LESSONS LEARNED FROM THE CASE STUDIES - Use of Plant Specific PSA to Evaluate Incidents at Nucl

The analyses performed and described in the previous sections resulted in the identification of several lessons which are as follows:

1. A reasonable and défendable evaluation of safety significance of incidents using PSA is possible if the incident documentation is well prepared and if a well-documented PSA study exists.

2. In cases where the reports do not provide all the information to accurately structure the event (sequence timing, equipment

identification, flowsheet diagrams, etc.), PSA experience can be used to develop bounding models that encompass the range of reasonable

possibilities.

3. In some cases it was not possible to perform the evaluation using only the existing PSA model results because:

- the event reported was different from those considered in the PSA (new scenarios created by operator action, unexpected system interactions, different recovery actions).

in some cases it was necessary to recreate previously insignificant accident sequences which required additional evaluation and

calculation.

18 In such cases experts were needed with both PSA background to do the

necessary additional analysis and with a plant design and operations background to provide additional information concerning the event (level of dependency, common mode, etc.).

4. When the event assessment is aimed at an analysis of the behaviour of the plant as a whole, simultaneous occurrence of additional dependent or independent events have to be considered. The plant-specific PSA is the most appropriate tool for the selection of other credible occurrences since it models the plant design and operation in an integrated way.

5. If the analysis is to be done on a plant for which there is no PSA study available, a simplified model may be used. An example of this approach is the US ASP program. However, the lack of plant-specific details in the models precludes drawing many of the insights associated with risk reduction and component level contributors to risk. Accurate modeling of a specific incident at a specific plant is hindered due to the inability

to properly apply revised failure probabilities and recovery actions.

6. Several lessons were related specifically to PSA studies:

- It was generally concluded that PSA studies vary in the handling of system dependencies (which were not considered in the design phase) and common mode failures. The process of conducting incident

evaluations will highlight common mode failures that have occurred but were not properly modeled in the PSA.

Event reporting systems such as the 1RS and the LER system in the US could be beneficial for PSA practitioners to identify new sequences, new failure modes of components and new recovery actions.

Incident evaluations using plant-specific PSAs could be more easily accomplished if the PSA:

(1) Retained more details of the plant systems and components in the cut sets.

(2) Retained the logic of the sequences in the event trees, even for sequences truncated out of the PSA.

(3) Retained the failure data for all basic events in the fault trees, even if they do not show up in any of the sequence cut sets retained after truncation.

Appendix

DETAILS OF CASE STUDIES

CASE STUDY 1

POTENTIAL BMOPERABILITY OF BOTH CHARGING PUMPS

Sequoyah Unit 2 (12 February 1988) LER 328/88-005 Rl

Description

While shut down, smoke was discovered coming from the speed increaser

unit of centrifugal charging pump (CCP) 2A-A of the charging system. The pump was shut down and pump 2B-B was started.

Upon disassembly of the speed increaser, internal component damage was discovered. Two gland seal retaining bolts inside the lube oil pump had

backed out, one bolt coming disengaged and falling to the bottom of the pump casing. The seal allowed air in-leakage and oil outflow resulting in

insufficient flow to the speed increaser unit. After pump 2A-A was repaired and returned to service, pump 2B-B was also found to have the same problem.

The two trains of the lower head SI system were available.

Additionally, it was discovered that the speed increaser lube oil pumps (1800 rpm) had been mistakenly replaced with lower rated (900 rpm) pumps.

These lower rpm pumps had two problems: 1) the type of gears used in the 900 rpm pumps might not be able to adequately pump the oil when being driven at 1800 rpm, causing potential cavitation, and 2) the compression packing seal used in these pumps requires occasional adjustment as the packing wears. If these adjustments are not made, the gland seal bolts will become loose, allowing air in-leakage and resulting in insufficient oilflow to the speed increaser unit.

Corrective action was taken to replace the 900 rpm pumps with the proper

1800 rpm pumps, and the speed increaser internals were inspected and replaced

as necessary.

NOTE: In this document the units used are:

psi [6.895 x 103 Pa], ° F [-32 x 5/9 °C] and rpm [1 rev./rain].

A summary of initial conditions and equipment failures is provided in Table Al-1. The full incident description (LER 328/88-005 Rl) is attached to this case study.

TABLE Al-1

INCIDENT CHRONOLOGY, EQUIPMENT FAILURES, AND OPERATOR ACTIONS

Initial Conditions

Mode 4, 0% power

Reactor Coolant Pressure 350 psi Reactor Coolant Temperature 247 F Equipment Failures

2A-A CCP failed on February 12 at 11.33 repaired/operable on February 15 at 18.57 2B-B CCP started on February 12 at about 11.33 tagged out of service on February 17

incipient failure condition noted

Plant Design and Operational Considerations

The charging system consists of two indépendant trains with high head centrifugal charging pumps. A simplified schematic of the system is shown in Figure Al-1. The charging system, in conjunction with the safety injection system, is used to maintain adequate reactor coolant system inventory for a spectrum of small break loss-of-coolant accidents. If a small break LOCA occurred at full operating pressure and the CCPs were not available, then the operator could depressurize the RCS if necessary, via the pressurizer spray

system or by opening the power-operated relief valves, to achieve 1,400 psi

RCS pressure where the safety injection (SI) pumps could be utilized for emergency core cooling. The charging system also serves to provide emergency boration for a number of transients including anticipated transients without scram (ATWS) and main steam line break (MSLB).

24

PS-01

FO FO FCV FCV (2 132 tt til

FKMfHR PUMP IB B <, DISCHARGE

flWST j

icveTi»

£^3 PS-04 LCV U 136 Ei

PS- H J?-É PS-» PS-gt PS-23

— Q rj O

S »?« • C*3 ' "^^ -1 FCV FCV

£311 634a

FKCI

asctPUM

fcJue PS-15

^9^

504

PS-)7

~ Fcv " Fcv" " "Lô"

tH7 U7 63 131

£|f

HAflGE ' FCVIZ>

PS-OS

uizi 05:!4

TONOfltW.

hMXEUPANO FO" Û si SEAL KIECTION

amFCV

PS->g

NOTES: (I)NOHMALLY OPEN, POWER REMOVED

(2) WILL " '— ——... — - — - — -NOT OPEN UNLESS TRAINED SUMP ISO. VALVE (FCV 63-73 OR 63-72) IS FULLY OPEN, AND SI M INFLOW VALVE 63-3 IS FULLY CLOSED OR BOTH SI M INFLOW VALVES 63-175 AND 63-4 ARE FULLY CLOSED

FIG. A1-1. Simplified schematic of charging system.

Incident Modeling

This incident has been modeled as a failure of both CCPs. The failure probabilities were calculated assuming that a degraded condition which would result in pump failure on demand, would exist for one-half of a surveillance period (360 h) on the average. Since the second pump actually performed its function when demanded while in an incipient failure condition, its failure probability was looked at both assuming that it would have failed on demand if required for a transient or LOCA and with the assumption that the incipient failure condition would not alter appreciably the failure probability derived in the PSA. These two cases provide an upper and lower bound treatment of the potential common mode failure indicated by the incident.

The failure of one or both CCPs potentially affects sequences in the following event trees: T , T„, T , T , T , ATWS, Sⁿ, S_ and S_.

1 2 3 s g r d e 1 2 3 Both high pressure injection (D , D , D , D ) and high pressure recirculation (H ) functions are potentially affected by the failure of

CCPs. The potentially affected sequences have been identified in Figures Al-2 through Al-10. Because the CCPs were of limited importance in the original

PSA, the dominate accident sequence results (cut sets) did not contain terms

with basic events involving CCP failure to adequately cover the sequences with functions impacted by CCP failures. Therefore, the original system and

function fault trees were reanalysed with high failure probabilities for the CCPs. A revised set of dominant accident sequences and associated cut sets were derived.

The failure of the CCPs was considered to be non-recoverable, and as such, no pump recovery analysis was required. Operator actions involving

reactor depressurization and use of the SI system were already included in the

model and also required no further analysis. It was recognised that sequences

involving top event H were only possible if top event D was successful. In the original PSA, H was mainly composed of operator errors and common cause failures affecting the charging system and safety injection system in the initiation of the recirculation mode. CCP failure to start and failure to run were included in top event D. Since the CCP failure to run considerations were included in the injection phase (D), it is apparent that H sequences will not be noticably impacted as currently modeled in the PSA. Therefore,

H sequences were not reanalysed. Also, since the S and S sequences

were functionally the same, these two LOCA initiators were combined.

26

LOSP

H2 Sequence (CORE) COHHENTS |

1 T1

FIG. A1-2. Event tree for T] — loss of offsite power.

LOSS

HZ Sequence (CORE) COHHENTS |

1. T2 OK

FIG. A1-3. Event tree for T, — loss of main feedwater.

JtlENt

H2 Sequence |COREJ COMMENTS |

-«. T3L1

FIG. A1-4. Event tree for T3 — turbine trip with MFW initially available.

LOSS

H2 Sequence |CORE| COMMENTS |

• ——— - ——— 1. TPC

FIG. A1-6. Event tree for steam generator tube rupture.

MED

H2 Sequence | CORE

OR CD CD CD

FIG. A1-7. Event tree for S, — medium LOCA.

SMALL

H2 Sequence {CORBJ COMMENTS |

1. 82_

pr

H3 HZ Sequence |CORE| COMMENTS i .... 1. S3 OK

... . . . » «"« «*

3. S3U1H1 m

.. .. A. SJOOH3 rn

-_| ——— ..7. S30C OK Lmmm 8. [SSOCHZJ CO

9. S30CH3 CD

04 Sequence ] COR^

1 & t ivo tw L^— .18. |TKRPtQ204| CD

19." TKRPL12 CD ... _ 20. TKRPLP2 0)

FIG. A1-10. Event tree for TK — anticipated transient without scram.

No accident sequence initiators occurred during the interval in which the CCPs were potentially inoperable.(i.e. incapable of performing their design basis function given the occurence of an accident initiator). Therefore it was necessary to estimate the likelihood of an accident sequence initiator occuring during that interval. It was assumed that the CCPs were shown to be fully operational during the previous surveillance test about one month

earlier. It was further assumed that the CCP degradation occured as a

constant failure rate process. Under these conditions the CCPs would be in a failed state for one-half the surveillance interval at one month or

4.1 x 10 years. The frequency of each accident sequence initiator_2 (years ) was multiplied by the calculated exposure interval to derive an estimate of their probability of occurance during the time the CCPs were assumed to be inoperable.

The basic event and initiating event probabilities used in the analysis are provided in Table Al-2.

TABLE Al-2. BASIC EVENT PROBABILITIES

Event PSA Incident

CHP-MDP-FR-2AA 3 x 10~ house event (1.0) charging pump 2A-A

fails to run

CHP-MDP-FS-2BB 3 x 10~ house event (1.0)

charging pump 2B-B 4.1 x 10_2

fails to start (sensitivity 1) 3 x 10~3

(sensitivity 2)

IE IE x 4.1 x 10~2

Initiating Events

Analysis Results

The conditional probability associated with this incident is about 1 x 10 . The dominant sequences involve ATWS and small LOCAs including steam generator tube ruptures. A listing of the dominant sequences and

associated probabilities is provided in Table Al-3. Supplemental sensitivity analyses were performed to investigate the sensitivity of the assumption that the 2B-B CCP would have failed if demanded during an accident. This pump

TABLE Al-3. ACCIDENT SEQUENCE CONDITIONAL PROBABILITIES

Sequence Conditional

Probability

Sequence Conditional Probability

3.3 x 10-9

1.0 x 10-10

Sl°2 2.1 x 10-7 5.9 x 10-7

^ -, , de l l T D, Q

sg l s T D, Q1

sg 1 1 T D, ÖD

sg l

T D, L sg l

T R D k 4

R Q

2.0 x 10-11

6.3 x 10^-7 1.9 x 10-9

1.3 x 10-8 7.8 x 10-10 4.5 x 10-6

6.2 x 10-7

Total 9.6 x 10-6 Sensitivity 1 5.9 x 10-7 Sensitivity 2 2.4 x 10^-7

2.2 x 10-6

Q4 °4 T R PL D

R PL

3.1 x 10-7

4.5 x 10-7

6.2 x 10-8

Note: S includes S initiator frequency

32

actually did operate after pump 2A-A failed, but was not subjected to accident demands. In the first sensitivity case, the coincident failure of CCP 2B-B was assumed to be loosely coupled to that of CPP 2A-A with an independent probability of failure represented by the unavailability equal to one-half the surveillance interval. This value is 4.1 x 10 . When this value is used,-2 the conditional core damage probability becomes 5.9 x 10 . For the second sensitivity case, the failure probability of pump CCP 2B-B was assumed to be essentially unaffected by the degraded condition that was found during

subsequent inspection of the pump. The base PSA failure probability of -3 -7 3 x 10 was used. The resultant core damage probability is 2.4 x 10

The importance of the CCP failures(s) associated with this event is approximately bounded by the common mode failure case of 10 and the

independent failure case of 2.4 x 10 . The available evidence implies that-7 the common mode failure assumption most closely represents the risk

implications of the incident as reported.

Since the charging pumps have a significant impact on emergency boration, it is not surprising that ATWS sequences become most important with the

failure of both CCPs. This is followed by the much less significant small LOCA and steam generator tube rupture with safety injection system failure.

The reactor protection system, which was already of relatively high

importance, rises even higher. This is also true for a number of potential common cause failure points in the safety injection system (i.e. MOV-63-22, CKV - 6351, and both SI pumps).

It is interesting to note that the original PSA did not include a common cause failure of the charging pumps in the logic model. Only failure to run for the operating CCP and an independent failure to start, run or test and maintenance unavailability was included for the standby pump.

LICENSEE EVENT REPORT (1ER»

Of Gland Seal Bolts On Speed Increaser Lube Oil Pumpe Causes A Potentia I n o p e r a b i l i t y Of Both U n i t 2 Centrifugal Chare ing Pumps

. KilKore. Plant Operations Review Staff

AREA CODE

6 1 1 1 5 ₈!⁷ ^{0[ -|7} ^{0, 8| 7}

CO*WICTI ONC LIMi 'OH fACH COMPONfNT PAILUfll DftCMIttD IN TMI» MFOHT (III

t VIS Ht v* ta^»* fX'fCTlo SUIUISSIOH OATft 13 *°

MANU* AC

AMTHACT U."<VT M '«00 I0*CM >

On February 12. 1988, *t approximately 1133 EST, smoke wa> discovered coming from the speed increaser unit for the 2A-A centrifugal charging pump (CCP).

Immediately, the 2B-B CCP was started, and the 2A-A CCP was stopped. Upon disassembly of the 2A-A CCP speed increaser. much of the internals were found damaged. Further investigation found the two gland seal (GS) retaining bolts inside the speed increaser lube oil pump (SILOP) backed out allowing the GS to loosen. The GS being loosened caused reduced oil flow to the speed increaser internals and ultimate damage. The 2B-B and 1B-B SILOPs were inspected, and the same GS bolts as on the 2A-A pump were found loosened. The cause of the bolts backing out was determined to be lack of a periodic adjustment of the GS bolts. It was discovered during investigation that the original SILOPs for 2A-A. 2B-B. and 1B-B CCPs had been replaced with incorrect SILOPs. The original 1A-A SILOP was not replaced with an incorrect SILOP. The replacement SILOPs had been ordered using an incorrect part number in April 1985. The replacement SILOPs for 1B-B, 2A-A. and 2B-B were rated for 900 rpm and incorporated a compression packing seal which requires periodic adjustment as the packing wears. The original SILOPs were rated for 1.800 rpm and incorporated a mechanical seal which does not require

adjustment. The major cause of this event was that the replacement SILOPs for 1B-B, 2A-A. and 2B-B were the wrong SILOPs that incorporated the packing seal, and no program was in place to periodically tighten the gland bolts. The 2A-A SILOP was replaced with an 1,800 rpm pump on February 15, 1988, and two new pumps (1,800 rpm) were procured for 1B-B and 2B-B and installation was completed on March 7. 1988. The 1A-A SILOP mechanical GS bolts were insepcted on April 7, 198B, and found to be satisfactory. To prevent recurrence, TVA has a new procurement program in place which provides additional independent review/verification of all plant initiated procurement documents.

»•CH.ITV NAMt (II

Sequoyah, Unit 2

DOC«! T NUMMlIt (21

o |S (0 |o | 0 | 3 | 2| 8 8|8 LICENSEE EVENT REPORT ILERI TEXT CONTINUATION

•fUCKAl MGULAfO«v COMMtcstON

AP**ovtO OMt NO

3IW-010-This revision is being submitted to provide »n update of completed corrective actions and a restatement of the event analysis.

DESCRIPTION OF EVENT

On February 12, 1988, at approximately 1133 EST with unit 2 in node 4 (0 percent power, 350 psig, 2*7 degrees F) and unit 1 in mode 5 (0 percent power, 4 psig, 123 degrees F), «moke was discovered coming from the speed increaser unit on the 2A-A (unit 2, train "A") CCP (EUS Code BQ). Immediately, the 2B-B (unit 2, train "fl") CCP was started, and the 2A-A CCP was chut down.

The CCPs are utilized in the boron injection system for reactivity control and in the emergency core cooling system (ECCS) (EUS Code BQ). Both pumps are required to be operable in modes 1 through 4 by the plant technical

specifications (TSs). Since unit 2 was in mode 4 at the time, the action statement for TSs 3.1.2.2 and 3.1.2.4 were complied with immediately. This involved restoring both charging pumps to operable status within seven days or bring the unit to cold shutdown within the next 30 hours.

Disassembly of the 2A-A CCP speed increaser box was started later the same night, and upon disassembly, much of the internals were found damaged. Upon further investigation of the cause, it was discovered that the two gland seal retaining bolts inside the speed increaser lube oil pump had backed out with one bolt completely disengaged from the bolt hole and lying in the bottom of the pump casing. The lube oil pump is mounted on the side of the speed increaser and is driven by the speed inereaser low speed shaft. The pump recirculates oil in the speed increaser to lubricate the internal moving parts and to serve as a cooling medium in removing heat. The lube oil pump is a rotary gear type and incorporates a gland seal to seal around the shaft. The seal is provided to isolate the pump internal pressure from the external atmosphere.

The bolts being backed out allowed the gland seal to loosen and not provide the seal in which it was designed to perform. After evaluation of the pump design and discussions with the supplier (Westinghouse), it is theorized that the loosening of the gland seal allowed air to be drawn in, via the speed increaser housing, mixing with the oil and/or allowed oil from the pump to be forced through the loosened gland seal bypassing the normal flow path to the speed increaser internals. These conditions caused reduced oil flow to the speed increaser internals and ultimate damage to the internals. The speed increaser internals were replaced as necessary, and the lube oil pump was replaced with one from a spare speed increaser unit. After reassembly, postmaintenance tests were performed on the 2A-A CCP and speed increaser unit, and the pump was returned to operable status at 1857 EST on February IS, 1988.

f A C I L I T V NAMI (11

Sequoyah, Unit 2

OOCKCT MUM*!* »)t

o |5 |o |o |o | 3j 2|8 8 |8

——

M *U*W(« It»

0 I 01 5 _ 0| 1

0 | 3

0 |8 LICENSEE EVENT REPORT (LERt TEXT CONTINUATION vfO OMI NO ÎISO-0'O*

• 11 •

As additional preventive actions, the 2B-B (unit 2, train B) CCP was tagged out of service on February 17. 1988, to inspect the lube oil pump gland seal for a similar condition. Upon disassembly, the gland seal bolts were also found backed out similarly to the train A pump. The bolts were retightened and a locktite sealant installed to prevent the bolts from loosening again during operation. Concurrence was obtained from Westinghouse that this would be an acceptable method for securing the bolts.

The 2B-B CCP was declared operable at OSOO EST on February 18. 1988. After evaluation of the similar condition on both unit 2 CCP*, it was determined that this condition alone could have prevented the fulfillment of this system's safety function. At 1218 EST on February 19, 1988, NRC was notified by phone of this condition in accordance with 10 CFR 50.72, paragraph b.2.iii. As further preventive measures, work requests (WRs) were prepared to inspect the speed

Dans le document Use of Plant Specific PSA to Evaluate Incidents at Nuclear Power Plants | IAEA (Page 18-66)