ML22201A002

Enclosure 2: Risk Insights Based on Ope Including ASP
ML22201A002
Person / Time
Issue date: 07/22/2022
From: Reinaldo Rodriguez, Sunil Weerakkody
NRC/NRR/DRA, NRC/NRR/DRA/APOB
To: Mike Franovich, Chris Miller
NRC/NRR/DRA, NRC/NRR/DRO
Weerakkody S

Enclosure 2:

Risk Insights Based on Accident Sequence Precursors, other Operating Experience, and Review of Reference Plant High Energy Arcing Faults

I. Introduction

The purpose of this document is to provide a summary of qualitative and quantitative risk-insights that the staff obtained by reviewing operating experience including events that occurred at nuclear power plants (NPPs) both inside and outside the United States. It also includes a summary of qualitative and quantitative risk-informed insights obtained from high-energy arcing fault events (HEAFs) that are documented in the U.S. Nuclear Regulatory Commission's (NRC's) Accident Sequence Precursor (ASP) database as well as qualitative risk insights obtained by reviewing HEAF scenarios of the reference plants' fire PRAs. Risk insights discussed in this enclosure are mostly qualitative. These insights will be used in a knowledge management activity consistent with the Teaching element of the NRC's Be riskSMART framework. They are included for informational purposes and do not constitute regulatory requirements. Rather, they are observations that highlight potential preventive and mitigative measures that could further reduce HEAF related risk.

One of the main objectives of a probabilistic risk assessment (PRA) is to gain insights about a facility's response to initiating events and accident progression, including the expected interactions among facility structures, systems, and components, and the operating staff. Risk-informed insights are derived by systematically investigating: (1) what can go wrong, (2) how likely it is, and (3) what are the consequences. Risk-informed insights can be obtained via both quantitative and qualitative investigations. Quantitative risk results from PRA calculations are useful, but they are generally supplemented by qualitative risk insights and traditional engineering analysis. Qualitative risk insights include generic results (i.e., results that have been compiled from numerous PRAs performed in the past) and from operational experience that is applicable to a group of similar plants. Risk-informed insights are an important part of risk-informed regulation, in which regulatory decisions are made by integrating risk insights with considerations of defense-in-depth and safety margins.

This enclosure is organized as follows:

  • Section II provides sources of information and distinguishes between risk-informed insights and other observations for the purposes of this report.
  • Section III summarizes risk-informed insights obtained from the Electric Power Research Institute (EPRI) Report No. 3002015459, Critical Maintenance Insights on Preventing HEAF, issued March 2019.
  • Section IV summarizes observations and risk-informed insights from visits to the two reference plants.
  • Section V describes risk-informed insights and observations obtained from the NRC's ASP database and the Maanshan Station Blackout Event (SBO), (Agencywide Document Access and Management Systems (ADAMS) Accession No. ML021290364), issued February 2002.

  • Section VI documents observations obtained from the Organization for Economic Cooperation and Development (OECD) Fire Project - Topical Report No. 1, Analysis of High Energy Arcing Faults, June 2013.
  • Section VII summarizes observations and risk-informed insights obtained from some HEAF events with enterprise risk management.


II. Sources of Information used to Develop Qualitative Risk Insights

NRC staff reviewed information from the following sources to obtain qualitative risk-informed insights and observations related to HEAFs.

  • Nine HEAF events from the NRC's ASP Database.
  • NRC report entitled, Operating Experience Assessment: Energetic Faults in 4.16 kV to 13.8 kV Switchgear and Bus Ducts That Caused Fires in Nuclear Power Plants [NPPs] 1986-2001, February 2002 (ADAMS Accession No. ML021290364).

  • HEAF events described in the OECD report entitled Fire Protection Topical Report No. 1, Analysis of High Energy Arcing Faults, June 2013.
  • Six HEAF events discussed in NRC Information Notice IN 2017-04, High Energy Arcing Faults in Electrical Equipment Containing Aluminum Component, August 2017.
  • EPRI Report No. 3002015459 entitled Critical Maintenance Insights on Preventing HEAF, March 2019.
  • Information gathered from the two reference plants.

It is important to note that some HEAF events were included in more than one of the above sources. For example, several HEAF events in the ASP database also appeared in the report compiled by the OECD. Since this report focuses on generating qualitative insights, duplication of events in various databases was not a concern to the risk insights based on operating experience including the Accident Sequence Precursors.

Each of the events reviewed provided one or more insights relating to measures that a licensee may adopt to minimize the likelihood of HEAFs or to mitigate the consequences if a HEAF were to occur. Since the staff reviewed many events, there was the potential to generate and list a large number of observations. However, a lengthy list of observations might be too unwieldy and inhibit the reader's ability to bring focus on a handful of risk-informed insights. Therefore, the staff differentiated risk-informed insights from other observations that might be useful.

For the purposes of this paper, the staff used the following definitions to distinguish between observation and risk-informed insights:

  • An observation is any information that a reader could learn by reviewing operating experience and using it to implement preventive and mitigative measures with the goal of reducing the likelihood of an occurrence of a HEAF event or mitigate its consequence at an NPP.
  • A risk-informed insight is an observation that has the potential to significantly reduce risk by implementing preventive and mitigative measures with the goal of significantly reducing the risk associated with HEAF sequences.

Risk-informed insights are identified by using the best available quantitative or qualitative information from HEAF sequences that make a dominant contribution to risk.

III. Summary of Risk-Informed Insights from EPRI 3002015459

In March 2019, EPRI published a report entitled Critical Maintenance Insights on Preventing HEAFs. The Executive Summary of that report noted that HEAFs can occur, and when combined with latent protective device or switchgear issues, this could escalate and cause significant equipment damage and impact to the licensee's capability to generate electrical power at the NPP. The Executive Summary also noted that (1) an analysis of industry data demonstrates that an effective preventive maintenance program is important in minimizing the likelihood and severity of HEAF events, (2) 64 percent of HEAF events were considered preventable, and (3) the most prevalent cause of failure due to HEAFs was inadequate maintenance.

The report examined four types of electrical equipment. These are circuit breakers/switchgear, bus ducts, protective relays, and cables. In addition to discussing the general importance of maintenance, the report provided insights on one of the component types (circuit breakers/switchgear). The staff characterizes two key findings of the EPRI report as risk-informed insights because these insights are focused on a subset of components that are likely to be of relatively high risk-significance. These two risk-informed insights from the EPRI report are provided below:

  • With respect to circuit breakers, the report noted that maintenance of the Unit Auxiliary Transformer (UAT) breaker is particularly important because its failure can lead to an extended duration generator-fed fault at the first switchgear bus. Operating experience has shown this breaker to fail during automatic bus transfers. The report acknowledged the challenges that licensees confront in performing preventive maintenance because of constraints associated with outage schedules and offered risk-informed guidance so that licensees may focus their maintenance on the risk critical subset of maintenance activities.
  • With respect to switchgear, the report noted that for critical switchgear, such as feeder circuit breakers that carry higher currents and switchgear that is part of a bus transfer scheme, proper maintenance of connections on both the bus side and the circuit breaker side is especially important.

IV. Risk-Informed Insights and Observations from Reference Plants

The NRC staff visited two reference plant sites to support the LIC-504 effort. The site visits enabled the staff to collect necessary information to perform a risk assessment using the best available information provided by the licensees. The primary objective of these site visits was to gather information to examine the magnitude of HEAF related risk resulting from the new PRA methodology on HEAF. However, the staff also collected information from these sites that may be germane to qualitative risk insights. The information collected pertained to the following:

a) practices for the use of PRA insights to prioritize the frequency or nature of preventive maintenance or breaker coordination issues
b) HEAF scenarios from the licensees' Fire PRA models
c) practices relating to treatment of HEAF operating experience
d) use of protective barriers to reduce HEAF related risks
e) licensees' training programs to mitigate fires caused by HEAF events

The risk-informed insights given below are based on the information obtained from the two reference plants. It is important to emphasize that since the HEAF related risks are highly plant specific they may not be applicable to other plants.

The licensees for both the reference plants noted that, at present, they do not use PRA insights to modify the frequency or nature of their preventive maintenance practices. However, when the staff reviewed the HEAF scenarios for both plants, the staff noted that a significant fraction of HEAF related risks were associated with only a handful of HEAF scenarios. Since a significant fraction of the HEAF related risk is distributed among a very small number of HEAF scenarios, it may be possible to use these scenarios to identify the subset of components that dominate the HEAF risks and focus maintenance or other related resources on that subset. This information led to the following risk-informed insight:

  • HEAF scenarios generated by licensees using the fire PRA models may enable them to identify the subset of plant components whose design and maintenance dominates the HEAF related risks. This information may allow licensees to minimize HEAF risks by focusing their resource (e.g., preventive maintenance) on that subset of components.

V. Risk-Informed Insights and Observations from Accident Sequence Precursor Events and the Maanshan Nuclear Power Plant Station Blackout Event

The NRC's ASP program evaluates potentially risk-significant events and degraded conditions that occur at NPPs. To assess the risk significance of events the ASP uses conditional core damage probability (CCDP). To assess the risk significance of degraded conditions that exist for a specific exposure time, the ASP program uses the change in core damage probability (CDP). Events or degraded conditions for which CCDP or CDP exceed a set threshold are identified as precursors and saved in the ASP database. Irrespective of the metric used, events documented in the ASP Program provide a basis to identify the subset of risk-significant HEAF events, and consequently, to generate risk-informed insights. Therefore, HEAF events or degraded conditions associated with HEAFs in the ASP database can be characterized as the subset of HEAF events that had the highest impact on safety. The Office of Nuclear Regulatory Research instruction TEC-005 provides additional details about NRC's ASP program.

Table 1 summarizes nine HEAF events in the ASP database and the 2001 Maanshan NPP HEAF event. The staff added the 2001 Maanshan NPP event to the mix of ASP database events because (1) the Maanshan NPP design (a power plant with two Westinghouse three loop pressurized-water reactors) is similar to a number of U.S. plant designs, (2) the event constitutes the most risk-significant HEAF event and as such has the potential to be a rich source of risk-insights, and (3) a precursor-like analysis had been performed on the Maanshan NPP event (see footnote 1). To emphasize the highly approximate nature of the analyses, numerical results in the Table are provided with a single significant digit. The table lists the ADAMS accession numbers for the Maanshan NPP event as well as the other nine risk-significant events in the ASP Database for the benefit of readers who wish to obtain more details on these events.

Footnote 1: The NRC staff did not perform the ASP type analysis for the Maanshan NPP event. The staff's ASP analyses undergo multiple peer reviews including peer reviews performed by the licensees' cognizant staff. Since the NRC staff did not perform the ASP analyses for the Maanshan NPP event, the staff is unaware of the pedigree of the risk assessment of the Maanshan NPP event. The NRC report entitled Operating Experience Assessment: Energetic Faults in 4.16 kV to 13.8 kV Switchgear and Bus Ducts That Caused Fires in Nuclear Power Plants 1986-2001, issued in February 2002 (ADAMS Accession No. ML021290358) provides additional PRA and design details about the Maanshan NPP event and a comparison of that event to several other HEAF events at U.S. plants.


Table 1: Summary of HEAF Events in the ASP Database and the Maanshan NPP Event

| No. | Plant / Event Date (ADAMS Accession No.) | Risk Metric and Impact on Plant | Initial Fault and Cause | Consequential (or Other Unrelated Concurrent) Failures |
|---|---|---|---|---|
| 1 | Maanshan, 3/18/2001 (ML021290364) | CCDP = 2x10^-3; SBO | Energetic electric fault in feeder breaker to 4kV bus. | The arcing, smoke, ionized gases, and fire released by the energetic electrical fault inside the breaker compartment propagated and caused collateral damage to other switchgear compartments leading to the SBO. |
| 2 | Fort Calhoun, 6/7/11 (ML12101A193) | CDP = 4x10^-4; The issue was modeled as a degraded condition that considered the potential for common cause failures of other breakers associated with the degraded condition. | Deficient design controls in 480V load center during breaker modifications. | Arc sustained for an extended period and led to significant damages, smoke, etc. |
| 3 | Robinson, 3/28/10 (ML112411359) | CCDP = 4x10^-4; Partial loss of offsite power (LOOP) and potential loss of reactor coolant pump (RCP) seal cooling | A feeder cable to 4kV non-vital bus (Bus 5) caused an arc flash and a fire. | 4kV Bus 5 failed to isolate from non-vital 4kV Bus 4 due to a failure of circuit breaker 52/24 to open, which resulted in reduced power to 'B' RCP and a subsequent reactor trip on reactor coolant system (RCS) loop low flow. The estimated CCDP captures the impact of HEAF as well as the concurrent operator performance deficiency that led to potential loss of RCP seal cooling. |
| 4 | Diablo Canyon, Unit 1, 5/15/00 (ML20112H532) | CCDP = 4x10^-4; LOOP | Phase-to-phase fault in 12kV bus due to (speculated) aging and inadequate maintenance. | Arcing/fire damaged nearby non-vital 4kV buses. |
| 5 | Brunswick, Unit 1, 2/7/16 (ML17109A269) | CCDP = 3x10^-5; LOOP | A lockout of startup auxiliary transformer occurred due to electrical bus faults caused by water intrusion. | No consequential failures. LOOP occurred because operators tripped reactor after the startup auxiliary transformer failed. |
| 6 | Waterford, 6/10/95 (ML20140A222) | CCDP = 3x10^-5; Partial LOOP | A lightning arrestor failed at the Waterford substation causing a grid disturbance and trip of main generator output breaker. | Delayed opening of the 4kV unit auxiliary transformer (UAT) feeder breaker paralleled the grid with the main generator, which was speeding up and therefore, out of phase with the grid due to the load rejection. |
| 7 | Cooper, 1/17/17 (ML18068A724) | CDP = 4x10^-5; Partial LOOP. This event was evaluated as concurrent degraded conditions and, therefore, used a CDP as the metric. | A phase-to-phase fault of the non-segregated bus duct had degraded due to inadequate maintenance. | Arc had the potential to damage an adjoining bus duct. If that occurred, the event would have led to a full LOOP. |
| 8 | Shearon Harris, 10/9/89 (ML20156A243) | CCDP = 4x10^-6; Reactor and turbine trip | Multiple ground faults in main transformer resulting from aluminum debris. | None |
| 9 | Turkey Point 3, 3/18/17 (ML18038B063) | CCDP = 3x10^-6; Loss of a 4kV Bus | Trip of RCPs caused by a HEAF on 4kV safety bus; foreign material (carbon fiber mesh reinforcement material) was identified in the current limiting reactor cubicle. | None |
| 10 | Arkansas Nuclear One 2, 12/9/13 (ML15238B714) | CCDP = 2x10^-6; Partial LOOP | Catastrophic failure of the UAT and subsequent failure of its protective relays to isolate a bus fault due to improper installation of a differential current relay output wire. | Failure of the UAT protective relays. |

Maanshan NPP Event

The NRC staff reviewed the HEAF event that occurred at the Maanshan NPP for this report because it appears to be the most risk significant HEAF event experienced at any light water reactor. That event provides information that helps licensees to determine whether the potential exists at their facilities for HEAF related SBOs to occur and minimize the likelihood of such occurrences.

On March 18, 2001, Maanshan Unit 1, a nuclear power plant in Taiwan that was designed to U.S. regulations and standards, experienced a fire and a SBO due to an energetic electrical fault. The fire started as the result of a fault in the safety-related 4 kilovolt (kV) switchgear supply circuit breaker. The initial fault caused explosions, arcing, smoke, and ionized gases, which propagated to adjacent safety-related 4kV switchgear and damaged six switchgear compartments. The damage resulted in the complete loss of the faulted safety bus and its emergency diesel generator (EDG) and a LOOP to the undamaged safety bus because of faulting of its offsite electrical feeder circuit. An independent failure of the redundant EDG resulted in loss of all alternating current (AC) power. Smoke hindered access to equipment, delaying the investigation and repair of the failures. The SBO was terminated after about 2 hours when an alternate AC EDG was started and connected to the undamaged safety bus.

When CCDP is used as the metric, the Maanshan NPP event can be characterized as the most risk-significant event documented in operating experience associated with HEAFs. This event prompted the following risk-informed insight:

  • HEAFs that can lead to SBOs are likely to initiate at buses or switchgear that are essential to supply AC power from both offsite power and emergency diesels (or other emergency supply). Resources focused to minimize the likelihood of HEAF occurrence at those switchgear and buses (e.g., improved preventive and predictive electrical maintenance) can reduce HEAF related risks. Measures taken to minimize the possibility of a HEAF at one emergency bus causing failure of the redundant electrical train due to consequential failures (e.g., due to smoke, or design deficiencies), will also minimize the SBO related HEAF risks.

Of the 10 events identified in Table 1, above, 8 are associated with actual or potential LOOPs or loss of emergency buses. Specifically, the plant impact of these risk significant events included LOOP events, partial LOOP events, and the loss of a single 4kV emergency bus. These events, in conjunction with other consequential failures have the potential to lead to SBO events such as that at Maanshan. Therefore, plant features that could mitigate SBOs can be used to further mitigate SBO risks. In light of that, the staff offers the following risk-informed insight:

  • In general, HEAFs leading to station blackouts (SBOs) constitute the highest HEAF related risks. Plant design and operational changes that have been adopted to enhance the mitigation of beyond design basis accidents rule (10 CFR 50.155) are likely to reduce HEAF related risks.

In addition, based on review of the ASP events, the staff offers the following additional observations:

  • Of the nine events screened into the ASP database, eight events occurred in high- or medium-voltage equipment. The other event occurred at a 480V load center.
  • The staff investigated whether there were predominant root causes of the HEAFs that appeared in the ASP database. The root causes varied: four of the events occurred because of inadequate maintenance {two due to presence of foreign material (carbon fiber, aluminum debris), two events occurred due to other unspecified inadequate maintenance practices}; and other causes included deficient design controls, water intrusion, random failures, and faulty protective relay coordination.
  • Low voltage (480V or less) components cannot be screened out as negligibly risk significant. Particularly, HEAFs at low voltage load centers can lead to moderately risk significant events unless the systems are designed to prevent long duration arcing.
  • Ingestion of dust or any other material to bus ducts creates the potential for multiple concurrent HEAFs.

To assess the risk of HEAF events in a more generic manner, the staff used a subset of the nine ASP events, and outputs of its suite of Standard Plant Analysis Risk (SPAR) models to develop a HEAF related average core damage frequency (CDF) for U.S. NPPs. The estimate is based on the frequency of risk-significant ASP events multiplied by a suitably bounding CCDP.

That estimate, however, is simply an approximation, and is not representative of HEAF related risk at any U.S. NPP since HEAF risks are highly plant specific. As illustrated by the HEAF operating experience, the plant and operator response to the HEAF event can lead to other failures and conditions that are unrelated to the initial HEAF and are difficult to capture in a risk assessment.

Of the nine ASP events listed in Table 1, six occurred between 2010 and 2021. One occurred between 2000 and 2009 and two occurred before 2000. The staff noted that most of the ASP HEAF events occurred after 2010. There could be a variety of possible explanations for this, including under-reporting of HEAF events before 2010 or changes in the ASP risk assessment process over time. Although it did not investigate the reason for this trend, the staff is confident that risk significant HEAF events occurring since 2010 have been captured in the ASP database. Therefore, to prevent inappropriately biasing the risk significant HEAF event frequency, the staff assumed operating experience of the last twelve years is most representative of current risk. That assumption yields 6 events over approximately 1200 reactor years (or ~5x10^-3 events/year).

The staff noted that the ASP HEAF events led to a variety of initiating events, including transients (reactor or turbine generator trips); LOOPs; or loss of a vital emergency AC power bus. Based on a review of SPAR model results, the most limiting CCDP for these initiating events is associated with a loss of a vital AC bus with a CCDP value of ~1x10^-3 (representing a 95 percent upper bound value for all SPAR model results). The SPAR model CCDP results for transients and LOOPs were all below a CCDP value of 1x10^-3. Based on these estimates, the staff concluded that a reasonably bounding average HEAF CDF value, based on ASP events, is approximately 5x10^-6 per reactor year. This value is generally considered to be a small risk impact compared to the NRC's safety goals for NPPs and yet constitutes a non-negligible fraction of the risk. Furthermore, on a plant-specific basis, HEAFs may contribute to a substantial fraction of the fire risk. As mentioned earlier, HEAF risk is highly plant specific. For instance, for Reference Plant No. 1, the HEAF related CDF was about 2x10^-6/year. For Reference Plant No. 2, the HEAF related CDF was about 3x10^-5/year.

Considering the above analyses, the staff offers the following risk-informed insight:

  • Based on the U.S. operating history of HEAF since 2010, HEAF events that constitute accident sequence precursors are likely to occur once in every two years, i.e., the average HEAF related CDF based on the ASP database is about 5x10^-6/year. In comparison, the estimation of the HEAF related CDF using the new HEAF method for Reference Plant No. 1 was 2x10^-6/year and for Reference Plant No. 2 was 3x10^-5/year.

VI. Observations from the OECD Report

The staff reviewed the OECD report on HEAF events. The report included information on 48 HEAF events. Eleven events at U.S. NPPs are included in the OECD report. The definition of HEAF events used by the NRC is narrower than that used in the OECD report. For example, the OECD report includes many HEAF events that took place within large transformers installed outdoors which are not included in the NRC HEAF definition.

The large number of events included in the OECD report generated several potential observations. Based on the review of the events from the OECD report, the staff identified the following observations relating to HEAF event prevention and mitigation:

Equipment Side

  • Proper maintenance practices: several HEAF events were attributed to poor, or lack of maintenance.
  • Aging management for electrical components: some HEAF events were caused by age-related degradation of protective components, for example of bus insulation.
  • Post maintenance testing and inspection to ensure as-left conditions: the root cause of some HEAF events was identified as components not being left in the correct condition post-maintenance.


Operations Side

  • Housekeeping to prevent dust and other foreign matter accumulation: the root cause of many events was identified as the build-up and presence of dust, debris, and other foreign material inside bus ducts or breaker enclosures.
  • Identification and correction of existing design issues: the severity of many of the reported events was exacerbated by long-standing design errors or problems.
  • Understanding of the electrical system and event conditions to prevent incorrect operator actions: the severity of some of the reported events was increased by operators taking incorrect actions or not understanding what the correct actions were.

The report did not provide any screening criteria to distinguish between risk-significant versus non-risk-significant events. This made it challenging to identify a set of risk-significant insights from the report. Even though the OECD report did not distinguish between risk-significant versus non-risk-significant events, characteristics of the nine ASP events and the Maanshan NPP HEAF event offered a mechanism for identifying a set of risk-significant events from the OECD report. Unfortunately, the lack of detail given for most of the events prevented the staff from successfully completing this task.

However, the staff identified the following characteristics that may increase the risk-significance of HEAF events:

  • HEAF events that are initiated by smoke and other effects of fires in other components; and
  • failure of other components due to smoke, ionized air, etc., resulting from the HEAF event.

VII. Insights on Enterprise Risk

Enterprise risk management (ERM) is the process of planning, organizing, directing and controlling the activities of an organization to minimize the deleterious effects of risks. ERM goes beyond risks imposed on the public due to NPP operation and includes financial risks, strategic risks, reputational risks, operational risks and risks associated with accidental losses.

In Office of Management and Budget (OMB) Circular A-123, Management's Responsibility for Enterprise Risk Management (ERM) and Internal Control, dated July 15, 2016, risk management is a series of coordinated activities to direct and control challenges or threats to achieving an organization's goals and objectives. ERM is an effective agencywide approach to addressing the full spectrum of the organization's external and internal risks by understanding the combined impact of risks as an interrelated portfolio, rather than addressing risks only within silos. In accordance with procedural guidance in LIC-504, in the staff's use of ERM, associated with HEAFs, both qualitative and quantitative risk results were used in the assessment of the agency enterprise risks and its recommendations for management consideration. It is noted that ERM is a process for how the NRC manages its activities but is not a basis for imposing or assessing new burdens on licensees, such as backfits.

Operating experience has demonstrated that HEAF events can initiate chains of events resulting in both safety and/or asset protection impacts and thus poses risks to the enterprise, even for HEAF events that may not be risk significant. Because of multiple failures as well as consequences such as smoke and ionized metal vapor, these events have the potential to challenge plant operators in unexpected ways.

Examples of three events that set off a chain of consequential events are provided below:

Fort Calhoun Station, Unit 1: On June 7, 2011, a switchgear fire occurred at the Fort Calhoun Station while the plant was shut down for a planned refueling outage. The fire resulted in a loss of power to six of nine safety-related 480V AC electrical distribution buses, one of two safety-related 4kV buses and one of two non-safety related 4kV AC buses. The event resulted in the loss of the spent fuel pool cooling function and could have resulted in the loss of a safety function or multiple failures in systems used to mitigate a situation had the event occurred at power. Significant unexpected system interactions also occurred. Specifically, combustion products from the fire caused a fault across an open bus-tie breaker on an island bus. As a result, a feeder breaker tripped unexpectedly resulting in loss of power to the opposite train bus.

Also, the event resulted in grounds on both trains of safety-related direct current (DC) power used for breaker operation and electrical protection. The fire was caused by the catastrophic failure of the feeder breaker for 480V AC load center 1B4A in the west switchgear room. A large quantity of soot and smoke was produced by the fire, which migrated into the conducting connections associated with the non-segregated bus duct, a metal enclosure containing the bus bars for all three electrical phases, connecting to island bus 1B3A-4A, even though the bus-tie breaker was open. The smoke and soot were sufficiently conductive that arcing occurred between the bus bars such that island bus 1B3A-4A was affected and the other connected train load center, 1B3A, was affected by incorrect breaker sequencing.

Diablo Canyon Power Plant: On May 15, 2000, Diablo Canyon power plant, Unit 1 experienced a turbine/reactor trip. The cause of the unit trip was an electrical phase-to-phase fault on the 12kV bus in an overhead bus duct, supplied by Auxiliary Transformer 1-1. The switchyard and main generator field breaker opened immediately following unit trip. However, coast down of the main generator continued to feed the arc fault. A 4kV startup bus duct located immediately above the faulted 12kV bus was damaged by the fault and subsequent arcing.

Damage to the 4kV bus induced a second arcing fault in the 4kV bus duct resulting in a differential trip of Startup Transformer 1-2, 11 seconds after the initial fault. The loss of both offsite sources of power to all 4kV loads resulted in an undervoltage condition, causing the EDGs to start and load successfully.

H.B. Robinson Steam Electric Plant: On March 28, 2010, with the H. B. Robinson Steam Electric Plant, Unit No. 2, operating in Mode 1 at approximately 100 percent power, an electrical feeder cable failure to 4kV non-vital Bus 5 caused an arc flash and fire. Bus 5 failed to isolate from non-vital 4kV Bus 4 due to a failure of Breaker 52/24 to open, which resulted in reduced voltage to RCP B and a subsequent reactor trip on RCS loop low flow. After the reactor trip, an automatic safety injection (SI) occurred due to RCS cooldown. Plant response was complicated by equipment malfunctions and failure of the operating crew to understand plant symptoms and properly control the plant. During plant restoration, the operating crew attempted to reset an electrical distribution system control relay prior to isolating the fault, which re-initiated the electrical fault and caused a second fire. The chain of events that was set off by the fire included temporary loss of all RCP seal cooling (seal injection as well as cooling via component cooling water). The loss of seal injection flow instrumentation within the main control room and an inadequate emergency operating procedure (EOP) step for determining seal injection flow contributed to operators failing to determine that seal injection was inadequate. In addition, the charging pump suction source failed to automatically switch over from the Volume Control Tank (VCT) to the Reactor Water Storage Tank upon a low VCT level. Various electrical system equipment was unavailable as a result of the transient and electrical faults. Offsite power was lost to vital Bus E2. Recovery of offsite power to this bus was possible almost immediately after the event occurred.

Based on these events, the staff has the following observation regarding HEAF related Enterprise Risk:

  • Frequently, HEAF events, even those that are not initially risk significant, can cause subsequent failures due to explosion effects, smoke, and ionized gases. These subsequent failures can create a chain of consequential events that can pose special challenges to operators. In addition, several HEAF events involved operator errors that further contributed to the risk significance of the event. These subsequent failures often involve complex interactions between the operators, fire phenomenology, and mitigation capability, and can be extremely challenging to predict. Due to these factors, it is impossible to predict, and therefore mitigate, all consequences of a HEAF. Therefore, a focus on prevention of HEAF events remains an important aspect of balancing HEAF risk management.

The staff examined additional events that occurred in the U.S. since 1985 from the ASP database, NRC IN 2017-04, and NUREG/CR-6850 Appendix M to obtain additional insights relating to enterprise risk. Based on this review, the staff found that some events involving high voltage components such as transformers or electrical buses were not of high safety significance. On the other hand, these events may be of interest to stakeholders for their own enterprise risk. For example, the staff found that the impacts of smoke, ionized metal vapor, and collateral damage to key plant assets (such as turbines, the main generator, or large transformers) could lead to extended plant outages. This observation aligns with the general findings noted in the OECD report based on their review of 48 HEAF events.
