ML20129D790
| ML20129D790 | |
| Person / Time | |
|---|---|
| Site: | Catawba  |
| Issue date: | 10/24/1996 |
| From: | Tam P NRC (Affiliation Not Assigned) |
| To: | Mccollum W DUKE POWER CO. |
| References | |
| TAC-M95254, NUDOCS 9610250138 | |
| Download: ML20129D790 (25) | |
Text
-
' Jir. William R. McCollua October 24, 1996 Site Vice President Catawba Nuclear Station l
Duke Power Company j
4800 Concord Road York, South Carolina 29745-9635
SUBJECT:
CATAWBA NUCLEAR STATION - FINAL ACCIDENT SEQUENCE PRECURSOR ANALYSIS OF EVENT AT CATAWBA NUCLEAR STATION, UNIT 2 (TAC M95254) l
Dear Mr. McCollum:
i Enclosed for your information is a copy of the final Accident Sequence Precursor (ASP) analysis of the operational event at Catawba Nuclear Station, r
Unit 2, reported in Licensee Event Report (LER) No. 414/96-001. This final analysis (Enclosure 1) was prepared by our contractor at the Oak Ridge National Laboratory (ORNL), based on review and evaluation of your comments on the preliminary analysis and comments received from the NRC staff and from our independent contractor, Sandia National Laboratories (SNL).
contains our responses to your specific comments, transmitted by your letter of June 11, 1996.
Our review of your comments employed the criteria contained in the material which accompanied the preliminary analysis. The results of the final analysis indicate that this event is a precursor for 1996.
Please contact me at 301-415-1451 if you have any questions regarding the enclosures. We recognize and appreciate the effort expended by you and your staff in reviewing and providing comments on the preliminary analysis.
Sincerely, Original si ned b Peters. Tam,SeniorihojectManager Project Directorate II-2 Division of Reactor Projects - I/II Office of Nuclear Reactor Regulation Docket No. 50-414
Enclosures:
(1) Final ASP (2) Review of DPC's 6/11/96 response cc:
See next page DISTRIBUTION.
Docket File-PUBLIC f
PDII-2 Reading S:l'Ai'nski MC M CMB WY E. Merschoff, RII 1
RCrlenjak, RII OGC, 0-15B18 950 n l'3 e
ACRS, TWF DOCUMENT NAME: G:\\ CATAWBA \\ CAT 95254.LTR To receive a copy of this document, indicate in the box:
"C" = Copy without attachment / enclosure "E" = Copy with attachment /entinsv e "N" - No co )y 0FFICE DRPE\\POII-2\\PM l
Poll-2\\LA M
l PD1Ij@O l
l j
NAME Pian:ces /V M LBerry.
/ ' l' d
./f7 Hig[Med DATE 10/2,)/%
M' I
10/V/%
// '~10/23 /96 10/ /%
OFFICIAL RECORD COPY 9610250138 961024 PDR ADOCK 05000414 S
- f "*%
g-4 UNITED STATES
~ j NUCLEAR REGULATORY COMMISSION g
- g WASHINGTON, D.C. 20655-0001 g
October 24, 1996 1
Mr. William R. McCollum Site Vice President Catawba Nuclear Station Duke Power Company 4800 Concord Road York, South Carolina 29745-9635
SUBJECT:
CATAWBA NUCLEAR STATION - FINAL ACCIDENT SEQUENCE PRECURSOR ANALYSIS OF EVENT AT CATAWBA NUCLEAR STATION, UNIT 2 (TAC M95254)
Dear Mr. McCollum:
4 Enclosed for your information is a copy of final Accident Sequence Precursor (ASP) analysis of the operationai event at Catawba Nuc'2ar Station, Unit 2, reported in Licensee Event Report (LER) No. 414/96-001.
This final analysis (Enclosure 1) was prepared by our contractor at the Oak Ridge National Laboratory (0RNL), based on review and evaluation of your comments on the preliminary analysis and comments received from the NRC staff and from our independent contractor, Sandia National Laboratories (SNL).
contains our responses to your specific comments, transmitted by your letter of June 11,-1996.
Our review of your comments employed the criteria contained in the material which accompanied the preliminary analysis. The results of the final analysis indicate that this event is a precursor for 1996.
Please contact me at 301-415-1451 if you have any questions regarding the enclosures. We recognize and appreciate the effort expended by you and your staff in reviewing and providing comments on the preliminary analysis.
Sincerely, r
k Pete
. Tam, Senior Project Manager Project Directorate 11-2 Division of Reactor Projects - 1/II Office of Nuclear Reactor Regulation Docket No. 50-414
Enclosures:
(1) Final ASP (2) Review of DPC's 6/11/96 response cc:
See next page
Mr. W. R. McCollum Duke Power Company Catawba Nuclear Station cc:
Mr. M. S. Kitlan North Carolina Electric Membership Regulatory Compliance Manager Corporation Duke Power Company P. O. Box 27306 4800 Concord Road Raleigh, North Carolina 27611 York, South Carolina 29745 Senior Resident Inspector Mr. Paul R. Newton 4830 Concord Road Legal Department (PB05E)
York, South Carolina 29745 Duke Power Company 422 South Church Street Regional Administrator, Region 11 Charlotte, North Carolina 28242-0001 U. S. Nuclear Regulatory Commission 101 Marietta Street, NW. Suite 2900 J. Michael McGarry, III, Esquire Atlanta, Georgia 30323 Winston and Strawn 1400 L Street, NW Max Batavia, Chief Washington, DC 20005 Bureau of Radiological Health South Carolina Department of North Carolina Municipal Power Health and Environmental Control Agency Number 1 2600 Bull Street 1427 Meadowwood Boulevard Columbia, South Carolina 29201 P. O. Box 29513 Raleigh, North Carolina 27626-0513 Mr. G. A. Copp Licensing - EC050 Mr. Peter R. Harden, IV Duke Power Company Account Sales Manager 526 South Church Street Westinghouse Electric Corporation Charlotte, North Carolina 28242-0001 Power Systems Field Sales P. O. Box 7288 Saluda River Electric Charlotte, North Carolina 28241 P. O. Box 929 Laurens, South Carolina 29360 County Manager of York County York County Courthouse Ms. Karen E. Long York, South Carolina 29745 Assistant Attorney General North Carolina Department of Justice Richard P. Wilson, Esquire P. O. Box 629 Assistant Attorney General Raleigh, North Carolina 27602 South Carolina Attorney General's Office Elaine Wathen, lead REP Planner P. O. Box 11549 Division of Emergency Management Columbia, South Carolina 29211 116 West Jones Street Raleigh, North Carolina 27603-1335 Piedmont Municipal Power Agency 121 Village Drive Dayne H. Brown, Director Greer, South Carolina 29651 Division of Radiation Protection N.C. Derartment of Environment, i
Mr. T. Richard Puryear Health and Natural Resources Owners Group (NCEMC)
P. O. Box 27687 Duke Power Company Raleigh, North Carolina 27611-7687 4800 Concord Road York, South Carolina 29745
LER No. 414/96-00I LER No. 414/96-001 Event
Description:
Loss of Offsite Power (LOOP) with Emergency Diesel Generator (EDG)B Unavailable Date ofEvent: February 6,19%
Plant: Catawba 2 Event Summary At 1231 hours0.0142 days <br />0.342 hours <br />0.00204 weeks <br />4.683955e-4 months <br />, on February 6,1996 Unit 2 was at 100% power when ground faults on the 2A main transformer X-phase and 2B main transformer Z-phase potential transformers resulted in a loss of offsite power (LOOP). The reactor scrammed and emergency diesel generator (EDG) 2A (train A) started and loaded. EDG 2B was out of-senice because of a faulty ac capacitor in the battery charger for that diesel generator. EDG 2B (train B) was returned to senice and its emergency bus (2ETB) energized at 1522 hours0.0176 days <br />0.423 hours <br />0.00252 weeks <br />5.79121e-4 months <br /> (2 h 51 min into the event). Using parts from the 2A main transformer, the 2B main transfonner was repaired and offsite power restored to Unit 2 on February 8,1996, at 0120 hours0.00139 days <br />0.0333 hours <br />1.984127e-4 weeks <br />4.566e-5 months <br /> (36 h 49 min into the event). The conditional core damage probability estimated for this event is 2.1 = 104 Event Description At 1231 hours0.0142 days <br />0.342 hours <br />0.00204 weeks <br />4.683955e-4 months <br />, on February 6,1996, Unit 2 was at 100% power when ground faults on the resistor bushings for the 2A main transformer X-phase and 2B main transformer Z-phase potential transfonners resulted in a LOOP. The reactor I
scrammed, and EDG 2A started and loaded. EDG 2B was out-of-service because of a faulty ac capacitor in the diesel battery charger. EDG 2B was returned to senice and its emergency bus (2ETB) energized at 1522 hours0.0176 days <br />0.423 hours <br />0.00252 weeks <br />5.79121e-4 months <br /> (2 h 51 min into the event). Not all emergency loads on bus 2ETB were energized due to activities in progress to implement a cross-tie to Unit 1. At 1800 hours0.0208 days <br />0.5 hours <br />0.00298 weeks <br />6.849e-4 months <br /> (5 h 29 min into the event), the cross-tie activities for train B were completed and the source for bus 2ETB was transferred to transformer SATB (a Unit i B-train offsite power source supplied power to Unit 2 transformer SATB). Initial efforts to complete the cross-tie to bus 2ETB were unsuccessful because of a procedural inadequacy. At 2000 (7 h 29 min into the esent), cross-tic activities were completed for EDG Train A and power was transferred to transformer SATA (a Unit 1 A-train offsite power source supplied power to Unit 2 transformer SATA).
Personnel repaired the 2B main transformer using parts from the 2A transformer and restored offsite power to Unit 2 on February 8,1996, at 0120 hours0.00139 days <br />0.0333 hours <br />1.984127e-4 weeks <br />4.566e-5 months <br /> (36h 49 min into the event) Repairs on the 2A main transformer were not completed until 0327 hours0.00378 days <br />0.0908 hours <br />5.406746e-4 weeks <br />1.244235e-4 months <br /> on February 11,1996 (62 h 56 min from the start of the event).
At 1236 hours0.0143 days <br />0.343 hours <br />0.00204 weeks <br />4.70298e-4 months <br />, or 5 min after the LOOP, operators manually closed the Main Steam Isolation Valves (MSIVs). At 1238 hours0.0143 days <br />0.344 hours <br />0.00205 weeks <br />4.71059e-4 months <br />, a safety injection (SI) actuation occurred because oflow steam line pressure in the 2A steam generator (SG). At 1247 hours0.0144 days <br />0.346 hours <br />0.00206 weeks <br />4.744835e-4 months <br />, the pressunzer power operated relief valve (PORV) 2NC34A began to cycle; at 1310 hours0.0152 days <br />0.364 hours <br />0.00217 weeks <br />4.98455e-4 months <br /> (39 min into the event), the pressunzer level went off-scale high as the reactor coolant system (RCS) became water solid. At 1320
]
hours, the pressunzer relief tank (PRT) pressure increased and the PRT rupture disc ruptured as PORV 2NC34A continued to cycle. A steam bubble was reestablished in the pressunzer at 1926 hours0.0223 days <br />0.535 hours <br />0.00318 weeks <br />7.32843e-4 months <br /> (6 h 55 min into the event or 6 j
h 16 min after becommg water solid). PORV 2NC34A fully stroked approximately 43 times on steam and an additional 31 times on water. A Nuclear Regulatory Commission (NRC) Inspection Team estimated that this PORV came offits closed seat about 110 times. (Evaluations by the licensee of stroke-time tests and visual extemal inspection concluded that no damage to PORV 2NC34 A occurred. The PORV was supplied by Control Omoonents Incorporated. The PRT rupture disc was replaced on February 9,1996 at 1428 hours0.0165 days <br />0.397 hours <br />0.00236 weeks <br />5.43354e-4 months <br />.)
I bc fosure.
l
=
LER Na 414664ml At 1641 hours0.019 days <br />0.456 hours <br />0.00271 weeks <br />6.244005e-4 months <br /> (4 h 1 I min into the event), control room operators received a report of a leak in the penetration room.
[!t was subsequently determined that three pit sump check valves from the turbine-driven auxiliary feedwater pump (TDAFWP) were leaking into the penetration room.] The TDAFWP was semred at 1759 hours0.0204 days <br />0.489 hours <br />0.00291 weeks <br />6.692995e-4 months <br /> (5 h 29 min into the event). Water in the pit sump for the TDAFWP was pumped to the turbine buildmg sump. Back leakage through check valves 2WL894,2WL836, and 2WL834 allowed the discharge from the sump for the TDAFWP to fill floor drain sump "C," which overflowed onto the Auxiliary Feedwater (AFW) pump rcom floor to a level of several inches. (This area is separated from the AFW pump pits by a concrete curb approximately 18 inches high. The floor drain sump "C" is not powered by emergency power and, therefore, would be unavailable until offsite power is restored.) Operators manually closed valves 2WL835 and 2WL836, thereby stopping the water leakage.
Because of a leak in the instrument air system, the containment was purged by using the Containment Air Release and Addition System on February 7,1990, at 1033 hours0.012 days <br />0.287 hours <br />0.00171 weeks <br />3.930565e-4 months <br />. Air leakage was a recurrmg problem, as shown by venting data.
This data shows that Unit 2 was being vented every 12 h prior to this event. During this event, containment temperature increased in response to the loss of containment chilled water to th ventilation units (containment chilled water is not a diesel-backed load) When the PRT rupture disc ruptured, containment pressure increased further (pressure peaked at 0.9 psig). This pressure increase was suflicient to pvtially open some-but not all-of the ice condenser lower inlet doors. Energy absorption was limited to contact with ice in the lowest portion of the ice condenser. Because there was no flow through the ice condenser, the intermediate and upper deck doors did not open Additional Event-Related Information Each AFW pump is mounted in a separate pit for Net Positive Suction Head (NPSH) requirements. To prevent flooding of these pits, each motor-driven pump pit is supplied with a 50-gpm sump pump that discharges to the Liquid Radwaste System. For the TDAFWP, the turbine oil is cooled through the lube oil cooler by a small portion of the discharge flow.
The *IDAFWP turbine oil cooler flow and a ponion of the turbine seal water empty directly into the pit for the TDAFWP.
If the sump is not drained, failure of the TDAFWP could occur in as early as three hours. To provide extra assurance that the TDAFWP will not fail as a result of flooding, the pit for the TDAFWP is outfitted with two 50-gpm samp pumps.
One of these sump pumps can be powered durmg a LOOP from either EDG 2A or from the standby shutdown facility; the other sump pump is powered from EDG 28.
A standby shutdown facility (SSF) is located in a separate building on the Catawba site. This facility, which is not normally manned, is capable of providing limited high-pressure injection for RCS makeup and reactor coolant pump (RCP) seal cooling (provided an RCP weal bss-of-coolant accident (LOCA) does not occur]. The SSF includes a separate diesel generator that can power SSFB loads in the event of a station blackout. The diesel generator for the SSFC can also power one of the sump pumps for the TDAFWP. The SSF systems are single trains and, therefore, are susceptib:e to a single failure. In conjunction with the TDAFWP and the availaHlity of SGs, the SSFs can maintain hot standby conditions for both units. An operator was sent to man the SSF facility dunng this event, however, the SSF was never started.
The licensee evaluated the flooding of the AFW pump room in its Individual Plant Examination (IPE). (Recall, the AFW pump room was in danger of being flooded by operating the TDAFWP.) The IPE flood analysis for the AFW pump room evaluates a break in a pipe outside of the sump pits. Water will reach the base of the Auxiliary Shutdown Panel at the same time it reaches the top of the curb around the AFW pump pits. (The curb walls around the pit are 18 inches high ) The lowest point of switches, fuses, or terminal strips within the Auxiliary Shutdown Panel is 8 inches from the base. When v< ster reaches this level, the IPE assumes that equipment controlled from the Auxiliary Shutdown Panel is unavailable. E ccause the floor area outside the AFW pump room is about 2,2316 square feet and the curb is 18 in. high, the estimated time to flood the turbine-driven pump pit area is about 33 h. The leakage into the t;.rbine-driven pump pit is within the capability of the operating sump pump. If this pump failed, an additional 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> would be available before 2
i LER No. 414/96-001 l
l the leakage or the water accumulation in the turbine driven pump pit could fail the pump. After the pump pits are l
flooded, there is an additional area of 1,110 square feet in the room for water to cover. The IPE funher estimates that l
there is 41.6 min available to isolate a flood of 2,429 gpm. Therefore, flooding of the TDAFWP is not considered l
credible because considerable time was available to mitigate the flooding.
Modeling Assumptions l
This event was modeled as a LOOP initiator with failure of train B of the emergeacy power system. Because offsite l
power was not restored for about 1 % days and both offsite power transformers required major repairs before power could be restored through these transformers, it was assumed that operators could not have restored offsite power during the event. Therefore, the following basic events were set to "TRUE" (i c., failed):
(l) s :ratorfalls to ncover ofsate power within 2 h (OEP-X1E-NOREC-2H),
(2) operatorfails ta ncover ofsitepower within 6 h (OEP XlE-NOREC-6H),
1 (3) operatorfails to recover offsite power before battery depletion (OEP-X1E NOREC-BD), and (4) operatorfails to recover offsite power given a sealLOCA (OEP X)E-NOREC-SL).
In addition, the probability that the PORVs open during a transient (PORV) was set to "TRUE" because one PORV (2NC34A)lified more than 74 times.
AC power to the emergency buses was assumed to be potentially recoverable to the emergency buses by implementing f
a cross-tie to Unit I and by recovering EDG 28. These actions were assumed to be independent for this analysis given that the event occurred during the day shift (This assumption would have to be confirmed for an event occurring outside W the day shift because it was unknown if suflicient personnel would be availabic during the period between 5:00 pm and 8:00 am to perform all the actions in parallel that were performed during this event.)
i The LOOP event tree for Catawba is shown in Fig.1. Credit for the SSF at Catawba was accounted for by adding the fault tree shown in Fig. 2 at the SSF branch point in the event tree shown in Fig.1. The failure probabilities for the basic l
events SSFB and SSFC were obtained from the Catawba IPE. Basic event SSFB is the failure to provide seal cooling I
to the reactor coolant pumps; basic event SSFC is the failure to provide power to the sump pump for the TDAFWP.
The recovery of power by implementing a cross-tic to Unit I was modeled by adding the basic eventfailure to cross-tie EDG B emergency bus within 3 h [OEP XIE-NOCRS-B] to the Catawba fault trees for failure to recover power prior to core uncovery given an RCP seal LOCA (OP-SL, see Fig. 3) and prior to battery depletion given no seal LOCA (OP-l BD, see Fig. 4). Failure to cross-tie to Unit I was modeled as a time-reliability correlation (TRC) as described in l
" Human Reliability Analysis," E. M. Dougheny and J. R. Fragola, John Wiley and Sons, New York,1988. Because sequences of concern in the analysis involve a station blackout, the " recovery with hesitancy" TRC-as described in Chapter 1I of the reference-was used in the analysis. The probability distribution for this TRC is lognormal, with an error factor of 6.4. To reflect the observed time to implement the cross-tie, a median response of 60 min was assumed, following a 30 minute delay. The probability of crew failure at 3 h, estimated using this TRC and response time, is 0.27, i
A single sump pump must be available (requiring emergency power or power from the SSF) within 3 h to prevent failure l
of the TDAFWP as a result offlooding.
5 The probability of 3 acal LOCA was obtained from NUREG 1032," Evaluation of Station Blackout at Nuclear Power Plants," and RCP seal LOCA models were developed as pan of the NUREG-1150 probabilistic risk assessment effons, i
I as described in " Revised LOOP Recovery and PWR Seal LOCA Models" (ORNL/NRC/LTR-89/11, August 1989). This l
model assumes that it would take 2 h to uncover the core given a seal LOCA and that the seal LOCA would occur within 3
LER No. 414/96-001 4
I h of the station blackout. Therefore, the assumption was made that the core would be uncovered 3 h after the initiation of the station blackout.
The basic event for failing to recover EDG 2B was developed with an exponential repair model with a median repair time of 140 min and a delay of 30 min (EPS-XHE EDGB NOR). (EDG 2B was recovered within 3 h.) Based on this repair model, the probability of failing to recover EDG 2B is 0.48.
3 To account for the longer run time of EDG 2A during this event, the failure probability was modtfied from 0.042 to j
0.045. Hence, the mission time for this event was increased from 6 h to 7.5 h while maintaining the same failure to start probability (0.03) and the same failure to run failure rate (0.002/h), as reported in the " ASP Models, PWR B, Catawba Units I and 2 " Revision 1, November 1994.
Although the AFW pump room was flooding and the source of the flooding was bearing and oil cooling water from the TDAFWP via the sump to the TDAFWP, the TDAFWP was considered operable with no change in the failure probability because (1) operators isolated the leak. s%2) operators would have had at least 33 h to isolate the leak if
)
the TDAFWP had been required to mn. The 33 h estimate was obtained by multiplying the time provided in the IPE for isolating a flood (41.6 min) by the assumed flooding rate in the IPE (2,429 gpm) and dividing t y the maximum sump pump flow for the TDAFWP. This result is then convened to hours by dividmg by 60 min /h [ii. (41.6 min) = (2429 gpm / 50 gpm) /(60 min /h) = 33 hl.
Analysis Results The conditional core damage probability estimated for this event is 2.1 x 10 The dominant core damage sequence, 4
highlighted as sequence number 39 on the event tree in Fig.1 involves the following:
given the loss of offsite power, the reactor successfully trips, j
both trains of emergency power fail, AFW prmides sufficient flow, the PORVs open and then successfully rescat, e
the safe shutdown facility fails, the RCP seals fail, and e
offsite power is not recovered after the RCP seal failure.
The second highest core damage sequence (No. 41) involves the following:
given the loss of offsite power, the reactor successfully trips, both trains of emergency power fail, and AFW fails to provide sufficient flow.
Definitions and probabilities for selected basic events are shown in Table 1. The conditional probabilities associated with the highest probability sequences are shown in Table 2. Table 3 lists the sequence logic associated with the sequences listed in Table 2. Table 4 describes the system names associated with the dominant sequences. Mmtmal cut sets associated with the dominant sequences are shown in Table 5.
Acronyms ac altemating current AFW Auxiliary Feedwater 4
I l
LER No 414/96401 EDO Emergency Diesel Generator HPI High Pressure injection HPR High Pressure Recirculation IPE Individual Plant Examination LOCA Loss ofCoolant Accident LOOP Loss of Offsite Power MOV Motor operated Valve MSIV Main SteamIsolation Valve NPSH Net Positive Suction Head j
PORV Power Operated Relief Valve
-PRT Prmurizer Relief Tank PWR Pressurized Water Reactor RCP
~ Reactor Coolant Pump RCS Reactor Coolant System RHR ResidualHeat Removal
.SG Steam Generator SI Safety Injection SSF Standby Shutdown Facility TRC Time Reliability Correlation TDAFWP Turbine Driven Auxiliary Feedwater Pump References
't.
Memorandum from S. D. Ebneter, Regional Administrator, to E. L. Jordan Director, Office for Analysis ead Evaluation of Operational Data, transmitting " Supporting Documents for the Catawba Loss of Offsite Power Event (February 6 - 8,19%)" February 15,1996 2.
U.S. Nuclear Regulatory Commission, "NRC Inspection Report Nos. 50-413/96-03 and 50-414/96-03 and Notice of Violation," March 12,19%.
3.
U.S. Nuclear Regulatory Commission, " Preliminary Notification of Event or Unusual Occurrence PNO-II 006," February 6,19%.
4 U.S. Nuclear Regulatory Commission, "Prelimmary Notification of Event or Unusual Occurrence PNO-II-%-
l 006A," February 7,19%.
5.
U.S. Nuclear Regulatory Commission, "Prelimin.ty Notification of Event or Unusual Occurrence PNO-Il-%-
006B," February 7,1996.
6.
U.S. Nuclear Regulatory Commission, " Preliminary Notification of Event or Unusual Occurrence PNO-II 96-006C," February 8,19%.
i 7.
50.72 Report Number 29945, February 6,19%.
\\
8.
LER 414/96-001," Loss of Offsite Power Due to Electrical Component Failures," March 7,1996.
i t
E l
5
LER No. 414/96-001 ll 5555858858855885588558Bd858885585585888888 s
--....~..e:e e:e ee er a su n amanan asu n a s s an n e va ll l
g,l g
i illi l l il l
ill s
ill 1
E E
lill
~
~~
EI
=
lli am till I
l2 ll!!
E lil i ;l i
il l
i i
l l
1 l11 ii e
llll1 I Fig.1 Dominant core damage sequences for LER No. 414/96-001.
6
LER No. 414/96-001 SAFE SHUTDOWN FACILITY FAILS
[N SliF SSFB FAILS WITH SSFC FAILS TO POWER NO POWER TO BUS SUMP PUMP FOR TDAF%
1TA WITHIN 15 MIN PUMP WITHIN 3 H l
i l
SSFB SSFC
. Fig. 2 Fault tree modeling the Standby Shutdown Facility (SSF).
7
LER No. 414/96-001 4
FAILURE TO RECOVER 3FFSITE POWER BEFORE SEAL LOCA
[\\
OP.SL I
I FAILURE TO RECOVER FAILURE TO CROSSTIE FAILURE TO RECOVER 3FFSITE POWER BEFORE EDG 28 EMERGENCY BUS EDG 2B WITHIN SEAL LOCA WITHIN 3 HOURS 3 HOURS l
1 l
\\
OEP-XHE-NOREC-SL OEP-XHE-NOCRS-B EPS-XHE-EDGB-NOR Fig. 3 Fault tree modeling the recoverj of offsite power before the core becomes uncovered iven a seal LOCA F
(OP-SL).
8
\\
LER No. 414/96-001 1
l l
FAILURE TO RECOVER 3FFSITE POWER BEFORE
{
BATTERY DEPLETED
)
[\\
op.BD l
l FAILURE TO RECOVER FAILURE TO CROSSTIE FAILURE TO RECOVER OFFSITE POWER BEFORE.
EDG 2B EMERGENCY BUS EDG 2B WITHIN BATTERY DEPLETED WITHIN 3 HOURS 3 HOURS l
1 1
i I
OEP-XHE-NOREC-BD OEP-XHE-NOCRS-B EPS-XHE-EDGB-NOR j
Fig. 4 Fault tree modeling the recovery of offsite power before the batteries are depleted (OP-BD).
9
I I
LER No. 414/96-001 Table 1. Definitions and Probabilities for Selected Basic Events for LER 414/96-001 Modified Event Base Current for this naene Description probability probability Type event ILIDOP less of Offsite Power initiating Event 6.9 E 006 1.0 E+000 TRUE Yes ILSGTR Steam Generator Tube Rupture 1.6 E 006 0.0 E+000 IGNORE No Initiatmg Event ILSIDCA Smalllas of Coolant Accident 1.0 E-006 0.0 E+000 IGNORE No butiating Event ILTRANS Transient initiating Event 5 3 E-004 0.0 E+000 JGNORE No AFW TDP FC 1 A AFW Turbine Dnven Pump Fails 3 2 E 002 3.2 E 002 No AFW XIIE-NOREC EP Operator Fails to Recover AFW 3 4 E-001 3 4 E-001 No During Station Blackout AFV' XllE XA-NWS Operator Fails to Ahgn Nuclear 1.0 E403 10 E 003 No Service Water EPS-DGN CF-ALL Common Cause Failure of Diesel 1.1 E 003 1.1 E 003 No Generators EPS-DGN FC-1 A Diesel Generator A Fails 4.2 E 002 4 5 E-002 Yes l
EPS-DON-FC 1B Diesel Generator B Fails 4.2 E 002 1.0 E+000 TRUE Yes j
EPS-X}IE-EDGB NOR Operator Fails to Recover EDO B 1.0 E+000 3.1 E-001 NEW Yes 1
Within 3 Hours EPS-XHE-NOREC Operator Fails to Recover Emergency g 0 E 001 1.0 E+000 Yes Power HP:-MDP-CF ALL Common Cause Failure of the High 7.8 E 004 7.8 E 004 No Pressure injection (HPI) Purnps HPI-MDP-FC-1 A HPI Motor-Driven Pump Train A Fails 4 0 E 003 4 0 E403 No HPI-MOV CC-DISCH HPI Cold Leg injection Valve Fails 3.0 E 003 3 0 E-003 No HPR-MOV CC-RHRB Residual Heat Removal (RHR) 3.1 E 003 3.1 E-003 No Ducharge Motor Operated Valve (MOV)into HPI Train B Fails HPR MOV CC-SMPA Sump Isolation MOV 15$ A Fails to 3.0 E403 3.0 E-003 No j
HPR-MOV CF-SUCA High Pressure Recirc (HPR) Suction 1.0 E+000 1.0 E+000 No MOVs from RHR Train A Fail to Open due to Common Cause HPR XHLNOREC-L Operator Fails to Recover the HPR 1.0 E+000 1.0 E+000 No System During a IDOP 10
LER No. 414/96-001 l
l Table 1. Definitions and Probabilities for Selected Basic Events for LER 414/96-001 l
Modified Event Base Current for tbla name Description probability probability Type event llPR XIIE-XM-L Operator Fails to trutiste llPR Dunng 1.0 E 003 1.0 E403 No I
aIDOP OEP-XHE-NOCRS B Failure to Cross-tie EDO B 1.0 E+000 2.7 E-001 NEW Yes Emergency Bus Within 3 llours OEP XIIE-NOREC-2H Operator Fails to Recover Offsite 1.4 E401 1.0 E+000 TRUE Yes Power Within 2 Houn OEP XIIE NOREC-6H Operator Fails to Recover Offsite 9.9 E 004 1.0 E+000 TRUE Yes Power Within 6 Ilours OEP XHE-NOREC BD Operator Fails to Recover Offsite 2.3 E-002 1.0 E+000 TRUE Yes Power Before Battery Depleted OEP-XIIE-NOREC SL Operator Fai!s to Recoser Offsite 4 8 E 001 1.0 E+000 TRUE Yes Power (SealIDCA)
PORV PORVs Open Dunng Transient 7.0 E 001 1.0 E+000 TRUE Yes PPR-SRV OO-PRV1 PORV i Fails to Reclose ARer 2 0 E-003 2.0 E-003 No Opening PPR-SdV OO PRV2 PORV 2 Fails to Reclose ARer 2.0 E 003 2.0 E 003 No Opening PPR SRV.OO-PRV3 PORY 3 Fails to Reclose ARer 2.0 E 003 2 0 E-003 No Opemng RCS MDP-LK SEALS RCP Seals Fail Without Cooling and 2.4 E 001 7.0 E 001 Yes tryection PJIR-MDP CF.ALL RER Pump Common Cause Failures 4.5 E 004 4.5 E-004 No RIIR-MDP-FC I A RHR MDP 1 A Fails 41 E-003 4.1 E 003 No SEALIDCA RCP Seals Fail DuringIDOP 2.4 E401 7.0 E401 Yes SSFB SSF Fails with No Power to Bus ITA 2.2 E 001 2.2 E 001 NEW Yes SSFC SC Fails to Power Sump Pump of 9.5 E 002 9.5 E402 NEW Yes TD/FW Pump l
l l
l 11
l LER No. 414/96-001 Table 2. Sequence Conditional Probabilities for LER 414/96-001 Conditional core Es ent tree damage Percent name Sequence name probability Contribution (CCDP)
LOOP 39 8.5 E-004 40.1 LOOP 41 5.3 E-004 25.0 LOOP 32 3.6 E-004 17.2 LOOP 40 2.7 E-004 13.0 LOOP 10 7.8 E-005 3.7 Total (all sequences)
- 2. I E-003 Table 3. Sequence logic for Dominant Sequences for LER 414/96-001 Es ent tree name Sequence name logic LOOP 39
/RT-L, EP, /AFW-L, PORV-L,
/PORV-RES, SSF, SEALLOCA, OP-SL LOOP 41
/PORV-RES, SSF,
/SEALLOCA, OP-BD LOOP 40
/RT-L, EP, /AFW-L, PORV-L, PORV EP LOOP 10
/RT-L, /EP, /AFW-L, PORV-L, PRV-L-EP, OP-211, /HPI L, HPR L I
l i
\\
\\
12
LER No. 414/96-001 i-Table 4. Systes Nasses for LER 414/96-001 i
f System asase Logie j
AFW-L No or Insufficient AFW Flow During LOOP AFW L-EP No or Insufficient AFW Flow During Station j-Blackout EP Failure of Both Trains of Emergency Power liPIL No or Insufficient Flow from IIPI System
{
During a LOOP l
IIPR-L No or Insufficient Flow from IIPR System j
Dunng a LOOP
[
OP-2H Operator Fails to Recover Offsite Power Within 2 liours OP-BD Operator Fails to Recover Offsite Power Before Battery is Depleted OP-SL Operator Fails to Recover Offsite Power (Seal LOCA)
PORV-EP PORVs Fail to Reclose (no Electric Power)
PORV-L PORVs Open During LOOP PORV-RES PORVs Fail to Rescat PRV-L-EP PORVs and Block Valves Fail to Reclose
[ Electric Power (EP) succeeds)
RT-L Reactor Fails to Trip During LOOP SEALLOCA RCP Seals FailDuring LOOP SSF Safe Shutdown Facility Fails 13
l l
l LER No. 414/96-001 t
Table 5. Conditional Cut Sets for Higher Probability Sequences for LER 414/96-001 Cut set Percent Conditional No.
Contribution Probability
- Cut sets
- LOOP Sequence 39 8.5 E-004 1
68.I 5.8 E-004 EPS-DGN-FC-1 A, EPS-DON-FC-1B, EPS-XIiE NOREC, SSFB, OEP XHE NOCRS-B, PORV, SEALWCA, OEP-XIIE-NOREC SL, EPS XIIE-EDGB-NOR 2
29 4 2.5 E-004 EPS DGN FC 1 A, EPS-DGN FC 1B, EPS-XIIE-NOREC, SSFC, OEP-XllE-NOCRS-B, PORV, SEALIDCA, OEP-X11E.NOREC-SL, EPS-XHE-EDGB NOR 3
1.7 1.4 E-005 EPS-DGN-CF.ALL, EPS-XHE NOREC, SSFB, OEP X11E-NOCRS-B, PORV, SEALLDCA, OEP X11E NOREC-SL, EPS XIIE EDGB NOR LOOP Sequence 41 5.3 E-004 1
94.6 5.0 E-004 EPS-DGN FC-1 A, EPS DON FC-1B, EPS XIIE-NOREC, AFW-TDP-FC-1 A. AFW-X11E NOREC-EP 2
2.8 1.5 E-005 EPS-DGN FC-1 A, EPS-DON FC 18 EPS-XHE-NOREC AFW-XHE NOREC EP. AFW XHE-XA-NWS 3
2.4 1.2 E-005 EPS-DGNCF-ALL, EPS-XHE NOREC, AFW.TDP FC-l A.
AFW-XHE.NOREC-EP LOOP Sequence 32 3.6 E-004 s
1 68.I 2.4 E-004 EPS-DGN-FC 1 A, EPS-DGN FC 1B, EPS XHE-NOREC, SSFB, OEP XHE-NOCRS-B, /SEALLOCA, OEP XHE-NOREC-BD, EPS-XHE EDGB-NOR 2
29.4 1.0 E-004 EPS-DON-FC-I A. EPS-DON FC-1B, EPS-XHE NOREC, SSFC, OEP-XHE-NOCRS-B, /SEALLOCA, OEP XHE-NOREC-BD, EPS-XHE-EDGB-NOR 3
1.7 6.3 E-006 EPS-DGN-CF-AIL EPS-XHE NOREC, SSFB, OEP XHE-NOCRS-B,
/SEALIDCA, OEP XHE-NOREC-BD, EPS-XHE-EDGB-NOR cw IAOP Sequence 40 2.7 E-004
'iAs 1
32.5 9.0 E-005 EPS-DGN-FC-1 A, EPS-DON-FC-1B, EPS-XHE-NOREC, PORV, PPR-SRV OO-PRV1 2
32.5 9.0 E-005 EPS-DGN FC-1 A. EPS-DGN FC 1B, EPS-XHE-NOREC, PORV, PPR-SRV OO PRV2
{
3 32.5 9.0 E-005 EPS-DON-FC-1 A, EPS-DGN FC 1B, EPS-XHE-NOREC, PORV PPR-SRV OO-PRV3 14 l
4 LER No. 414/96-001 l
l Table 5, Conditional Cut Sets for Higher Probability Sequences for LER 414/96-001 Cut set Percent Conditional No-Contribution Probability
- Cut sets
- LOOP Sequence 10 7.8 E-005 1
9.9 7.8 E-006 EPS-DON-FC-1 A. PORV, PPR-SRV OO-PRVI, OEP-XHE-NOREC-2H, EPS-DON-FC 1B, Rl!R MDP-FC 1 A.
HPR XHE-NOREC-L 2
9.9 7.8 E-006
/EPS-DGN-FC 1 A, PORV, PPR-SRV-OO-PRV3, OEP XHE-NOREC 2H, EPS-DON-FC lB, RllR-MDP-FC-1 A.
HPR XIIE-NOREC-L 3
9.7 7.6 E-006
/EPS-DGN-FC 1 A. PORV, PPR SRV-OO PRVI, OEP X11E-NOREC 2il, EPS DGN FC.IB,liPI MDP-FC.I A, llPR X11E NOREC-L 4
9.7 7.6 E-006 IPS-DGN FC 1 A, PORV, PPR-SRV.OO-PRV3, OEP-X11E-NOREC-211, EPS DGN-FC.IB HPI-MDP-FC.I A.
HPR X11E NOREC L 5
7.5 5.9 E-006
/EPS-DGN FC l A, PORV, PPR-SRV-OO-PRV1.
OEP-X11E NOREC-2H, EPS-DGN-FC 1B, HPR MOV-CF-SUCA, liPR MOV CC RHRB, HPR XHE NOREC-L 6
7.5 5.9 E 006
/EPS-DGN-FC-1 A, PORV, PPR-SRV-OO-PRV3, OEP XHE-NOREC-2H, EPS-DGN FC-1B, HPR MOV-CF SUCA, llPR MOV CC-RHRB, HPR XHE-NOREC-L 7
7.2 5.7 E-006
/EPS-DGN FC-1 A, PORV, PPR-SRV-OO-PRVI, OEP-XIIE NOREC-2H, EPS-DGN-FC 1B. HPR-MOV-CC-SMPA, HPR XHE.NOREC-L 8
7.2 5.7 E-006 EPS-DON FC-I A, PORV, PPR SRV OO PRV3, OEP XHE-NOREC-2H EPS-DGN FC-IB,HPR MOV-CC SMPA, HPR XHE-NOREC L l
9 7.2 5.7 E-006
/EPS-DGN-FC 1 A. PORV, PPR SRV-OO-PRVI, OEP XHE-NOREC-2H, EPS-DGN-FC-1B, HPI-MOV CC DISCH, HPR XHE-NOREC-L I0 7.2 5.7 E-006
/EPS-DGN-FC-1 A, PORV, PPR SRV OO-PRV3, OEP XHE-NOREC 211 EPS-DGN-FC 1B, HPI MOV CC DISCH, HPR-XIIE-NOREC-L II 2.4 1.9 E-006
/EPS-DGN-FC 1 A, PORV, PPR-SRV OO-PRVI, OEP-XHE-NOREC-2H, EPS-DGN-FC-1B, HPR XHE-XM L i
12 2.4 1.9 E-006
/EPS-DGN-FC 1 A. PORV, PPR SRV OO-PRV3, l
OEP-XHE-NOREC-2H, EPS-DGN-FC 1B, HPR XHE XM-L l
13 1.8 1.4 E-006
/EPS-DGN-FC-1 A. PORV, PPR-SRV OO PRVI, OEP XHE-NOREC-2H, EPS-DGN-FC-1 B, HPI MDP CF-ALL HPR XHE-NOREC-L I
15 1
1 l
l
LER No. 414/96-001 Table 5. Conditional Cut Sets for Higher Probability Sequences for LER 414/96-001 Cut set Percent Conditional No.
Contribution Probability
- Cut sets" 14 1.8 1.4 E-006
/EPS-DGN-FC 1 A, PORV, PPR SRV OO-PRV3, OEP XHE-NOREC-2H, EPS-DON-FC 1B, ilPl MDP-CF-ALL, HPR-XHE-NOREC L 15 1.0 8.6 E-007
/EPS-DON-FC-1 A, PORV PPR SRV OO-PRVI, OEP X}iE-NOREC 2il, EPS DON-FC.1B, RllR MDP CF-AL1, HPR-XHE-NOREC-L 16 1.0 8.6 E-007
/EPS-DGN-FC 1 A, PORV PPR-SRVMPRV3, OEP XIIE-NOREC 2H EPS-DGN-FC 1B, RilR-MDP-CF-ALL, HPR XHE NOREC-L Total (all sequences) 2.1 E-003
- The conditional probability for each cut u' is determined by multiplying the probability of the initiatir.g event by the probabilities of the basic esents in that minirnal cut set. The probability of me b tiating events are given in Table I and begin with the designator "lE". ne probabihties for the basic events are also given in Table 1.
- Basic events IE-LOOP, EPS DON-FC-1B OPE-X1tE-NOREC 2il, OEP XllE NOREC.6H, OEP-XHE.NOREC BD, OEP-XHE-NOREC-SL, and PORY are all type TRUE events which are not normally included in the output of fault tree reduction programs. Dese events have been added to aid in understanding the sequences to potential core damage associated with the event.
16
LER No. 414/96-001 Event
Description:
Loss of Offsite Power (LOOP) with Emergency Diesel Generator (EDG)B Unavailable Date of Event: February 6,1996 Plant: Catawba 2 Licensee Comments I
Reference:
Letter from W. R. McCollum, Jr., Catawba Nuclear Station, to U. S. Nuclear Regulatory Commission, transmitting " Response to the Preliminary Accident Sequence Precursor Analysis of Loss of Offsite Power Event at Catawbe Wit 2 (TAC M95254)," Duke Power, June 11,1996.
Comment 1:
In the preliminary ORNL analysis only Emergency Diesel Generator (EDG) 2A was considered available for the mission time (7.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />) ofinterest. EDG 2B, which was in maintenance at the time of the event but retumed to senice at about 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />, is treated as in maintenance but potentially recoverable, with a recovery probability of 0.48. [This is basic event EPS-XHE-EDGB-NOR.]
An alternate approach, which perhaps more closely resembles the actual post-event condition, would be to consider only one EDG to be available during the first three hours, with potential recovery of the other EDG, and both EDGs to be available subsequently. Attachment B [of McCollum's letter]
presents the development of the dominant related sequence.
At the time of the event, EDG 2B was out of senice to perform maintenance on the EDG 2B battery charger. In the event EDG 2B was needed after the LOOP event because no other source of ac power was readily available, plant personnel would have attempted to place EDG 2B into service by clearing the out-of-senice tags and closing the breakers. EDG 2B battery is considered to have adequate capacity to start the EDG without the charger. The estimated time to place EDG 2B into a functional status for this scenario is estimated to be in the range of 1 to 1.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> Since EDG 2A was supplying the load, EDG 2B was not needed. It was placed into operation at 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> and 51 minutes after the initiating event.
Response 1:
The modeling approach taken assumes that EDG 2A is available with a failure probability of 0.045 (EPS-DGN-FC-1 A). Not only is the ability to recover EDG 2B within the first 3 h of the event considered (EPS-XHE-EDGB-NOR), it also credits the potential for restoring offsite power (OEP-XHE-NOREC-SL and OPE-XHE-NGREC-BD) and for powering the Unit 2 emergency bus by EDG 2B from the corresponding Unit 1 emergency power bus (OEP-XHE-NOCRS-B) (see Figs. 3 and 4).
The Unit 1 emergency power bus remained powered from its normal offsite ac power source.
The nonrecovery probability of 0.48 for EPS-XHE-EDGB-NOR was obtained using a value of 140 min as the median time to repair EDG 2B with a 30-min delay to allow for the decision process to decide to repair EDG 2B. Based on Comment 1, this repair time was adjusted to 90 min with a 30-min delay required for the decision process to reach completion. The value of 3 h for the time available to restora EDG 2B (in case EDG 2A becomes unavailable) was based on the ability of the Standby Shutdown Facility (SSF) to prevent a seal-LOCA and the turbine-driven AFW pump to provide feedwater for decay heat removal. Using the exponential repair model with a repair time of 90 min and a 30-min delay, in combination with the time available to restore EDG 2B (3 h), results in a revised nonrecovery probability of 0.31 for EPS-XHE-EDGB-NOR.
1 Lb-c ( 0 swe d
Modeling the event in two phases would require revising all basic event (super component) failure probabilities that are dommated by failure to start and failure to run to account for the shorter mission times for the first phase (0 to 3 h). The second phase analysis (3 to 7.5 h) would require revising all basic event failure probabilities that are dominated by failure to start and failure to run to account for this mission time and removing the failure to start probability for those basic dvents that would be running at the end of the first phase. The fmal core damage probability would be the sum of the probabilities fcr each phase developed. Based on an approach identicalto that provided in Attachment B of McCollum's letter, cut set number 1 in Sequence 39 would be First 3 h following LOOP event Next 4.5 h 7.5 h mission Basic Event Probability Basic Event Probability Current Value EPS-DON-FC-I A 0.036 EPS-DGN-FC 1 A 0.009 0.045 EDG 2A fails to start or run EDG 2A fails to run
.03 + (3 h
- 0.002h)
(4.5 h ' O 002h)
EPS-XIIE EDGB-NOR 0.31 EPS X1tE-EDGB-NOR n/a 0.31 recovery of EDG 2B recovery of EDG 2B EPS-DON-FC-1B 1.0 EPS-DGN-FC-1B 0.039 1.0 EDG 2B is in maintenance EDG 2B fails to start or run
.03 + (4.5 h
- 0.002.h)
OEP-XIIE-NOCRS-B 0.27 OEP XIIE-NOCRS B 0.27 0.27 failure to recover using failure to recover using Unit I power Unit I power SSFB o.22 SSFB 0.22 0.22 SSF fails to provide wal SSF fails to provide seal irdection injection PORV 1.0 PORV 1.0 1.0 SEALLOCA 0.7 SEAT 10CA 0.7 0.7 OEP-XilE-NOREC SL 1.0 OEP-XIIE-NOREC-SL 1.0 1.0 failure to recover offsite failure to recover offsite power power 4.6 E-004 1.5 E-005 s
4.8 E-004 5.8 E-004 The difference in the total cut set probability from an unphased approach (5.8 x 10 ) to a phased d
d approach (4.8 x 10 ) for this cut set is 17%. Because the other cut sets that are affected by this phased approach are similar to the above cut set, it is expected that the CCDP would be affected similarly (e.g., about 17%). The sequences affected by this approach (sequences 39 and 32) contribute 57.3%
to the overall CCDP. A phased approach then, would result in a new CCDP of CCDP = 1.9 x 10 ' = [(1 - 0.17)(0.573) + (1 0.573)] x 2.1 x 10
Using the Catawba IPE values for EDO start and mn probabilities (0.007 and 0.0046/h) with a phased approach reduces the CCDP by 46% for cut set I for Sequence 39 (to 2.9 x 10d). Because the other cut sets that are affected by this phased approach are similar to the above cut set, it is expected that the CCDP would be affected similarly (e.g., about 46%). The sequences affected by this approach (sequences 39 and 32) contribute 57.3% to the overall CCDP. A phased approach then, would result in a new CCDP of 2
l l
CCDP = 1.6 x 10-$ = [(1 - 0.46)(0.573) + (1 - 0.573)] x 2.I x 10-$
However, ifIPE values are accepted, then the failure probability of the TDAFWP must be adjusted to the IPE value of 0.083 versus the 0.032 used in this analysis. This affects LOOP Sequence 41, cut sets 1 and 3. The CCDP for Sequence 41 becomes 1.3 x 10'$ versus 5.3 x 10" The total CCDP then becomes TOTAL CCDP = 2.9 x 10 = 1.6 x 10'$ + 1.3 x 10~$
Hence, using a " phased" approach appears to provide no more accurate a core damage probability, yet requires considerably more effort.
Comment 2.
The preliminary ORNL analysis uses the EDO start and run failure probabilities of 0.03 and 0.002/hr, respectively. The estimated Catawba EDG start and run failure probabilities, as reported in the Catawba IPE are 0.007 and 0.0046/hr, respectively. In fact, the current 3-year average values, as shown in Attachment C, are 0.003 and 0.0015/hr. Use of the current plant-specific values should change the preliminary conditional core damage probability from 0.0033 to approximately 0.001 without any other changes.
Response 2:
The basic event for EDG 2A in the ASP model (EPS DGN-FC-l A) has an EDG failure probability based on its failure to start (0.03/d) and its failure to run [(0.002/h)(7.Sh)). However, this is really a
" super component" because the failure to start probability includes the contribution of all other major components in the safety system train and the contribution from any support systems (e.g., EDG in maintenance, fuel unavailabilities, load sequencer, etc.). Therefore, the 0.03/d is appropriate. The failure to run probability of 0.002/h is consistent with the current 3-year average and about one-half the Catawba IPE value. Regardless, use of the IPE values themselves provides a failure probability consistent with the ORNL analysis (0.0415 vs. 0.045).
l Comment 3a:
The preliminary ORNL analysis attempts to include the Standby Shutdown Facility (SSF) feature to mitigate a loss of all ac power condition. However, inclusion of both the SSFB and SSFC logic is not corTect. The SSFC cut sets are a subset of the SSFB cut sets. (Please see Table A.18-7 of the Catawba j
IPE.) The main differences between SSFB and SSFC are that (i) SSFB requires operator action within 15 minutes, while for the SSFC case, action can be delayed for up to 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />, and (ii) SSFB contains additional failure modes involving the Reactor Coolant pump seal injection components. In the i
Catawba Probabilistic Risk Assessment (PRA), success of SSFC does not prevent a core melt; it simply changes the plant damage state.
Comment 3h:
In addition, cut sets representing unavailability of the SSF due to maintenance (2.57E-2) and maintenance on the SSF diesel generator (2.96E 3) could be deleted when determmmg the probability associated with SSFB, since this equipment was available during the event.
Comment 3e:
Thus SSFC cut sets and SSF maintenance events should be deleted from the ORNL preliminary analysis. Incorporating these suggestions results in an SSF failure probability of 0.19.
Response 3a:
The original fault tree model of the SSF was misleading. The original figure (Fig. 2) simply had l
"SSF" without identifying B" or "C." This has been corrected. The placement of the SSF in the event tree (Fig.1) is such that the SSF is not needed to mitigate core damage until the remaining EDG 3
fails (EDO 2A) and the turbine-driven AFW pump starts and runs successfully. As indicated on page 35 of. Figure A.5-7 in the AFW system fault tree for the Catawba IPE, SSFC is used to ensure power to the turbine-driven pump (TDAFWP) pit sump pump (sump pump 1 Al) given a station blackout (SBO) condition. A station blackout would have occurred if EDO 2A failed during this event.
Because the motor-driven AFW pumps are unavailable, success of the AFW is dependent on the success of the TDAFWP. The success of the TDAFWP is now dependent on tis SSFC to provide power to the TDAFWP pit sump pump because the TDAFWP oil cooler flow and a pu: tion of the turbine seal water empties directly into the pit for the TDAFWP. SSFC must be available within 3 h before the leakage or the water accumulation in the TDAFWP pit would fail the pump. The SSFB, on the other hand,is modeled as providing seal cooling in the event of a station blackout. Specifically, l
4 page A.18-15 in the SSF insight section for the Catawba IPE indicates that SSFB is used to provide a means of seal cooling to prevent a seal LOCA in the event of an SBO. SSFB must be available within 15 min of station blackout. The ORNL analysis is consistent with the Catawba PRA.
j Response 3b:
Because a component successfully performed its function during an event is no reason to reduce or change the failure probability or unavailability of that component. Similarly, it is inappropriate to remove the unavailability due to potential maintenance activities on these components just because i
no maintenance was being performed on them during the event.
Response 3c:
Based on the responses to 3a and 3b, the SSF model appears to be appropriate, and no changes were made to that portion of the analysis.
Comment 4:
Catawba has two 4 kV transformers (SATA and SATB) which can power the two essential 4 kV switchgears in one unit from the ac power system from the other unit. The operator action to make use of this feature is contained in the plant emergency procedure, and operators are trained on this action.
Catawba's estimate to perform this action is 30 minutes to I hour. Considering that this action is required in the emergency procedure, that the operators are given training on it, and that the available time is about 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />, the operator failure probability is not considered to be significant. The Duke calculations use 0.17 as the failure probability of this event, derived primarily from the data on LOOP events where more than one unit suffered a LOOP in multi-unit sites. Even with the assumption of a 30 minute cognitive time and a 90 minute action time, the Human Cognitive reliability model (Hannaman et. al., " Human Cognitive Reliability Model for PRA Analysis," NUS-4531, December 1994) yields the operator failure probability as 0.03, with the 3 hour3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> available time. Therefore, the value of 0.35 used in the preliminary ORNL analysis for failure probability of using the Unit I ac power when it was indeed available seems a bit conservative. It should be noted that the procedural i
difficulty encountered during the event should not be viewed as a significant factor since one EDG was operating and supplying necessary loads and the use of Unit I ac power was not critically needed at that time.
The Duke analysis of this event, based on Catawba-specific EDG reliability data, the two distinct EDG availability representations, and the applicable SSF failure modes, yielded a conditional core damage probability of approximately 4 E-4. This calculation is based on a base case failure probability of Unit I power of 0.17. Since offsite power was available through Unit I throughout the mission time, the 0.17 value is conservative. As a sensitivity analysis, changing this value to 0.03 and then to 0.5 produces results of 7 E-5 and 1 E-3, respectively.
Response 4:
ORNL assumed that the recovery of emergency power by cross-ticing to the other unit would have been necessary only following the failure of EDG 2A. However, the time required to perform the cross-tie was changed from 90 min to 60 min. The parameters ofinterest in detemumng the failure probability are 4
Parameters ORNL avdleble time 3h ac ion time 90 min delay time 30 min mode!
E. M. Dougheny and J. R. Fragola, Human Reliabihty Analysis, Ch.10 & 11, John Wiley and Sons, New York,1988
" Recovery without Hesitancy" 0.16 time-reliability correlation
" Recovery with Hesitancy" 0.27 time-reliability correlation if the operator responds without hesitancy (i.e., although the problem is uncommon, procedures exist),
the operator failure probability would be 0.16. This is essentially the same number reponed by Duke (i.e., 0.17). The " recovery with hesitancy" time-reliability correlation is appropriate because it considers that although the problem is uncommon, the procedures are weak or sketchy. Because initial effons to complete the cross-tie to bus 2ETB were unsuccessful due to a procedural inadequacy and cross-tie activities were not completed until 7 h 29 min into the event, the recovery with hesitancy is appropriate. The resultant failure probability is 0.27 given that the cross-tie is an uncommon problem and an error existed in the procedure.
Comment 5:
The "Modeling Assumptions" section states that a mission time of 7.5 h was used for EDG 2B. It appears that this mission time was actually used to compute the failure probability of the EDG 2A.
Response 5:
This is correct. The mission time was increased from 6 h to 7.5 h for calculating the failure rate of EDG 2A, not EDG 28. EDG 2B was classified as a TRUE event because it was out-of-service due i
to a faulty ac capacitor in the battery charger for that EDG.
Comment 6:
The following description of the auxiliary feedwater (CA) pump room and associated floor drain j
system is provided to understand the significance ofleakage found in the floor drain sump.
The three CA pumps are located in the CA pump room, which has a floor drain sump (4x3x7 ft) with two load-shed floor drain sump pumps. Each CA pump is located in a pit (17x17x14.5 f1) with two sump pumps for the turbine driven pump and one sump pump for each of the motor driven CA pumps.
The CA pump pit sump pumps (each with 50 gpm capacity) are powered by the essential ac power system and one of the turbine driven CA pump sump pumps is backed up by the SSF power.
The CA pump pit sump pumps and the CA pump room sump pumps discharge into a common header.
During the LOOP event some water was found to be accumulating in the CA pump room floor and is attributed to leakage of check valves between the room sump pumps and the common header for 5
i this floor drain system. The leakage was estimated to be no greater than 20 gpm, the expected l
maximum floor drain requirernent for the turbine driven CA pump pit. Considering that the floor area l
outside the CA pump pits is about 2231.6 square foot and that the curb is about 1.5 feet high, the estimated time for the leakage to spill into the CA pump pits is about 22 hours2.546296e-4 days <br />0.00611 hours <br />3.637566e-5 weeks <br />8.371e-6 months <br />. The leakage into the i
turbine driven pump pit is within the capability of the operating sump pump. If this pump failed, an additional 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> would be available before the leakage or the water accumulation in the tu bine driven pump pit could fail the pump.
For the motor driven CA pump B pit, the estimated time to fill the pump pit is about 26 hours3.009259e-4 days <br />0.00722 hours <br />4.298942e-5 weeks <br />9.893e-6 months <br /> once the leakage starts into the pit and if the sump pump is not operating.
Thus the leakage into the CA pump room from part of the CA pump pit floor discharge should not influence the mission times and success enteria for CA pumps or battery depletion time considerations.
Response 6:
The ORNL analysis assumed that the CA pump room flooding had no influence on the mission times, success criteria for the CA pumps, or battery depletion time considerations. The Additional Event-Related Infonnation section states that "Because the floor area outside the AFW pump room is about 2,231.6 square feet and the curb is 18 in. high, the estimated time to flood the turbine-driven pump pit area is about 33 h. The leakage into the turbine-driven pump pit is within the capability of the operating sump pump. If this pump failed, an additional 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> would be available before the leakage or the water accumulation in the turbine driven pump pit could fail the pump. After the pump pits are flooded, there is an additional area of 1,110 square feet in the room for water to cover. The IPE further estimates that there is 41.6 min available to isolate a flood of 2,429 gpm. Therefore, flooding of the TDAFWP is not considered credible because considerable time was available to mitigate the flooding." The concern with floodmg the pump pit was that given a LOOP and failure of the remaining EDG, the only means of decay heat removal was use of the turbine-driven AFW pump to provide makeup to the steam generators. The LER and preliminary information about the CA pump room flooding were sketchy, however, it was determined that the CA pump room flooding was oflittle consequence to this event.
6