ML18033A619: Difference between revisions

From kanterella
(Created page by program invented by StriderTol)
(StriderTol Bot change)
 
Line 16: Line 16:


=Text=
=Text=
{{#Wiki_filter:Final ASP Program Analysis - Reject Accident Sequence Precursor Program - Office of Nuclear Regulatory Research Oconee Nuclear               Loss of both Keowee Hydroelectric Units due to Human Error Station LER: 269-2017-001 Event Date: 6/16/2017                                                      CDP = 6x10-7 IRs: TBD Plant Type: Babcock & Wilcox Lowered Loop Pressurized-Water Reactor with Dry, Ambient Pressure Containment Plant Operating Mode (Reactor Power Level): Mode 1 (100% Reactor Power)
{{#Wiki_filter:1 Final ASP Program Analysis - Reject Accident Sequence Precursor Program - Office of Nuclear Regulatory Research Oconee Nuclear Station Loss of both Keowee Hydroelectric Units due to Human Error Event Date: 6/16/2017 LER: 269-2017-001 IRs: TBD CDP = 6x10-7 Plant Type: Babcock & Wilcox Lowered Loop Pressurized-Water Reactor with Dry, Ambient Pressure Containment Plant Operating Mode (Reactor Power Level): Mode 1 (100% Reactor Power)
Analyst:                 Reviewer:               Contributors:             Approval Date:
Analyst:
Chris Hunter            Ian Gifford              N/A                        12/07/2017 EVENT DETAILS Event Description. On June 16, 2017, at approximately 7:40 a.m., workers were implementing a modification to governor actuator cabinets 1 and 2 located within the Keowee Hydroelectric Station. At approximately 9:07 a.m., alarm indications for a breaker on Keowee Hydroelectric Unit (KHU) 1 were received on the operator aid computer (OAC) alarm screens located in the Keowee control room (KCR). At 10:20 a.m., similar OAC alarm indications were received in the KCR associated with a breaker on KHU 2. However, the Keowee operator was performing his rounds and was not in the KCR to acknowledge these alarms.
Chris Hunter Reviewer:
Ian Gifford Contributors:
N/A Approval Date:
12/07/2017 EVENT DETAILS Event Description. On June 16, 2017, at approximately 7:40 a.m., workers were implementing a modification to governor actuator cabinets 1 and 2 located within the Keowee Hydroelectric Station. At approximately 9:07 a.m., alarm indications for a breaker on Keowee Hydroelectric Unit (KHU) 1 were received on the operator aid computer (OAC) alarm screens located in the Keowee control room (KCR). At 10:20 a.m., similar OAC alarm indications were received in the KCR associated with a breaker on KHU 2. However, the Keowee operator was performing his rounds and was not in the KCR to acknowledge these alarms.
Critical alarms associated with the KHUs are typically received in both the KCR and the Oconee main control rooms. In addition, critical alarms trigger an emergency lockout of the affected KHU. However, in this instance, alarms in the Oconee main control rooms were not generated and no emergency lockout condition on the KHUs was triggered due to the failure mode design of the repositioned breakers.
Critical alarms associated with the KHUs are typically received in both the KCR and the Oconee main control rooms. In addition, critical alarms trigger an emergency lockout of the affected KHU. However, in this instance, alarms in the Oconee main control rooms were not generated and no emergency lockout condition on the KHUs was triggered due to the failure mode design of the repositioned breakers.
At 1:21 p.m. of the same day, while attempting to start KHU 2 for commercial generation, an "incomplete start" alarm was received in the KCR. Subsequent investigation revealed that both KHUs would not have been able to fulfil their safety function due to the breakers being out of position. As required by technical specifications, the standby buses were energized from a dedicated Lee Station combustion turbine generator (CTG) from an isolated power path at 5:15 p.m. Subsequent troubleshooting efforts concluded that the two KHU breakers were fully functional and had likely been inadvertently repositioned during work being performed in the area. Both breakers were returned to the closed position and the KHUs were successfully tested with KHU 1 declared operable at 9:50 p.m. and KHU 2 declared operable at 11:51 p.m.
At 1:21 p.m. of the same day, while attempting to start KHU 2 for commercial generation, an "incomplete start" alarm was received in the KCR. Subsequent investigation revealed that both KHUs would not have been able to fulfil their safety function due to the breakers being out of position. As required by technical specifications, the standby buses were energized from a dedicated Lee Station combustion turbine generator (CTG) from an isolated power path at 5:15 p.m. Subsequent troubleshooting efforts concluded that the two KHU breakers were fully functional and had likely been inadvertently repositioned during work being performed in the area. Both breakers were returned to the closed position and the KHUs were successfully tested with KHU 1 declared operable at 9:50 p.m. and KHU 2 declared operable at 11:51 p.m.
Additional information is provided in licensee event report (LER) 269-2017-001 (Ref. 1).
Additional information is provided in licensee event report (LER) 269-2017-001 (Ref. 1).
Cause. The direct cause of both KHUs being unable to fulfill their safety function is attributed to the two breakers being out of position due to human error.
Cause. The direct cause of both KHUs being unable to fulfill their safety function is attributed to the two breakers being out of position due to human error.  
1


LER 269-2017-001 MODELING SDP Results/Basis for ASP Analysis. To date, no inspection reports have been released that provided additional information on this event. An independent ASP analysis was performed given the lack of an identified performance deficiency and the potential risk significance of this event.
LER 269-2017-001 2
MODELING SDP Results/Basis for ASP Analysis. To date, no inspection reports have been released that provided additional information on this event. An independent ASP analysis was performed given the lack of an identified performance deficiency and the potential risk significance of this event.
Analysis Type. A test/limited use version of the Oconee standardized plant analysis risk (SPAR) model, created in November 2017, was used for this condition assessment. The key model changes in this test/limited used model included revised fault tree logic for the safety-related alternating current (AC) buses and credit for the Lee Station CTGs for certain station blackout (SBO) sequences.1 SPAR Model Modifications. The following modifications were required for this condition assessment:
Analysis Type. A test/limited use version of the Oconee standardized plant analysis risk (SPAR) model, created in November 2017, was used for this condition assessment. The key model changes in this test/limited used model included revised fault tree logic for the safety-related alternating current (AC) buses and credit for the Lee Station CTGs for certain station blackout (SBO) sequences.1 SPAR Model Modifications. The following modifications were required for this condition assessment:
* In ASP analyses, recovery/repair credit for backup emergency power sources is limited to cases where event information supports its inclusion. For Oconee, the maximum time allowed for potential recovery/repair of the KHUs is 4 hours during a postulated loss of offsite power (LOOP) and subsequent SBO. During this event, it took Keowee operators approximately 13 hours to restore a KHU to operability; therefore, no recovery credit for the failure of the KHUs was provided in this analysis. The KEOWEE-4H (Keowee recovered in 4 hours) top event (including applicable event tree branching) was eliminated from the SBO event tree to remove this credit from the base SPAR model.
In ASP analyses, recovery/repair credit for backup emergency power sources is limited to cases where event information supports its inclusion. For Oconee, the maximum time allowed for potential recovery/repair of the KHUs is 4 hours during a postulated loss of offsite power (LOOP) and subsequent SBO. During this event, it took Keowee operators approximately 13 hours to restore a KHU to operability; therefore, no recovery credit for the failure of the KHUs was provided in this analysis. The KEOWEE-4H (Keowee recovered in 4 hours) top event (including applicable event tree branching) was eliminated from the SBO event tree to remove this credit from the base SPAR model.
The modified Oconee SBO event tree used in this analysis is shown in Figure A-2.
The modified Oconee SBO event tree used in this analysis is shown in Figure A-2.
* The base test/limited SPAR model includes fault tree logic associated with a 100-kilovolt (kV) offsite electrical power source from the Lee Station Switchyard; however, credit for this alternate source of power is not provided because of the uncertainty associated with electrical power during different LOOP types. For plant- and switchyard-centered LOOPs, it is expected that the 100 kV electrical power from the Lee Station Switchyard would be available, allowing operators to manual align this source to the safety-related AC buses (if needed).2 To provide this credit, the basic event ZV-TRUE (logical true event) was removed from the EPS-MFB1 (emergency power main feeder bus 1) and EPS-MFB2 (emergency power main feeder bus 2) fault trees.
The base test/limited SPAR model includes fault tree logic associated with a 100-kilovolt (kV) offsite electrical power source from the Lee Station Switchyard; however, credit for this alternate source of power is not provided because of the uncertainty associated with electrical power during different LOOP types. For plant-and switchyard-centered LOOPs, it is expected that the 100 kV electrical power from the Lee Station Switchyard would be available, allowing operators to manual align this source to the safety-related AC buses (if needed).2 To provide this credit, the basic event ZV-TRUE (logical true event) was removed from the EPS-MFB1 (emergency power main feeder bus 1) and EPS-MFB2 (emergency power main feeder bus 2) fault trees.
Exposure Period. Both KHUs were unable to fulfil their safety function for approximately 12 hours.3 In addition, KHUs 1 and 2 were unavailable individually for approximately 73 minutes and 121 minutes, respectively.4 Calculations show the short-term unavailability of a single KHU has a negligible impact on risk. As such, this analysis focuses only on the concurrent unavailability of both KHUs.
Exposure Period. Both KHUs were unable to fulfil their safety function for approximately 12 hours.3 In addition, KHUs 1 and 2 were unavailable individually for approximately 73 minutes and 121 minutes, respectively.4 Calculations show the short-term unavailability of a single KHU has a negligible impact on risk. As such, this analysis focuses only on the concurrent unavailability of both KHUs.
1   Credit for aligning the Lee Station CTGs is only provided for 4-hour SBO sequences. Credit for the CTGs for the 1-hour SBO sequences is not provided because of the uncertainty associated with the time required to start the CTGs and align them to the Oconee safety-related buses. The lack of credit for the CTGs for the 1-hour SBO sequences is potentially conservative. Consideration for crediting the CTGs for the 1-hour SBO sequences will be evaluated as part of future SPAR model changes.
1 Credit for aligning the Lee Station CTGs is only provided for 4-hour SBO sequences. Credit for the CTGs for the 1-hour SBO sequences is not provided because of the uncertainty associated with the time required to start the CTGs and align them to the Oconee safety-related buses. The lack of credit for the CTGs for the 1-hour SBO sequences is potentially conservative. Consideration for crediting the CTGs for the 1-hour SBO sequences will be evaluated as part of future SPAR model changes.
2   Note that the base test/limited use SPAR model has the necessary fault tree logic (EPS-LEE) to prevent any credit for the Lee Station Switchyard during grid- and weather-related LOOPs.
2 Note that the base test/limited use SPAR model has the necessary fault tree logic (EPS-LEE) to prevent any credit for the Lee Station Switchyard during grid-and weather-related LOOPs.
3   Both KHUs were concurrently unavailable from 10:20 a.m. to 9:50 p.m. on June 16th.
3 Both KHUs were concurrently unavailable from 10:20 a.m. to 9:50 p.m. on June 16th.
4   KHU 1 was unavailable by itself from 9:07 a.m. to 10:20 a.m. on June 16th. KHU 2 was unavailable by itself from 9:50 p.m. to 11:51 p.m. on June 16th.
4 KHU 1 was unavailable by itself from 9:07 a.m. to 10:20 a.m. on June 16th. KHU 2 was unavailable by itself from 9:50 p.m. to 11:51 p.m. on June 16th.  
2


LER 269-2017-001 Key Modeling Assumptions. The following modeling assumptions were determined to be significant to the modeling of this bounding condition assessment:
LER 269-2017-001 3
* Basic event EPS-HTG-CF-KEOS (common cause failure of Keowee hydro units to start) was set to TRUE because the out of position breakers would have prevented both KHUs from starting during a postulated LOOP.
Key Modeling Assumptions. The following modeling assumptions were determined to be significant to the modeling of this bounding condition assessment:
Basic event EPS-HTG-CF-KEOS (common cause failure of Keowee hydro units to start) was set to TRUE because the out of position breakers would have prevented both KHUs from starting during a postulated LOOP.
ANALYSIS RESULTS CDP. The increase in core damage probability (CDP) for this analysis is calculated to be 6.0x10-7. The ASP Program acceptance threshold is a CDP of 1x10-6 for degraded conditions; therefore, this event is not a precursor. The dominant initiating events for this analysis are provided in the following table:
ANALYSIS RESULTS CDP. The increase in core damage probability (CDP) for this analysis is calculated to be 6.0x10-7. The ASP Program acceptance threshold is a CDP of 1x10-6 for degraded conditions; therefore, this event is not a precursor. The dominant initiating events for this analysis are provided in the following table:
Event Tree       CDP     Percentage                     Description
Event Tree CDP Percentage Description LOOPGR 3.00x10-7 49.8%
                                -7 LOOPGR       3.00x10       49.8%     Loss of Offsite Power (Grid-Related)
Loss of Offsite Power (Grid-Related)
                                -7 LOOPWR       2.99x10       49.6%     Loss of Offsite Power (Weather-Related)
LOOPWR 2.99x10-7 49.6%
Loss of Offsite Power (Weather-Related)
Dominant Sequence. The dominant accident sequence is grid-related LOOP/SBO sequence 16-22 (CDP = 2.6x10-7), which contributes approximately 42 percent of the total internal events CDP. The dominant sequences that contribute at least 1.0 percent to the total internal events CDP are provided in the following table. The dominant sequence is shown graphically in Figure A-1 and Figure A-2 in Appendix A.
Dominant Sequence. The dominant accident sequence is grid-related LOOP/SBO sequence 16-22 (CDP = 2.6x10-7), which contributes approximately 42 percent of the total internal events CDP. The dominant sequences that contribute at least 1.0 percent to the total internal events CDP are provided in the following table. The dominant sequence is shown graphically in Figure A-1 and Figure A-2 in Appendix A.
Sequence           CDP     Percentage                         Description Grid-related LOOP initiating event; successful reactor trip; emergency power system failure results in SBO; LOOPGR 16-22        2.56x10-7    42.4%
Sequence CDP Percentage Description LOOPGR 16-22 2.56x10-7 42.4%
auxiliary feedwater (AFW) fails; and operators fail to restore offsite power within 1 hour Weather-related LOOP initiating event; successful reactor trip; emergency power system failure results in LOOPWR 16-22        1.45x10-7    24.1%
Grid-related LOOP initiating event; successful reactor trip; emergency power system failure results in SBO; auxiliary feedwater (AFW) fails; and operators fail to restore offsite power within 1 hour LOOPWR 16-22 1.45x10-7 24.1%
SBO; AFW fails; and operators fail to restore offsite power within 1 hour Weather-related LOOP initiating event; successful reactor trip; emergency power system failure results in SBO; AFW succeeds; safe shutdown facility (SSF) successfully provides reactor coolant pump (RCP) seal LOOPWR 16-02-04        1.15x10-7    18.9%    cooling; operators fail to restore offsite power within 4 hours; operators continue to feed the steam generators (SGs) via the SSF or the turbine-driven AFW pump; operators fail to restore offsite power within 24 hours Weather-related LOOP initiating event; successful reactor trip; emergency power system failure results in SBO; AFW succeeds; SSF fails to provide RCP seal cooling; RCP seal integrity is maintained; operators fail LOOPWR 16-08-04        2.16x10-8    3.6%
Weather-related LOOP initiating event; successful reactor trip; emergency power system failure results in SBO; AFW fails; and operators fail to restore offsite power within 1 hour LOOPWR 16-02-04 1.15x10-7 18.9%
to restore offsite power within 4 hours; operators continue to feed the SGs using the turbine-driven AFW pump; operators fail to restore offsite power within 24 hours 3
Weather-related LOOP initiating event; successful reactor trip; emergency power system failure results in SBO; AFW succeeds; safe shutdown facility (SSF) successfully provides reactor coolant pump (RCP) seal cooling; operators fail to restore offsite power within 4 hours; operators continue to feed the steam generators (SGs) via the SSF or the turbine-driven AFW pump; operators fail to restore offsite power within 24 hours LOOPWR 16-08-04 2.16x10-8 3.6%
Weather-related LOOP initiating event; successful reactor trip; emergency power system failure results in SBO; AFW succeeds; SSF fails to provide RCP seal cooling; RCP seal integrity is maintained; operators fail to restore offsite power within 4 hours; operators continue to feed the SGs using the turbine-driven AFW pump; operators fail to restore offsite power within 24 hours  


LER 269-2017-001 Sequence         CDP     Percentage                           Description Grid-related LOOP initiating event; successful reactor trip; emergency power system failure results in SBO; AFW succeeds; SSF successfully provides RCP seal LOOPGR 16-02-04    1.94x10-8    3.2%    cooling, operators fail to restore offsite power within 4 hours, operators continue to feed the SGs via the SSF or the turbine-driven AFW pump, operators fail to restore offsite power within 24 hours Grid-related LOOP initiating event; successful reactor trip; emergency power system failure results in SBO; AFW succeeds; SSF fails to provide RCP seal cooling; LOOPGR 16-08-10    1.20x10-8    2.0%    RCP seal integrity is maintained; operators fail to restore offsite power within 4 hours; operators fail to manually to feed the SGs using the turbine-driven AFW pump Weather-related LOOP initiating event; successful reactor trip; emergency power system failure results in SBO; AFW succeeds; SSF fails to provide RCP seal LOOPWR 16-08-10    1.16x10-8    1.9%    cooling; RCP seal integrity is maintained; operators fail to restore offsite power within 4 hours; operators fail to manually to feed the SGs using the turbine-driven AFW pump Grid-related LOOP initiating event; successful reactor trip; emergency power system failure results in SBO; LOOPGR 16-20      6.14x10-9    1.0%    AFW fails; power-operated relief valve fail to close resulting in a loss-of-coolant accident; and operators fail to restore offsite power within 1 hour REFERENCES
LER 269-2017-001 4
: 1. Oconee Nuclear Station, "LER 269/17-001 - Loss of both Keowee Hydroelectric Units Due to Human Error, dated August 9, 2017 (ML17256A516).
Sequence CDP Percentage Description LOOPGR 16-02-04 1.94x10-8 3.2%
4
Grid-related LOOP initiating event; successful reactor trip; emergency power system failure results in SBO; AFW succeeds; SSF successfully provides RCP seal cooling, operators fail to restore offsite power within 4 hours, operators continue to feed the SGs via the SSF or the turbine-driven AFW pump, operators fail to restore offsite power within 24 hours LOOPGR 16-08-10 1.20x10-8 2.0%
Grid-related LOOP initiating event; successful reactor trip; emergency power system failure results in SBO; AFW succeeds; SSF fails to provide RCP seal cooling; RCP seal integrity is maintained; operators fail to restore offsite power within 4 hours; operators fail to manually to feed the SGs using the turbine-driven AFW pump LOOPWR 16-08-10 1.16x10-8 1.9%
Weather-related LOOP initiating event; successful reactor trip; emergency power system failure results in SBO; AFW succeeds; SSF fails to provide RCP seal cooling; RCP seal integrity is maintained; operators fail to restore offsite power within 4 hours; operators fail to manually to feed the SGs using the turbine-driven AFW pump LOOPGR 16-20 6.14x10-9 1.0%
Grid-related LOOP initiating event; successful reactor trip; emergency power system failure results in SBO; AFW fails; power-operated relief valve fail to close resulting in a loss-of-coolant accident; and operators fail to restore offsite power within 1 hour REFERENCES
: 1. Oconee Nuclear Station, "LER 269/17-001 - Loss of both Keowee Hydroelectric Units Due to Human Error, dated August 9, 2017 (ML17256A516).  


LER 269-2017-001 Appendix A: Key Event Trees LOSS OF OFFSITE POWER     REACTOR PROTECTION     EMERGENCY POWER       EMERGENCY FEEDWATER   PORV/SRVS ARE CLOSED     LOSS OF RCP SEAL     HIGH PRESSURE INJECTION     FEED AND BLEED OFFSITE POWER RECOVERY OFFSITE POWER RECOVERY   SECONDARY SIDE RCS   DECAY HEAT REMOVAL   HPR PRESSURE RECIRC End State INITIATOR (GRID-RELATED)        SYSTEM                                                                                    COOLING                                                              IN 2 HRS              IN 6 HRS          COOLDOWN FAILS                                                (Phase - CD)
LER 269-2017-001 A-1 Appendix A: Key Event Trees Figure A-1. Oconee Grid-Related LOOP Event Tree IE-LOOPGR LOSS OF OFFSITE POWER INITIATOR (GRID-RELATED)
IE-LOOPGR                RPS                  EPS            FTF-SBO EFW                  PORV                   LOSC            FTF-LOSC HPI                      FAB                OPR-02H                OPR-06H                SSC                  DHR                  HPR 1       OK PORV-L                                                                                                                                                                                           2   LOOP-1 LOSC-L 3       OK 4       OK 5       CD EFW-L                                                                                                                                                                                                                  6       OK HPI-L PORV-L                                                                                                                                                                                            7       CD 8       OK 9       CD HPR-L 10     CD HPI-L 11     OK 12     CD FAB-L                                                                                                                  13     OK EFW-L 14     CD HPR-L 15     CD FAB-L 16     SBO 17   ATWS Figure A-1. Oconee Grid-Related LOOP Event Tree A-1
RPS REACTOR PROTECTION SYSTEM FTF-SBO EPS EMERGENCY POWER EFW EMERGENCY FEEDWATER PORV PORV/SRVS ARE CLOSED FTF-LOSC LOSC LOSS OF RCP SEAL COOLING HPI HIGH PRESSURE INJECTION FAB FEED AND BLEED OPR-02H OFFSITE POWER RECOVERY IN 2 HRS OPR-06H OFFSITE POWER RECOVERY IN 6 HRS SSC SECONDARY SIDE RCS COOLDOWN FAILS DHR DECAY HEAT REMOVAL HPR HPR PRESSURE RECIRC End State (Phase - CD)
EFW-L PORV-L 1
OK LOSC-L 2
LOOP-1 PORV-L HPI-L 3
OK 4
OK 5
CD 6
OK 7
CD 8
OK HPR-L 9
CD HPI-L 10 CD EFW-L FAB-L 11 OK 12 CD 13 OK HPR-L 14 CD FAB-L 15 CD 16 SBO 17 ATWS


LER 269-2017-001 EMERGENCY POWER       EMERGENCY FEEDWATER     PORV/SRVS ARE CLOSED SAFE SHUTDOWN FACILITY   CONTROLLED BLEEDOFF   REACTOR COOLANT       RCP SEAL INTEGRITY OFFSITE POWER RECOVERY   #      End State ISOLATED        SUBCOOLING MAINTAINED        MAINTAINED              (IN 4 HR)           (Phase - CD)
LER 269-2017-001 A-2 Figure A-2. Oconee SBO Event Tree (Modified)
EPS            FTF-SBO EFW-B          FTF-SBO PORV                  SSF                    CBO                  RSUB                  RCPSI                OPR-04H 1         OK 2       SBO-4 3         OK RCPSI01                              4       SBO-4 5       SBO-2 OPR-01H RCPSI01                              6         CD OPR-01H 7         OK RCPSI02                              8       SBO-4 9       SBO-2 OPR-01H RCPSI02                            10         CD OPR-01H 11         OK RCPSI03                            12       SBO-4 13       SBO-2 RCPSI03                            14        CD OPR-01H 15         OK RCPSI04                            16       SBO-4 17       SBO-2 OPR-01H RCPSI04                            18         CD OPR-01H 19       SBO-2 OPR-01H PORV-B                                                                                                                         20        CD OPR-01H 21       SBO-3 EFW-B OPR-01H 22         CD OPR-01H Figure A-2. Oconee SBO Event Tree (Modified)
FTF-SBO EPS EMERGENCY POWER FTF-SBO EFW-B EMERGENCY FEEDWATER PORV PORV/SRVS ARE CLOSED SSF SAFE SHUTDOWN FACILITY CBO CONTROLLED BLEEDOFF ISOLATED RSUB REACTOR COOLANT SUBCOOLING MAINTAINED RCPSI RCP SEAL INTEGRITY MAINTAINED OPR-04H OFFSITE POWER RECOVERY (IN 4 HR)
A-2}}
End State (Phase - CD) 1 OK 2
SBO-4 RCPSI01 3
OK 4
SBO-4 RCPSI01 OPR-01H 5
SBO-2 OPR-01H 6
CD RCPSI02 7
OK 8
SBO-4 RCPSI02 OPR-01H 9
SBO-2 OPR-01H 10 CD RCPSI03 11 OK 12 SBO-4 RCPSI03 13 SBO-2 OPR-01H 14 CD RCPSI04 15 OK 16 SBO-4 RCPSI04 OPR-01H 17 SBO-2 OPR-01H 18 CD PORV-B OPR-01H 19 SBO-2 OPR-01H 20 CD EFW-B OPR-01H 21 SBO-3 OPR-01H 22 CD}}
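Review bot: the second (bot) revision drops the "*" list markers that the first revision had in front of "In ASP analyses, ...", "The base test/limited SPAR model ..." and "Basic event EPS-HTG-CF-KEOS ...", so the SPAR Model Modifications and Key Modeling Assumptions items now read as ordinary paragraphs. It also collapses "plant- and switchyard-centered" and "grid- and weather-related" to "plant-and" and "grid-and". Suggest keeping the list markers and the space after the suspended hyphen when the text is re-extracted.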

Latest revision as of 02:06, 7 January 2025

Final Accident Sequence Precursor Analysis - Oconee Nuclear Station, Loss of Both Keowee Hydroelectric Units Due to Human Error (LER 269-2017-001) - Reject
ML18033A619
Person / Time
Site: Oconee Duke Energy
Issue date: 12/07/2017
From: Christopher Hunter
NRC/RES/DRA
To:
C. Hunter
References
LER 269-2017-001


Text

Final ASP Program Analysis - Reject
Accident Sequence Precursor Program - Office of Nuclear Regulatory Research

Oconee Nuclear Station
Loss of both Keowee Hydroelectric Units due to Human Error

Event Date: 6/16/2017
LER: 269-2017-001
IRs: TBD
CDP = 6×10⁻⁷

Plant Type: Babcock & Wilcox Lowered Loop Pressurized-Water Reactor with Dry, Ambient Pressure Containment
Plant Operating Mode (Reactor Power Level): Mode 1 (100% Reactor Power)

Analyst: Chris Hunter
Reviewer: Ian Gifford
Contributors: N/A
Approval Date: 12/07/2017

EVENT DETAILS

Event Description. On June 16, 2017, at approximately 7:40 a.m., workers were implementing a modification to governor actuator cabinets 1 and 2 located within the Keowee Hydroelectric Station. At approximately 9:07 a.m., alarm indications for a breaker on Keowee Hydroelectric Unit (KHU) 1 were received on the operator aid computer (OAC) alarm screens located in the Keowee control room (KCR). At 10:20 a.m., similar OAC alarm indications were received in the KCR associated with a breaker on KHU 2. However, the Keowee operator was performing his rounds and was not in the KCR to acknowledge these alarms.

Critical alarms associated with the KHUs are typically received in both the KCR and the Oconee main control rooms. In addition, critical alarms trigger an emergency lockout of the affected KHU. However, in this instance, alarms in the Oconee main control rooms were not generated and no emergency lockout condition on the KHUs was triggered due to the failure mode design of the repositioned breakers.

At 1:21 p.m. of the same day, while attempting to start KHU 2 for commercial generation, an "incomplete start" alarm was received in the KCR. Subsequent investigation revealed that both KHUs would not have been able to fulfil their safety function due to the breakers being out of position. As required by technical specifications, the standby buses were energized from a dedicated Lee Station combustion turbine generator (CTG) from an isolated power path at 5:15 p.m. Subsequent troubleshooting efforts concluded that the two KHU breakers were fully functional and had likely been inadvertently repositioned during work being performed in the area. Both breakers were returned to the closed position and the KHUs were successfully tested with KHU 1 declared operable at 9:50 p.m. and KHU 2 declared operable at 11:51 p.m.

Additional information is provided in licensee event report (LER) 269-2017-001 (Ref. 1).

Cause. The direct cause of both KHUs being unable to fulfill their safety function is attributed to the two breakers being out of position due to human error.


MODELING

SDP Results/Basis for ASP Analysis. To date, no inspection reports have been released that provided additional information on this event. An independent ASP analysis was performed given the lack of an identified performance deficiency and the potential risk significance of this event.

Analysis Type. A test/limited use version of the Oconee standardized plant analysis risk (SPAR) model, created in November 2017, was used for this condition assessment. The key model changes in this test/limited use model included revised fault tree logic for the safety-related alternating current (AC) buses and credit for the Lee Station CTGs for certain station blackout (SBO) sequences.1

SPAR Model Modifications. The following modifications were required for this condition assessment:

* In ASP analyses, recovery/repair credit for backup emergency power sources is limited to cases where event information supports its inclusion. For Oconee, the maximum time allowed for potential recovery/repair of the KHUs is 4 hours during a postulated loss of offsite power (LOOP) and subsequent SBO. During this event, it took Keowee operators approximately 13 hours to restore a KHU to operability; therefore, no recovery credit for the failure of the KHUs was provided in this analysis. The KEOWEE-4H (Keowee recovered in 4 hours) top event (including applicable event tree branching) was eliminated from the SBO event tree to remove this credit from the base SPAR model.

The modified Oconee SBO event tree used in this analysis is shown in Figure A-2.

* The base test/limited SPAR model includes fault tree logic associated with a 100-kilovolt (kV) offsite electrical power source from the Lee Station Switchyard; however, credit for this alternate source of power is not provided because of the uncertainty associated with electrical power during different LOOP types. For plant- and switchyard-centered LOOPs, it is expected that the 100 kV electrical power from the Lee Station Switchyard would be available, allowing operators to manually align this source to the safety-related AC buses (if needed).2 To provide this credit, the basic event ZV-TRUE (logical true event) was removed from the EPS-MFB1 (emergency power main feeder bus 1) and EPS-MFB2 (emergency power main feeder bus 2) fault trees.

Exposure Period. Both KHUs were unable to fulfil their safety function for approximately 12 hours.3 In addition, KHUs 1 and 2 were unavailable individually for approximately 73 minutes and 121 minutes, respectively.4 Calculations show the short-term unavailability of a single KHU has a negligible impact on risk. As such, this analysis focuses only on the concurrent unavailability of both KHUs.

1 Credit for aligning the Lee Station CTGs is only provided for 4-hour SBO sequences. Credit for the CTGs for the 1-hour SBO sequences is not provided because of the uncertainty associated with the time required to start the CTGs and align them to the Oconee safety-related buses. The lack of credit for the CTGs for the 1-hour SBO sequences is potentially conservative. Consideration for crediting the CTGs for the 1-hour SBO sequences will be evaluated as part of future SPAR model changes.

2 Note that the base test/limited use SPAR model has the necessary fault tree logic (EPS-LEE) to prevent any credit for the Lee Station Switchyard during grid- and weather-related LOOPs.

3 Both KHUs were concurrently unavailable from 10:20 a.m. to 9:50 p.m. on June 16th.

4 KHU 1 was unavailable by itself from 9:07 a.m. to 10:20 a.m. on June 16th. KHU 2 was unavailable by itself from 9:50 p.m. to 11:51 p.m. on June 16th.


Key Modeling Assumptions. The following modeling assumptions were determined to be significant to the modeling of this bounding condition assessment:

Basic event EPS-HTG-CF-KEOS (common cause failure of Keowee hydro units to start) was set to TRUE because the out of position breakers would have prevented both KHUs from starting during a postulated LOOP.

ANALYSIS RESULTS

CDP. The increase in core damage probability (CDP) for this analysis is calculated to be 6.0×10⁻⁷. The ASP Program acceptance threshold is a CDP of 1×10⁻⁶ for degraded conditions; therefore, this event is not a precursor. The dominant initiating events for this analysis are provided in the following table:

Event Tree | CDP | Percentage | Description
LOOPGR | 3.00×10⁻⁷ | 49.8% | Loss of Offsite Power (Grid-Related)
LOOPWR | 2.99×10⁻⁷ | 49.6% | Loss of Offsite Power (Weather-Related)

Dominant Sequence. The dominant accident sequence is grid-related LOOP/SBO sequence 16-22 (CDP = 2.6×10⁻⁷), which contributes approximately 42 percent of the total internal events CDP. The dominant sequences that contribute at least 1.0 percent to the total internal events CDP are provided in the following table. The dominant sequence is shown graphically in Figure A-1 and Figure A-2 in Appendix A.

Sequence | CDP | Percentage | Description
LOOPGR 16-22 | 2.56×10⁻⁷ | 42.4% | Grid-related LOOP initiating event; successful reactor trip; emergency power system failure results in SBO; auxiliary feedwater (AFW) fails; and operators fail to restore offsite power within 1 hour
LOOPWR 16-22 | 1.45×10⁻⁷ | 24.1% | Weather-related LOOP initiating event; successful reactor trip; emergency power system failure results in SBO; AFW fails; and operators fail to restore offsite power within 1 hour
LOOPWR 16-02-04 | 1.15×10⁻⁷ | 18.9% | Weather-related LOOP initiating event; successful reactor trip; emergency power system failure results in SBO; AFW succeeds; safe shutdown facility (SSF) successfully provides reactor coolant pump (RCP) seal cooling; operators fail to restore offsite power within 4 hours; operators continue to feed the steam generators (SGs) via the SSF or the turbine-driven AFW pump; operators fail to restore offsite power within 24 hours
LOOPWR 16-08-04 | 2.16×10⁻⁸ | 3.6% | Weather-related LOOP initiating event; successful reactor trip; emergency power system failure results in SBO; AFW succeeds; SSF fails to provide RCP seal cooling; RCP seal integrity is maintained; operators fail to restore offsite power within 4 hours; operators continue to feed the SGs using the turbine-driven AFW pump; operators fail to restore offsite power within 24 hours
LOOPGR 16-02-04 | 1.94×10⁻⁸ | 3.2% | Grid-related LOOP initiating event; successful reactor trip; emergency power system failure results in SBO; AFW succeeds; SSF successfully provides RCP seal cooling; operators fail to restore offsite power within 4 hours; operators continue to feed the SGs via the SSF or the turbine-driven AFW pump; operators fail to restore offsite power within 24 hours
LOOPGR 16-08-10 | 1.20×10⁻⁸ | 2.0% | Grid-related LOOP initiating event; successful reactor trip; emergency power system failure results in SBO; AFW succeeds; SSF fails to provide RCP seal cooling; RCP seal integrity is maintained; operators fail to restore offsite power within 4 hours; operators fail to manually feed the SGs using the turbine-driven AFW pump
LOOPWR 16-08-10 | 1.16×10⁻⁸ | 1.9% | Weather-related LOOP initiating event; successful reactor trip; emergency power system failure results in SBO; AFW succeeds; SSF fails to provide RCP seal cooling; RCP seal integrity is maintained; operators fail to restore offsite power within 4 hours; operators fail to manually feed the SGs using the turbine-driven AFW pump
LOOPGR 16-20 | 6.14×10⁻⁹ | 1.0% | Grid-related LOOP initiating event; successful reactor trip; emergency power system failure results in SBO; AFW fails; power-operated relief valve fails to close resulting in a loss-of-coolant accident; and operators fail to restore offsite power within 1 hour

REFERENCES

1. Oconee Nuclear Station, "LER 269/17-001 - Loss of both Keowee Hydroelectric Units Due to Human Error," dated August 9, 2017 (ML17256A516).

Appendix A: Key Event Trees

Figure A-1. Oconee Grid-Related LOOP Event Tree. [Figure not reproduced. Top events: IE-LOOPGR (loss of offsite power initiator, grid-related); RPS (reactor protection system); EPS (emergency power); EFW (emergency feedwater); PORV (PORV/SRVs are closed); LOSC (loss of RCP seal cooling); HPI (high pressure injection); FAB (feed and bleed); OPR-02H (offsite power recovery in 2 hrs); OPR-06H (offsite power recovery in 6 hrs); SSC (secondary side RCS cooldown fails); DHR (decay heat removal); HPR (HPR pressure recirc). Sequence 16 transfers to the SBO event tree.]

Figure A-2. Oconee SBO Event Tree (Modified). [Figure not reproduced. Top events: EPS (emergency power); EFW-B (emergency feedwater); PORV (PORV/SRVs are closed); SSF (safe shutdown facility); CBO (controlled bleedoff isolated); RSUB (reactor coolant subcooling maintained); RCPSI (RCP seal integrity maintained); OPR-04H (offsite power recovery in 4 hr).]