ML20140A205
| ML20140A205 | |
| Person / Time | |
|---|---|
| Site: | Harris  |
| Issue date: | 05/19/2020 |
| From: | NRC/RES/DRA/PRB |
| To: | |
| Littlejohn J (301) 415-0428 | |
| References | |
| LER 400-1991-010 | |
| Download: ML20140A205 (4) | |
Text
B-410 ACCIDENT SEQUENCE PRECURSOR PROGRAM EVENT ANALYSIS LER No.: 400/91-010 Event
Description:
Reactor trip breaker fails to open on trip Date of Event: June 3, 1991 Plant: Harris 1 Summary During performance of a calibration procedure on reactor coolant system (RCS) flow instrumentation, a reactor trip signal was inadvertently generated. The "B" reactor trip breaker correctly responded to the signal, opening to cause insertion of control rods, but the "A" reactor trip breaker failed to operate. It was subsequently determined that circuitry in the "A" train solid state protection system (SSPS) had failed in a way that prevented it from responding to automatic reactor trip signals.
The conditional probability of subsequent core damage estimated for the event is 6.6 XlO- 6 . The relative significance of the event compared to other postulated events at Harris 1 is shown below.
LER 400/91-010 1E-7 IE-6 ]1E-5 IE-4 IE-3 1E-2 LOOP+1 TInp MTX AFW LO I..precursor cutoff 360 h AFW Event Description While performing a calibration procedure on an RCS loop "A" flow instrument, personnel at Harris inadvertently caused a pressure spike in the common reference leg to the three "A" loop flow transmitters. The two inservice flow transmitters falsely sensed a low-flow condition and generated a reactor trip signal. "B" reactor trip breaker responded correctly, opening to deenergize the control rod drives and allowing the control rods to insert. "A" reactor trip breaker failed to open, however.
Investigation revealed that the "A" reactor trip breaker failed to respond to the automatic trip signal because an undervoltage output driver circuit board in the SSPS had failed as a
B-411 result of previous improper maintenance actions performed on the breaker. This type of failure, discussed in IEN 85-13, Westinghouse Technical Bulletin NSID-TB-85-16, and NUREG-1341 (-Regulatory Analysis for the Resolution of Generic Issue -115, Enhancement of the Reliability of the Westinghouse Solid State Protection System, January 1989), results in output voltage being maintained from the SSPS even if automatic trip signals are present. This failure prevents both automatic undervoltage and automatic shunt trips of the associated reactor trip breaker, 'although manual trips are still possible.
While little information was available concerning the specific maintenance procedure that caused the failure of SSPS "A", NUREG- 1341 indicates that a number of earlier failures resulted from "... poor maintenance and test related practices." "These practices involved the inadvertent shorting of the scram breaker's [undervoltage] UV trip coil, causing a shorted failure of the output transistor in the UV driver card." In 1985, as a result of the earlier failures, Westinghouse recommended that maintenance practices be changed and that the UV driver card be replaced with a new-card containing a fuse that would open if the UV coil was shorted. Corrective actions identified by the utility indicate that the existing UV driver cards are to be replaced with fused cards.
ASP Modeling Assumptions and Approach While the initial reactor trip demand resulted from a spurious signal, the assumption was made that, once trip was demanded, a trip or shutdown by alternate means was required to prevent core damage.
The current Accident Sequence Precursor (ASP) models do not address the anticipated transient without scram (ATWS) issues of concern in this event. Instead, the following model was used to estimate the conditional core damage probability associated with the event:
Manual Primary Emergency PORV/
ATWS Rod Pressure AFW Boration SRV Reseat P Insertion Limited (A'1WS) (HPI +
Boron) (AIWS) END SEQ.
STATE No.
Transient response with challenged primary relief valves OK OK CD 1 CD 2 CD 3 CD 4 In this model, branches and associated probabilities were defined as follows.
B-412 Branch Anticipated Transient Scram demand with failure of the control rods to Without Scram (ATWS) automatically insert into the core. A combined probability was calculated for this branch and the next branch and is discussed under Manual Rod Insertion.
Manual Rod Insertion Failure of the operator to manually scram the reactor or failure of both trip breakers to open after manual actuation. A combined probability for this branch and ATWS was calculated by assuming that the probability for both scram breakers failing to open (either automatically or manually) is 1.0 X 1i-5. Since the manual trip function was not impacted during the event, this probability was also not impacted by the SSPS circuit board failure. The conditional probability of SSPS "B" failing, given SSPS "A" failed, was assumed to be 0.1. Manual scram as a backup to automatic scram was considered highly reliable (it is proceduralized, addressed extensively in training, and practiced at each scram); a failure probability of 4.0 x 10-4 was assumed.
The resulting probability of failing to automatically or manually trip the reactor during this event is therefore pffail of SSPS "B")
- p(fail to manually trip) +
pffail of both scram breakers) =0.1
- 4.0 x 10-4 +
1.0OX 1O- 5 =5.0 x 1i-5.
Primary Pressure Limited Unfavorable moderator temperature coefficient results in RCS pressures greater than -3200 psi. Above this pressure, unpredictable pressure boundary and component failures are assumed to occur. A branch probability of 8.8 x 10-3 was assumed, based on information provided in the NUREG- 1150 probabilistic risk assessment for Sequoyah.
AFW (ATWS) Failure of auxiliary feedwater (AFW) flow and secondary heat removal using the steam generator relief valves and atmospheric dump valves. Flow from at least two AFW pumps was assumed to be required. A branch probability of 2.3 x 10-3 was estimated.
B-413 Eme'rgency Boration (HPI Failure to inject concentrated boric acid via the
+ Boron) charginglHPl system to terminate the fission process. A failure probability of 0.12 was used in this analysis. This.
probability was assumed to be dominated by operator error in a high-stress situation.
PORV/SRV resea t (ATWS) Failure of one or more primary relief valves to close following ATWS pressure relief. A branch probability of 0.1 was assumed.
Failure of high-pressure A failure probability of 1.1 x 10-3 was used in the recirculation (HPR) analysis, consistent with the nominal ASP model value
'for Harris.
Analysis Results Based on the event tree model and branch probabilities described above, a conditional probability of subsequent core damage of 6.6 x 10-6 was estimated. The dominant core damage sequence (sequence 2 on the previous event tree) involves failure of automatic and manual trip, and failure to initiate emergency boration.