Text

Final ASP Analysis - D.C. Cook 1 and 2 (LER 316-01-003)
	ML20112F482
Person / Time
Site:	Cook
Issue date:	05/12/2020
From:	Christopher Hunter; NRC/RES/DRA/PRB
To:	;
	Hunter C (301) 415-1394
References
	IR 2001017, IR 2001019, LER 316-01-003
	Download: ML20112F482 (83)
	v • d • e

1 Final Precursor Analysis Accident Sequence Precursor Program --- Office of Nuclear Regulatory Research D.C. Cook Units 1& 2

1. Degraded ESW Flow Renders Both Unit 2 Emergency Diesel Generators Inoperable

2. Turbine Driven AFW failed due to insufficient engagement of the trip latch mechanism for the turbine trip throttle valve Event Date

1. 08/29/2001

2. 08/09/2001 1-LER 316/01-003-01 &

Inspection Report No:

50-315/01-17 & 50-316/01-17 2-Inspection Report No:

50-315/01-19 & 50-316/01-19 Unit 1 Importance 1.0x10-5 Unit 2 Importance 6.6x10-6 December 10, 2003 Condition Summary 1.

On August 29, 2001 (References 1 & 2), Cook Unit 1 was in MODE 5 for a planned maintenance outage and Unit 2 was in MODE 1. Unit 2 Operations personnel were performing a routine surveillance test of the Essential Service Water (ESW) system in accordance with approved plant procedures. At approximately 2255 hours0.0261 days 0.626 hours 0.00373 weeks 8.580275e-4 months , Unit 2 Operations personnel noted low ESW flow to both of the Unit 2 Emergency Diesel Generator (EDG) heat exchangers. The Unit 1 ESW flows were also checked and it was determined that ESW flow to both Unit 1 EDG heat exchangers was low. All four EDGs were declared inoperable. After flushing the ESW side of the associated heat exchangers both Unit 2 EDGs were declared OPERABLE at 2350 hours0.0272 days 0.653 hours 0.00389 weeks 8.94175e-4 months . These efforts were mostly successful with the exception of ESW flow to one of the two Unit 1 D/Gs.

Also, on August 29th and early on August 30th, the licensee observed abnormally low ESW flow to a Unit 2 component cooling water (CCW) heat exchanger. In response, the licensee cycled the ESW flow inlet and outlet valves associated with the heat exchanger. Following the opening and closing of the valves, flow increased; however, the resultant flow was less than the expected levels.

Because the reasons for the degraded D/G and CCW ESW heat exchanger flow conditions were not fully understood, the licensee shut down Unit 2.

Cause. Following the shutdown, the licensee determined that debris in the ESW system likely was the result of a deformed strainer basket associated with the Unit 1 East ESW pump. Through a review of records, the licensee determined that the Unit 1 East ESW pump discharge strainer basket was likely deformed during installation in 1989. The licensee also determined that an inadequate understanding of the safety function of the strainer baskets and application of the single failure criteria to the ESW system contributed to the event.

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 2

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 2.

On August 9, 2001(Reference 3), the licensee removed the Turbine Driven Auxiliary Feedwater Pump (TDAFWP) from service from Unit 2 to perform several pre-planned maintenance activities. Following completion of these activities on August 10, the licensee performed two unsuccessful TDAFWP start attempts in accordance with their operating procedure. A subsequent TDAFWP start attempt for troubleshooting on August 10, 2001 was also unsuccessful. The licensee investigated the failure and determined that the cause of the failure to start was due to insufficient engagement of the trip latch mechanism for the turbine trip throttle valve. The licensee repaired the trip throttle valve and returned the TDAFWP to an operable status on August 11, 2001.

Cause. The Licensee Procedure 12-MHP 5021.056.007, "Auxiliary Feed Pump Trip and Throttle Valve Linkage Adjustment," specified a trip throttle valve contact alignment criterion, that was less conservative than the contact alignment specified in vendor TDAFWP trip throttle valve test instructions. Alignment of the trip throttle valve using a less conservative contact acceptance criterion could result in less latch engagement than required by a surface contact area acceptance criterion and a greater potential for inadvertent disengagement of the trip throttle latching mechanism. On June 14, 2000, the Unit 2 TDAFWP trip throttle valve was adjusted in accordance with 12-MHP 5021.056.007. Subsequently, on August 10, 2001, the Unit 2 TDAFWP trip throttle valve failed to adequately engage during three start attempts. The licensee determined that the apparent cause of the August 2001 failure was insufficient engagement of the trip throttle valve latching mechanism. The inspectors concluded that an apparent event occurred due to the failure to include appropriate quantitative acceptance criteria in maintenance procedure.

Condition Duration.

1.

Low ESW Flow to EDGs (Units 1&2)

The licensee determined that the Unit 1 East ESW pump discharge strainer basket was likely deformed during installation in 1989. Based on the information in the licensee event report (LER) and the NRC Inspection Report(Reference 2), the assumption was made that the failure could have occurred anytime during full power operation from June 1989 to August 29, 2001. Therefore, the condition duration in this analysis for full power operation was taken as 1 year (8760 hours0.101 days 2.433 hours 0.0145 weeks 0.00333 months ), the maximum time period used for a condition assessment for the Accident Sequence Precursor (ASP) Program.

2.

Unavailability of TDAFWP (Unit 2)

The licensee determined that the TDAFWP was previously tested satisfactorily on May 18, 2001. Because the TDAFWP was not tested between May 18 and August 10, 2001, and there is uncertainty about when the failure cause actually rendered the TDAFW Pump unable to perform its design function, the time for the condition assessment is taken as one-half of the interval (May 18, 2001, to August 10, 2001), or 42 days (1007 hours0.0117 days 0.28 hours 0.00167 weeks 3.831635e-4 months ).

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 3

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 3.

Low ESW Flow to EDGs and Unavailability of TDAFWP (Unit 2)

The condition on EDGs also existed from May 18 and August 10, 2001 when the TDAFWP was not tested and it was determined that TDAFWP was in failed condition. In ASP analysis the unavailability of both EDGs and TDAFWP are considered.

Recovery Opportunities.

1.

Low ESW Flow to EDGs Credit is given to the restoration of ESW flow to the EDG coolers after a flow blockage event. The amount of credit is dependent on the number of EDGs degraded. As part of SDP, the licensee had presented an evaluation of recovery actions associated with this event. The NRC analysts agree that some credit for recovery can be taken even though the actions described are not proceduralized and there are no operator training for this scenario on the basis that these actions were actually carried out during the August 2001 event at the plant, albeit, not during a single or dual-unit LOOP.

2.

Unavailability of TDAFW Recovery of the Unit 2 TDAFWP was not possible following the failure to start. This conclusion was based on the inability of the licensee to start successfully the TDAFWP during three start attempts on August 10, 2001. Additionally, the NRC inspectors concluded that, due to the nature of the TDAFWP trip throttle valve repair activities required, it was not credible to conclude that the pump could be returned to service within the first several hours of an accident.

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 1 Since this condition did not involve an actual initiating event, the parameter of interest is the measure of the incremental increase between the conditional probability for the period in which the condition existed and the nominal probability for the same period but with the condition nonexistent and plant equipment available. This incremental increase or importance is determined by subtracting the CDP from the CCDP. This measure is used to assess the risk significance of hardware unavailabilities especially for those cases where the nominal CDP is high with respect to the incremental increase of the conditional probability caused by the hardware unavailability.

4 Analysis Results Importance1 1.

Low ESW Flow to EDGs - Units 1 and 2 The risk significance of the EDGs being unavailable is determined by subtracting the nominal core damage probability from the conditional core damage probability. For Unit 1, the results are as follows:

conditional core damage probability (CCDP) - mean 8.4E-05 nominal core damage probability (CDP) - mean 7.4E-05 Importance ( CDP):

8.9E-06 95% percentile 2.6E-05 mean 1.0E-05 5% percentile 1.6E-06 This is an increase of 1.0E-5 over the nominal CDP for the 1 year period when the EDGs are assumed to be in a degraded condition and susceptible to failure.

For Unit 2, the mean increase in nominal CDP for the 1 year period is 6.6E-6. The difference between this result and the result from Unit 1 stems from the fact that debris dispersion was estimated to be less likely on the Unit 2 side, thus, the failure probability of the Unit 2 EDGs was estimated to be half that for the Unit 1 EDGs (0.25 versus 0.5).

This is discussed more in detail in Appendix A.

Dominant sequences The dominant core damage sequence for this assumed condition assessment is a station blackout (SBO) sequence (sequence No. 25-02). The events and important component failures in this sequence (highlighted Sequence 25, Figure 1 and Sequence 2, Figure 2)) include:

- A loss of offsite power (LOOP) initiating event,

- Successful reactor trip,

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 5

SENSITIVE - NOT FOR PUBLIC DISCLOSURE

- Failure of the emergency power system due to common cause failure of the emergency diesel generator,

- Successful auxiliary feedwater,

- PORVs are not challenged,

- RCP seals cooling not challenged, and

- Operator fails to recover offsite power before battery depletion The next dominant sequence is also an SBO sequence (Sequence No. 25-09). The events and important component failures in this sequence include:

- A loss of offsite power (LOOP) initiating event,

- Successful reactor trip,

- Failure of the emergency power system due to common cause failure of the emergency diesel generator,

- Successful auxiliary feedwater,

- PORVs are not challenged,

-- RCP seals fail to lack of cooling, and

- Operator fails to recover offsite power before core uncovery, given an RCP seal LOCA.

Results tables

- Table 1-a provides the importance values for some dominant sequences.

- Table 2a-a provides the event tree sequence logic for the dominant sequences.

- Table 2b-a defines the nomenclature used in Table 2a-a.

- Table 3-a provides the conditional cut sets for the dominant sequences.

- Table 4 provides the definitions and probabilities for selected events.

2.

Unavailability of TDAFWP-Unit 2 The risk significance of turbine-driven AFW pump being unavailable for 1007 hours0.0117 days 0.28 hours 0.00167 weeks 3.831635e-4 months is determined by subtracting the total nominal core damage probability from the total conditional core damage probability.

conditional core damage probability (CCDP) - mean 9.7E-06 nominal core damage probability (CDP) - mean 8.7E-06 Importance ( CDP):

1.1E-06 95% percentile 1.7E-06 mean 1.1E-06 5% percentile 2.0E-07

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 6

SENSITIVE - NOT FOR PUBLIC DISCLOSURE This is an increase of 1.1E-6 over the nominal CDP for the analyzed 1007 hours0.0117 days 0.28 hours 0.00167 weeks 3.831635e-4 months period when the TDAFW Pump is assumed to be in a degraded condition and susceptible to failure.

Dominant sequences The dominant core damage sequence for this assumed condition assessment is a station blackout (SBO) sequence (sequence No. 25-02). The events and important component failures in this sequence (highlighted Sequence 25, Figure 1 and Sequence 2, Figure 2)) include:

- A loss of offsite power (LOOP) initiating event,

- Successful reactor trip,:

- Failure of the emergency power system due to common cause failure of the emergency diesel generator,

- Successful auxiliary feedwater,

- PORVs are not challenged,

- RCP seals cooling not challenged, and

- Operator fails to recover offsite power before battery depletion Results tables

- Table 1-b provides the importance values for some dominant sequences.

- Table 2a-b provides the event tree sequence logic for the dominant sequences.

- Table 2b-b defines the nomenclature used in Table 2a-b.

- Table 3-b provides the conditional cut sets for the dominant sequences.

- Table 4 provides the definitions and probabilities for selected events.

3.

TDAFWP Unavailability Duration Overlapped by Low ESW Flow to EDGs Duration For a Dual Event LOOP - Unit 2 For the period of 1007 hours0.0117 days 0.28 hours 0.00167 weeks 3.831635e-4 months where both the potential of ESW clogging event and the TDAFW pump unavailability event could occur concurrently, the SPAR results show a mean CDP of 1.1E-06. For the remaining 7753 hours0.0897 days 2.154 hours 0.0128 weeks 0.00295 months of the year, the TDAFW pump was available and the mean CDP was calculated for the ESW event by itself. This CDP is of 4.3E-06. Therefore, over a 1-year period used to describe this ASP event for Unit 2, the mean CDP was estimated to be 5.6E-6.

Dominant sequences The dominant core damage sequence for this assumed condition assessment is a station blackout (SBO) sequence (sequence No. 25-02). The events and important

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 7

SENSITIVE - NOT FOR PUBLIC DISCLOSURE component failures in this sequence (highlighted Sequence 25, Figure 1 and Sequence 2, Figure 2)) include:

- A loss of offsite power (LOOP) initiating event,

- Successful reactor trip,:

- Failure of the emergency power system due to common cause failure of the emergency diesel generator,

- Successful auxiliary feedwater,

- PORVs are not challenged,

- RCP seals cooling not challenged, and

- Operator fails to recover offsite power before battery depletion Results tables

- Table 1-c provides the importance values for some dominant sequences.

- Table 2a-c provides the event tree sequence logic for the dominant sequences.

- Table 2b-c defines the nomenclature used in Table 2a-b.

- Table 3-c provides the conditional cut sets for the dominant sequences.

- Table 4 provides the definitions and probabilities for selected events.

SENSITIVE - NOT FOR PUBLIC DISCLOSURE IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 8

SENSITIVE - NOT FOR PUBLIC DISCLOSURE Modeling Assumptions Assessment summary 1.

Low ESW Flow to EDGs This event was modeled as an at-power condition (dual unit LOOP) assessment with probability that the emergency diesel generators unavailable for 1 year and clogging of emergency diesel generators in 30 minutes to one hour.

2.

Unavailability of TDAFW Unit 2 This event was modeled as an at-power condition assessment with the TDAFW pump unavailable for 42 days (1007 hours0.0117 days 0.28 hours 0.00167 weeks 3.831635e-4 months ).

The Revision 3i Standardized Plant Analysis Risk (SPAR) model for D.C. Cook (Ref. 4) was used for these assessments. The Revision 3i SPAR model includes event trees for transients (including loss of feedwater and a transfer tree for anticipated transient without scram or ATWS), loss of offsite power (including a transfer tree for station blackout), small loss-of-coolant accident, and steam generator tube rupture. These event trees were used in the analysis. The discussion below provides the bases for significant changes to the model.

Basic event probability changes Table 4 provides the basic events that were modified to reflect the conditions being analyzed. The bases for these changes are as follows:

1.

Low ESW Flow to EDGs Probability of failure of the Emergency Diesel Generators 1A and 1B During a Dual Unit LOOP. The probability that the EDGs would clog was set as shown in Appendix A.

The uncertainty distributions for failure probabilities and initiating event frequencies were updated so that the analysis of parameter uncertainty can be performed.

2.

Unavailability of TDAFW Unit 2 Probability of failure of the TDAFW pump (AFW-TDP-FR-P1A, and AFW-XHE-XL-TDFR ). The probability that the pump would fail to run and that there will be no recovery was set to TRUE (failure probability of 1.0) to reflect the failure of the train to provide flow.

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 9

SENSITIVE - NOT FOR PUBLIC DISCLOSURE Non-recovery probabilities for the auxiliary feedwater system. Based on the failure cause (oil leak), the TDAFW pump was not considered recoverable within the time period available for a LOOP event (dominant sequence). The sequence non-recovery probabilities for the dominant sequences were modified to account for the non-recovery of the AFW system during a LOOP (see Table 4).

Model update The SPAR model for D.C. Cook was updated to account for:

Updates of system/component failure probabilities and initiating event frequencies based on recent operating experience, Initiating event frequency updates-Generic PWR Loss of offsite power initiating event frequency update-Plant specific Changes in the probability of failing to recover AFW in 1007 hours0.0117 days 0.28 hours 0.00167 weeks 3.831635e-4 months to account for estimated core uncovery times for conditional assessment sequences (Ref. 4),

The bases for these updates are described in the footnotes to Table 4.

SPAR model used in the analysis D.C. Cook Units 1&2 Version 3.01, 3/2003 (Reference 4).

Unique system and operational considerations None Modifications to event tree and fault tree models Modifications to the emergency power fault tree models. The fault trees for emergency power were modified to add the capability of recovery of each EDG during silt intrusion. This modification added a number of basic events to the 3.01 model for recovery of EDGs (see Figures 3 through 14). The following basic events added:

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 10 SENSITIVE - NOT FOR PUBLIC DISCLOSURE EPS-STRAINER-FAILED PROBABILITY THAT FAILED STRAINER IN SERVICE DURING A LOOP EPS-DGN-CLOGG-1ADG PROBABILITY OF DEBRIS CARRY OVER TO ONE EDG IN UNIT 1 EPS-DGN-CLOGG-2ADG PROBABILITY OF DEBRIS CARRY OVER TO ONE EDG IN EACH UNITS EPS-DGN-CLOGG-2BDG PROBABILITY OF DEBRIS CARRY OVER TO BOTH EDGS IN ONE UNIT EPS-DGN-CLOGG-3ADG PROBABILITY OF DEBRIS CARRY OVER TO 2 EDGS IN U1 AND 1 IN U2 EPS-DGN-CLOGG-3BDG PROBABILITY OF DEBRIS CARRY OVER TO 1 EDG IN U1 AND 2 IN U2 EPS-DGN-CLOGG-4DG PROBABILITY OF DEBRIS CARRY OVER TO TWO EDGS IN EACH UNITS EPS-DEBRIS-INTAKE PROBABILITY THAT DEBRIS WITHIN INTAKE STRUCTURE Initiating event probability changes Updating initiating event frequencies for dual LOOP based on recent operating experience The initiating event frequency for a dual LOOP used a generic value of 1.0E-06 per hour for the case of silt intrusion (see Appendix A). No other changes were made to the other initiating events Recovery Rules The following sequence recovery rule is added, since with failure of service water pump 1E, no clogging can be occured (the defected strainer is on service water pump 1E) if (ESW-MDP-FR-1E

EPS-DGN-CLOGG-2ADG+

ESW-MDP-FR-1E

EPS-DGN-CLOGG-2BDG+

ESW-MDP-FR-1E

EPS-DGN-CLOGG-3ADG+

ESW-MDP-FR-1E

EPS-DGN-CLOGG-3BDG+

ESW-MDP-FR-1E

EPS-DGN-CLOGG-4DG+

ESW-MDP-FS-1E

EPS-DGN-CLOGG-2ADG+

ESW-MDP-FS-1E

EPS-DGN-CLOGG-2BDG+

ESW-MDP-FS-1E

EPS-DGN-CLOGG-3ADG+

ESW-MDP-FS-1E* EPS-DGN-CLOGG-3BDG+

ESW-MDP-FS-1E

EPS-DGN-CLOGG-4DG+

ESW-MDP-TM-1E

EPS-DGN-CLOGG-2ADG+

ESW-MDP-TM-1E

EPS-DGN-CLOGG-2BDG+

ESW-MDP-TM-1E

EPS-DGN-CLOGG-3ADG+

ESW-MDP-TM-1E

EPS-DGN-CLOGG-3BDG+

ESW-MDP-TM-1E

EPS-DGN-CLOGG-4DG) then DeleteRoot; endif

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 11 SENSITIVE - NOT FOR PUBLIC DISCLOSURE References 1.

Licensee Event Report 316/00-003 Revision 1, Degraded ESW Flow Renders Both Unit 2 Emergency Generators Inoperable, report date October 25, 2001(ADAMS Accession No. ML020220028)..

2.

Inspection Report No 50-315/01-17, 50-316/01-17 March 21, 2002 (ADAMS Accession No. ML020940050).

3.

Inspection Report No: 50-315/01-19, 50-316/01-19, January 10, 2002 (ADAMS Accession No. ML020600192).

4.

Scott T. Beck, Standardized Plant Analysis Risk Model for D. C. Cook Units 1 & 2 (ASP PWR B), Revision 3.01, INEEL, March 2003.

5.

J. P. Poloski, et al., Rates of Initiating Events at U.S. Nuclear Power Plants: 1987-1995, NUREG/CR-5750, U.S. Nuclear Regulatory Commission, Washington, DC, February 1999.

6.

J. P. Poloski, et. al., Reliability Study: Auxiliary/Emergency Feedwater System, 1987-1995, NUREG/CR-5500, Vol. 1, U. S. Nuclear Regulatory Commission, Washington, DC, August 1998.

7.

C. L. Atwood, et al., Evaluation of Loss of Offsite Power Events at Nuclear Power Plants: 1980-1996, NUREG/CR-5496, U.S. Nuclear Regulatory Commission, Washington, DC, November 1998.

8.

F. M. Marshall, et al., Common-Cause Failure Parameter Estimations, NUREG/CR-5497, U.S. Nuclear Regulatory Commission, Washington, DC, October 1998.

9.

G. M. Grant, et al., Reliability Study: Emergency Diesel Generator Power System, 1987-1993, NUREG/CR-5500, Vol. 5, U.S. Nuclear Regulatory Commission, Washington, DC, September 1999.

6.

Scott T. Beck, Standardized Plant Analysis Risk Model for D. C. Cook Units 1 &2 (ASP BWR C), Revision 3i, INEEL, July 2000.

10.

Debris Intrusion into the Essential Service Water System, Probabilistic Evaluation April 2002. Donald C. Cook Nuclear Plant NTS-2002-010-REP, Rev. 0 11.

Human Reliability Analysis of the Recovery of ESW Flow to Emergency Diesel Generators after Blockage at Cook Nuclear Plant, Donald C. Cook Nuclear Plant 12.

ASP guidelines Fire-induced accident sequence precursor analysis methodology (draft)

Prepared By: J. R. Houghton and E. B. Goldfeiz.

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 12 SENSITIVE - NOT FOR PUBLIC DISCLOSURE 13 Docket 50-315 and 50-316, AEP NRC-2003, Donald C. Cook Nuclear Plant Unit 1 and Unit 2 review of preliminary accident sequence precursor analysis of August 2001, operational condition.

14.

A memo from Cynthia D. Pederson, Director, Division of Reactor Safety (DRS), Region III, to Patrick Baranowsky, Chief, Operating Experience Risk Analysis Branch (OERAB),

Division of Risk Analysis and Application (DRAA), Office of Nuclear Regulatory Research (RES) (dated July 30, 2003), provided review comments on the Preliminary Precursor Analysis of the condition reported in LER 315/01-017.

15.

A memo from Michael Tschiltz, Chief, Probabilistic Safety Assessment Branch, Division of Safety System Analysis (DSSA), Office of Nuclear Reactor Regulation (NRR), to Patrick Baranowsky, Chief, OERAB, DRAA, RES (dated August 26, 2003), provided peer review comments on the Preliminary Precursor Analysis of the condition reported in LER 315/01-017.

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 13 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table 1-a. Importance associated with the highest probability sequences.1 Event tree name Sequence no.

Conditional core damage probability (CCDP)

Core damage probability (CDP)

Importance(mean)

(CCDP - CDP)3 LOOP 25-02 6.6E-006 9.4E-007

LOOP 25-09 1.8E-006 2.9E-007

Total (all sequences)2 8.6E-005 7.6E-005 1.0E-005 1(File Name: (Case2(0.5,0.25,0.3).wpd) 2Total importance includes all sequences (including those not shown in this table).

3Importance is calculated using the total CCDP and total CDP from all sequences. Sequence level importance measures are not additive.

Table 2a. Event tree sequence logic for dominant sequences.

Event tree name Sequence no.

Logic

(/ denotes success; see Table 2b for fault tree names)

LOOP 25-02

/RPS EPS, /AFW3, /PORV4, /RCPSL, OEP-BD LOOP 25-09

/RPS EPS, /AFW3, /PORV4, RCPSL, OEP-SL Table 2b. Definitions of top events listed in Table 2a.

Top event Definition RPS REACTOR FAILS TO TRIP EPS EMERGENCY POWER IS UNAVAILABLE AFW3 AFW USING SBO-FT FAULT TREE FLAGS PORV4 PORVs/SRVs OPEN DURING STATION BLACKOUT RCPSL REACTOR COOLANT PUMP SEALS FAIL FROM LACK OF COOLING OEP-SL OPERATOR FAILS TO RECOVER OFFSITE POWER (SEAL LOCA)

OEP-BD OPERATOR FAILS TO RECOVER OFFSITE POWER BEFORE BATTER DEPLETION

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 14 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table 3-a. Conditional cut sets for the dominant sequences.1 CCDP/hr Percent contribution Minimum cut sets Event Tree: LOOP, Sequence 25-02 2.6E-010 38 OEP-XHE-NOREC-BD /RCP-MDP-LK-SEALS EPS-DEBRIS-INTAKE EPS-STRAINER-FAILED HEP-DGNS EPS-DGN-CLOGG-2BDG 2.2E-010 31.9

/OEP-XHE-NOREC-BD /RCP-MDP-LK-SEALS EPS-DEBRIS-INTAKE EPS-STRAINER-FAILED HEP-DGNS EPS-DGN-CLOGG-3ADG 5.8e-011 8.5 OEP-XHE-NOREC-BD /RCP-MDP-LK-SEALS EPS-DEBRIS-INTAKE EPS-STRAINER-FAILED EPS-DGN-CLOGG-4DG HEP-DGNS-4 6.8E-010 Total2 Event Tree: LOOP, Sequence 25-09 7.8E-011 38 OEP-XHE-NOREC-SL RCP-MDP-LK-SEALS EPS-DEBRIS-INTAKE EPS-STRAINER-FAILED HEP-DGNS EPS-DGN-CLOGG-2BDG 6.5E-011 31.9

/OEP-XHE-NOREC-SL RCP-MDP-LK-SEALS EPS-DEBRIS-INTAKE EPS-STRAINER-FAILED HEP-DGNS EPS-DGN-CLOGG-3ADG 1.8e-011 8.5 OEP-XHE-NOREC-SL RCP-MDP-LK-SEALS EPS-DEBRIS-INTAKE EPS-STRAINER-FAILED EPS-DGN-CLOGG-4DG HEP-DGNS-4 2.1E-010 Total2 1See Table 4 for definitions and probabilities for the basic events.

2Total CCDP includes all cut sets (including those not shown).

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 15 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table 1-b. Importance associated with the highest probability sequences.1 Event tree name Sequence no.

Conditional core damage probability (CCDP)

Core damage probability (CDP)

Importance(mean)

(CCDP - CDP)3 LOOP 25-02 4.9E-007 1.1E-007

Total (all sequences)2 9.7E-006 8.6E-006 1.1E-006 1(File Name: GEM TDAFW1007.wpd) 2Total importance includes all sequences (including those not shown in this table).

3Importance is calculated using the total CCDP and total CDP from all sequences. Sequence level importance measures are not additive.

Table 2a-b. Event tree sequence logic for dominant sequences.

Event tree name Sequence no.

Logic

(/ denotes success; see Table 2b-b for fault tree names)

LOOP 25-02 RPS EPS, /AFW3, /PORV4, /RCPSL, OEP-BD Table 2b-b. Definitions of top events listed in Table 2a-a.

Top event Definition RPS REACTOR FAILS TO TRIP EPS EMERGENCY POWER IS UNAVAILABLE AFW3 AFW USING SBO-FT FAULT TREE FLAGS PORV4 PORVs/SRVs OPEN DURING STATION BLACKOUT RCPSL REACTOR COOLANT PUMP SEALS FAIL FROM LACK OF COOLING OEP-BD OPERATOR FAILS TO RECOVER OFFSITE POWER BEFORE BATTER DEPLETION

SENSITIVE - NOT FOR PUBLIC DISCLOSURE IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 16 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table 3-b. Conditional cut sets for the dominant sequences.1 CCDP/hr Percent contribution Minimum cut sets Event Tree: LOOP 25-02 2.0E-010 44.8 OEP-XHE-NOREC-BD /RCP-MDP-LK-SEALS EPS-DEBRIS-INTAKE EPS-STRAINER-FAILED HEP-DGNS EPS-DGN-CLOGG-3ADG 6.5E-011 13.4 OEP-XHE-NOREC-BD /RCP-MDP-LK-SEALS EPS-DEBRIS-INTAKE EPS-STRAINER-FAILED HEP-DGNS EPS-DGN-CLOGG-2BDG 5.8E-011 12 OEP-XHE-NOREC-BD /RCP-MDP-LK-SEALS EPS-DEBRIS-INTAKE EPS-STRAINER-FAILED EPS-DGN-CLOGG-4DG HEP-DGNS-4 4.8E-010 Total2 1See Table 4 for definitions and probabilities for the basic events.

2Total CCDP includes all cut sets (including those not shown).

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 17 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table 1-c. Importance associated with the highest probability sequences.1 Event tree name Sequence no.

Conditional core damage probability (CCDP)

Core damage probability (CDP)

Importance(mean)

(CCDP - CDP)3 LOOP 25-02 3.8E-006 8.4E-007

Total (all sequences)2 7.1E-005 6.8E-005 5.6E-006 1(File Name: GEM TDAFWEDG7753.wpd) 2Total importance includes all sequences (including those not shown in this table).

3Importance is calculated using the total CCDP and total CDP from all sequences. Sequence level importance measures are not additive.

Table 2a-c. Event tree sequence logic for dominant sequences.

Event tree name Sequence no.

Logic

(/ denotes success; see Table 2b-b for fault tree names)

LOOP 25-02

/RPS EPS, /AFW3, /PORV4, /RCPSL, OEP-BD Table 2b-c. Definitions of top events listed in Table 2a-a.

Top event Definition RPS REACTOR FAILS TO TRIP EPS EMERGENCY POWER IS UNAVAILABLE AFW3 AFW USING SBO-FT FAULT TREE FLAGS PORV4 PORVs/SRVs OPEN DURING STATION BLACKOUT RCPSL REACTOR COOLANT PUMP SEALS FAIL FROM LACK OF COOLING OEP-BD OPERATOR FAILS TO RECOVER OFFSITE POWER BEFORE BATTER DEPLETION

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 18 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table 3-c. Conditional cut sets for the dominant sequences.1 CCDP/hr Percent contribution Minimum cut sets Event Tree: LOOP, Sequence 25-02 2.2E-010 44.8 OEP-XHE-NOREC-BD /RCP-MDP-LK-SEALS EPS-DEBRIS-INTAKE EPS-STRAINER-FAILED HEP-DGNS EPS-DGN-CLOGG-3ADG 6.5E-011 13.5 OEP-XHE-NOREC-BD /RCP-MDP-LK-SEALS EPS-DEBRIS-INTAKE EPS-STRAINER-FAILED HEP-DGNS EPS-DGN-CLOGG-2BDG 5.8E-011 12 OEP-XHE-NOREC-BD /RCP-MDP-LK-SEALS EPS-DEBRIS-INTAKE EPS-STRAINER-FAILED EPS-DGN-CLOGG-4DG HEP-DGNS-4 4.8E-010 Total2 1See Table 4 for definitions and probabilities for the basic events.

2Total CCDP includes all cut sets (including those not shown).

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 19 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table 4. Definitions and probabilities for modified or dominant basic events.

Event name Description Probability/

Frequency Modified IE-DUAL-LOOP DUAL UNIT LOSS OF OFFSITE POWER INITIATING EVENT FREQUENCY PER HOUR 1.0E-06 YES1 AFW-TDP-FR-1 TURBINE-DRIVEN AFW PUMPS FAILURE PROBABILITY 2.8E-02 NO AFW-MDP-FS-1 MOTOR-DRIVEN PUMPS COMMON CAUSE FAILURE 6.83E-3 NO RCS-MDP-LK-SEALS RCP SEALS FAIL W/O COOLING AND INJECTION 1.1E-01 NO AFW-TDP-FR-1 TURBINE-DRIVEN AFW PUMPS FAILURE PROBABILITY TRUE YES2 AFW-MDP-FS-1 MOTOR-DRIVEN PUMPS COMMON CAUSE FAILURE TRUE YES2 OEP-XHE-NOREC-SL OPERATOR FAILS TO RECOVER OFFSITE POWER (SEAL LOCA) 1.1E-01 NO HEP-DGN-1A PROBABILITY TO RECOVER 1 EDG (ONE EDG CLOGGED IN EACH UNIT) 7.0E-02 YES3 HEP-DGNS PROBABILITY TO RECOVER ONE EDG( 2 OR 3 EDGS CLOGGED) 2.2E-01 YES3 HEP-DGNS-4 PROBABILITY TO RECOVER 1 EDG(TWO EDGS CLOGGED IN EACH UNITS) 4.0E-01 YES3 EPS-DGN-FR-1AB DIESEL GENERATOR 1AB FAILS TO RUN 1.1E-002 NO EPS-DGN-FR-1CD GENERATOR 1CD FAILS TO RUN 1.1E-02 NO EPS-DGN-FS-1AB DIESEL GENERATOR 1AB FAILS TO START 9.9E-003 NO EPS-DGN-FS-1CD DIESEL GENERATOR 1CD FAILS TO START 9.9E-003 NO EPS-DGN-TM-1AB DIESEL GENERATOR 1AB UNAVAILABLE DUE TO TEST 3.1E-002 NO EPS-DGN-TM-1CD DIESEL GENERATOR 1CD UNAVAILABLE DUE TO TEST 3.1E-002 NO EPS-STRAINER-FAILED PROBABILITY THAT FAILED STRAINER IN SERVICE DURING A LOOP 0.77 YES4 EPS-DGN-CLOGG-1AD G

PROBABILITY OF DEBRIS CARRY OVER TO ONE EDG IN UNIT 1 1.8E-001 YES4 EPS-DGN-CLOGG-2AD G

PROBABILITY OF DEBRIS CARRY OVER TO ONE EDG IN EACH UNITS 2.5E-001 YES4 EPS-DGN-CLOGG-2BD G

PROBABILITY OF DEBRIS CARRY OVER TO BOTH EDGS IN ONE UNIT 1.3E-001 YES4 EPS-DGN-CLOGG-3AD G

PROBABILITY OF DEBRIS CARRY OVER TO 2 EDGS IN U1 AND 1 IN U2 1.1E-001 YES4 EPS-DGN-CLOGG-3BD G

PROBABILITY OF DEBRIS CARRY OVER TO 1 EDG IN U1 AND 2 IN U2 5.3E-002 YES4 EPS-DGN-CLOGG-4DG PROBABILITY OF DEBRIS CARRY OVER TO TWO EDGS IN EACH UNITS 1.6E-002 YES4 EPS-DEBRIS-INTAKE PROBABILITY THAT DEBRIS WITHIN INTAKE STRUCTURE 0.3 YES4 OEP-XHE-NOREC-BD OPERATOR FAILS TO RECOVER OFFSITE POWER BEFORE BATTERY DEPLETION 4.5E-002 NO OEP-XHE-NOREC-ST OPERATOR FAILS TO RECOVER OFFSITE POWER IN SH 1.1E-001 NO PPR-SRV-CO-SBO PORVS/SRVS OPEN DURING STATION BLACKOUT 3.7E-001 NO

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 Event name Description Probability/

Frequency Modified 20 SENSITIVE - NOT FOR PUBLIC DISCLOSURE PPR-SRV-OO-PRV1 PORV 1 FAILS TO RECLOSE AFTER OPENING 3.0E-002 NO PPR-SRV-OO-PRV2 PORV 2 FAILS TO RECLOSE AFTER OPENING 3.0E-002 NO PPR-SRV-OO-PRV3 PORV 3 FAILS TO RECLOSE AFTER OPENING 3.0E-002 NO Notes:

1.

Base model updated based on NUREG/CR-5750, Table H-3(Reference 4)and NUREG/CR-5496 2.

Basic event was changed to reflect condition being analyzed. TRUE has a failure probability of 1.0. FALSE has a probability of 0.0.

3.

SPAR HRA Worksheet 4.

See Appendix A

HPR HIGH PRESSURE RECIRC RHR RESIDUAL HEAT REMOVAL COOLDOWN RCS COOLDOWN SGCOOL SECONDARY COOLING RECOVERED OEP-6H OFFSITE POWER REC IN 6 HRS OEP-2H OFFSITE POWER REC IN 2 HRS FAB1 FEED AND BLEED HPI2 HIGH PRESSURE INJECTION RCPSL3 RCP SEALS SURVIVE LOSS OF COOLING PORV3 PORVs ARE CLOSED AFW2 AUXILIARY FEEDWATER EPS EMERGENCY POWER RPS REACTOR PROTECTION SYSTEM IE-LOOP LOSS OF OFFSITE POWER END-STATE 1

OK 2

OK 3

OK 4

CD 5

OK 6

CD 7

OK 8

CD 9

CD 10 OK 11 OK 12 CD 13 OK 14 CD 15 OK 16 CD 17 CD 18 OK 19 OK 20 CD 21 OK 22 OK 23 CD 24 CD 25 T SBO 26 CD HPR1 Figure 1 LOOP Sequence 25 21 SENSITIVE - NOT FOR PUBLIC DISCLOSURE IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003

HPR HIGH PRESSURE RECIRC RHR RESIDUAL HEAT REMOVAL COOLDOWN RCS COOLDOWN FAB FEED AND BLEED HPI HIGH PRESSURE INJECTION OEP-BD OFFSITE PWR RECOVERY BEFORE BAT DEPL OEP-SL OFFSITE POWER REC DURING SEALLOCA RCPSL RCP SEALS SURVIVE SBO OEP-1H OFFSITE POWER RECOVERY IN 1 HR PORV4 PORVs ARE CLOSED AFW3 AUXILIARY FEEDWATER EPS FAILURE OF EMERGENCY POWER END-STATE 1

OK 2

CD 3

OK 4

OK 5

CD 6

OK 7

CD 8

CD 9

CD 10 OK 11 CD 12 CD 13 CD 14 OK 15 CD Figure 2 SBO Sequence 25-02 22 SENSITIVE - NOT FOR PUBLIC DISCLOSURE IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003

EPS ACP-T11AB ACP-T11CD EMERGENCY POWER IS UNAVAILABLE 4160 VAC BUS T11A/B IS UNAVAILABLE 4160 VAC BUS T11C/D IS UNAVAILABLE Figure 3 Emergency Power 23 I SENSITIVE - NOT FOR PUBLIC DISCLOSURE IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003

ACP-T11AB ACP-BAC-LP-1AB ACP-A-AC-1 LOOP-A EPS-DGNAB 4160 VAC BUS T11A/B FAILS AC POWER 4160V T11A/B BUS FAILS LOSS OF POWER TO T11A/B 4160V AC BUS LOSS OF DIV A OFFSITE POWER FLAG FAILURE OF DIESEL GENERATOR AB Figure 4 BUS TA11/AB 24 SENSITIVE - NOT FOR PUBLIC DISCLOSURE IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003

ACP-T11CD ACP-BAC-LP-1CD ACP-B-AC-1 EPS-DGNCD LOOP-B 4160 VAC BUS T11C/D FAILS AC POWER 4160V T11C/D BUS FAILS LOSS OF POWER TO T11C/D 4160V AC BUS FAILURE OF DIESEL GENERATOR CD LOSS OF DIV B OFFSITE POWER FLAG Figure 5 BUS TA11/CD 25 SENSITIVE - NOT FOR PUBLIC DISCLOSURE IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003

EPS-DGNCD EPS-DGNB-1 EPS-DGN-FS-1CD EPS-DGN-FR-1CD EPS-DGN-TM-1CD EPS-XHE-XR-1CD EPS-DGNB-2 DCP-BDC-LP-1CD DCP-BAT-LP-CD DCP-BAT-CF-ALL DGN-ESW-B EPS-DGN-CF-STRT EPS-DGN-CF-RUN ACP-BAC-LP-1CD DGN-CLOGG-B ESW LOOP B FAILS TO DIESEL GENERATOR 1CD ELECTRICAL FAILURES OF DIESEL GENERATOR 1CD FAILURES OF DIESEL ENGINE 1CD DIESEL GENERATOR 1CD FAILURES COMMON CAUSE FAILURE OF DIESEL GENERATORS TO RUN COMMON CAUSE FAILURE OF DIESEL GENERATORS TO START OP FAILS TO RESTORE DIESEL GENERATOR 1CD DIESEL GENERATOR 1CD UNAVAILABLE DUE TO TEST AND MAINTENANCE DIESEL GENERATOR 1CD FAILS TO RUN DIESEL GENERATOR 1CD FAILS TO START CCF OF 250VDC BATTERYS AB AND CD FAILURE OF 250VDC BATTERY CD FAILURE OF 250VDC BUS TDCD 4160 V AC T11C/D BUS FAILS DIESEL GENERATOR 1B CLOGGED DUE TO DEBRIS Figure 6 DIESEL GENERATOR 1CD 26 SENSITIVE - NOT FOR PUBLIC DISCLOSURE IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003

DGN-CLOGG-A DGN-CLOGG-1A DGN-CLOGG-2A DGN-CLOGG-2B DGN-CLOGG-3A DGN-CLOGG-3B DGN-CLOGG-4 DIESEL GENERATOR 1AB CLOGGED DUE TO DEBRIS DIESEL GENERATOR CLOGGED DUE TO DEBRIS CASE-2A DIESEL GENERATOR CLOGGED DUE TO DEBRIS CASE-2B DIESEL GENERATOR CLOGGED DUE TO DEBRIS CASE-3A DIESEL GENERATOR CLOGGED DUE TO DEBRIS CASE-3B DIESEL GENERATO R CLOGGED DUE TO DEBRIS CASE-4 DIESEL GENERATOR CLOGGED DUE TO DEBRIS CASE-1A Figure 7 EDG 1AB 27 SENSITIVE - NOT FOR PUBLIC DISCLOSURE IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003

DGN-CLOGG-B DGN-CLOGG-2B DGN-CLOGG-3A DGN-CLOGG-4 DIESEL GENERATOR 1B CLOGGED DUE TO DEBRIS DIESEL GENERATOR CLOGGED DUE TO DEBRIS CASE-2B DIESEL GENERATOR CLOGGED DUE TO DEBRIS CASE-3A DIESEL GENERATOR CLOGGED DUE TO DEBRIS CASE-4 Figure 8 EDG 1CD 28 SENSITIVE - NOT FOR PUBLIC DISCLOSURE IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003

DGN-CLOGG-1A HEP-DGN-1A EPS-DEBRIS-INTAKE EPS-STRAINER-FAILED EPS-DGN-CLOGG-1ADG DIESEL GENERATOR CLOGGED DUE TO DEBRIS CASE-1A PROBABILITY TO RECOVER 1 EDG (ONE EDG CLOGGED IN EACH UNIT)

PROBABILITY THAT DEBRIS WITHIN INTAKE STRUCTURE PROBABILITY THAT FAILED STRAINER IN SERVICE DURING A LOOP PROBABILITY OF DEBRIS CARRY OVER TO ONE EDG IN UNIT 1 Figure 9 29 SENSITIVE - NOT FOR PUBLIC DISCLOSURE IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003

DGN-CLOGG-2A HEP-DGNS EPS-DEBRIS-INTAKE EPS-STRAINER-FAILED EPS-DGN-CLOGG-2ADG DIESEL GENERATOR CLOGGED DUE TO DEBRIS CASE-2A PROBABILITY OF DEBRIS CARRY OVER TO ONE EDG IN EACH UNITS PROBABILITY THAT FAILED STRAINER IN SERVICE DURING A LOOP PROBABILITY THAT DEBRIS WITHIN INTAKE STRUCTURE PROBABILITY TO RECOVER ONE EDG( 2 OR 3 EDGS CLOGGED)

Figure 10 30 SENSITIVE - NOT FOR PUBLIC DISCLOSURE IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003

DGN-CLOGG-2B HEP-DGNS EPS-DEBRIS-INTAKE EPS-STRAINER-FAILED EPS-DGN-CLOGG-2BDG DIESEL GENERATOR CLOGGED DUE TO DEBRIS CASE-2B PROBABILITY OF DEBRIS CARRY OVER TO BOTH EDGS IN ONE UNIT PROBABILITY THAT DEBRIS WITHIN INTAKE STRUCTURE PROBABILITY THAT FAILED STRAINER IN SERVICE DURING A LOOP PROBABILITY TO RECOVER ONE EDG( 2 OR 3 EDGS CLOGGED)

Figure 11 31 SENSITIVE - NOT FOR PUBLIC DISCLOSURE IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003

DGN-CLOGG-3A HEP-DGNS EPS-DEBRIS-INTAKE EPS-STRAINER-FAILED EPS-DGN-CLOGG-3ADG DIESEL GENERATOR CLOGGED DUE TO DEBRIS CASE-3A PROBABILITY OF DEBRIS CARRY OVER TO 2 EDGS IN U1 AND 1 IN U2 PROBABILITY THAT DEBRIS WITHIN INTAKE STRUCTURE PROBABILITY THAT FAILED STRAINER IN SERVICE DURING A LOOP PROBABILITY TO RECOVER ONE EDG( 2 OR 3 EDGS CLOGGED)

Figure 12 32 SENSITIVE - NOT FOR PUBLIC DISCLOSURE IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003

DGN-CLOGG-3B HEP-DGNS EPS-DEBRIS-INTAKE EPS-STRAINER-FAILED EPS-DGN-CLOGG-3BDG DIESEL GENERATOR CLOGGED DUE TO DEBRIS CASE-3B PROBABILITY OF DEBRIS CARRY OVER TO 1 EDG IN U1 AND 2 IN U2 PROBABILITY THAT DEBRIS WITHIN INTAKE STRUCTURE PROBABILITY TO RECOVER ONE EDG( 2 OR 3 EDGS CLOGGED)

PROBABILITY THAT FAILED STRAINER IN SERVICE DURING A LOOP Figure 13 33 SENSITIVE - NOT FOR PUBLIC DISCLOSURE IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003

DGN-CLOGG-4 HEP-DGNS-4 EPS-DEBRIS-INTAKE EPS-STRAINER-FAILED EPS-DGN-CLOGG-4DG DIESEL GENERATOR CLOGGED DUE TO DEBRIS CASE-4 PROBABILITY OF DEBRIS CARRY OVER TO TWO EDGS IN EACH UNITS PROBABILITY THAT DEBRIS WITHIN INTAKE STRUCTURE PROBABILITY THAT FAILED STRAINER IN SERVICE DURING A LOOP PROBABILITY TO RECOVER 1 EDG(TWO EDGS CLOGGED IN EACH UNITS)

Figure 14 34 SENSITIVE - NOT FOR PUBLIC DISCLOSURE IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-1 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Appendix A Details of the Inputs Used and Results from the Best Estimate and Sensitivity Analyses A.1 Analysis Inputs and Assumptions Key Assumptions ASP Analysis Input Basis Initiating event modeled Dual unit LOOP Section A.2 discusses the initiating event modeled and frequency used for this event.

Debris entrainment probability 0.3 The ASP analysis uses a probability of 0.3 based on operating experiences at the site. From 1996 to May 2002 there has been 10 reactor trips at D. C. Cook. In three of these cases there was sufficient disturbance in the forebay to cause in silt injection to ESW or CCW systems that resulted in system perturbations. Section A.3 discusses this in more detail.

Failed strainer in-service during a LOOP 0.77 Same as value used in SDP analysis.

EDG failure probability 0.5 for unit 1 EDGs 0.25 for unit 2 EDGs Based on ESW flow rates during the August 2001 event.

Section A.4 discusses this in more detail.

Accident scenarios modeled Given a dual unit LOOP, the following scenarios were modeled: all four EDGs are failed by the debris entrainment; and also accident scenarios where debris entrainment only fails 3 of the 4 EDGs, 2 of the 4 EDGs, and 1 of the 4 EDGs.

The total )CDP is the sum of each of these individual scenarios weighted by their probability of occurrence.

Combinations of EDGs failure probabilities are as follows:

0 of 4 fails (i.e. 4 successes) = 0.1406 1 of 4 fails = 0.181if failure in unit 1, 0.091if failure in unit 2 2 of 4 fails = 0.2539 (one failure in each unit)

= 0.1269 (both failures in Unit 1)

= 0.0317 (both failures in Unit 2) 3 of 4 fails = 0.1064 (2 failures in Unit 1 and 1 failure in Unit 2)

= 0.0532, (1 failure Unit 1 and 2 failures in Unit 2) 4 of 4 fails = 0.01563 Section A.5 provides more detail.

Credit for operator recovery HEPs are dependent on the accident scenario modeled:

0.07 (1 of 4 EDGs failed) 0.22 (2 or 3 EDGs failed) 0.4 (all 4 EDGs failed)

The SPAR HRA worksheets were used to calculate the HEPs.

Section A.6 provides details.

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-2 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Other assumptions:

All service water system (SWS) pumps and all CWS pumps in both units trip simultaneously. All SWS pumps restart on EDG load sequencing.

The intake bed (silt/mussels) lifts and is ingested in the SWS pumps (suction bell of these pumps is at the same elevation as the CWS pumps),

Debris is transmitted via the damaged strainer element via the open crossover valve(s) to each EDG.

Debris entrainment into the ESW system is assumed to only affect EDG operation. Effects on other system operations is not modeled.

Operator recovery is credited for flushing the EDG coolers and cycling of the valves.

Although these actions are not proceduralized, credit was taken since these recovery actions were carried out during the August 2001 event.

A.2 Single Unit LOOP Vs. Dual Unit LOOP A dual unit LOOP assumption is considered enveloping in the ASP analysis. Recovery actions are more probable in a single unit LOOP (e.g., ESW and electrical cross ties from the opposite unit can be used to recover from the debris clogging at the affected unit). It is also postulated that the debris disturbance in the forebay (and subsequent entrainment into the ESW system) would be greater during a dual unit LOOP since all CW pumps will trip (resulting in a backwash into the forebay) at approximately the same time that the ESW pumps will start.

LOOP Initiating Event Frequency Estimate Data sources. For this condition assessment, a frequency estimate for a dual unit loss of offsite power was developed that is based on events identified in NUREG/CR-5496, Evaluation of Loss of Offsite Power Events at Nuclear Power Plants: 1980-1996, and updated to include LER data through 2001. A search of the SCSS database was conducted to select LERs involving loss offsite power for the years 1997 through 2002. The total time period reviewed is 1980-2002.

Review criteria. Because of the design for the diesel generator coolers at D.C. Cook, loss of emergency service water to all four diesel generator coolers will only occur if power is lost to both units. The types of LOOP events that would involve both units include dual-unit, plant-centered LOOPs, grid-related LOOPs, and severe weather-related LOOPs. Other considerations include:

Causes of weather-related and grid-related LOOP events are independent of plant mode; therefore, both operating and shutdown experience were included.

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-3 SENSITIVE - NOT FOR PUBLIC DISCLOSURE LOOP events that occurred when all units at the site were shut down were not included.

LOOP caused by outage maintenance activity on one shutdown unit (even though the activity not performed while the plant operating) were included. This type of LOOP will be used to calculate a dual-unit, plant-centered LOOP frequency for the fraction of time that one unit at D.C. Cook is shutdown.

Hurricane-related LOOP events were not included since the region around Cook are not usually susceptible to hurricane events.

Results. The results of the review of LOOP events during the 1980-2002 period are given in the table below.

Events selected for dual-unit LOOP frequency assessment.

LOOP type No. events LER Grid-related 1

395/89-012

Weather-related 5

333/88-011, 282/96-012, 346/98-006 302/93-002, 325/93-008 Dual-unit, plant-centered Both units operating 2

317/87-012, 327/92-027 One unit shutdown 1

334/93-013

Exclude: Pilgrim (outlier from NUREG/CR-5496); 2 of 3 events at Crystal River (302/93-002) caused by the same storm; hurricane events when plant was shutdown prior to the hurricane-induced LOOP.

Frequency calculation. The LOOP frequency is estimated by:

FLOOP = FGrid + FSevere weather + FDual

Where, FGrid = frequency of grid-related LOOPs FSevere weather = frequency of weather-related LOOPs FDual = frequency of plant-centered, dual-unit LOOPs The total operating and shutdown time for all sites (single and multi-unit sites) during 1987-2002 is 1,080 site calendar years, as shown in Table A3.2. The operating and shutdown time for only multi-unit sites during the same time is 570.9 site calendar years. Using the

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-4 SENSITIVE - NOT FOR PUBLIC DISCLOSURE criticality factor calculated in Table A3.3 of 0.78, the multi-unit critical time is 0.78 x 570.9 calendar year = 445 critical year Therefore, the mean frequency is FGrid = 1/1,018 yr = 9.8E-4/yr or 1.1E-7/hr FSevere weather = 5/1,018 yr = 4.9E-3/yr or 5.6E-7/hr FDual = 3/445 yr = 6.7E-3/yr or 7.7E-7/hr The dual LOOP frequency (per site calendar year) is:

FLOOP = 1.1E-7/hr + 5.6E-7/hr +7.7E-7/hr = 1.4E-6/hr or 1.2E-2/yr Probability Distribution. In order to obtain a probability distribution for FLOOP, a numeric analysis of each parameter would be required. Since the number of events controls the uncertainty bounds, a reasonable distribution can be created from an approximate analysis for the purpose of ASP uncertainty analysis. The number of LOOP events (9) and the LOOP frequency (8.8E-3/yr) are used to estimate a pseudo-exposure (732 yr.) so that a probability distribution can be created to express the uncertainty in the estimate.

The constrained non-informative prior distribution (Atwood 1996) was used. The distribution is given by:

(

)

Gamma Gamma F

=

05 1 2

Grid reliability and severe weather frequency varies between plants, so a more diffuse prior distribution is appropriate. The Gamma distribution parameters (in years) of the prior are =0.5 and =41. Performing a Bayesian update on the above distribution with D. C. Cook 12 operating years without a LOOP event since the installation of faulty strainer, the mean LOOP frequency for D.C. Cook is 8.8E-3/yr or 1.0E-6/hr. The Gamma distribution parameters of the posterior are =0.5 and =57. The 5th percentile of this distribution is 3.5E-5/yr. and the 95th percentile is 3.4E-2/yr.

A.3 Debris Entrainment Probability This analysis uses a probability of 0.3 based on operating experiences at the site. Since 1996 until May 2002 there has been 10 reactor trips in D. C. Cook. In three of these cases there was sufficient disturbance in the forebay to cause in silt injection to ESW or CCW systems, that resulted in system perturbations.

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-5 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Events Selected for the Probability of Debris in Forebay Event Date Unit LER or Event number 6/10/1996 Unit 2 316/99-001 8/29/2001 Both Units 316/01-003 6/14/2002 Unit 1 38993 A.4 EDG Failure Probability The EDG coolers low flow event, dated August 29, 2001 resulted from carryover of debris (silt/mussels) from the intake through a damaged element of a twin basket strainer via open crossover valves to the EDG coolers in each unit (2 coolers/unit) resulting in low flow and inoperability (lower than Technical Specification and minimum design flow). None of the EDGs were operating (therefore, the intake manifold was in bypass for this nonoperating mode). The lowest cooler flows prior to recovery attempts were as follows: 1AB cooler - no flow detected; 1CD cooler - 350 gpm; 2AB cooler - 350 gpm; and 2CD cooler - 250 gpm.

These reduced flows were recorded at 9:00 P.M. following a period of degradation that began with sequential circulating water system (CWS) pump shutdown at approximately 1:30 p.m.

Based on the August 2001 event, the ASP analysis uses an EDG failure probability of 0.5 for the Unit 1 EDGs. (EDG 1AB is assumed failed due to low flow rates in the cooler while EDG 1CD was assumed operable due to the stabilized flow rate at the cooler. The operability of the Unit 2 EDGs was more difficult to determine since the cooler flow rates have not stabilized during the August 2001 event.)

The probability of failure of the Unit 2 EDGs was determined to be less likely than for Unit 1 (Unit 2 EDG failure probability estimated to be 0.25) for the following reason. During the August 2001 event, one of the two Unit 2 ESW pumps was not started. Since both Unit 1 ESW pumps were operating during that event, it was postulated that the flow differential between the Unit 1 and Unit 2 ESW headers facilitated debris migration from the failed Unit 1 strainer to the Unit 2 ESW header and the Unit 2 EDG coolers. Based on this information, with all four ESW pumps operating during a hypothetical dual unit LOOP event, it is estimated that the amount of debris dispersion onto the Unit 2 side from a failed Unit 1 strainer would be half as much as the debris dispersion onto the Unit 1 side.

A.5 Conditional Probability of Accident Scenarios Modeled Consider two diesel generators, denoted by A and B. We are interested in estimating the conditional core damage probability of the case of either one diesel not working or both diesels not working. Let A denote the event that A is not working, B the event that B is not working and C the event that both A and B are not working. Define

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-6 SENSITIVE - NOT FOR PUBLIC DISCLOSURE S

A B

C

=

P T S P T A or B or AB P S P TA TB TAB P S

( l )

( (

))

( )

(

)

( )

=

+

P T A P A P S P T B P B P S P T AB P AB P S

( l

) ( )

( )

( l ) ( )

( )

( l

) (

)

( )

=

+

P A P S P T A P B P S P T B P AB P S P T AB

( )

( l

)

( )

( l )

(

)

( )

( l

)

=

+

P A P S CCDP P B P S CCDP P AB P S CCDP A

B AB

( )

(

)

( )

=

+

W CCDP W CCDP W CCDP A

B AB 1

2 3

Note that A, B, and C are mutually exclusive, that is A

B A

C B

C

=

Let T denote the event core damage. Thus, we want to calculate

. Then, we

[

]

P T S have the following:

where w1+w2+w3 = 1 By assuming success probability p and failure probability q and considering random failure of four diesel generators due to low ESW flow to EDG heat exchangers, by using the binomial random failure we arriver at p = probability of success q = 1 - p = probability of failure (p + q )4 = p4 + 4p3q + 6p2q2 + 6pq3 + q4 p4 = four successes 4p3q = three successes and one failure 6p2q2 = two successes and two failures 6pq3 = one success and three failures q4 = four failures if we assume p = 0.5, then

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-7 SENSITIVE - NOT FOR PUBLIC DISCLOSURE p4 = 0.0625 4p3q = 0.25 6p2q2 = 0.375 6pq3 = 0.25 q4 = 0.0625 By using binomial, we assuming the no dependency between failure of diesel generators, that means if the first diesel generator fails with the probability of 0.5, the second EDG will also fail with 0.5 probability.

P (failure of A or B) = P(AcB) = P(A) + P(B), and no dependency between them or P (failure of A or B) = P(AcB) = P(A) + P(B) - P(A1B), which is there is dependency between them.

The other way to model failure of these EDGs is by using the exact solution in order to consider dependencies between them.

P ( failure of A, B, C, or D) = P(AcB c CcD) = P(A) + P(B) + P(C) + P (D) - P(A1B) -

P(A1C)-P(A1D) - P(B1C) - P(B1D) - P(C1D) - P(A1B1C) - P(A1B1B) - P(B1C1D) +

P(A1B1C1D)

Four fault trees were constructed (Figures A.5 through A.8) and by using the Min/Max engine (which gives the exact solution of fault tree) of SAPHIRE code the following results were obtained

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-8 SENSITIVE - NOT FOR PUBLIC DISCLOSURE By assuming the failure of 0.5 for both units 1 and 2 for each diesel the following results are obtained Probability of Cumulative Probability four successes (1- 0.9375) = 0.0625 One or more failure(s) 0.9375 one failure (0.9375- 0.822) = 0.1155 Two or more failures 0.822 two failures (0.822 - 0.4138) = 0.4082 Three or four failures 0.4138 three failures (0.4138 - 0.0625) = 0.3513 Four failures 0.0625 four failures 0.0625 Sum 1

P = 0.5 Probability of Scenario 0 out of 4 0a (no failure) 0.0625 1 out of 4 1a(failure in unit 1) 0.1155*1/2 = 0.05775 1b (failure in unit 2) 0.1155*1/2 = 0.05775 2 out of 4 2a(one in each unit) 0.4082*4/6 = 0.2721 2b (two in unit 1) 0.4082*1/6 = 0.068 2c(two in unit 2) 0.4082*1/6 = 0.068 3 out of 4 3a(two in unit 1and one in unit 2) 0.3513*1/2 = 0.1756 3b(one in unit 1 and two in unit 2) 0.3513*1/2 = 0.1756 4 out of 4 4 (two in each unit) 0.0625 Sum = 1

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-9 SENSITIVE - NOT FOR PUBLIC DISCLOSURE By assuming the failure of 0.25 for both units 1 and 2 for each diesel generator the following results are obtained:

Probability of Cumulative Probability four successes (1 - 0.6836) = 0.3164 One or more failure(s) 0.6836 one failure (0.6836 - 0.3211) = 0.3625 Two or more failures 0.3211 two failures (0.3211 - 0.06105) = 0.26005 Three or four failures 0.06105 three failures (0.06105 - 0.003906) = 0.057144 Four failures 0.003906 four failures 0.003906 Sum 1

P =0.25 Probability of failure 0 out of 4 0a (no failure) 0.3164 1 out of 4 1a(failure in unit 1) 0.3625*1/2 = 0.18125 1b (failure in unit 2) 0.3625*1/2 = 0.18125 2 out of 4 2a(one in each unit) 0.26005*4/6 = 0.1734 2b (two in unit 1) 0.26005*1/6 = 0.0433 2c(two unit 2) 0.26005*1/6 = 0.0433 3 out of 4 3a(two unit 1 and one in unit 2) 0.057144*1/2 = 0.02857 3b(one in unit 1 and two in unit 2) 0.057144*1/2 = 0.02857 4 out of 4 4 (two in each unit) 0.003906 Sum = 1

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-10 SENSITIVE - NOT FOR PUBLIC DISCLOSURE By assuming the failure of 0.5 for unit 1 each diesel generator and 0.25 for unit 2 each diesel generator the following results are obtained:

Probability of Cumulative Probability four successes (1 -0.8594) 0.1406 One or more failure(s) 0.8594 one failure (0.8594- 0.5878) = 0.2716 Two or more failures 0.5878 two failures (0.5878 - 0.1752) = 0.4126 Three or four failures 0.1752 three failures (0.1752 - 0.01563) = 0.1595 Four failures 0.01563 four failures 0.01563 Sum 1

P = 0.5, 0.25 Probability of failure 0 out of 4 0a (no failure) 0.1406 1 out of 4 1a(failure in unit 1) 0.2716*0.671 = 0.181 1b (failure in unit 2) 0.2716*0.33 = 0.091 2 out of 4 2a(one in each unit) 0.4126*0.61541 = 0.2539 2b (two in unit 1) 0.4126*0.3081 = 0.1269 2c(two in unit 2) 0.4126*0.07691 = 0.0317 3 out of 4 3a(two in unit 1 and one in unit 2) 0.15957*0.671 = 0.1064 3b(one in unit 1 and two in unit 2) 0.15957*0.371 = 0.0532 4 out of 4 4 (two in each unit) 0.01563 Sum = 1 1-see the tables in the next two pages for original of these numbers

For 0.5, 0.25 EDGAB U1 EDGAB U1 EDG CD U1 EDG CD U1 EDGAB U2 EDGAB U2 EDG CD U2 EDG CD U2 S

0.5 S

0.75 S

0.75 NO FAILURE 0

S 0.5 F

0.5 S

0.75 S

0.75 1 IN UNIT 1 1

F 0.5 S

0.5 S

0.75 S

0.75 1 IN UNIT 1 1

F 0.5 F

0.5 S

0.75 S

0.75 2 IN UNIT 1 2

S 0.5 S

0.5 F

0.25 S

0.75 1 IN UNIT 2 1

S 0.5 S

0.5 S

0.75 F

0.25 1 IN UNIT 2 1

S 0.5 S

0.5 F

0.25 F

0.25 2 IN UNIT 2 2

F 0.5 S

0.5 F

0.25 S

0.75 1 IN UNIT 1 1 IN UNIT 2 2

F 0.5 S

0.5 S

0.75 F

0.25 1 IN UNIT 1 1 IN UNIT 2 2

S 0.5 F

0.5 F

0.25 S

0.75 1 IN UNIT 1 1 IN UNIT 2 2

S 0.5 F

0.5 S

0.75 F

0.25 1 IN UNIT 1 1 IN UNIT 2 2

F 0.5 F

0.5 F

0.25 S

0.75 2 IN UNIT 1 1 IN UNIT 2 3

F 0.5 F

0.5 S

0.75 F

0.25 2 IN UNIT 1 1 IN UNIT 2 3

S 0.5 F

0.5 F

0.25 F

0.25 1 IN UNIT 1 2 IN UNIT 2 3

F 0.5 S

0.5 F

0.25 F

0.25 1 IN UNIT 1 2 IN UNIT 2 3

F 0.5 F

0.5 F

0.25 F

0.25 2 IN UNIT 1 2 IN UNIT 2 4

A-11 SENSITIVE - NOT FOR PUBLIC DISCLOSURE IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003

1 Failure 1 Failure (Normalized) 2 Failures 2 Failures (normalized) 3 Failures 3 failures (normalized)

NO FAILURE 0

1 IN UNIT 1 1

0.5 1/1.5 =0.67 1 IN UNIT 1 1

0.5 2 IN UNIT 1 2

sum (U1) = 1 0.5*0.5 =0.25 0.25/0.8125=0.307692 3 (U1) 1 IN UNIT 2 1

0.25 1 IN UNIT 2 1

0.25 2 IN UNIT 2 2

sum (U2) =0.5 sum(U1+U2)

=1.5 (1 failure) 0.5/1.5=0.33 0.25*0.25 = 0.0625 0.0625/0.8125

=0.07692308 (U2) 1 IN UNIT 1 1 IN UNIT 2 2

0.5*0.25 = 0.125 0.125/0.8125

=0.15384615 1 IN UNIT 1 1 IN UNIT 2 2

0.5*0.25 = 0.125 0.125/0.8125

=0.15384615 1 IN UNIT 1 1 IN UNIT 2 2

0.5*0.25 = 0.125 0.125/0.8125

=0.15384615 1 IN UNIT 1 1 IN UNIT 2 2

0.5*0.25 = 0.125 0.125/0.8125

=0.15384615 2 IN UNIT 1 1 IN UNIT 2 3

sum(all 2 failures) =

0.8125 0.15384615*4

=0.61538462 (one in each unit) 0.5*0.5*25=0.0625 =0.0625*2/0187 5=0.67 2 IN UNIT 1 1 IN UNIT 2 3

0.5*0.5*25=0.0625 1 IN UNIT 1 2 IN UNIT 2 3

0.5*0.25*25=0.0312 5

=0.03125*2/0.1 875=0.33 1 IN UNIT 1 2 IN UNIT 2 3

0.5*0.25*25=0.0312 5

2 IN UNIT 1 2 IN UNIT 2 4

sum =0.1875 (3 failures)

A-12 IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 SENSITIVE - NOT FOR PUBLIC DISCLOSURE IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003

For 0.5, 0.25 Case A-13 SENSITIVE - NOT FOR PUBLIC DISCLOSURE IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-14 SENSITIVE - NOT FOR PUBLIC DISCLOSURE A.6 Credit for Operator Recovery This analysis used the SPAR HRA methodology to estimate the probability of operator recovery action. The results of these operator recoveries are provided in HRA worksheets attached to end of this Appendix.

The analysis assumes that the operator only flushes the instrument lines when the symptom is low ESW flow indication (as was done during the August 2001 event). Flushing the instrument lines will add 30 to 40 minutes to the recovery time. It is also assumed that the operators focus on ESW flow faults, and not on instrument line faults when there are high CCW or ESW temperature alarms.

The analysis assumes that it is physically possible to recover the heat exchangers after blockage occurs. In the August 2001 event, the heat exchanger that was flushed was either the jacket water or the lube oil heat exchanger. In a LOOP event, the ESW passes through aftercooler and three way manifold, then through jacket water and lube oil cooler. Flushing the air aftercooler is not physically possible afer it is plugged.

Using the August 2001 event to illustrate feasibility of the operator recovery action may be somewhat optimistic. During that event, the EDGs were not operating, and therefore there was no potential trip of any EDG. Also, during the August 2001 event, power was available to assist valve cycling. During a LOOP, the valves have to be manually operated, thus requiring more effort and time.

The estimated HEP is dependent on the different scenarios and how many diesel generators will be lost, upon loss or low flow ESW to EDG coolers. For case when only one diesel generator will be lost, credit is given for valve cycling or heat exchanger flushing from water available when one ESW loaded on one of remaining diesel generators. The HEP of 0.07 is reasonable when sufficient time is available (i.e., time from initiating event to clogging of EDG heat exchanger exceeds 5 to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months ). This 0.07 is probably somewhat optimistic for recovery times of two hours or less. For cases when two or three diesel generators will be lost (August 2001 event),

still one diesel generator available for loading one ESW pump and valve cycling or heat exchanger flushing actions, the probability of recovery is 0.22. For the case when all diesel generator will be lost with a dual unit LOOP, a HEP of 0.4 is likely due to the lack of time (approximately less than1 hour available for recovery) and due to the fact that ESW flow unit cannot be credited for the valve cycling or heat exchanger flushing actions.(see attached SPAR HRA worksheets)

The estimated HEPs are also subject to the uncertainties. The analysis assumes that the time available for operator action during a dual unit LOOP is adequate, i.e., there will be more than 75 minutes available for operator recovery(actual time for diagnosis and flushing). This timing is sufficient for the recovery of ESW flow to EDG heat exchangers prior to the initiating event.

However, it is not obvious that the operator actually trips the EDGs during a LOOP event (even if procedures instructs him to do so) since this results in a SBO event.

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-15 SENSITIVE - NOT FOR PUBLIC DISCLOSURE A.7 Results for the Best Estimate Case and Sensitivity Analyses The results for the best estimate case is show in Table A.1. This best estimate case represents the scenario where the probability of debris entrainment in the ESW system was estimated to be 0.3, and the probability of EDG failure as a result of the entrainment was estimated to be 0.5 per diesel for the Unit 1 EDGs and 0.25 per diesel for the Unit 2 EDGs.

The CDP for this case is estimated using a dual unit loss of offsite power initiator, and multiple diesel failure combinations and associated operator recovery probabilities.

Sensitivity analyses were performed for debris entrainment probabilities of 0.09 and 0.5. [The probability of 0.09 is based on the final Significance Determination Process (SDP) estimate, and the probability of 0.5 is based on the original SDP estimate as determined by information obtained from NRR analysts and the Resident Inspector.] The results of this sensitivity study are also show in Table A.1.

Sensitivity analyses were also performed for EDG failure probabilities of 0.5 for all four EDGs and 0.25 for all four EDGs. The results of these studies are shown in Tables A.2 and A.3 respectively.

An additional sensitivity was performed using HEP values of 0.13 for all cases. This HEP corresponds to the value proposed by the licensee as part of the SDP process. Results of this sensitivity case are show in Table A.4.

The mean CDPs for the best estimate and sensitivity cases are shown in Figure A.1. The distributions around the mean values (i.e., parameter uncertainty) for each of these cases are show in A.2 to A.4.

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-16 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table A.1 P = 0.5, 0.25 Probability of failure HEP EDG 1AB1 HEP EDG 1CD1 0 out of 4 0a (no failure) 0.1406 0

0 1 out of 4 1a(failure in unit 1) 0.2716*0.67 =

0.181 0.07 NA 1b (failure in unit 2) 0.2716*0.33 =

0.091 2 out of 4 2a(one in each units) 0.4126*0.6154 =

0.2539 0.22 NA 2b (two in unit 1) 0.4126*0.308 =

0.1269 0.22 0.22 2c(two in unit 2) 0.4126*0.0769 =

0.0317 3 out of 4 3a(two in unit 1 and one in unit 2) 0.15957*0.67 =

0.1064 0.22 0.22 3b(one in unit 1 and two in unit 2) 0.15957*0.37 =

0.0532 0.22 NA 4 out of 4 4 (two in each unit) 0.01563 0.4 0.4 Sum = 1 1-From SPAR HRA worksheet P =0.5, 0.25 Debris entrainment (0.09)

Debris entrainment (0.3)

Debris entrainment (0.5)

Importance Importance Importance Point Estimate 2.21E-06 8.86E-06 1.23E-05 Mean 3.71E-06 1.00E-05 1.38E-05 5th percentile 5.51E-07 1.62E-06 1.50E-06 95th Percentile 1.18E-05 2.64E-05 3.53E-05

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-17 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table A.2 P = 0.5 Probability of Scenario HEP EDG 1AB1 HEP EDG 1CD1 0 out of 4 0a (no failure) 0.0625 0

0 1 out of 4 1a(failure in unit 1) 0.1155*1/2 =

0.05775 0.07 NA 1b (failure in unit 2) 0.1155*1/2 =

0.05775 2 out of 4 2a(one in each units) 0.4082*4/6 =

0.2721 0.22 NA 2b (two in unit 1) 0.4082*1/6 = 0.068 0.22 0.22 2c(two in unit 2) 0.4082*1/6 = 0.068 3 out of 4 3a(two in unit 1and one in unit) 0.3513*1/2 =

0.1756 0.22 0.22 3b(one in unit 1 and two in unit 2) 0.3513*1/2 =

0.1756 0.22 NA 4 out of 4 4 (two in each unit) 0.0625 0.4 0.4 Sum = 1 1-From SPAR HRA worksheet P = 0.5 Debris entrainment (0.09)

Debris entrainment (0.3)

Debris entrainment (0.5)

Importance Importance Importance Point Estimate 3.00E-06 1.00E-05 1.88E-05 Mean 4.50E-06 1.15E-05 1.93E-05 5th percentile 6.87E-07 1.38E-06 2.15E-06 95th Percentile 1.43E-05 2.44E-05 5.24E-05

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-18 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table A.3 P =0.25 Probability of failure HEP EDG 1AB1 HEP EDG 1CD1 0 out of 4 0a (no failure) 0.3164 0

0 1 out of 4 1a(failure in unit 1) 0.3625*1/2 =

0.18125 0.07 NA 1b (failure in unit 2) 0.3625*1/2 =

0.18125 2 out of 4 2a(one in each units) 0.26005*4/6 =

0.1734 0.22 NA 2b (two in unit 1) 0.26005*1/6 =

0.0433 0.22 0.22 2c(two unit 2) 0.26005*1/6 =

0.0433 3 out of 4 3a(two unit 1 and one in unit 2) 0.057144*1/2 =

0.02857 0.22 0.22 3b(one in unit 1 and two in unit 2) 0.057144*1/2 =

0.02857 0.22 NA 4 out of 4 4 (two in each unit) 0.003906 0.4 0.4 Sum = 1 1-From SPAR HRA worksheet P = 0.25 Debris entrainment (0.09)

Debris entrainment (0.3)

Debris entrainment (0.5)

Importance Importance Importance Point Estimate 1.81E-06 2.44E-06 4.06E-06 Mean 2.65E-06 3.94E-06 5.58E-06 5th percentile 7.59E-07 7.82E-07 8.27E-07 95th Percentile 1.07E-05 1.24E-05 1.52E-05

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-19 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table A.4 P = 0.5, 0.25 0.3 debris entrainment Probability of failure HEP EDG 1AB HEP EDG 1CD

)CDP 0 out of 4 0a (no failure) 0.1406 0

0 0

1 out of 4 1a(failure in unit 1) 0.2716*0.67 = 0.181 0.13 NA 1.2E-06 1b (failure in unit 2) 0.2716*0.33 = 0.091 0

2 out of 4 2a(one in each unit) 0.4126*0.6154 = 0.2539 0.13 NA 1.3E-06 2b (two in unit 1) 0.4126*0.308 = 0.1269 0.13 0.13 3.1E-6 2c(two in unit 2) 0.4126*0.0769 = 0.0317 0

3 out of 4 3a(two in unit 1 and one in unit 2) 0.15957*0.67 = 0.1064 0.13 0.13 2.8E-06 3b(one in unit 1 and two in unit 2) 0.15957*0.37 = 0.0532 0.13 NA 1.1E-06 4 out of 4 4 (two in each unit) 0.01563 0.13 0.13 1.3E-06 Sum = 1 Mean 1.0E-05

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-20 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Figure A.1

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-21 SENSITIVE - NOT FOR PUBLIC DISCLOSURE CDP CDP Figure A.2

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-22 SENSITIVE - NOT FOR PUBLIC DISCLOSURE CDP CDP Figure A.3

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-23 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Figure A.4

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-24 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Unit 2 results The risk significance of the EDGs being unavailable is determined by subtracting the nominal core damage probability from the conditional core damage probability:

conditional core damage probability (CCDP) - mean 7.09E-05 nominal core damage probability (CDP) - mean 6.06E-05 Importance ( CDP):

5.33E-06 95% percentile 1.41E-05 mean 6.62E-06 5% percentile 8.21E-07 This is an increase of 1.1E-5 over the nominal CDP for the 1 year period when the EDGs are assumed to be in a degraded condition and susceptible to failure.

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-25 SENSITIVE - NOT FOR PUBLIC DISCLOSURE XHE--Diagnostic task failure probabilities. SPAR model human error worksheet for one EDG failure Performance Shaping Factors (PSF)

PSF Levels Multiplier Basis U

1.

Avail able Time Inadequate 1.0a Barely adequate < 20 m 10 Nominal. 30 m 1

U Extra > 60 m 0.1 Expansive > 24 h 0.01

2. Stress Extreme 5

High 2

Nominal 1

U

3. Complexity Highly 5

Moderately 2

Nominal 1

U 4.

Exper ience

/Train ing Low 10 Nominal 1

U High 0.5

5. Procedures Not available 50 Available, but poor 5

U Nominal 1

Diagnostic/symptom oriented 0.5

6. Ergonomics Missing/Misleading 50 Poor 10 Nominal 1

U Good 0.5 7.

Fitne ss for Duty Unfit 1.0a Degraded Fitness 5

Nominal 1

U 8.

Work Proce sses Poor 2

Nominal 1

U Good 0.8 Total = (1)x(2)x(3)x(4)x(5)x(6)x(7)x(8) 5 Nominal Failure Probability 1.0E-2 Adjusted Probability = Total x Nominal 5X1.0E-02 = 5E-02

a. Task failure probability is 1.0 regardless of other PSFs.

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-26 SENSITIVE - NOT FOR PUBLIC DISCLOSURE XHE--Physical operator actions failure probabilities. SPAR model human error worksheet for one EDG failure.

Performance Shaping Factors (PSF)

PSF Levels Multiplier[b]

Basis U

1. Available Time Inadequate 1.0a Time available. time required 10 Nominal 1

U Available > 50x time required 0.01

2. Stress Extreme 5

High 2

Nominal 1

U

3. Complexity Highly 5

Moderately 2

U Nominal 1

4. Experience/

Training Low 3

Nominal 1

U High 0.5

5. Procedures Not available 50 Available, but poor 5

U Nominal 1

6. Ergonomics Missing/Misleading 50 Poor 10 Nominal 1

U Good 0.5

7. Fitness for Duty Unfit 1.0a Degraded Fitness 5

Nominal 1

U

8. Work Processes Poor 2

Nominal 1

U Good 0.8 Total = (1)x(2)x(3)x(4)x(5)x(6)x(7)x(8) 10 Nominal Failure Probability 1.0E-3 Adjusted Probability = Total x Nominal 20X1.0E-03 = 2.0E-02

a. Task failure probability is 1.0 regardless of other PSFs.

b. Legend:

Total = Adjusted Probability of Diagnostic task + Adjusted Probability of Physical operator actions = 5E-02 + 2E-02 =

7E-02

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-27 SENSITIVE - NOT FOR PUBLIC DISCLOSURE XHE--Diagnostic task failure probabilities. SPAR model human error worksheet for 2 or 3 EDGs failure Performance Shaping Factors (PSF)

PSF Levels Multiplier Basis U

1. Available Time Inadequate 1.0a Barely adequate < 20 m 10 Nominal. 30 m 1

U Extra > 60 m 0.1 Expansive > 24 h 0.01

2. Stress Extreme 5

High 2

U Nominal 1

3. Complexity Highly 5

Moderately 2

U Nominal 1

4. Experience

/Training Low 10 Nominal 1

U High 0.5

5. Procedures Not available 50 Available, but poor 5

U Nominal 1

Diagnostic/symptom oriented 0.5

6. Ergonomics Missing/Misleading 50 Poor 10 Nominal 1

U Good 0.5

7. Fitness for Duty Unfit 1.0a Degraded Fitness 5

Nominal 1

U

8. Work Processes Poor 2

Nominal 1

U Good 0.8 Total = (1)x(2)x(3)x(4)x(5)x(6)x(7)x(8) 20 Nominal Failure Probability 1.0E-2 Adjusted Probability = Total x Nominal 20X1.0E-02 = 2E-01

a. Task failure probability is 1.0 regardless of other PSFs.

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-28 SENSITIVE - NOT FOR PUBLIC DISCLOSURE XHE--Physical operator actions failure probabilities. SPAR model human error worksheet for 2 or 3 EDGs failure Performance Shaping Factors (PSF)

PSF Levels Multiplier[b]

Basis U

1. Available Time Inadequate 1.0a Time available. time required 10 Nominal 1

U Available > 50x time required 0.01

2. Stress Extreme 5

High 2

U Nominal 1

3. Complexity Highly 5

Moderately 2

U Nominal 1

4. Experience/

Training Low 3

Nominal 1

U High 0.5

5. Procedures Not available 50 Available, but poor 5

U Nominal 1

6. Ergonomics Missing/Misleading 50 Poor 10 Nominal 1

U Good 0.5

7. Fitness for Duty Unfit 1.0a Degraded Fitness 5

Nominal 1

U

8. Work Processes Poor 2

Nominal 1

U Good 0.8 Total = (1)x(2)x(3)x(4)x(5)x(6)x(7)x(8) 20 Nominal Failure Probability 1.0E-3 Adjusted Probability = Total x Nominal 20X1.0E-03 = 2.0E-02

a. Task failure probability is 1.0 regardless of other PSFs.

b. Legend:

Total = Adjusted Probability of Diagnostic task + Adjusted Probability of Physical operator actions = 2E-01 + 2E-02 =

2.2E-01

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-29 SENSITIVE - NOT FOR PUBLIC DISCLOSURE XHE--Diagnostic task failure probabilities. SPAR model human error worksheet for all EDGs failure Performance Shaping Factors (PSF)

PSF Levels Multiplier Basis U

1. Available Time Inadequate 1.0a Barely adequate < 20 m 10 Nominal. 30 m 1

U Extra > 60 m 0.1 Expansive > 24 h 0.01

2. Stress Extreme 5

High 2

U Nominal 1

3. Complexity Highly 5

Moderately 2

U Nominal 1

4. Experience

/Training Low 10 Nominal 1

U High 0.5

5. Procedures Not available 50 Available, but poor 5

U Nominal 1

Diagnostic/symptom oriented 0.5

6. Ergonomics Missing/Misleading 50 Poor 10 Nominal 1

U Good 0.5

7. Fitness for Duty Unfit 1.0a Degraded Fitness 5

Nominal 1

U

8. Work Processes Poor 2

Nominal 1

U Good 0.8 Total = (1)x(2)x(3)x(4)x(5)x(6)x(7)x(8) 20 Nominal Failure Probability 1.0E-2 Adjusted Probability = Total x Nominal 20X1.0E-02 = 2E-01

a. Task failure probability is 1.0 regardless of other PSFs.

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 A-30 SENSITIVE - NOT FOR PUBLIC DISCLOSURE XHE--Physical operator actions failure probabilities. SPAR model human error worksheet for all EDGs failure Performance Shaping Factors (PSF)

PSF Levels Multiplier[b]

Basis U

1. Available Time Inadequate 1.0a Time available. time required 10 U

Nominal 1

Available > 50x time required 0.01

2. Stress Extreme 5

High 2

U Nominal 1

3. Complexity Highly 5

Moderately 2

U Nominal 1

4. Experience/

Training Low 3

Nominal 1

U High 0.5

5. Procedures Not available 50 Available, but poor 5

U Nominal 1

6. Ergonomics Missing/Misleading 50 Poor 10 Nominal 1

U Good 0.5

7. Fitness for Duty Unfit 1.0a Degraded Fitness 5

Nominal 1

U

8. Work Processes Poor 2

Nominal 1

U Good 0.8 Total = (1)x(2)x(3)x(4)x(5)x(6)x(7)x(8) 200 Nominal Failure Probability 1.0E-3 Adjusted Probability = Total x Nominal 200X1.0E-03 = 2.0E-01

a. Task failure probability is 1.0 regardless of other PSFs.

b. Legend:

Total = Adjusted Probability of Diagnostic task + Adjusted Probability of Physical operator actions = 2E-01 + 2E-01 =

4E-01

TEST1 EPS-DGN-CLOGG-2CD EPS-DGN-CLOGG-2AB EPS-DGN-CLOGG-1CD EPS-DGN-CLOGG-1AB PROBABILITY THAT DEBRIS CARRY OVER TO THE ONE OUT OF FOUR EDG COOLERS PROBABILITY THAT DEBRIS CARRY OVER TO THE EDG COOLER 1AB PROBABILITY THAT DEBRIS CARRY OVER TO THE EDG COOLER 1CD PROBABILITY THAT DEBRIS CARRY OVER TO THE EDG COOLER 2AB PROBABILITY THAT DEBRIS CARRY OVER TO THE EDG COOLER 2CD Figure A.5 A-31 SENSITIVE - NOT FOR PUBLIC DISCLOSURE IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003

2 4

TEST2 EPS-DGN-CLOGG-2CD EPS-DGN-CLOGG-2AB EPS-DGN-CLOGG-1CD EPS-DGN-CLOGG-1AB PROBABILITY THAT DEBRIS CARRY OVER TO THE TWO OUT OF FOUR EDG COOLERS PROBABILITY THAT DEBRIS CARRY OVER TO THE EDG COOLER 1AB PROBABILITY THAT DEBRIS CARRY OVER TO THE EDG COOLER 1CD PROBABILITY THAT DEBRIS CARRY OVER TO THE EDG COOLER 2AB PROBABILITY THAT DEBRIS CARRY OVER TO THE EDG COOLER 2CD Figure A.6 A-32 SENSITIVE - NOT FOR PUBLIC DISCLOSURE IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003

3 4

TEST3 EPS-DGN-CLOGG-2CD EPS-DGN-CLOGG-2AB EPS-DGN-CLOGG-1CD EPS-DGN-CLOGG-1AB PROBABILITY THAT DEBRIS CARRY OVER TO THE THREE OUT OF FOUR EDG COOLERS PROBABILITY THAT DEBRIS CARRY OVER TO THE EDG COOLER 1AB PROBABILITY THAT DEBRIS CARRY OVER TO THE EDG COOLER 1CD PROBABILITY THAT DEBRIS CARRY OVER TO THE EDG COOLER 2AB PROBABILITY THAT DEBRIS CARRY OVER TO THE EDG COOLER 2CD Figure A.7 A-33 SENSITIVE - NOT FOR PUBLIC DISCLOSURE IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003

TEST4 EPS-DGN-CLOGG-2CD EPS-DGN-CLOGG-2AB EPS-DGN-CLOGG-1CD EPS-DGN-CLOGG-1AB PROBABILITY THAT DEBRIS CARRY OVER TO THE FOUR OUT OF FOUR EDG COOLERS PROBABILITY THAT DEBRIS CARRY OVER TO THE EDG COOLER 1AB PROBABILITY THAT DEBRIS CARRY OVER TO THE EDG COOLER 1CD PROBABILITY THAT DEBRIS CARRY OVER TO THE EDG COOLER 2AB PROBABILITY THAT DEBRIS CARRY OVER TO THE EDG COOLER 2CD Figure A.8 A-34 SENSITIVE - NOT FOR PUBLIC DISCLOSURE IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 SENSITIVE - NOT FOR PUBLIC DISCLOSURE B-1 Appendix B - Resolution of Comments A letter from American Electric Power (AEP) to the NRC dated August 26, 2003 (Ref. 13),

describes Donald C. Cook Unit 1 and Unit 2 review of and comments on the Preliminary Precursor Analysis of the condition reported in LER 50-315/01-17.

The licensee reviewed the preliminary ASP analysis and determined that the analysis is satisfactory as written.

A memo from Cynthia D. Pederson, Director, Division of Reactor Safety (DRS), Region III (Ref. 14), to Patrick Baranowsky, Chief, Operating Experience Risk Analysis Branch (OERAB), Division of Risk Analysis and Application (DRAA), Office of Nuclear Regulatory Research (RES) (dated July 30, 2003), provided review comments on the Preliminary Precursor Analysis of the condition reported in LER 315/01-017.

Region III reviewed the preliminary analysis and found it to be satisfactory.

A memo from Michael Tschiltz, Chief, Probabilistic Safety Assessment Branch (Ref. 15),

Division of Safety System Analysis (DSSA), Office of Nuclear Reactor Regulation (NRR),

to Patrick Baranowsky, Chief, OERAB, DRAA, RES (dated August 26, 2003), provided peer review comments on the Preliminary Precursor Analysis of the condition reported in LER 3156/01-017. The comments have been reviewed and the following responses provided.

DSSA/NRR Comment 1: The cutsets for sequences 19-08 and 19-17 do not match the sequence logic. The sequence logic indicates that off-site AC power has been recovered following a loss-of-off-site power initiating event and failure of the EDGs. As a result, an RCP seal LOCA occurs and HPI fails following recovery of AC power. However, the cutsets do not contain HPI failure events. It appears that the flags LOSP-A and LOSP-B in sub-fault trees DIV-A-AC and DIV-B-AC have not been appropriately reset to false for these sequences. Thus, the EDG failures from the EP fault tree incorrectly render HPI and HPR inoperable. With that as a minimal cutset, other cutsets involving HPI equipment failures as well as the EDG failures appear to be non-minimal and are eliminated from the solution.

Response Agreed. The flags LOSP-A and LOSP-B in sub-fault trees DIV-A-Ac and DIV-B-AC were fixed. The fault trees reset to false for the sequences that off site power are recovered. The HPI and HPR are no longer render as inoperable after off site power recovery.

DSSA/NRR Comment 2: The additional fault tree logic (and its quantification) are not easy to understand and may be eliminating some of the cutsets that belong in the solution for the CDP. Because recovery of EDGs with clogged heat exchangers depends on the combined number of EDGs still operating in the two units, the additional logic needs to address multiple combinations of EDG failures and recoveries for each of the 4 EDGs.

Because all of the debris that causes the clogging enters the ESW system through one

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 SENSITIVE - NOT FOR PUBLIC DISCLOSURE B-2 failed strainer on ESW pump 1E, and that pump is powered by EDG 1A, failure of that EDG by causes other than clogging would preclude clogging of any of the other EDGs.

So, basic events EPS-DGN-FS-1A and EPS-SG-TM-1A (and, perhaps EPS DGN-FR-1A) should not appear in cutsets with any clogging events. The additional fault tree logic provided for this analysis seems to have accomplished that by means of the fault tree structure, without using the mutually-exclusive top event list. However, that approach compounds the difficulty of obtaining the correct recovery actions for the combinations of clogging events (see next comment). Use of the mutually exclusive top event technique would be a cleaner approach.

Response: We agree that the use of the mutually exclusive top event technique is one approach. However, the use of fault trees as was done in the Asp analysis is another approach that would accomplish the same objectives. Since the deformed strainer is on the essential service water pump 1E, and with random failure of Service water pump 1E, the stainer will not be in service to cause clogging of EDG coolers. Therefore, there will not be any clogging of any EDG cooler when the EDG 1AB fails randomly. The sequence recovery rule is now added to the text for clarification. The text and fault trees description have revised for better understanding of logic and its quantification.

DSSA/NRR Comment 3: (3-a) The additional fault tree logic in the draft analysis is intended to accommodate different recovery probabilities for various numbers of EDGs that have failed due to heat exchanger clogging. Because of the availability of cross-ties between the two units, the additional logic needs to address failures of EDGs in the opposite unit. The draft analysis derives non-recovery probabilities for cases where 1, 2, 3 or all 4 of the EDGs have failed due to clogging. However, the fault tree logic does not appear to recognize that failures of a certain number of EDGs by a mixture of clogging and non-clogging related failures would be at least as hard to recover as the same number of failures due to clogging. The analysis report is also unclear how the probabilities were derived for the basic events in Table 4 that represent combinations of EDG failures due to clogging. In particular, it appears that incorrectly derived conditional probabilities were used to calculate the probabilities for events EPS-DGN-CLOGG-1ADG, EPS-DGNCLOGG-2ADG, EPS-DGN-CLOGG-2BDG, EPS-DGN-CLOGG-3ADG, and EPS-DGNCLOGG-3BDG. The probability for EPS-DGN-CLOGG-4DG appears to be calculated correctly.

(3-b) A clearer way to build the logic would be to add independent clogging failure events to sub-fault trees EP-DGNA and EP-DGNB, then use rules to apply the proper recovery events for the various combinations of EDGs in the cutsets obtained. For all of the 19-xx sequences, which are SBO sequences involving failure of at least the two EDGs in unit 1, the recovery logic should recognize that at least two EDGs must be failed. (For all other LOSP sequences, only one EDG in unit 1 can be failed at a time, but the non-SBO LOOP sequences appear to add little to the results.) The logic for the additional clogging events in unit 2 could be constructed as follows.

(3-c) For independent clogging events with probabilities of 0.5 for each unit 1 EDG and 0.25 for each unit 2 EDG, the probabilities for the possible clogging failure combinations are:

SENSITIVE - NOT FOR PUBLIC DISCLOSURE IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 SENSITIVE - NOT FOR PUBLIC DISCLOSURE B-3 Unit 1 Unit 2 EDG A EDG B EDG A EDG B Probability Failure Combination S (.5)

S (.5)

S (.75) S (.75) 0.140625 none fail S (.5)

F (.5)

S (.75) S (.75) 0.140625 1 in unit 1 F (.5)

S (.5)

S (.75) S (.75) 0.140625 1 in unit 1 F (.5)

F (.5)

S (.75) S (.75) 0.140625 2 in unit 1 S (.5)

S (.5)

F (.25) S (.75) 0.046875 1 in unit 2 S (.5)

S (.5)

S (.75) F (.25) 0.046875 1 in unit 2 S (.5)

S (.5)

F (.25) F (.25) 0.015625 2 in unit 2 F (.5)

S (.5)

F (.25) S (.75) 0.046875 1 in unit 1 &1 in unit 2 F (.5)

S (.5)

S (.75) F (.25) 0.046875 1 in unit 1 & 1 in unit2 S (.5)

F (.5)

F (.25)

S (.75) 0.046875 1 in unit 1 &1 in unit 2 S (.5)

F (.5)

S (.75) F (.25) 0.046875 1 in unit 1 & 1 in unit2 F (.5)

F (.5)

F (.25) S (.75) 0.046875 2 in unit 1 &1 in unit 2 F (.5)

F (.5)

S (.75) F (.25) 0.046875 2 in unit 1 & 1 in unit2 S (.5)

F (.5)

F (.25)

F (.25) 0.015625 1 in unit 1 &2 in unit 2 F (.5)

S (.5)

F (.25)

F (.25) 0.015625 1 in unit 1 & 2 in unit2 F (.5)

F (.5)

F (.25)

F (.25) 0.015625 all fail 1.000000 Conditional probabilities can be determined from this table by adding all of the probabilities that have the desired outcome under the desired conditions and dividing by the sum of all the probabilities of the desired condition. For all of the cases where there is only one failure (by clogging) in unit 1, there is a conditional probability of [0.1835 / 0.5 =]

0.367 that there will also be one EDG failed in unit 2 by clogging and a probability of

[0.03125 / 0.5 =] 0.0625 that there will also be two EDGs failed in unit 2 by clogging. The same thing can be done without the table by using the mathematical expressions for the conditions, but the table is a good means of assuring that parts of the solution are not overlooked.

For cases where both EDGs in unit 1 have failed due to clogging, the conditional probability for one unit 2 EDG to be failed by clogging is [0.09375 / 0.25 =] 0.375 and the conditional probability for both unit 2 EDGs to be failed by clogging is [0.015625 / 0.25 =]

0.0625.

(3-d)As discussed in comment 2, cutsets where unit 1 EDG A has failed by a mechanism other than clogging precludes clogging events in the other EDGs, so no special clogging recovery probabilities are needed for those cutsets.

(3-e) For cases where unit 1 EDG A has failed by clogging, and unit 1 EDG B has failed by some mechanism other than clogging (i.e., failed to start, failed to run, or unavailable due to test and maintenance), it is not determined whether unit 1 EDG B would have failed by clogging if it had not failed first due to another cause. The probability that it would have failed by clogging if it had not failed by the other failure event in the cutset is the same clogging failure probability, because the degree of clogging is independent of whether the EDG is running. So, the conditional probabilities for failure of unit 2 EDGs are based on all of the combinations where unit 1 EDG has not failed. For one EDG failed in unit 2, the conditional probability is [0.1875 / 0.5 =] 0.375, and for both unit 2 EDGs clogged, the conditional probability is [0.03125 / 0.5 =] 0.0625.

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 SENSITIVE - NOT FOR PUBLIC DISCLOSURE B-4 (3-f) Similarly, non-SBO cutsets involving success of unit 1 EDG A and failure of EDG B by other means involve the other half of all of the combinations, where unit 1 EDG A has not failed. Those cutsets have a conditional probability of [0.1875 / 0.5 =] 0.375 for failure of one EDG in unit 2, and a conditional probability of [0.03125 / 0.5 =] 0.0625 for failure of both EDGs in unit 2. However, non-SBO cutsets are expected to contribute little to the result. Cutsets involving no EDG failures in unit 1 would not contribute to the CDP for the ASP analysis of the clogging condition.

(3-g) Because the recoveries of clogged unit 1 EDGs depend on the number of EDGs available in both units, failure of unit 2 EDGs by mechanisms other than clogging should also be considered. So, the conditional failure of one unit 2 EDG should be increased by the FR, FS and TM probabilities for both EDG 2A and EDG 2B. These increases should be calculated probabilistically to assure that only one unit 2 EDG is failed, so the products of the independent failures need to be subtracted from the total. Specifically, for P2A-total = P2A-clog + (P2A-FS +P2A-FR + P2A-TM) - P2A-clog x P2A-FR and P2B-total = P2B-clog + (P2B-FS +P2B-FR + P2B-TM) - P2B-clog x P2B-FR, the probability of the conditions with only one unit 2 EDG being failed is P2A-total x (1 - P2B-total) + P2B-total x ( 1 - P2A-total) - P2A-total x P2B-total.

(This assumes that the usual PRA basic events have probabilities that were already derived in a manner to make them independent.)

Similarly, the conditional failure probabilities for two unit 2 EDGs would be increased by the (other than clogging) common-cause failure probabilities for the unit 2 EDGs as well as by the appropriate combinations of independent failures by FR, FS and TM.

(3-h)The resulting conditional probabilities can be used to construct appropriate non-recovery probabilities for the clogged EDGs in unit 1, which can then be applied to the appropriate cutsets by rules. For example, the combined non-recovery probability for application to SBO cutsets can use the knowledge that both unit 1 EDGs must be failed for those cutsets. The issue is to apportion the non-recovery probability properly for cases where two, one and no unit 2 EDGs are also failed. Those conditional probabilities have been calculated such that they are mutually exclusive, so they can simply be used to weight the non-recovery probabilities that are calculated for the availability of specific numbers of EDGs. The calculation is further simplified by the fact that the non-recovery probability is the same for cases with 2 and 3 EDGs not available. So the effective non-recovery probability for the SBO cutsets becomes P[all l 2 in unit 1] x NRall!failed +(1 - CP[all l 2 in unit 1]) x NR2 or 3 failed. As discussed above, the cutsets with two EDG clogging basic events would use one value of P[all l 2 in unit 1] and the cutsets with EDG 1A clogged and EDG 1B failed by a different mechanism would use another value. (Cutsets with EDG1B clogged and EDG1A failed by another mechanism would be eliminated because EDG1A powers the ESW pump with the failed strainer.)

(3-i) Similar logic can be used to calculate the appropriate non-recovery value for the non-SBO cutsets. For those cases, only one EDG in unit 1 can be failed (otherwise, it would be an SBO cutset), so the computation involves only the non-recovery values NR1!failed and NR2!or!3!failed. Also, because the EP-DGNx fault trees in the basic model contain the non-

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 SENSITIVE - NOT FOR PUBLIC DISCLOSURE B-5 recovery basic events EPS-XHE-XR-1x, it will be necessary to use a mutually exclusive rule for this nonclogging recovery and the clogging failure event for the same EDG.

Response: (3-a) The fault tree logic addresses failures in all EDGs including those in the opposite unit. The fault tree takes into account the failures of the different combinations both the clogging and non-clogging mechanisms. It also recognizes that if the essential service water 1E fails due to random failure, there is no clogging. In the case when there is a mixture of failures due to clogging and non-clogging (random failure), we do not believe that the HRA methodology is sufficiently precise to establish failure probabilities which would discriminate between the clogging or mixture of clogging and non-clogging failures.

(3-b) The independent clogging and non clogging failures are built in the fault tree logic.

This includes failures of EDGs due to cross-tie in service water. However, it should be noted that the failures just due to non-clogging are not significant with respect to clogging and mixture of clogging and non-clogging. The logic that built into the fault trees, will eliminate non-logical cutsets ( i.e., random failure of service water pump 1E and failure of the other diesels due to clogging)

(3-c) The probabilities for different combinations of EDG failures in the ASP analysis are derived from fault trees. These probabilities are the same or very close to those that are derived by NRR. (see Appendix A) (The number 0.1835 does not match with the table that provided by NRR).

(3-d) As discussed previously, eliminates non-logical cutsets for the case when EDG 1AB fails by a mechanism other than clogging. In these cases recovery action is not included.

(3-e) See response to comment (3-c)

(3-f) We agree that the non-SBO cutsets contribute only a little to results. Our GEM output shows this.

(3-g) The failure of unit 2 EDGs by mechanisms other than clogging are considered (fail to run, TM,...) In the ASP analysis. These cutsets are shown in GEM output. The fault trees logic includes all failure mechanisms of EDGs, i.e., fail to run, fail to start, common cause failures, and test and maintenance.

(3-h) Agree. The fault tree logic addresses these concerns and the fault tree logic eliminates all non-logical cutsets when pump 1E fails by other mechanism like fail to start,

run and test and maintenance, since no clogging is possible.

(3-I) Agree. In the Asp analysis, the recovery values are dependent on whether there is one EDG failure, two or three EDG failures, or failure of all four EDGs. The analysis uses the same HEP for cases where 2 or 3 EDG failures.

DSSA/NRR Comment 4: Recently, the SDP notebook for Cook was modified to reflect a finding made during the SDP notebook/SPAR benchmarking site visit conducted in July,

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 SENSITIVE - NOT FOR PUBLIC DISCLOSURE B-6 2002. The licensee already had this logic in the plant PRA to reflect the plant procedures.

These procedures involve restart of the CCW pumps following Station Blackout. Copies of the notebook pages and licensees PRA pages are attached. Also, the operators are instructed per EOP step 7 (ECA 0.0 Loss of All AC Power) to "pull to lockout:

MDAFPs CCPs RHR pumps SI pumps CTS pumps CCW pumps NON running NESW pumps" Operators must manually restart CCW following recovery of AC power. It is not clear if the most recent SPAR model has been revised to reflect this information. The CCW issue is important in the model because it makes the recovered station blackout sequences more risk significant by reflecting an additional failure mode for HPI / HPR. Those sequences are important to both CDF and LERF.

Response: Agree. The Version 3.01 of the D.C. Cook SPAR model reflects your comments. This is the version used in the ASP analysis.

DSSA/NRR Comment 5: Although not pertinent to the dual-LOOP sequences that are evaluated for this ASP analysis, the following comment applicable to single-unit-LOOP sequences is provided because the licensees analysis for this event has substantial contributions from single-unit-LOOP initiators. During a July 11, 2003 telecon with the licensee regarding a potential emergency technical specification amendment (failure of Unit 2 EDG 2CD), the OST discussed potential use of the CVCS cross-tie during a single unit SBO. For a single unit SBO, use of the opposite/unaffected unit's CVCS cross-tie for RCP seal LOCA prevention may be operationally inappropriate. Use of the CVCS cross-tie would require use of the unaffected unit's RWST which has approximately 2500 ppm boron and would result in a transient/shutdown of the unaffected unit through RCS boration. This has an accelerated affect during middle to end-of-life core conditions.

Shutdown of the operating unit may complicate power recovery to the unit experiencing the SBO. Based on this information, the SPAR 3i model may be non-conservative since CVCS cross-tie is credited for a single unit SBO (see Appendix F of the SPAR manual).

Response: Comment noted. This ASP did not analyze the single unit LOOP., since the risk of this scenario is relatively low due to the availability of cross-tie.

DSSA/NRR Comment 6: Because the strainer failure increased the core damage frequency for both units, the risk of a core damage accident in one or more units is a combination of the CDP values calculated for unit 1 and unit 2. However, because of the mixture of correlated (between the two units) and random events that create the two CDP values, it is not clear how to calculate the combination. However, the combination is clearly somewhere between the values obtained by treating them as totally random and completely correlated. For completely random CDPs, the combined result would be CDP1 + CDP2 - CDP1 x CDP2, which would be 3.1 x 10-6 for the values in the

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 SENSITIVE - NOT FOR PUBLIC DISCLOSURE B-7 current draft report. For completely correlated CDPs, the combined result would be only the higher of the two individual values, 1.6 x 10-6 Response: Agree. It should be noted that the ASP analysis reports individual unit CDPs.

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 SENSITIVE - NOT FOR PUBLIC DISCLOSURE SENSITIVE - NOT FOR PUBLIC DISCLOSURE B-8 GEM Output C O N D I T I O N A S S E S S M E N T Code Version: 6:75 Model Version : 1998/11/05 Project : COOK_3I Duration (hrs) : 8.8E+003 User Name : INEEL Total CCDP : 8.4E-005 Event ID : CASE (0.5, 0.25, 0.3) Total CDP : 7.5E-005 Description : Condition Assessment Mean CDP : 1.1E-005 BASIC EVENT CHANGES Event Name Description Base Prob Curr Prob Type AFW-XHE-XM-XTIEUNIT OPERATOR FAILS TO XTIE OPPOS 1.5E-001 1.0E+000 TRUE EPS-DEBRIS-INTAKE PROBABILITY THAT DEBRIS WITH +0.0E+000 3.0E-001 EPS-DGN-CLOGG-1ADG PROBABILITY OF DEBRIS CARRY +0.0E+000 1.8E-001 EPS-DGN-CLOGG-2ADG PROBABILITY OF DEBRIS CARRY +0.0E+000 2.5E-001 EPS-DGN-CLOGG-2BDG PROBABILITY OF DEBRIS CARRY +0.0E+000 1.3E-001 EPS-DGN-CLOGG-3ADG PROBABILITY OF DEBRIS CARRY +0.0E+000 1.1E-001 EPS-DGN-CLOGG-3BDG PROBABILITY OF DEBRIS CARRY +0.0E+000 5.3E-002 EPS-DGN-CLOGG-4DG PROBABILITY OF DEBRIS CARRY +0.0E+000 1.6E-002 EPS-STRAINER-FAILED PROBABILITY THAT FAILED STRA +0.0E+000 7.7E-001 SEQUENCE PROBABILITIES Truncation : Cummulative : 100.0% Individual : 0.0%

Event Tree Name Sequence Name CCDP CDP Importance LOOP 25-02 6.0E-006 9.4E-007 5.0E-006 LOOP 25-09 1.8E-006 2.9E-007 1.5E-006 LOOP 25-15 7.0E-007 2.3E-008 6.7E-007 LOOP 25-13 5.9E-007 9.4E-008 5.0E-007 TRANS 18 3.7E-007 8.3E-008 2.9E-007 LOCCW 29 3.4E-007 7.8E-008 2.6E-007 LOESW 29 3.4E-007 7.8E-008 2.6E-007 LOOP 25-12 1.1E-007 2.3E-008 8.7E-008 LOOP 24 8.2E-008 1.7E-008 6.5E-008 LOOP 25-05 6.3E-008 8.7E-009 5.4E-008 NOTE: Percent contribution to total Importance.

SEQUENCE LOGIC Event Tree Sequence Name Logic LOOP 25-02 /RPS EPS

/AFW3 /PORV4

/RCPSL OEP-BD LOOP 25-09 /RPS EPS

/AFW3 /PORV4 RCPSL OEP-SL LOOP 25-15 /RPS EPS AFW3 OEP-1H LOOP 25-13 /RPS EPS

/AFW3 PORV4 OEP-1H

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 SENSITIVE - NOT FOR PUBLIC DISCLOSURE SENSITIVE - NOT FOR PUBLIC DISCLOSURE B-9 TRANS 18

/RPS AFW MFW FAB LOCCW 29

/RPS AFW1 MFW CCW-NR LOESW 29

/RPS AFW1 MFW ESW-NR LOOP 25-12

/RPS EPS

/AFW3 PORV4

/OEP-1H FAB LOOP 24

/RPS

/EPS AFW2 FAB1 LOOP 25-05

/RPS EPS

/AFW3

/PORV4 RCPSL

/OEP-SL

/HPI

/COOLDOWN RHR HPR Fault Tree Name Description AFW AFW IS UNAVAILABLE AFW1 AFW USING LOESW-FT FAULT TREE FLAGS AFW2 AFW USING LOOP-FT FAULT TREE FLAGS AFW3 AFW USING SBO-FT FAULT TREE FLAGS CCW-NR LOSS OF COMPONENT COOLING WATER IS NOT RECOVERED COOLDOWN RCS COOLDOWN TO RHR PRESSURE USING TBVs, ETC.

EPS EMERGENCY POWER IS UNAVAILABLE ESW-NR OPERATOR FAILS TO RECOVER ESSENTIAL SERVICE WATER FAB FEED AND BLEED COOLING FAILS FAB1 FEED AND BLEED USING LOOP-FTF FAULT TREE FLAGS HPI NO OR INSUFFICIENT FLOW FROM THE HPI SYSTEM HPR NO OR INSUFFICIENT HPR FLOW MFW MAIN FEEDWATER IS UNAVAILABLE OEP-1H OFFSITE POWER RECOVERY IN ONE HOUR OEP-BD OPERATOR FAILS TO RECOVER OFFSITE POWER BEFORE BATTER OEP-SL OPERATOR FAILS TO RECOVER OFFSITE POWER (SEAL LOCA)

PORV4 PORVs/SRVs OPEN DURING STATION BLACKOUT RCPSL REACTOR COOLANT PUMP SEALS FAIL FROM LACK OF COOLING RHR NO OR INSUFFICIENT FLOW FROM THE RHR SYSTEM RPS REACTOR FAILS TO TRIP SEQUENCE CUT SETS Truncation: Cummulative: 100.0% Individual: 1.0%

Event Tree: LOOP CCDF: 6.8E-010 Sequence: 25-02 Cutsets removed during SUNSI review

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 SENSITIVE - NOT FOR PUBLIC DISCLOSURE SENSITIVE - NOT FOR PUBLIC DISCLOSURE B-10 Cutsets removed during SUNSI review

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 SENSITIVE - NOT FOR PUBLIC DISCLOSURE SENSITIVE - NOT FOR PUBLIC DISCLOSURE B-11 Cutsets removed during SUNSI review

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 SENSITIVE - NOT FOR PUBLIC DISCLOSURE SENSITIVE - NOT FOR PUBLIC DISCLOSURE B-12 Cutsets removed during SUNSI review

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 SENSITIVE - NOT FOR PUBLIC DISCLOSURE SENSITIVE - NOT FOR PUBLIC DISCLOSURE B-13 Cutsets removed during SUNSI review

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 SENSITIVE - NOT FOR PUBLIC DISCLOSURE SENSITIVE - NOT FOR PUBLIC DISCLOSURE B-14 Cutsets removed during SUNSI review

IR No: 50-315/01-17, 50-316/01-17 & LER 316/01-003 SENSITIVE - NOT FOR PUBLIC DISCLOSURE SENSITIVE - NOT FOR PUBLIC DISCLOSURE B-15 Cutsets removed during SUNSI review

ML20112F482

Text

Navigation menu

Search