ML050960263

Final Precursor Analysis - Perry Grid Loop
Accession number: ML050960263
Site: Perry (FirstEnergy)
Issue date: 12/17/2004
From: Christopher Hunter, NRC/RES/DRAA/OERAB
Shared package: ML060030075
References: LER 03-002



Note 1: For the initiating event assessment, the parameter of interest is the measure of the CCDP. This is the value obtained when calculating the probability of core damage for an initiating event with subsequent failure of one or more components following the initiating event. The value reported here is the mean.

Enclosure

Final Precursor Analysis
Accident Sequence Precursor Program, Office of Nuclear Regulatory Research

Perry
Automatic Reactor Trip and Loss of Offsite Power Due to the August 14, 2003, Transmission Grid Blackout

Event Date: 8/14/2003
LER: 440/03-002
CCDP (note 1) = 3x10^-5
December 17, 2004

Event Summary

At 1610 hours on August 14, 2003, Perry experienced a disturbance on the electrical grid and a subsequent main generator trip followed by a turbine trip and a reactor trip while operating at 100% power. Plant emergency diesel generators (EDGs) started and supplied power to safety-related plant loads until offsite power was restored. Attachment A is a timeline of significant events (Refs. 1 and 2).

Cause. The reactor trip and loss of offsite power (LOOP) were caused by grid instability associated with the regional transmission system blackout that occurred on August 14, 2003.

Other conditions, failures, and unavailable equipment. Residual heat removal (RHR) train A was inoperable for approximately 6 hours because of air binding in the keep-fill system pump. The low-pressure core spray (LCS) system was also affected by the air binding in the keep-fill system pump, but the LCS system was recoverable from the start of the LOOP (Refs. 3 and 4).

Approximately 3 hours into the event, the reactor core isolation cooling (RCIC) turbine-driven pump was manually secured to prevent an automatic shutdown on high steam tunnel temperature. The steam tunnel temperature was caused by a loss of ventilation.

The Division 1 EDG tripped on reverse power while being removed from service. This had no effect on the conditional core damage probability (CCDP) for this event; it will be analyzed as a separate Accident Sequence Precursor (ASP) analysis.

Recovery opportunities. Offsite power was first available at 1737 hours when one transmission yard breaker was closed. Offsite power was restored to the Division 1 emergency bus at 1813 hours on August 14, to the Division 3 emergency bus at 1214 hours on August 15, and to the Division 2 emergency bus at 1548 hours on August 15.

LER 440/03-002 2

Analysis Results

Conditional Core Damage Probability (CCDP)

The CCDP for this event is 3x10^-5. The acceptance threshold for the ASP Program is a CCDP of 1x10^-6. This event is a precursor.

| | Mean | 5% | 95% |
|---|---|---|---|
| Best estimate | 3x10^-5 | 1x10^-6 | 1x10^-4 |

Dominant Sequences

The dominant core damage sequences for this assessment are LOOP sequence 30 (44.4% of the total CCDP) and LOOP sequence 21 (30.7% of the total CCDP). The LOOP event tree is shown in Figure 1.

The events and important component failures in LOOP Sequence 30 are:

- loss of offsite power occurs,
- reactor shutdown succeeds,
- emergency power is available,
- safety relief valves (SRVs) reclose after opening,
- high-pressure core spray (HPCS) fails,
- reactor core isolation cooling (RCIC) fails,
- manual depressurization succeeds, and
- low pressure injection fails.

The events and important component failures in LOOP Sequence 21 are:

- loss of offsite power occurs,
- reactor shutdown succeeds,
- emergency power is available,
- SRVs reclose after opening,
- HPCS fails,
- RCIC succeeds,
- suppression pool cooling (SPC) fails,
- manual depressurization succeeds,
- low pressure injection fails, and
- alternate low pressure injection fails.

Results Tables

- The CCDP values for the dominant sequences are shown in Table 1.
- The event tree sequence logic for the dominant sequences is presented in Table 2a.
- Table 2b defines the nomenclature used in Table 2a.
- The most important cut sets for the dominant sequences are listed in Table 3.
- Table 4 presents names, definitions, and probabilities of (1) basic events whose probabilities were changed to update the referenced SPAR model, (2) basic events whose probabilities were changed to model this event, and (3) basic events that are important to the CCDP result.

Modeling Assumptions

Assessment Summary

This event was modeled as a LOOP initiating event. Rev. 3.10 (SAPHIRE 7) of the Perry SPAR model (Ref. 5) was used for this assessment. The specific model version used as a starting point for this analysis is dated December 10, 2004.

RHR Train A, LCS, and RCIC were inoperable at various times during the LOOP. Since this event involves a LOOP of significant duration, probabilities of nonrecovery of offsite power at different times following the LOOP are important factors in the estimation of the CCDP.

Best Estimate: Offsite power was available in the switchyard approximately 90 minutes after the LOOP. The first safety bus was returned to offsite power at 1813 (2 hours after the LOOP). Failure to recover offsite power to plant safety-related loads (if needed because EDGs fail to supply the loads), given recovery of power to the switchyard, could result from (1) operators failing to restore proper breaker line-ups, (2) breakers failing to close on demand, or (3) a combination of operator and breaker failures. The dominant contributor to failure to recover offsite power to plant safety-related loads in this situation is operators failing to restore proper breaker line-ups. This analysis assumed that at least 30 minutes are necessary to restore power to an emergency bus given that offsite power is available in the switchyard. The time available for operators to restore proper breaker line-ups to prevent core damage is dependent on specific accident sequences and is modeled as such using the SPAR human reliability model (Ref. 6). Assumptions described below, combined with the assumption of offsite power restoration described above, form the bases for the LOOP nonrecovery probabilities.

Important Assumptions

Important assumptions regarding power recovery modeling include the following:

- No opportunity for the recovery of offsite power to safety-related loads is considered for any time prior to power being available in the switchyard.
- At least 30 minutes are required to restore power to emergency loads after power is available in the switchyard.
- SPAR models do not credit offsite power recovery following battery depletion.

The GEM program used to determine the CCDP for this analysis will calculate probabilities of recovering offsite power at various time points of importance to the analysis based on historical data for grid-related LOOPs. In this analysis, this feature was overridden; offsite power recovery probabilities were based on (1) known information about when power was restored to the switchyard and (2) use of the SPAR human error model to estimate probabilities of failing to realign power to emergency buses for times after power was restored to the switchyard.

Attachment B is a procedure for analysis of LOOP events in the ASP Program. Attachment C is a description of the approach to estimating offsite power recovery probabilities.

Event Tree and Fault Tree Modifications

Train A of RHR (RHR-A) was inoperable for the first 6 hours of the event because of air binding in the keep-fill system pump. After 6 hours, RHR-A was operable. Failure of the keep-fill system is not modeled in the RHR-A fault tree of the base SPAR model; therefore, the RHR-A fault tree was updated to include this failure mode. The updated RHR-A fault tree is shown in Figure 2. For this analysis, the recovery of train A of RHR was credited for long-term LOOP sequences. The following project rules were created to apply the recovery to long-term LOOP sequences:

    if INIT(IE-LOOP) * system(CVS) * RHR-A-KEEP-FILL then
        DeleteEvent = RHR-A-KEEP-FILL;
        AddEvent = RHR-A-KEEP-FILL-REC;
    elsif INIT(IE-LOOP) * RHR-A-KEEP-FILL then
        DeleteEvent = RHR-A-KEEP-FILL;
        AddEvent = RHR-A-KEEP-FILL-REC;
    endif

Additionally, the LCS pump train was affected by the failure of the keep-fill system; however, the LCS pump train was immediately recoverable. Like RHR-A, failure of the keep-fill system is not modeled in the LCS fault tree of the base SPAR model; therefore, the LCS fault tree was updated to include this failure mode. The updated LCS fault tree is shown in Figure 3. The three basic events involved in these two changes are included in the basic event probability changes section.

Basic Event Probability Changes

Table 4 includes basic events whose probabilities were changed to reflect the event being analyzed. The bases for these changes are as follows:

- LCS pump train is unavailable because of keep-fill system failure (LCS-KEEP-FILL). This event represents the failure of the LCS pump train due to the keep-fill system failures. Since the LCS pump train was immediately recoverable, recovery of the system was credited. Using the SPAR human error model to determine the value (see Attachment D), LCS-KEEP-FILL was set to 2.1x10^-1. This is assumed to be the mean of a constrained noninformative distribution.

- Probability of failure to recover offsite power in 30 minutes (OEP-XHE-XL-NR30M). During the event, offsite power was not available in the switchyard until 1.5 hours after the LOOP. Therefore, there was no opportunity to recover offsite power in 30 minutes and OEP-XHE-XL-NR30M was set to TRUE.

- Probability of failure to recover offsite power in 1 hour (OEP-XHE-XL-NR01H). During the event, offsite power was not available in the switchyard until 1.5 hours after the LOOP. Therefore, there was no opportunity to recover offsite power in 1 hour and OEP-XHE-XL-NR01H was set to TRUE.

- Probability of failure to recover offsite power in 3 hours (OEP-XHE-XL-NR03H). During the event, offsite power was not available in the switchyard until 1.5 hours after the LOOP. Therefore, the operators had approximately 1.5 hours to recover offsite power to the vital safety buses. Using the SPAR human error model to determine the value (see Attachment C), OEP-XHE-XL-NR03H was set to 1.0x10^-2.

- Probability of failure to recover offsite power in 7 hours (OEP-XHE-XL-NR07H). During the event, offsite power was not available in the switchyard until 1.5 hours after the LOOP. Therefore, the operators had approximately 6.5 hours to recover offsite power to the vital safety buses. Using the SPAR human error model to determine the value (see Attachment C), OEP-XHE-XL-NR07H was set to 1.0x10^-3.

- Probability of failure to recover offsite power in 16 hours (OEP-XHE-XL-NR16H). During the event, offsite power was not available in the switchyard until 1.5 hours after the LOOP. Therefore, the operators had approximately 14.5 hours to recover offsite power to the vital safety buses. Using the SPAR human error model to determine the value (see Attachment C), OEP-XHE-XL-NR16H was set to 1.0x10^-3.

- Probability that restart of RCI is required (RCI-RESTART). During the event, RCI and HPCS automatically started to provide flow to the reactor vessel. Upon reaching level 8 in the reactor, both systems were isolated. RCIC was later used to provide makeup inventory to the reactor. Since RCI restart occurred, RCI-RESTART was set to TRUE.

- Probability of RCI TDP failing to run (RCI-TDP-FR-TRAIN). Approximately 5 hours into the event, the RCIC turbine-driven pump was automatically isolated because of high steam tunnel temperature due to a loss of ventilation. Therefore, RCI-TDP-FR-TRAIN was set to TRUE.

- Probability of operator failing to recover failure of RCI to run (RCI-XHE-XL-RUN). This event represents the probability that an operator fails to recover the failure of the RCI TDP to run. During this event, the RCI TDP was taken offline, not because of mechanical failure, but because of an inhospitable plant environment (high steam tunnel temperature). Therefore, for this analysis, RCI-XHE-XL-RUN was updated to represent a composite of two distinct failure modes, mechanical failure and inhospitable plant environment. The mechanical failure portion was calculated by multiplying the probability of mechanical failure (1.2x10^-2) by the probability of operator recovery of mechanical failure (5.0x10^-1), yielding an overall mechanical failure probability of 6.0x10^-3. The probability of the operator failing to recover the RCI TDP from the inhospitable plant environment was calculated using the SPAR human error model to determine the diagnosis and recovery value, 5.5x10^-3 (see Attachment C). RCI-XHE-XL-RUN was set to the sum of the two probabilities, 1.15x10^-2.

- RHR-A is unavailable because of keep-fill system failures (RHR-A-KEEP-FILL). This event represents the short-term failure-to-run (< 6 hours) of the RHR train A. Since the pump was unavailable for the first 6 hours, RHR-A-KEEP-FILL was set to 1.0. (Note: Due to the way that the GEM program applies recovery rules, RHR-A-KEEP-FILL must be set to 1.0, not TRUE.)

- RHR-A train keep-fill nonrecovery after 6 hours (RHR-A-KEEP-FILL-REC). This event represents the long-term (> 6 hours) failure-to-recover the keep-fill system. Since the RHR system was available after the first 6 hours, long-term recovery of the system was credited. Using the SPAR human error model to determine the value (see Attachment D), RHR-A-KEEP-FILL-REC was set to 2.1x10^-1. This is assumed to be the mean of a constrained noninformative distribution.

- Probability of diesel generators failing to run (ZT-DGN-FR-L). The default diesel generator mission times were changed to reflect the actual time to recover power to the first safety bus (approximately 2 hours). Since the overall fail-to-run is made up of two separate factors, the mission times for the factors were set to the following: ZT-DGN-FR-E = 1 hour (base case value) and ZT-DGN-FR-L = 8.75 hours.

References

1. Licensee Event Report 440/03-002, Revision 1, Reactor Scram Due to Electric Grid Disturbance, event date December 2, 2003 (ADAMS Accession No. ML033530117).
2. NRC Region 1 Grid Special Report, October 15, 2003 (ADAMS Accession No. ML0324102160).
3. NRC Special Inspection Report 440/03-009, October 10, 2003 (ADAMS Accession No. ML032880107).
4. Licensee Event Report 440/03-005, Revision 1, Technical Specification Violation/Loss of Safety Function due to Air Bound Water-leg Pump, event date October 31, 2003 (ADAMS Accession No. ML040070073).
5. J. A. Schroeder, Standardized Plant Analysis Risk Model for Nine Mile Point 2 (ASP BWR C), Revision 3.10, December 2004.
6. D. Gertman, et al., SPAR-H Method, INEEL/EXT-02-10307, Draft for Comment, November 2002 (ADAMS Accession No. ML0315400840).

Table 1. Conditional probabilities associated with the highest probability sequences.

| Event tree name | Sequence no. | Conditional core damage probability (CCDP) (1) | Percentage contribution |
|---|---|---|---|
| LOOP | 30 | 1.2x10^-5 | 44.4% |
| LOOP | 21 | 8.3x10^-6 | 30.7% |
| Total (all sequences) (2) | | 2.7x10^-5 | |

1. Values are point estimates. (File name: GEM 440-03-002 12-13-2004.wpd)
2. Total CCDP includes all sequences (including those not shown in this table).

Table 2a. Event tree sequence logic for the dominant sequences.

| Event tree name | Sequence no. | Logic (/ denotes success; see Table 2b for top event names) |
|---|---|---|
| LOOP | 30 | /RPS, /EPS, /SRV, HCS, RCI, /DEP, LPI |
| LOOP | 21 | /RPS, /EPS, /SRV, HCS, /RCI, SPC, /DEP, LPI, VA |

Table 2b. Definitions of fault trees listed in Table 2a.

| Fault tree | Definition |
|---|---|
| DEP | MANUAL DEPRESSURIZATION FAILS |
| EPS | LOSS OF ONSITE EMERGENCY POWER |
| HCS | HPCS FAILS TO PROVIDE SUFFICIENT FLOW TO REACTOR VESSEL |
| LPI | LOW-PRESSURE INJECTION IS UNAVAILABLE |
| RCI | RCIC FAILS TO PROVIDE SUFFICIENT FLOW TO REACTOR VESSEL |
| RPS | REACTOR SHUTDOWN FAILS |
| SPC | SUPPRESSION COOLING MODE OF RHR FAILS |
| SRV | ONE OR MORE SRVS FAIL TO CLOSE |
| VA | ALTERNATE LOW-PRESSURE INJECTION FAILS |

Table 3. Conditional cut sets for dominant sequences.

Event Tree: LOOP, Sequence 30

| CCDP (1) | Percent contribution | Minimal cut sets (2) |
|---|---|---|
| 5.0x10^-7 | 4.1 | SSW-MDP-TM-TRNC, EPS-DGN-FR-DGB, RCI-XHE-XL-RUN, RHR-A-KEEP-FILL, LCS-KEEP-FILL |
| 2.9x10^-7 | 2.4 | RCI-XHE-XO-ERROR, EPS-DGN-FR-DGB, RHR-A-KEEP-FILL, LCS-KEEP-FILL, HCS-XHE-XO-ERROR1 |
| 2.5x10^-7 | 2.1 | ECW-MDP-TM-C001B, SSW-MDP-TM-TRNC, RCI-XHE-XL-RUN, RHR-A-KEEP-FILL, LCS-KEEP-FILL |
| 2.5x10^-7 | 2.1 | SSW-MDP-TM-TRNC, EPS-DGN-FR-DGB, RCI-TDP-FS-RSTRT, RCI-XHE-XL-RSTRT, RHR-A-KEEP-FILL, LCS-KEEP-FILL |
| 1.2x10^-5 | | Total (all cut sets) (3) |

Event Tree: LOOP, Sequence 21

| CCDP (1) | Percent contribution | Minimal cut sets (2) |
|---|---|---|
| 4.2x10^-7 | 5.1 | OPR-XHE-XM-ALPI, SSW-MDP-TM-TRNC, EPS-DGN-FR-DGB, RHR-A-KEEP-FILL, LCS-KEEP-FILL |
| 2.1x10^-7 | 2.5 | OPR-XHE-XM-ALPI, ECW-MDP-TM-C001B, SSW-MDP-TM-TRNC, RHR-A-KEEP-FILL, LCS-KEEP-FILL |
| 2.1x10^-7 | 2.5 | FWS-EDP-TM-TRN, SPCAI, SSW-MDP-TM-TRNC, EPS-DGN-FR-DGB, RHR-A-KEEP-FILL, LCS-KEEP-FILL |
| 2.1x10^-7 | 2.5 | OPR-XHE-XM-ALPI, EPS-DGN-FR-DGB, EPS-DGN-FR-DGC, RHR-A-KEEP-FILL, LCS-KEEP-FILL |
| 8.3x10^-6 | | Total (all cut sets) (3) |

1. Values are point estimates.
2. See Table 4 for definitions and probabilities for the basic events.
3. Totals include all cut sets (including those not shown in this table).

Table 4. Definitions and probabilities for modified or dominant basic events.

| Event name | Description | Probability/frequency | Modified |
|---|---|---|---|
| ECW-MDP-TM-C001B | ECW PUMP 1B IS IN TEST OR MAINTENANCE | 5.0x10^-3 | No |
| EPS-DGN-FR-DGB | EDG B FAILS TO RUN | 1.0x10^-2 | No |
| EPS-DGN-FR-DGC | EDG C FAILS TO RUN | 1.0x10^-2 | No |
| FWS-EDP-TM-TRAIN | DIESEL FIREWATER PUMP UNAVAILABLE BECAUSE OF TEST AND MAINTENANCE | 5.0x10^-3 | No |
| HCS-XHE-XO-ERROR1 | OPERATOR FAILS TO START/CONTROL HPCS INJECTION | 1.4x10^-1 | No |
| IE-LOOP | LOSS OF OFFSITE POWER INITIATING EVENT | 1.0 | Yes (1) |
| LCS-KEEP-FILL | LCS PUMP TRAIN IS UNAVAILABLE BECAUSE OF KEEP-FILL SYSTEM FAILURES (OPERATOR FAILURE TO RECOVER) | 2.1x10^-1 | Yes (2) |
| OEP-XHE-XL-NR30M | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 30 MINUTES | TRUE | Yes (3) |
| OEP-XHE-XL-NR01H | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 1 HOUR | TRUE | Yes (3) |
| OEP-XHE-XL-NR03H | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 3 HOURS | 1.0x10^-2 | Yes (3) |
| OEP-XHE-XL-NR07H | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 7 HOURS | 1.0x10^-3 | Yes (3) |
| OEP-XHE-XL-NR16H | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 16 HOURS | 1.0x10^-3 | Yes (3) |
| OPR-XHE-XM-ALPI | OPERATOR FAILS TO ALIGN ALTERNATE LOW PRESSURE INJECTION | 1.0x10^-2 | No |
| RCI-RESTART | RESTART OF RCIC IS REQUIRED | TRUE | Yes (2) |
| RCI-TDP-FR-TRAIN | RCIC FAILS TO RUN GIVEN THAT IT STARTED | TRUE | Yes (2) |
| RCI-TDP-FS-RSTRT | RCIC FAILS TO RESTART GIVEN START AND SHORT-TERM RUN | 1.2x10^-2 | No |
| RCI-XHE-XL-RSTRT | OPERATOR FAILS TO RECOVER RCIC FAILURE TO RESTART | 5.0x10^-1 | No |
| RCI-XHE-XL-RUN | OPERATOR FAILS TO RECOVER RCIC FAILURE TO RUN | 1.2x10^-2 | Yes (2) |
| RCI-XHE-XO-ERROR | OPERATOR FAILS TO START/CONTROL RCIC INJECTION | 1.0x10^-3 | No |
| RHR-A-KEEP-FILL | RHR-A TRAIN IS UNAVAILABLE BECAUSE OF KEEP-FILL SYSTEM FAILURES | 1.0 | Yes (2) |
| RHR-A-KEEP-FILL-REC | RHR TRAIN A KEEP-FILL NONRECOVERY AFTER 6 HOURS | 2.1x10^-1 | Yes (2) |
| SPCAI | SUPPRESSION POOL CLEANUP ALTERNATE INJECTION FAILS | 1.0 | No |
| SSW-MDP-TM-TRNC | SSW PUMP C IS UNAVAILABLE BECAUSE OF MAINTENANCE | 2.0x10^-2 | No |
| ZT-DGN-FR-L | EDG FAILS TO RUN (LATE) | 7.0x10^-3 | Yes (4) |

1. Initiating event assessment: all other initiating event frequencies set to zero.
2. Changed to reflect the event being analyzed. See report and Basic Event Probability Changes for further details.
3. Evaluated per the SPAR-H method (Ref. 4). See report and Attachment C for further details.
4. Changed mission times to correspond to the time offsite power was restored to the first vital bus. See report and Basic Event Probability Changes for further details.
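
A cross-check of Table 3 against Table 4, added here as a Python example and not part of the NRC analysis: each cut-set value is recomputed as the product of its basic-event probabilities and compared with the printed value at two significant figures. Function names are illustrative; event names and values are transcribed from the two tables.

```python
"""Cross-check Table 3 cut-set values against Table 4 basic-event values."""
from math import prod

# Probabilities transcribed from Table 4 (only the events used in Table 3).
BASIC_EVENTS = {
    "ECW-MDP-TM-C001B": 5.0e-3,
    "EPS-DGN-FR-DGB": 1.0e-2,
    "EPS-DGN-FR-DGC": 1.0e-2,
    "FWS-EDP-TM-TRAIN": 5.0e-3,
    "HCS-XHE-XO-ERROR1": 1.4e-1,
    "LCS-KEEP-FILL": 2.1e-1,
    "OPR-XHE-XM-ALPI": 1.0e-2,
    "RCI-TDP-FS-RSTRT": 1.2e-2,
    "RCI-XHE-XL-RSTRT": 5.0e-1,
    "RCI-XHE-XL-RUN": 1.2e-2,
    "RCI-XHE-XO-ERROR": 1.0e-3,
    "RHR-A-KEEP-FILL": 1.0,
    "SPCAI": 1.0,
    "SSW-MDP-TM-TRNC": 2.0e-2,
}

# (sequence, CCDP printed in Table 3, basic events) transcribed from Table 3.
CUT_SETS = [
    (30, 5.0e-7, ["SSW-MDP-TM-TRNC", "EPS-DGN-FR-DGB", "RCI-XHE-XL-RUN",
                  "RHR-A-KEEP-FILL", "LCS-KEEP-FILL"]),
    (30, 2.9e-7, ["RCI-XHE-XO-ERROR", "EPS-DGN-FR-DGB", "RHR-A-KEEP-FILL",
                  "LCS-KEEP-FILL", "HCS-XHE-XO-ERROR1"]),
    (30, 2.5e-7, ["ECW-MDP-TM-C001B", "SSW-MDP-TM-TRNC", "RCI-XHE-XL-RUN",
                  "RHR-A-KEEP-FILL", "LCS-KEEP-FILL"]),
    (30, 2.5e-7, ["SSW-MDP-TM-TRNC", "EPS-DGN-FR-DGB", "RCI-TDP-FS-RSTRT",
                  "RCI-XHE-XL-RSTRT", "RHR-A-KEEP-FILL", "LCS-KEEP-FILL"]),
    (21, 4.2e-7, ["OPR-XHE-XM-ALPI", "SSW-MDP-TM-TRNC", "EPS-DGN-FR-DGB",
                  "RHR-A-KEEP-FILL", "LCS-KEEP-FILL"]),
    (21, 2.1e-7, ["OPR-XHE-XM-ALPI", "ECW-MDP-TM-C001B", "SSW-MDP-TM-TRNC",
                  "RHR-A-KEEP-FILL", "LCS-KEEP-FILL"]),
    (21, 2.1e-7, ["FWS-EDP-TM-TRN", "SPCAI", "SSW-MDP-TM-TRNC",
                  "EPS-DGN-FR-DGB", "RHR-A-KEEP-FILL", "LCS-KEEP-FILL"]),
    (21, 2.1e-7, ["OPR-XHE-XM-ALPI", "EPS-DGN-FR-DGB", "EPS-DGN-FR-DGC",
                  "RHR-A-KEEP-FILL", "LCS-KEEP-FILL"]),
]


def quantify(events, table=BASIC_EVENTS):
    """Return (probability, missing_names) for one minimal cut set.

    The cut-set probability is the product of its basic-event
    probabilities. If a name has no entry in the table the product is
    not computed and the unresolved names are returned instead.
    """
    missing = [name for name in events if name not in table]
    if missing:
        return None, missing
    return prod(table[name] for name in events), []


def same_as_printed(computed, reported):
    """Compare at the two significant figures used in Table 3."""
    return f"{computed:.1e}" == f"{reported:.1e}"


def cross_check(cut_sets=CUT_SETS, table=BASIC_EVENTS):
    """Recompute every cut set and classify it as ok, mismatch or unresolved."""
    findings = []
    for sequence, reported, events in cut_sets:
        value, missing = quantify(events, table)
        if missing:
            status = "unresolved"
        elif same_as_printed(value, reported):
            status = "ok"
        else:
            status = "mismatch"
        findings.append({
            "sequence": sequence,
            "reported": reported,
            "computed": value,
            "status": status,
            "missing": missing,
        })
    return findings


if __name__ == "__main__":
    for f in cross_check():
        shown = "n/a" if f["computed"] is None else f"{f['computed']:.2e}"
        print(f["sequence"], f"{f['reported']:.1e}", shown, f["status"], f["missing"])
```

The check reports FWS-EDP-TM-TRN as unresolved because Table 4 lists the event as FWS-EDP-TM-TRAIN; the other seven cut sets reproduce the printed values.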

Attachment A
Event Timeline

Table A.1 Timeline of significant events.

| Date | Time | Event |
|---|---|---|
| 8/14/03 | 1610 | Generator, turbine, and reactor trip due to grid instability |
| | 1737 | Offsite power is restored to the switchyard |
| | 1813 | Division 1 emergency bus is switched to offsite power source |
| 37847 | 1214 | Division 3 emergency bus is switched to offsite power source |
| | 1548 | Division 2 emergency bus is switched to offsite power source |

Attachment B
LOOP Analysis Procedure

This procedure is not intended to stand alone; instead it is intended to augment ASP Guideline A: Detailed Analysis (note 2). LOOP event analyses are a type of initiating event assessment as described in ASP Guideline A. Specific analysis steps that are unique to ASP analysis of LOOP events are included here.

Note 2: ASP Guideline A: Detailed Analysis, U.S. Nuclear Regulatory Commission.

1. Determine significant facts associated with the event.

   1.1 Determine when the LOOP occurred.

   1.2 Determine when stable offsite power was first available in the switchyard.

   1.3 Determine when offsite power was first restored to an emergency bus.

   1.4 Determine when offsite power was fully restored (all emergency buses powered from offsite, EDGs secured).

   1.5 Identify any other significant conditions, failures, or unavailabilities that coincided with the LOOP.

2. Model power recovery factors associated with the best estimate case and any defined sensitivity cases.

   2.1 For the best estimate case, the LOOP duration is the time between the occurrence of the LOOP and the time when stable power was available in the switchyard plus the assumed time required to restore power from the switchyard to emergency buses. Attachment C documents the probabilistic analysis of power recovery factors for the best estimate case analysis.

   2.2 If EDGs successfully start and supply emergency loads, plant operators do not typically rush to restore offsite power to emergency buses, preferring to wait until grid stability is more certain. Therefore, a typical upper bound sensitivity case considers the LOOP duration as the time between the occurrence of the LOOP and the time when offsite power was first restored to an emergency bus. Attachment C documents the probabilistic analysis of power recovery factors for the sensitivity case analysis.

3. Model event-specific mission durations for critical equipment for the best estimate case and any defined sensitivity cases. (For most equipment, SPAR model failure probabilities are not functions of defined mission durations and are therefore not affected by this analysis step. Notable exceptions include EDGs and, for PWRs, turbine-driven auxiliary feedwater pumps.)

   3.1 For the best estimate case, mission durations are set equal to the assumed LOOP duration as defined in Step 2.1 above.

   3.2 For a typical upper bound sensitivity case, mission durations are set equal to the time between the occurrence of the LOOP and the time when offsite power was fully restored to all emergency buses. (Note these mission durations are longer than the assumed LOOP duration defined in Step 2.2 above; they are intended to represent the longest possible mission duration for any critical equipment item.)

Attachment C
Power Recovery Modeling

Background

The time required to restore offsite power to plant emergency equipment is a significant factor in modeling the CCDP given a LOOP. SPAR LOOP/SBO models include various sequence-specific ac power recovery factors that are based on the time available to recover power to prevent core damage. For a sequence involving failure of all of the cooling sources, only about 30 minutes would be available to recover power to help avoid core damage. On the other hand, sequences involving successful early inventory control and decay heat removal, but failure of long-term decay heat removal, would accommodate several hours to recover ac power prior to core damage.

In this analysis, offsite power recovery probabilities are based on (1) known information about when power was restored to the switchyard and (2) estimated probabilities of failing to realign power to emergency buses for times after offsite power was restored to the switchyard. Power restoration times were reported by the licensee in the LER and in response to the questionnaire that was conducted by the NRC Regional Office. The time used is the time at which the grid operator informed the plant that power was available to the switchyard (with a load limit). This ASP analysis does not consider the possibility that grid power would have been unreliable if that power were immediately used.

Failure to recover offsite power to plant safety-related loads (if needed because EDGs fail to supply the loads), given recovery of power to the switchyard, could result from (1) operators failing to restore proper breaker line-ups, (2) breakers failing to close on demand, or (3) a combination of operator and breaker failures. The dominant contributor to failure to recover offsite power to plant safety-related loads in this situation is operators failing to restore proper breaker line-ups. The SPAR human error model (ref.) was used to estimate nonrecovery probabilities as a function of time following restoration of offsite power to the switchyard. The best estimate analysis assumes that at least 30 minutes are necessary to restore offsite power to emergency buses given offsite power is available in the switchyard.

Human Error Modeling

The SPAR human error model generally considers the following three factors:

- Probability of failure to diagnose the need for action
- Probability of failure to successfully perform the desired action
- Dependency on other operator actions involved in the specific sequence of interest

This analysis assumes no probability of failure to diagnose the need to recover ac power and no dependency between operator performance of the power recovery task and any other task the operators may need to perform. Thus, each estimated ac power nonrecovery probability is based solely on the probability of failure to successfully perform the desired action.

The probability of failure to perform an action is the product of a nominal failure probability (1.0x10^-3) and the following eight performance shaping factors (PSFs):

- Available time
- Stress
- Complexity
- Experience/training
- Procedures
- Ergonomics
- Fitness for duty
- Work processes

For each ac power nonrecovery probability, the PSF for available time is assigned a value of 10 if the time available to perform the action is approximately equal to the time required to perform the action, 1.0 if the time available is between 2 and 4 times the time required, and 0.1 if the time available is greater than or equal to 5 times the time required. If the time available is inadequate (i.e., less than the time to restoration of power to the switchyard plus 30 minutes for the best estimate), the ac power nonrecovery probability is 1.0 (TRUE).

The PSF for stress is assigned a value of 5 (corresponding to extreme stress) for all ac power nonrecovery probabilities. Factors considered in assigning this PSF include the sudden onset of the LOOP initiating event, the duration of the event, the existence of compounding equipment failures (ac power recovery is needed only if one or more emergency buses are not powered by EDGs), and the existence of a direct threat to the plant.

For all of the ac power nonrecovery probabilities, the PSF for complexity is assigned a value of 2 (corresponding to moderately complex) based on the need for multiple breaker alignments and verifications.

For all of the ac power nonrecovery probabilities, the PSFs for experience/training, procedures, ergonomics, fitness for duty, and work processes are assumed to be nominal (i.e., are assigned values of 1.0).

Results

Table C.1 presents the calculated values for the ac power nonrecovery probabilities used in the best estimate analysis.

Table C.1 AC Power Nonrecovery Probabilities

| Nonrecovery Factor | Nominal Value | PSF: Time Available | PSF: Product of All Others | Nonrecovery Probability |
|---|---|---|---|---|
| OEP-XHE-XL-NR30M | 1.0x10^-3 | Inadequate | 10 | TRUE |
| OEP-XHE-XL-NR01H | 1.0x10^-3 | Inadequate | 10 | TRUE |
| OEP-XHE-XL-NR03H | 1.0x10^-3 | 1 | 10 | 1.0x10^-2 |
| OEP-XHE-XL-NR07H | 1.0x10^-3 | 0.1 | 10 | 1.0x10^-3 |
| OEP-XHE-XL-NR16H | 1.0x10^-3 | 0.1 | 10 | 1.0x10^-2 |

Attachment D
Modified Human Error Events

For this analysis, the values of two operator recovery events, LCS-KEEP-FILL and RHR-A-KEEP-FILL-REC, were updated using the standard SPAR Model Human Error Worksheet. A summary of the worksheet results is provided in Table D.1.

Table D.1 Human Error Basic Event Probabilities

| Nonrecovery Factor | Nominal Value | PSF (1): Time | PSF (1): Stress | PSF (1): Complexity | PSF (1): Training | PSF (1): Procedures | Nonrecovery Probability | Total |
|---|---|---|---|---|---|---|---|---|
| LCS-KEEP-FILL (Diagnosis) | 1.0x10^-2 | .1 | 2 | 2 | 1 | 50 | 2.0x10^-1 | 2.1x10^-1 |
| LCS-KEEP-FILL (Action) | 1.0x10^-3 | .1 | 2 | 1 | 1 | 50 | 1.0x10^-2 | |
| RHR-A-KEEP-FILL-REC (Diagnosis) | 1.0x10^-2 | .1 | 2 | 2 | 1 | 50 | 2.0x10^-1 | 2.1x10^-1 |
| RHR-A-KEEP-FILL-REC (Action) | 1.0x10^-3 | .1 | 2 | 1 | 1 | 50 | 1.0x10^-2 | |

1. All other PSFs were set to nominal (i.e., 1.0).
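
The arithmetic behind Tables C.1 and D.1, as an added Python example that is not part of the NRC analysis or of the SPAR-H worksheet itself. Function and variable names are illustrative; the handling of time ratios that Attachment C leaves undefined (between 1 and 2, and between 4 and 5) and the cap at 1.0 are assumptions.

```python
"""Nonrecovery probabilities built from a nominal value and PSF multipliers."""
from math import prod

NOMINAL_ACTION = 1.0e-3     # nominal action failure probability (Attachment C)
NOMINAL_DIAGNOSIS = 1.0e-2  # nominal diagnosis value listed in Table D.1


def hep(nominal, psfs):
    """Nominal failure probability times the product of all PSF multipliers.

    PSFs left out of the dict are nominal (1.0). The result is capped at
    1.0 because it is a probability (assumption added for this example).
    """
    return min(1.0, nominal * prod(psfs.values()))


def time_psf(available_h, required_h):
    """Available-time PSF using the bands stated in Attachment C.

    Returns None when the time available is inadequate. Ratios the text
    does not cover fall into the more conservative neighbouring band
    (assumption): below 2 is treated as 10, from 2 up to 5 as 1.0.
    """
    if available_h < required_h:
        return None
    ratio = available_h / required_h
    if ratio >= 5:
        return 0.1
    if ratio >= 2:
        return 1.0
    return 10.0


def offsite_power_nonrecovery(window_h, switchyard_h=1.5, realign_h=0.5):
    """Probability that operators fail to re-power an emergency bus in time.

    window_h     hours after the LOOP by which power is needed
    switchyard_h hours after the LOOP when switchyard power returned
    realign_h    hours assumed necessary to realign breakers (30 minutes)
    Stress = 5 and complexity = 2 as assigned in Attachment C; diagnosis
    failure and dependency are not modeled, as the attachment states.
    """
    psf_time = time_psf(window_h - switchyard_h, realign_h)
    if psf_time is None:
        return 1.0  # the event is set to TRUE
    return hep(NOMINAL_ACTION, {"time": psf_time, "stress": 5, "complexity": 2})


def diagnosis_plus_action(diagnosis_psfs, action_psfs):
    """Table D.1 total: diagnosis failure plus action failure."""
    return hep(NOMINAL_DIAGNOSIS, diagnosis_psfs) + hep(NOMINAL_ACTION, action_psfs)


# PSF assignments from Table D.1 (same for LCS-KEEP-FILL and RHR-A-KEEP-FILL-REC).
KEEP_FILL_DIAGNOSIS = {"time": 0.1, "stress": 2, "complexity": 2,
                       "training": 1, "procedures": 50}
KEEP_FILL_ACTION = {"time": 0.1, "stress": 2, "complexity": 1,
                    "training": 1, "procedures": 50}

if __name__ == "__main__":
    for name, window in [("OEP-XHE-XL-NR30M", 0.5), ("OEP-XHE-XL-NR01H", 1.0),
                         ("OEP-XHE-XL-NR03H", 3.0), ("OEP-XHE-XL-NR07H", 7.0),
                         ("OEP-XHE-XL-NR16H", 16.0)]:
        print(f"{name}: {offsite_power_nonrecovery(window):.1e}")
    total = diagnosis_plus_action(KEEP_FILL_DIAGNOSIS, KEEP_FILL_ACTION)
    print(f"keep-fill nonrecovery: {total:.1e}")
```

For the 16-hour factor the product is 1.0x10^-3, the value stated in the Basic Event Probability Changes section and in Table 4.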

[Figure 1: Perry LOOP event tree with dominant sequences highlighted. Top events: IE-LOOP (loss of offsite power), RPS (reactor shutdown), EPS (emergency power), SRV (SRVs close), HCS (HPCS), RCI (RCIC), SPC (suppression pool cooling, early), DEP (manual reactor depressurization), LPI (low pressure injection), VA (alternate low pressure injection), OPR-16H (offsite power recovery in 16 hours), SPC (suppression pool cooling), CSS (containment spray), CVS (containment venting), LI (late injection).]

[Figure 2: Perry LCS Fault Tree (the figure is cropped to show event modification). Basic events shown: LCS-KEEP-FILL 2.1E-1, LCS-STR-PG-LPCS 7.2E-5, RHR-STR-CF-SPOOL 5.6E-8, LCS-CKV-CC-INJEC 1.0E-4, LCS-CKV-CC-PCKV 1.0E-4, LCS-MDP-FR-PUMP 5.1E-4, LCS-MDP-FS-PUMP 1.2E-3; transfers DIV-1-AC and DIV-1-DC.]

[Figure 3: Perry RHR-A Fault Tree (the figure is cropped to show event modification). Basic events shown: RHR-A-KEEP-FILL 1.0E+0, RHR-CKV-CC-PCKVA 1.0E-4, RHR-MDP-FR-PUMPA 5.1E-4, RHR-MDP-FS-PUMPA 1.2E-3.]