XM-TRNSFR1 were calculated to have a HEP of 5x10-2. These changes were necessary because, as mentioned in footnote 1, the SPAR model HFEs are based solely on the licensee PRA and some changes are required to make the model more accurately represent this actual event.

For THERP Low Dependence the probability of failure is (1+19*(Pwithout dependence))/20 (Reference 3).

ANALYSIS RESULTS Conditional Core Damage Probabilities. The point estimate conditional core damage probability (CCDP) for this event is 5x10-5. Without considering HFE dependency, the CCDP for this event could be non-conservatively estimated at 1x10-5 and without crediting the recovery of offsite power one half hour after the trip the CCDP could be estimated at just below 1x10-4 The Accident Sequence Precursor Program acceptance threshold is a CCDP of 1x10-6 or the CCDP equivalent of an uncomplicated reactor trip with a non-recoverable loss of secondary plant systems (e.g., feed water and condensate), whichever is greater. This CCDP equivalent for Oyster Creek is 1x10-6.

Dominant Sequence. The dominant accident sequence is LOOP Sequence 25 (CCDP =

5x10-5) which contributes 95.8% of the total internal events CCDP. Additional sequences that contribute greater than 1% of the total internal events CCDP are provided in Appendix A.

The dominant sequence is shown graphically in Figures B-1 and B-2 in Appendix B. The events and important component failures in LOOP Sequence 25 are:

  • Grid-related LOOP occurs,
  • Emergency power succeeds,
  • Steam relief valves succeed,
  • Isolation condenser fails, and
  • Manual reactor depressurization fails.

REFERENCES

1. Oyster Creek Nuclear Generating Station, "LER 219/12-001 Turbine-Generator Trip and Reactor Scram Following a Transmission Line Trip, dated December 12, 2012.

(ML13108A130)

2. U.S. Nuclear Regulatory Commission, Oyster Creek Generating Station NRC Integrated Inspection Report 05000219/2012004, dated November 7, 2012. (ML12312A094) 2 The HFEs ADS-XHE-XM-MDEPR and ADS-XHE-XM-TRNSFR are modeled as independent in the base Oyster Creek SPAR model. The dependent HFEs (e.g., ADS-XHE-XM-MDEPR1 and ADS-XHE-XM-TRNSFR1) are substituted for the independent HFEs when the post-processing rule logic is satisfied (i.e., when the independent basic events are in the same cutset with HFE ISO-XHE-XE-ERROR).

6

LER 219/12-001-02

3. Idaho National Laboratory, NUREG/CR-6883, The SPAR-H Human Reliability Analysis Method, August 2005 (ML051950061).
4. Idaho National Laboratory, INL/EXT-10-18533, SPAR-H Step-by-Step Guidance, May 2011 (ML112060305).

7

LER 219/12-001-02 Appendix A: Analysis Results Summary of Conditional Event Changes Event Description Cond Nominal Value Value OPERATOR FAILS TO DEPRESSURIZE THE Not ADS-XHE-XM-MDEPR1 REACTOR AFTER FAILING TO START/CONTROL 5.00E-2 Modeled ISOLATION CONDENSER (DEPENDENT)

OPERATOR FAILS TO TRANSFER POWER AFTER Not ADS-XHE-XM-TRNSFR1 FAILING TO START/CONTROL ISOLATION 5.00E-2 Modeled CONDENSER (DEPENDENT)

LOSS OF OFFSITE POWER INITIATOR (GRID-IE-LOOPGR 1.00E+0 1.22E-2 RELATED)

OPERATOR FAILS TO RECOVER OFFSITE POWER IN OEP-XHE-XL-NR01HGR 1.00E-3 6.59E-1 1 HOUR (GRID-RELATED)

OPERATOR FAILS TO RECOVER OFFSITE POWER IN OEP-XHE-XL-NR04HGR 1.00E-3 1.69E-1 4 HOURS (GRID-RELATED)

OPERATOR FAILS TO RECOVER OFFSITE POWER IN OEP-XHE-XL-NR08HGR 1.00E-3 5.00E-2 8 HOURS (GRID-RELATED)

OPERATOR FAILS TO RECOVER OFFSITE POWER IN OEP-XHE-XL-NR10HGR 1.00E-3 3.11E-2 10 HOURS (GRID-RELATED)

OPERATOR FAILS TO RECOVER OFFSITE POWER IN OEP-XHE-XL-NR12HGR 1.00E-3 2.04E-2 12 HOURS (GRID-RELATED)

OPERATOR FAILS TO RECOVER OFFSITE POWER IN OEP-XHE-XL-NR30MGR 4.00E-2 8.63E-1 30 MINUTES (GRID-RELATED)

ZT-DGN-FR-L DIESEL GENERATOR FAILS TO RUN 5.43E-4 2.47E-2 Dominant Sequence Results Only items contributing at least 1.0% to the total CCDP are displayed.

Event Tree Sequence CCDP  % Contribution Description LOOPGR 25 5.15E-5 95.8% /RPS, /EPS, /SRV, ISO-HW, DEP LOOPGR 16 1.33E-6 2.5% /RPS, /EPS, /SRV, /ISO-HW, ISO-MU, CRD, DEP Total 5.37E-5 100%

Referenced Fault Trees Fault Tree Description CRD CRD INJECTION DEP MANUAL REACTOR DEPRESS EPS EMERGENCY POWER ISO-HW ISOLATION CONDENSER ISO-MU ISO-COND MAKEUP RPS REACTOR PROTECTION SYSTEM SRV SRVs ARE CLOSED Cut Set Report - LOOPGR 25

  1. CCDP Total % Cut Set 5.15E-5 100 Displaying 68 of 68 Cut Sets.

1 5.00E-5 97.1 IE-LOOPGR,ADS-XHE-XM-MDEPR1,ISO-XHE-XE-ERROR 2 7.18E-7 1.39 IE-LOOPGR,ADS-XHE-XM-TRNSFR1,EPS-DGN-TM-DG2,ISO-XHE-XE-ERROR Cut Set Report - LOOPGR 16

  1. CCDP Total % Cut Set 1.33E-6 100 Displaying 367 of 367 Cut Sets.

1 2.39E-7 18 IE-LOOPGR,ACP-BAC-LP-1A2,CRD-MDP-FC-ARUN,EPS-DGN-TM-DG2 2 2.39E-7 18 IE-LOOPGR,ACP-BAC-LP-1A2,CRD-MDP-FC-BRUN,EPS-DGN-TM-DG2 3 1.39E-7 10.4 IE-LOOPGR,ACP-BAC-LP-1A2,CRD-XHE-XM-V1530,EPS-DGN-TM-DG2 A-1

LER 219/12-001-02 4 1.01E-7 7.61 IE-LOOPGR,ACP-BAC-LP-1A2,CRD-MDP-FC-ARUN,EPS-DGN-FR-DG2 5 1.01E-7 7.61 IE-LOOPGR,ACP-BAC-LP-1A2,CRD-MDP-FC-BRUN,EPS-DGN-FR-DG2 6 5.86E-8 4.41 IE-LOOPGR,ACP-BAC-LP-1A2,CRD-XHE-XM-V1530,EPS-DGN-FR-DG2 7 4.82E-8 3.63 IE-LOOPGR,ACP-BAC-LP-1A2,CRD-MDP-FC-ARUN,EPS-DGN-FS-DG2 8 4.82E-8 3.63 IE-LOOPGR,ACP-BAC-LP-1A2,CRD-MDP-FC-BRUN,EPS-DGN-FS-DG2 9 3.98E-8 3 IE-LOOPGR,ACP-BAC-LP-1A2,ACP-CRB-OO-DG2,CRD-MDP-FC-BRUN 10 3.98E-8 3 IE-LOOPGR,ACP-BAC-LP-1A2,ACP-CRB-CC-M1B,CRD-MDP-FC-BRUN 11 3.98E-8 3 IE-LOOPGR,ACP-BAC-LP-1A2,ACP-CRB-OO-DG2,CRD-MDP-FC-ARUN 12 3.98E-8 3 IE-LOOPGR,ACP-BAC-LP-1A2,ACP-CRB-CC-M1B,CRD-MDP-FC-ARUN 13 2.79E-8 2.1 IE-LOOPGR,ACP-BAC-LP-1A2,CRD-XHE-XM-V1530,EPS-DGN-FS-DG2 14 2.31E-8 1.74 IE-LOOPGR,ACP-BAC-LP-1A2,ACP-CRB-OO-DG2,CRD-XHE-XM-V1530 15 2.31E-8 1.74 IE-LOOPGR,ACP-BAC-LP-1A2,ACP-CRB-CC-M1B,CRD-XHE-XM-V1530 Referenced Events Event Description Probability ACP-BAC-LP-1A2 480 VAC MCC 1A2 IS UNAVAILABLE 3.33E-5 ACP-CRB-CC-M1B MAIN GENERATOR CIRCUIT BREAKER 1B FAILS TO OPEN (PRA) 2.39E-3 ACP-CRB-OO-DG2 DG2 BREAKER FAILS TO REMAIN CLOSE (PRA) 2.39E-3 OPERATOR FAILS TO DEPRESSURIZE THE REACTOR AFTER ADS-XHE-XM-MDEPR1 FAILING TO START/CONTROL ISOLATION CONDENSER 5.00E-2 (DEPENDENT)

OPERATOR FAILS TO TRANSFER POWER AFTER FAILING TO ADS-XHE-XM-TRNSFR1 5.00E-2 START/CONTROL ISOLATION CONDENSER (DEPENDENT)

CRD-MDP-FC-ARUN CRD PUMP A IS RUNNING, PUMP B IS IN STANDBY 5.00E-1 CRD-MDP-FC-BRUN CRD PUMP B IS RUNNING, PUMP A IS IN STANDBY 5.00E-1 CRD-XHE-XM-V1530 OPERATOR FAILS TO OPEN MANUAL VALVE 15 PRA 2.90E-1 EPS-DGN-FR-DG2 DIESEL GENERATOR DG2 FAILS TO RUN 6.06E-3 EPS-DGN-FS-DG2 DIESEL GENERATOR DG2 FAILS TO START 2.89E-3 EPS-DGN-TM-DG2 DG2 IS UNAVAILABLE DUE TO TEST OR MAINTENANCE 1.43E-2 IE-LOOPGR LOSS OF OFFSITE POWER INITIATOR (GRID-RELATED) 1.00E+0 ISO-XHE-XE-ERROR OPERATOR FAILS TO START/CONTROL ISOLATION CONDENSER 1.00E-3 A-2

LER 219/12-001-02 Appendix B: Key Event Trees Figure B-1. Oyster Creek Nuclear Generating Station Grid-related LOOP event tree.

B-1

LER 219/12-001-02 Figure B-2. Oyster Creek Nuclear Generating Station SBO event tree.

B-2