ML072290167

| Person / Time | |
|---|---|
| Site: | Cooper |
| Issue date: | 08/17/2007 |
| From: | Mallett B, Region 4 Administrator |
| To: | Minahan S, Nebraska Public Power District (NPPD) |
| References: | EA-07-090, IR-07-007 |
| Download: | ML072290167 (96) |

See also: IR 05000298/2007007

Text
UNITED STATES NUCLEAR REGULATORY COMMISSION
REGION IV
611 RYAN PLAZA DRIVE, SUITE 400
ARLINGTON, TEXAS 76011-4005

August 17, 2007

EA-07-090

Stewart B. Minahan, Vice President-Nuclear and CNO
Nebraska Public Power District
72676 648A Avenue
Brownville, NE 68321
SUBJECT: FINAL SIGNIFICANCE DETERMINATION FOR A WHITE FINDING AND NOTICE OF VIOLATION - COOPER NUCLEAR STATION - NRC SPECIAL INSPECTION REPORT 05000298/2007007

Dear Mr. Minahan:

The purpose of this letter is to provide you the final results of our significance determination of the preliminary White finding identified in the subject inspection report. The inspection finding was assessed using the Significance Determination Process and was preliminarily characterized as White, a finding with low to moderate increased importance to safety, that may require additional NRC inspections. This proposed White finding involved an apparent violation of 10 CFR Part 50, Appendix B, Criterion V, "Instructions, Procedures, and Drawings," involving the failure to establish procedural controls for evaluating the use of parts prior to their installation in safety-related applications (e.g. the
At your request, a Regulatory Conference was held on July 13, 2007. During this conference your staff presented information related to the voltage regulator failures that adversely affected Emergency Diesel Generator (EDG) 2. This included information regarding the failure mechanism of the voltage regulator circuit board, results of your root cause evaluations, and associated corrective actions. The July 13, 2007, Regulatory Conference meeting summary, dated July 18, 2007 (ML072000280), includes a copy of the CNS presentation.
Based on NRC review of all available information, including the information discussed during the Regulatory Conference, the NRC has decided not to pursue a violation of 10 CFR Part 50, Appendix B, Criterion V. However, the NRC has determined a violation of 10 CFR Part 50, Appendix B, Criterion XVI, "Corrective Action," did occur in that CNS failed to promptly identify a significant condition adverse to quality that resulted in the reduced reliability of EDG 2. Two distinct and reasonable opportunities to identify the condition adverse to quality existed, yet the condition was not promptly identified and corrected to preclude recurrence. Specifically, your inadequate procedural guidance for evaluating the suitability of parts used in safety-related applications presented one missed opportunity to identify that an EDG voltage regulating circuit board was defective prior to its installation on November 8, 2006. Following installation of the defective EDG 2 voltage regulator circuit board, two high voltage conditions, one resulting in an EDG automatic high voltage trip, occurred on November 13, 2006. Your evaluation of these high voltage events missed another opportunity to identify and correct the deficient condition.
The failure to identify and correct this deficiency resulted in an additional high voltage trip of EDG 2 that occurred on January 18, 2007. This violation is cited in the enclosed Notice of Violation (Enclosure 1). The details describing the 10 CFR Part 50, Appendix B, Criterion XVI, "Corrective Action," violation are described in Enclosure 2. The NRC's preliminary assessment of the safety significance of the inspection finding is documented in Attachment 3 of NRC Inspection Report 05000298/2007007 (ML071430289).
This assessment resulted in a change in core damage frequency (delta CDF) of 5.6E-6, being a finding of low to moderate safety significance, or White. Our preliminary assessment used the loss of offsite power (LOOP) initiating event frequency and EDG non-recovery/repair probabilities, as described in NUREG/CR-6890, "Reevaluation of Station Blackout Risk at Nuclear Power Plants, Analysis of Loss of Offsite Power Events: 1986-2004." This assessment assumed that the voltage regulator degraded only during times that the EDG was in operation. The assessment assumed the voltage regulator could not be repaired or replaced in time to affect the outcome of any core damage sequences. The ability to take manual control of EDG 2 was not credited because procedures did not exist and training was not performed in this EDG mode of operation. As a sensitivity assessment, a case for diagnosing the failure of the automatic voltage regulator and successfully operating the EDG in manual mode was considered. A recovery failure probability for EDG 2 of 0.3 was assumed that lowered the delta CDF to a value of 1.7E-6, a value characterized as having low to moderate safety significance, or White.

Based on additional information indicating that the voltage regulator card failure mechanism was intermittent, the NRC determined that a revised safety significance assessment was warranted. This revised assessment is provided as Enclosure 3. This assessment was performed assuming that the faulty voltage regulator card reduced the reliability of EDG 2. The reduced reliability factor was calculated assuming that two failures resulting in high voltage EDG trips occurred within a period of 36 hours during which the subject voltage regulator card was energized. This assumption was made recognizing that an additional high voltage condition occurred on November 13, 2006, that did not result in an EDG trip because the duration of the high voltage condition was shorter than the time delay setting. Additionally, the NRC revised assessment refined the probability of failing to recover the failed EDG 2 to a value of 0.275. This value corresponds to an 83 percent probability for successfully diagnosing the automatic voltage regulator failure during a station blackout event, and a 90 percent probability for successfully implementing recovery actions.

During the Regulatory Conference, CNS asserted the finding was of very low safety significance, or Green. On July 27, 2007, CNS provided to the NRC their "Probabilistic Safety Assessment" that is provided as Enclosure 4.
The CNS assessment of very low safety significance was made based on five key assumptions that differed from the NRC's. The first difference was that following failure of EDG 2, CNS assumed recovery of EDG 2 prior to core damage occurring with a failure probability of 0.032. This failure probability of recovery significantly differed from the NRC assessment of 0.275. The NRC determined that 0.275 was a more realistic value after reviewing the human error factors present. Factors assessed are discussed in detail in the NRC Phase 3 Analysis provided in Enclosure 3. These factors included: 1) the high complexity of diagnosing an automatic voltage regulator failure during a station blackout event that would involve the support of CNS engineering staff; and 2) recovering the failed EDG in manual voltage control during a station blackout event having incomplete procedural guidance and a lack of operator training and experience involving operating the EDG in manual voltage control during loaded conditions.
The second difference was that CNS calculated the reduced reliability factor for EDG 2 assuming that one failure was the result of the defective diode during the 36-hour duration the subject voltage regulator was energized. CNS asserted that conclusive evidence did not exist that the cause of the November 13, 2006, event was the result of intermittent voltage regulator card diode failure. The NRC reviewed all available information provided by CNS related to the November 13 event. This included the apparent cause evaluation, the laboratory failure analysis report, industry operating experience, and electrical schematic review of the EDG voltage regulating system. Based on our reviews, the NRC determined that an intermittent diode failure of the voltage regulator circuit board was the most plausible failure mechanism. Therefore, the NRC concluded that two failures should be used in the EDG 2 reliability calculation.
The third difference involved CNS evaluating the aspect of convolution related to the probability of recovering offsite power or EDG 1 before or close in time to the assumed failure of EDG 2. This consideration would render the safety consequences of these events to be less significant. The NRC agreed that our model was overly conservative in this aspect, and performed an assessment that incorporated credit for convolution. This resulted in a reduction of delta CDF.
The fourth difference involved CNS crediting the station Class 1E batteries for periods greater than the 8-hour duration utilized in the current risk model. Based on information reviewed, the NRC concluded that extended battery operation beyond eight hours was plausible; however, other operational challenges would be present as described in Appendix A, "Station Blackout Event Tree Adjustments," Table A-1 of the CNS Probabilistic Safety Assessment (Enclosure 4). Based on these considerations the NRC adjusted our model extending the Class 1E batteries to 10 hours. In addition, an adjustment was made to account for the recovery dependency associated with the failure of both EDGs.

The fifth difference involved CNS asserting that implementation of specific station blackout mitigating actions, that were not currently credited in either the NRC or the CNS risk models, would reduce the risk significance of the finding. These specific actions included the use of fire water injection to the core, manual operation of the reactor core isolation cooling (RCIC) system, and the ability to black start an EDG following battery depletion events. Based on our review, and as discussed in the NRC Phase 3 Analysis (Enclosure 3), the NRC determined the success of using these alternative mitigation strategies was offset by the risk contribution of external events.

After careful consideration of the information provided at the Regulatory Conference, the information provided in your risk assessment received on July 27, 2007, and the information developed during the inspection, the NRC has concluded that the best characterization of risk for this finding is of low to moderate safety significance (White), with a delta CDF of 1.2E-6.
You have 30 calendar days from the date of this letter to appeal the NRC's determination of significance for the identified White finding. Such appeals will be considered to have merit only if they meet the criteria given in NRC Inspection Manual Chapter 0609, Attachment 2. In accordance with the NRC Enforcement Policy, the Notice of Violation is considered an escalated enforcement action because it is associated with a White finding. You are required to respond to this letter and should follow the instructions specified in the enclosed Notice when preparing your response.
In addition, we will use the NRC Action Matrix to determine the most appropriate NRC response and any increase in NRC oversight, or actions you need to take in response to the most recent performance deficiencies. We will notify you by separate correspondence of that determination.

In accordance with 10 CFR 2.390 of the NRC's "Rules of Practice," a copy of this letter, its enclosures, and your response will be made available electronically for public inspection in the NRC Public Document Room or from the Publicly Available Records component of NRC's document system (ADAMS). ADAMS is accessible from the NRC Web site at http://www.nrc.gov/reading-rm/adams.html (the Public Electronic Reading Room). To the extent possible, your response should not include any personal privacy, proprietary, or safeguards information so that it can be made available to the Public without redaction.
Sincerely,

Bruce S. Mallett
Regional Administrator

Docket: 50-298
License: DPR-46
Enclosure 1: Notice of Violation
Enclosure 2: Notice of Violation Details
Enclosure 3: NRC Phase 3 Analysis
Enclosure 4: CNS Probabilistic Safety Assessment

cc w/Enclosures:

Gene Mace, Nuclear Asset Manager, Nebraska Public Power District, P.O. Box 98, Brownville, NE 68321

John C. McClure, Vice President and General Counsel, Nebraska Public Power District, P.O. Box 499, Columbus, NE 68602-0499

D. Van Der Kamp, Acting Licensing Manager, Nebraska Public Power District, P.O. Box 98, Brownville, NE 68321

Michael J. Linder, Director, Nebraska Department of Environmental Quality, P.O. Box 98922, Lincoln, NE 68509-8922

Chairman, Nemaha County Board of Commissioners, Nemaha County Courthouse, 1824 N Street, Auburn, NE 68305

Julia Schmitt, Manager, Radiation Control Program, Nebraska Health & Human Services, Dept. of Regulation & Licensing, Division of Public Health Assurance, 301 Centennial Mall, South, P.O. Box 95007, Lincoln, NE 68509-5007

H. Floyd Gilzow, Deputy Director for Policy, Missouri Department of Natural Resources, P.O. Box 176, Jefferson City, MO 65102-0176

Director, Missouri State Emergency Management Agency, P.O. Box 116, Jefferson City, MO 65102-0116

Chief, Radiation and Asbestos Control Section, Bureau of Air and Radiation, Kansas Department of Health and Environment, 1000 SW Jackson, Suite 310, Topeka, KS 66612-1366

Daniel K. McGhee, State Liaison Officer, Bureau of Radiological Health, Iowa Department of Public Health, Lucas State Office Building, 5th Floor, 321 East 12th Street, Des Moines, IA 50319

Melanie Rasmussen, Radiation Control Program Director, Bureau of Radiological Health, Iowa Department of Public Health, Lucas State Office Building, 5th Floor, 321 East 12th Street, Des Moines, IA 50319

Ronald D. Asche, President and Chief Executive Officer, Nebraska Public Power District, 1414 15th Street, Columbus, NE 68601

P. Fleming, Director of Nuclear Safety Assurance, Nebraska Public Power District, P.O. Box 98, Brownville, NE 68321

John F. McCann, Director, Licensing, Entergy Nuclear Northeast, Entergy Nuclear Operations, Inc., 440 Hamilton Avenue, White Plains, NY 10601-1813

Keith G. Henke, Planner, Division of Community and Public Health, Office of Emergency Coordination, 930 Wildwood, P.O. Box 570, Jefferson City, MO 65102

Chief, Radiological Emergency Preparedness Section, Kansas City Field Office, Chemical and Nuclear Preparedness and Protection Division, Dept. of Homeland Security, 9221 Ward Parkway, Suite 300, Kansas City, MO 64114-3372
Enclosure 1: Notice of Violation

Nebraska Public Power District
Cooper Nuclear Station
Docket No. 50-298
License No. DPR-46
EA-07-090
During an NRC inspection completed on April 24, 2007, and following a Regulatory Conference conducted on July 13, 2007, a violation of NRC requirements was identified. In accordance with the NRC Enforcement Policy, the violation is listed below:

10 CFR Part 50, Appendix B, Criterion XVI, requires, in part, that measures shall be established to assure that conditions adverse to quality, such as failures and malfunctions, are promptly identified and corrected. In the case of significant conditions adverse to quality, the measures shall assure that the cause of the condition is determined and corrective action taken to preclude repetition.
Contrary to the above, as of January 18, 2007, the licensee failed to establish measures to promptly identify and correct a significant condition adverse to quality, and failed to assure that the cause of a significant condition adverse to quality was determined and that corrective action was taken to preclude repetition. Specifically, the licensee's inadequate procedural guidance for evaluating the suitability of parts used in safety-related applications presented an opportunity in which the licensee failed to promptly identify a defective voltage regulator circuit board used in Emergency Diesel Generator (EDG) 2 prior to its installation on November 8, 2006, a significant condition adverse to quality. Following installation of the defective EDG 2 voltage regulator circuit board, the licensee failed to determine the cause of two high voltage conditions which occurred on November 13, 2006, and failed to take corrective action to preclude repetition. As a result, an additional high voltage condition occurred resulting in a failure of EDG 2 on January 18, 2007.

This violation is associated with a White SDP finding.
Pursuant to the provisions of 10 CFR 2.201, Nebraska Public Power District is hereby required to submit a written statement or explanation to the U.S. Nuclear Regulatory Commission, ATTN: Document Control Desk, Washington, DC 20555-0001, with a copy to the Regional Administrator, Region IV, and a copy to the NRC Resident Inspector at the facility that is the subject of this Notice, within 30 days of the date of the letter transmitting this Notice of Violation (Notice). This reply should be clearly marked as a "Reply to a Notice of Violation; EA-07-090," and should include for each violation: (1) the reason for the violation, or, if contested, the basis for disputing the violation or severity level, (2) the corrective steps that have been taken and the results achieved, (3) the corrective steps that will be taken to avoid further violations, and (4) the date when full compliance will be achieved. Your response may reference or include previous docketed correspondence, if the correspondence adequately addresses the required response.
If an adequate reply is not received within the time specified in this Notice, an order or a Demand for Information may be issued as to why the license should not be modified, suspended, or revoked, or why such other action as may be proper should not be taken. Where good cause is shown, consideration will be given to extending the response time.
Because your response will be made available electronically for public inspection in the NRC Public Document Room or from the NRC's document system (ADAMS), accessible from the NRC Web site at http://www.nrc.gov/reading-rm/adams.html, to the extent possible, it should not include any personal privacy, proprietary, or safeguards information so that it can be made available to the public without redaction.
If personal privacy or proprietary information is necessary to provide an acceptable response, then please provide a bracketed copy of your response that identifies the information that should be protected and a redacted copy of your response that deletes such information. If you request withholding of such material, you must specifically identify the portions of your response that you seek to have withheld and provide in detail the bases for your claim of withholding (e.g., explain why the disclosure of information will create an unwarranted invasion of personal privacy or provide the information required by 10 CFR 2.390(b) to support a request for withholding confidential commercial or financial information). If safeguards information is necessary to provide an acceptable response, please provide the level of protection described in 10 CFR 73.21.

Dated this 17th day of August 2007.
Enclosure 2: Notice of Violation Details

Scope

Following issuance of NRC Inspection Report 05000298/2007007 (ML071430289), that identified an apparent violation of 10 CFR Part 50, Appendix B, Criterion V, "Instructions, Procedures, and Drawings," additional information was reviewed that included the CNS Probabilistic Safety Assessment, laboratory information related to the failure mechanism of the voltage regulator circuit board, and information discussed during the Regulatory Conference held on July 13, 2007, related to this potential finding. After reviewing all available information related to the Emergency Diesel Generator (EDG) 2 high voltage events, the NRC decided not to pursue a violation of 10 CFR Part 50, Appendix B, Criterion V. However, the NRC determined an apparent violation of 10 CFR Part 50, Appendix B, Criterion XVI, "Corrective Action," did occur in that CNS failed to promptly identify a significant condition adverse to quality that resulted in the reduced reliability of EDG 2. Two distinct and reasonable opportunities to identify the condition adverse to quality existed, yet the condition was not promptly identified and corrected to preclude recurrence. The following details discuss the additional information reviewed and provide the basis for our decision.
Details

On November 8, 2006, a potentiometer mechanically failed during planned maintenance on the Emergency Diesel Generator (EDG) 2 voltage regulator. Work order 4514076 provided the technical instructions for this maintenance activity and contained a contingency for the replacement of the voltage regulator printed circuit board. Replacement of the circuit board was performed on November 8, 2006. Following replacement, the circuit board required tuning. The tuning process was conducted on November 13, 2006, and included making incremental adjustments to the R13 feedback adjust potentiometer and then introducing small voltage demand changes. Approximately ten seconds after one voltage demand change, EDG 2 experienced a pair of output voltage spikes, the first to approximately 5500 volts and the second to greater than 5900 volts. The second voltage spike resulted in a high voltage trip of EDG 2. The NRC noted that at the time the voltage spikes occurred, maintenance personnel were reviewing strip chart recorder traces and no voltage regulator components were being manipulated and no changes in demanded voltage were occurring.
The licensee conducted a failure modes effects analysis (FMEA) and completed troubleshooting activities consisting of diagnostic tests and test runs of EDG 2 between November 13-15, 2006. Based on the lack of any additional high voltage events during the test runs, completion of the FMEA, and input from a vendor field representative, the licensee concluded that the high voltage events that occurred on November 13 were attributable to erratic behavior of the feedback potentiometer being adjusted to tune the circuit board. This conclusion is described in the apparent cause evaluation attached to Condition Report CR-CNS-2006-09096. After completion of a subsequent series of satisfactory surveillance test runs, EDG 2 was declared operable on November 19, 2006. Subsequently, on January 18, 2007, EDG 2 experienced another high voltage trip during surveillance testing.
The licensee's root cause evaluation of this high voltage trip, as described in Condition Report CR-CNS-2007-00480, determined that a manufacturing defect of a diode, attached to the printed circuit board installed on November 8, 2006, caused the high voltage conditions observed.
The NRC reviewed the Condition Report CR-CNS-2006-9096 apparent cause evaluation addressing the high voltage conditions experienced on November 13, 2006, conducted interviews with engineers and maintenance personnel, and reviewed applicable technical manuals. The NRC determined that erratic behavior of either or both potentiometers on the printed circuit board was not a likely cause for the November 13, 2006, high voltage events. The NRC discussed this observation with licensee management on February 1, 2007, after which the licensee initiated Condition Report CR-CNS-2007-00959 documenting the concern. Following these discussions, the licensee completed a more detailed evaluation of the apparent cause. This more detailed evaluation concluded that the erratic behavior of the feedback potentiometer, combined with the possibility that an oxidation layer could have built up on the potentiometer slide wire, could have caused an open circuit on the voltage regulator printed circuit board. The licensee believed that this open circuit could have resulted in the high voltage condition that EDG 2 experienced. The NRC noted that this evaluation was not based on direct observation or circuit modeling, but on hypothetical information from a field service vendor. The NRC questioned the licensee if the vendors were aware of any similar EDG high voltage condition occurring due to erratic potentiometer operation during the tuning process of the voltage regulator circuit board. The licensee provided the NRC a written response from the vendor that stated, "No. In addition, we have not seen or heard of such an event while adjusting the Range and/or Stability on any make or model of voltage regulator."

The NRC noted that the November 13, 2006, high voltage trip of EDG 2 was not viewed by the licensee as a possible precursor to the January 18, 2007, event until the receipt of a laboratory report on May 8, 2007. This laboratory report contained the results of destructive testing of the VR1 zener diode from the voltage regulator printed circuit board. This report provided definitive evidence that the January 18, 2007, overvoltage trip of EDG 2 was caused by an intermittent discontinuity in the diode resulting from a manufacturing defect. Based on this new information, the licensee revised the root cause report in CR-CNS-2007-00480 and viewed the November 13, 2006, EDG 2 high voltage trip as a possible precursor to the January 18, 2007, EDG 2 high voltage trip. Additionally, the NRC noted that when the faulted circuit board was being evaluated at the laboratory, no actions were taken to validate if the potentiometers on the card were potentially the source of the high voltage events that occurred on November 13, 2006, as their FMEA had concluded.
The NRC reviewed the FMEA performed in Condition Report CR-CNS-2006-9096. The NRC noted that operating and maintenance instructions of the EDG voltage regulator system are described in the Basler Electric Company Operation and Service Manual, Series Boost Exciter-Regulator, Type SBSR HV, dated November 1970. In addition, the NRC noted that the Electric Power Research Institute (EPRI) published a technical report, Basler SBSR Voltage Regulators for Emergency Diesel Generators, dated November 2004, that provided updated operating, maintenance, and troubleshooting recommendations to industry users. The licensee used both of these resources extensively for procedure development and to guide troubleshooting efforts. The NRC noted Section 5 of the Basler vendor manual provided recommendations for maintenance and troubleshooting. Table 5-1 of this manual provided a symptom-based probable cause table for voltage regulator problems. In the case of the November 13, 2006, EDG 2 high voltage trip, the following guidance was applicable:
| Symptom | Probable Cause | Remedy |
|---|---|---|
| Voltage high, uncontrollable with voltage adjust rheostat. | Open fuse F1 in voltage regulator power stage. Defect in voltage regulator printed circuit board. No current indicated on saturable transformer control current meter. | If no voltage control on automatic operation, replace fuse F1. If no voltage control on manual operation, replace fuse F2. Replace printed circuit board assembly. |
Section 8 of the EPRI technical report also provided troubleshooting recommendations. The section of the table that provided valuable insight for the November 13 trip is as follows:

| Symptom | Problem | Solution |
|---|---|---|
| Voltage high and uncontrollable with motor operated potentiometer (MOP) | No or low voltage from sensing potential transformers | Verify that there are no blown potential transformer fuses and that there are good connections at the potential transformers |
| | Shorted MOP | Replace R60 or entire MOP assembly |
| | T2 transformer set to wrong tap | Verify tap setting of 120 VAC |
| | Faulty voltage regulator assembly | Replace voltage regulator assembly |
The NRC noted that the FMEA discussed each of the probable causes of the uncontrollable high voltage on EDG 2, but that not all of the recommended actions were taken. Specifically, the licensee did not replace the faulty voltage regulator assembly even though both the Basler technical manual and the EPRI technical report recommended its replacement following uncontrollable high voltage conditions.
In addition, the NRC noted that Condition Report CR-CNS-2006-9096 contained a summary of industry operating experience regarding failures of Basler voltage regulators. Of the 58 Basler failures listed in the report, 33 involved Basler SBSR voltage regulators, the same type used at Cooper Nuclear Station. Of these, four involved manufacturing defects on the printed circuit boards. The NRC identified another eight Basler voltage regulator failures related to manufacturing quality in publicly available sources of operating experience. The NRC also noted that none of these failures occurred due to erratic potentiometer operation utilized during the tuning process.
As previously documented in NRC Inspection Report 05000298/2007007, the licensee root cause report evaluating the January 18, 2007, EDG 2 high voltage event, documented in CR-CNS-2007-00480, determined that the cause of the failure was that the original procurement process did not provide technical requirements to reduce the probability of infant mortality failure in the voltage regulator board. The licensee determined that the failed circuit board had been purchased from the Basler Electric Company in 1973, but that the procurement of the part had not specified any technical requirements from the vendor. In effect, the part was purchased as a commercial grade item from a non-Appendix B source and placed into storage as an essential component, ready for use in safety-related applications, without any documentation of its suitability for that purpose.
The licensee determined that the specification of proper technical requirements, such as inspections and/or testing, would have provided an opportunity to discover the latent defect prior to installing the card in an essential application. During the Regulatory Conference on July 13, 2007, the licensee stated that even if they had performed additional testing, such as a burn-in, of the voltage regulator card prior to its installation on November 8, 2006, such testing would probably not identify the faulty diode. In addition, the licensee stated that since this card was purchased in 1973, Generic Letter 91-05, "Licensee Commercial-Grade Procurement and Dedication Programs," discussed that the NRC did not expect licensees to review all past procurements.
With respect to these assertions, the NRC determined that had the licensee performed testing of the card prior to its installation in accordance with standard industry recommendations, there was some probability that such a defect would have been identified. This conclusion was based on the fact that the laboratory findings, coupled with the actual high voltage occurrences experienced on November 13, 2006, and January 18, 2007, confirmed that the failure was of an intermittent nature and that variations such as temperature alone could cause the condition to manifest itself.
With respect to the assertion that Generic Letter 91-05 did not require licensees to review past commercial grade procurements that may have been inappropriately dedicated as suitable for safety-related applications, the NRC determined the licensee missed an opportunity to perform additional evaluations concerning the suitability of the voltage regulating circuit board prior to its installation. Specifically, Generic Letter 91-05 states, in part, that the NRC does not expect licensees to review all past procurements. However, if failure experience or current information on supplier adequacy indicates that a component may not be suitable for service, then corrective actions are required for all such installed and stored items in accordance with 10 CFR Part 50, Appendix B, Criterion XVI, "Corrective Action." Based on the previously discussed operating experience related to quality concerns associated with Basler voltage regulating cards, the NRC determined that the licensee missed an opportunity to evaluate this information prior to installing the EDG 2 voltage regulating card on November 8, 2006. Additionally, following the high voltage conditions experienced on November 13, 2006, this operating experience, although obtained, did not result in the licensee questioning the quality of the component, as reflected in Item 10 of the licensee's Equipment Failure Evaluation Checklist dated November 30, 2006, stating there were no concerns associated with the quality of the part.
Additionally, the NRC reviewed Condition Report CR-CNS-2007-04278, which reported that the licensee had failed to perform a required root cause analysis following the diesel generator failure on November 13, 2006. Administrative Procedure 05.CR, "Condition Report Initiation, Review, and Classification," Revision 7, requires that a condition report be classified as Category A (root cause investigation) for "repeat Critical 1 Component equipment failures that have previously been addressed with a root or apparent cause evaluation." Voltage control problems on EDG 2, a "Critical 1 Component" in the licensee's equipment reliability program, had been addressed using apparent cause evaluations on four separate occasions in the twelve months prior to the November 13, 2006, high voltage trip. Contrary to the guidance in Procedure 05.CR, the November 13 trip was again assigned an apparent cause evaluation versus the required root cause evaluation. When EDG 2 subsequently tripped again on January 18, 2007, a root cause team was assembled, which resulted in the identification of a defective diode on the voltage regulator printed circuit board. Based on the previously discussed observations, the NRC concluded that multiple opportunities existed for the licensee to promptly identify that the EDG 2 voltage regulating card installed on November 8, 2006, was defective prior to declaring the EDG operable on November 19, 2006. Based on the failure to promptly identify this degraded condition, corrective actions were not implemented in accordance with 10 CFR Part 50, Appendix B, Criterion XVI, "Corrective Action," resulting in the failure of EDG 2 on January 18, 2007.
Analysis:

This finding is a performance deficiency because the licensee failed to promptly identify that a defective Emergency Diesel Generator (EDG) 2 voltage regulator circuit board was installed, which adversely affected the safety function of equipment important to safety. This finding is more than minor because it is associated with the equipment performance attribute of the Mitigating Systems cornerstone and adversely affects the cornerstone objective of ensuring the availability, reliability, and capability of systems that respond to initiating events. This finding was evaluated using the Significance Determination Process (SDP) Phase 1 Screening Worksheet provided in Manual Chapter 0609, Appendix A, "Significance Determination of Reactor Inspection Findings for At-Power Situations." The screening indicated that a Phase 2 analysis was required because the finding represents a loss of safety function for EDG 2 for greater than its Technical Specification allowed completion time. The Phase 2 and 3 evaluations concluded that the finding was of low to moderate safety significance (see Enclosure 3 for details).
The cause of this finding is related to the problem identification and resolution crosscutting components of the corrective action program and operating experience because the licensee failed to thoroughly evaluate the EDG high voltage condition such that resolutions address the causes, and the licensee failed to effectively use operating experience, including vendor recommendations, resulting in changes to plant equipment (P.1(c)) and (P.2(b)).
Cooper Nuclear Station
Failure of EDG 2 Voltage Regulator
NRC Phase 3 Analysis

The NRC estimated the risk increase resulting from the degraded Emergency Diesel Generator (EDG) 2 voltage regulator. The diesel was run at the following times with durations reported as the period of time that the voltage regulator was energized (all of these operational runs were conducted after the defective voltage regulator circuit board was installed):

11/11/06  0 hrs 3 min
11/13/06  1 hr 30 min (first failure)
11/14/06  6 hrs 46 min
11/15/06  1 hr 35 min
11/16/06  9 hrs 23 min
11/17/06  5 hrs 3 min
11/18/06  2 hrs 28 min
12/12/06  5 hrs 41 min
01/18/07  4 hrs 16 min (second failure)

The unit was returned to Mode 1 on November 22, 2006, and ran at power until the last failure occurred on January 18, 2007. The period of exposure was 57 days.
Assumptions

1. The licensee determined that the voltage regulator failures were caused by an intermittent condition resulting from a faulty diode. Two failures of the voltage regulator occurred within a period of 36 hours during which the voltage regulator was energized. This information was used to calculate an hourly failure rate for use in the risk analysis. The NRC noted the licensee had calculated an increased unreliability of the voltage regulator by performing a Bayesian update of industry data. However, the NRC determined that the risk impact is more accurately expressed by modeling the condition as a new failure mode of the diesel generator.
2. Common cause vulnerabilities for EDG 1 did not exist, that is, the failure mode is assumed to be independent in nature. This is because the root cause investigation determined that the failure was the result of a manufacturing defect resulting in an infant mortality. The same component in EDG 1 had been installed since initial plant operations and had operated reliably beyond the "burn-in" period, providing evidence that it did not have the same manufacturing defect. The NRC considered the probability of EDG 1 failing from a defective voltage regulator within a short period of time of the EDG 2 failure to be too low to affect the results of this analysis.

3. The standard CNS SPAR model credited the Class 1E batteries with an 8-hour discharge capability following a station blackout. Based on information received from the licensee, this credit was extended to 10 hours. Although the batteries could potentially function beyond 10 hours under certain conditions, other challenges related to the operation of RCIC and HPCI in station blackout conditions would be present. These challenges included the availability of adequate injection supply water and operational concerns of RCIC under high back pressure conditions as a result of the unavailability of suppression pool cooling during an extended station blackout event.

4. Using the SPAR-H methodology, it was estimated that the probability of recovering from the failure, using manual voltage regulation control, in a time frame consistent with the core damage sequences was 72.5 percent, or a 0.275 non-recovery probability. Recovery would involve diagnosing the problem and then making a decision to either replace the automatic voltage regulating circuit board or operate the EDG in a manual voltage regulating mode. The results of this analysis are presented in the table below:

Performance Shaping Factor | Diagnosis (0.01)                                   | Action (0.001)
Available Time             | Expansive Time (0.01) (>2X nominal and > 30 min.)  | >5 Times Required (0.1)
Stress                     | High (2)                                           | High (2)
Complexity                 | High (5)                                           | Moderate (2)
Experience/Training        | Low (10)                                           | Low (10)
Procedures                 | Incomplete (20)                                    | Incomplete (20)
Ergonomics                 | Nominal                                            | Nominal
Work Processes             | Nominal                                            | Poor (5)
Total (1)                  | 0.168                                              |
Overall Total HRA          | 0.275                                              |

(1) This reflects the result using the formula for cases where 3 or more negative PSFs are present.

The nominal time for performing the actions was small compared to the minimum time of 4 or 8 hours available (for most core damage sequences) to restore power following a loss of offsite power (LOOP) event. The time available for diagnosis was considered to be expansive because it exceeded twice what would be considered nominal and is greater than 30 minutes. Extra time was credited for the action steps because at least 6 hours would be available for most sequences and it was assumed that approximately 1 hour would be required.
High stress was assumed because the station would be in a blackout condition. The steps needed to diagnose the problem and decide on an action plan to either replace the voltage regulator or attempt manual voltage control operation were considered to be highly complex because procedural guidance did not direct operators to take manual voltage regulation control of the EDG following high voltage trip conditions. Diagnosing the failed voltage regulator and determining subsequent recovery actions would be an unfamiliar maintenance task requiring high skill. During NRC discussions with control room operators, they stated engineering support would be required to evaluate the diesel failure rather than attempt to start the EDG in manual control, potentially damaging the machine.

The NRC addressed diagnosis recovery as presented in the SPAR-H Method in NUREG/CR-6883, Section 2.8, "Recovery." Additional credit for this finding was not considered applicable because of a lack of additional alarms or cues that would occur after the initial diagnosis effort was completed. Also, the NRC determined that recovery from an initial diagnosis failure was already adequately accounted for in the 0.01 factor that was applied for the availability of expansive time.

The actions needed to operate the diesel generator in a manual voltage regulating mode were considered to be moderately complex. Low training and experience were assumed because the plant staff had not performed this mode of operation and had not received specific training. Procedures focused on manual operation of the diesel were not available, but credit for incomplete procedures was applied because various technical sources were available that could be pieced together to generate a temporary working procedure. Work processes for actions were considered poor because a substantive crosscutting issue is currently open related to personnel failing to adhere to procedural compliance, reflective of a trend of poor work practices.

The result of the SPAR-H analysis was a failure probability of 0.275. For the short-term (30-minute) sequences in the SPAR model (corresponding to the failure of steam-powered high pressure injection sources), credit for recovery of the EDG 2 voltage regulator failure was not applied because of inadequate
time available.

5. For cutsets that contained both recovery of EDG 2 from the voltage regulator failure and a standard generic recovery for EDGs, which in this case would apply only to a recovery of EDG 1, a dependency correction was applied as discussed in the SPAR-H Method in NUREG/CR-6883, Section 2.6. The dependency rating was determined to be "high," based on the rating factors of "same crew" (crew in this case was defined as the team of managers and engineers who would be making decisions related to the recovery of both EDGs), "close in time," and "different location." To account for the dependency on the recovery of EDG 1, the formula of (1 + base SPAR non-recovery probability)/2 was used. The use of a dependency correction accounts for several issues, including the fact that the standard EDG recovery factors in SPAR models address the probability of recovering one of two EDGs that have failed, meaning that the more easily recoverable unit can be selected for this purpose. In this case, the recovery factor is limited to only one EDG, and the option to select the other EDG is not available within the mathematics of the model. The dependency also accounts for situations where recovery of one EDG may be abandoned in favor of recovery of the other unit, and where the recovery team loses confidence after experiencing a failure to recover the first EDG. It also accounts for the splitting of resources in the double-EDG failure scenario.
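As an added illustration, not part of the NRC analysis or the licensee's study, the following Python reproduces the SPAR-H arithmetic described above: the diagnosis HEP of 0.168 from the PSF multipliers in the table, the adjusted formula footnoted for three or more negative PSFs, the withheld recovery credit for 30-minute sequences, and the high-dependency correction (1 + p)/2 applied to the EDG 1 recovery term. Only the diagnosis row is reproduced, since the action-row multipliers are only partly legible above; the base non-recovery value used in the test is a constructed number.

```python
"""SPAR-H human error probability and dependency arithmetic
(added example, not NRC or NPPD code)."""
from math import prod

# Nominal HEPs SPAR-H assigns to the two task types (NUREG/CR-6883).
NHEP_DIAGNOSIS = 0.01
NHEP_ACTION = 0.001

# Diagnosis PSF multipliers as rated in the table above (Nominal = 1).
DIAGNOSIS_PSFS = {
    "available_time": 0.01,      # expansive (>2x nominal and >30 min)
    "stress": 2,                 # high: station in blackout
    "complexity": 5,             # high: no procedural guidance
    "experience_training": 10,   # low: mode of operation never practised
    "procedures": 20,            # incomplete: pieced from technical sources
    "ergonomics": 1,             # nominal
    "work_processes": 1,         # nominal
}


def spar_h_hep(nhep: float, psfs: dict) -> float:
    """Combine PSF multipliers into an HEP.

    SPAR-H normally takes NHEP times the product of the multipliers. When
    three or more PSFs are negative (multiplier > 1) the adjusted formula
    NHEP * PSFc / (NHEP * (PSFc - 1) + 1) is used so the result stays
    below 1.0; that is the "3 or more negative PSFs" case footnoted above.
    """
    psf_composite = prod(psfs.values())
    negative = sum(1 for m in psfs.values() if m > 1)
    if negative >= 3:
        return nhep * psf_composite / (nhep * (psf_composite - 1) + 1)
    return min(1.0, nhep * psf_composite)


def diagnosis_hep() -> float:
    """Diagnosis failure probability for this finding, about 0.168."""
    return spar_h_hep(NHEP_DIAGNOSIS, DIAGNOSIS_PSFS)


def sequence_nonrecovery(hep: float, sequence_minutes: float) -> float:
    """Non-recovery value placed in a cutset: the 30-minute sequences get no
    credit (1.0) because recovery is not possible in that time frame."""
    return 1.0 if sequence_minutes <= 30 else hep


def high_dependency_nonrecovery(base_nonrecovery: float) -> float:
    """High-dependency correction from SPAR-H Section 2.6, applied to the
    generic EDG 1 recovery term when it shares a cutset with the EDG 2
    voltage regulator recovery: (1 + p) / 2."""
    if not 0.0 <= base_nonrecovery <= 1.0:
        raise ValueError("probability out of range")
    return (1.0 + base_nonrecovery) / 2.0


if __name__ == "__main__":
    print(f"diagnosis HEP: {diagnosis_hep():.3f}")
    # constructed base value, not a figure from the analysis
    print(f"EDG 1 non-recovery with high dependency: "
          f"{high_dependency_nonrecovery(0.2):.3f}")
```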
6. For EDG fail-to-run basic events, the Cooper SPAR model assumes that the failure occurs immediately following the loss of offsite power event. This is a conservative modeling assumption because it fails to account for scenarios where offsite power or the other EDG is recovered prior to the moment that EDG 2 experiences a failure to run. For the assumed intermittent failure condition of EDG 2, failure is assumed to be equally probable throughout the 24-hour mission time. Therefore, recovery of offsite power or the other diesel generator before or close in time following the assumed EDG 2 failure renders the safety consequences of the performance deficiency insignificant in those cases. To correct for this conservatism, the Cooper SPAR model was modified with sequence specific convolution correction factors that were applied whenever an EDG fail-to-run event appeared in a cutset.

Delta-CDF Result in SPAR: 7.84E-6/yr
Internal Events Analysis Result for 57-Day Exposure: 1.2E-6

The Cooper SPAR model, Revision 3.31, dated October 10, 2006, was used in the analysis. A cutset truncation of 1.0E-12 was used. Average test and maintenance was assumed. The model was modified as previously discussed to apply convolution correction factors and to credit the battery with a 10-hour discharge capability. In addition, a modeling error was discovered and corrected related to the failure of a battery charger on a train alternate to an EDG failure. The result of this correction reduced the base CDF result of the model. For the estimate of the voltage regulator failure rate, the NRC assumed a "zero" prior distribution which resulted in a lambda value of 0.556 for two failures occurring in a 36-hour time period (Assumption 1). Using a Poisson distribution, this equates to a probability of 0.736 that the EDG will fail to run within 24 hours following a demand. A 24-hour period is used as the standard mission time within the SPAR model.
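Added worked example, not code from the NRC or NPPD: the failure-rate estimate with a zero prior, the Poisson fail-to-run probability over the 24-hour mission time, the AND-gate combination with the 0.275 non-recovery basic event, and the prorating of the annual delta-CDF (read here as 7.84E-6/yr) to the 57-day exposure. With lambda = 2 failures / 36 hours, about 0.0556 per hour, it reproduces the 0.736 probability and the 1.2E-6 exposure result quoted above.

```python
"""Failure-rate, mission-time and exposure arithmetic for the EDG 2
voltage regulator finding (added example, not NRC or NPPD code)."""
from math import exp

MISSION_TIME_HOURS = 24.0   # standard SPAR mission time
DAYS_PER_YEAR = 365.0


def failure_rate_zero_prior(failures: int, energized_hours: float) -> float:
    """Point estimate of the hourly failure rate.

    With a "zero" (noninformative) prior the Bayesian update collapses to
    the observed rate n/T, so two failures in 36 energized hours give
    roughly 0.0556 per hour.
    """
    if failures < 0 or energized_hours <= 0:
        raise ValueError("need a non-negative count and positive exposure time")
    return failures / energized_hours


def prob_fail_within(rate_per_hour: float,
                     hours: float = MISSION_TIME_HOURS) -> float:
    """Probability of at least one failure in `hours` for a Poisson process
    with constant rate, i.e. 1 - exp(-lambda * t)."""
    return 1.0 - exp(-rate_per_hour * hours)


def unrecovered_failure_probability(p_fail: float,
                                    p_nonrecovery: float) -> float:
    """AND gate of the new fail-to-run basic event with its non-recovery
    basic event; the two are treated as independent in the fault tree."""
    return p_fail * p_nonrecovery


def prorate_to_exposure(delta_cdf_per_year: float,
                        exposure_days: float) -> float:
    """Convert an annual delta-CDF into the increase in core damage
    probability over the exposure period."""
    return delta_cdf_per_year * exposure_days / DAYS_PER_YEAR


def edg2_case() -> dict:
    """Numbers for this finding: 2 failures in 36 h, 0.275 non-recovery,
    7.84E-6/yr delta-CDF, 57-day exposure."""
    lam = failure_rate_zero_prior(2, 36.0)
    p24 = prob_fail_within(lam)
    return {
        "lambda_per_hour": lam,
        "p_fail_24h": p24,
        "p_fail_and_not_recovered": unrecovered_failure_probability(p24, 0.275),
        "delta_cdp_57_days": prorate_to_exposure(7.84e-6, 57),
    }


if __name__ == "__main__":
    for name, value in edg2_case().items():
        print(f"{name}: {value:.3g}")
```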
The NRC created a new basic event for the failure of the voltage regulator and placed it into the fault tree for "Diesel Generator 2 Faults." Under the same "AND" gate, a basic event for recovery of the EDG 2 voltage regulator failure (0.275) was inserted. As previously discussed, for cutsets that contained both failure to recover EDG 2 from the voltage regulator failure and a standard term, which would in this case only apply to EDG 1, a correction to the standard EDG non-recovery probability was applied to account for the dependency between these two recoveries. Using the SPAR-H methodology, a high dependency was determined and the calculation using this assumption resulted in an increase in the non-recovery probability for EDG 1 within the affected cutsets. Additionally, for cutsets containing a 30-minute recovery term, related to the loss of high pressure injection sources, the value of the EDG 2 voltage regulator non-recovery probability was set to 1.0, because recovery of EDG 2 would not be possible in that time frame. The common cause EDG fail-to-run term was not changed and therefore all cutsets containing this term were completely offset by the base case. The following table displays the result of the analysis: The major cutsets were reviewed and no anomalies were identified.

External Events Analysis

The risk increase
from fire initiating events was reviewed and determined to have a small impact on the risk of the finding. Only two fire scenarios were identified where equipment damage could cause an unintentional LOOP to occur. These are a fire in control room board C or a fire in control room vertical board F. For these control room fires, the probability of causing a LOOP is remote because of the confined specificity of their locations and the fact that a combination of hot shorts of a specific polarity is needed to cause the emergency and startup transformer breakers to open. Breakers to these transformers do not lock out and recovery of power can be achieved by pulling the control power fuses at the breakers and operating the breakers manually. Procedures are available to perform these actions. The combination of the low event frequency and high recovery probability means that fires in these locations do not add appreciably to the risk of this finding. The other class of fires resulting in a LOOP required an evacuation of the control room. In this case, plant procedures require isolating offsite power from the vital buses and using the preferred source of power, Division 2 EDG. The sequences that could lead to core damage would include a failure of the Division 1 EDG, such that ultimate success in averting core damage would rely on recovery of either EDG or of offsite power. A review of the onsite electrical distribution system did not reveal any particular difficulties in restoring switchyard power to the vital buses in this scenario, especially given that at least 8 hours are available to accomplish this task for the bulk of the core damage scenarios. Switchgear room fires only affected the ability to power one of the two vital buses from offsite power, leaving at least one vital bus available for plant recovery. Therefore, a fire in Switchgear Room A would not require operation of EDG 2 and a fire in Switchgear Room B would not affect the risk difference of the finding because it would cause the same consequence as in the base case. In general, the fire risk importance for this finding is small compared to that associated with internal events because onsite fires do not remove the availability of offsite power in the switchyard, whereas, in the internal events scenarios, long-term unavailability of offsite power is presumed to occur as a consequence of such events as severe weather or significant electrical grid failures. The Cooper IPEEE
Internal Fire Analysis screened the fire zones that had a significant impact on overall plant risk. When adjusted for the exposure period of this finding, the cumulative baseline core damage frequency for the zones having the potential for a control room evacuation (and a procedure-induced LOOP) or an induced plant centered LOOP was approximately 3.6E-7/yr. The methods used to screen these areas were not rigorous and used several bounding assumptions, the refinement of which would likely lower the result. Based on these considerations, the NRC concluded that the risk related to fires would not be sufficient to change the risk characterization of this finding.

The seismicity at Cooper is low and would likely have a small impact on risk for an EDG issue. As a sensitivity, data from the RASP External Events Handbook was used to estimate the scope of the seismic risk particular to this finding. The generic median earthquake acceleration assumed to cause a loss of offsite power is 0.3g. The estimated frequency of earthquakes at Cooper of this magnitude or greater is 9.828E-5/yr. The generic median acceleration assumed to cause a loss of the diesel generators is 3.1g, though essential equipment powered by the EDGs would likely fail at approximately 2.0g. The seismic information for Cooper is capped at a magnitude of 1.0g with a frequency of 8.187E-6. This would suggest that an earthquake could be expected to occur with an approximate frequency of 9.0E-5/yr that would remove offsite power but not damage other equipment important to safe shutdown. To model the seismic risk, the NRC assumed that offsite power could not be recovered within 24 hours and therefore zeroed all offsite power recoveries in the SPAR model. A CCDP was generated for the base case and, using the same assumptions for the failure probability of the voltage regulator, for the analysis case. The result is presented in the following table:

Seismic LOOP initiating event frequency (IEF): 9E-5/yr
Base case CCDP: 1.279E-3
Analysis case CCDP: 7.560E-3
Delta-CDF Result: 5.7E-7/yr
Result for 57-Day Exposure: 8.9E-8

Flooding could
be a concern because of the proximity to the Missouri River. However, floods that would remove offsite power would also likely flood the EDG compartments and therefore not result in a significant change to the risk associated with the finding. The switchyard elevation is below that of the power block by several feet, but it is not likely that a slight inundation of the switchyard would cause a loss of offsite power. The low frequency of floods within the thin slice of water elevations that would remove offsite power for at least 4 hours, but not debilitate the diesel generators, indicates that external flooding would not add appreciably to the risk of this finding. The NRC determined that although external events would add risk to the overall assessment, the amount of risk would be small and not change the safety significance of the finding.
Alternative Mitigation Strategies

The NRC noted that several alternative mitigation strategies discussed by the licensee during the Regulatory Conference on July 13, 2007, were not modeled or were disabled in the SPAR model. These strategies included the ability to operate RCIC in a manual mode of operation following battery depletion, the use of firewater injection into the RCS, and the capability to blackstart an EDG following loss of the Class 1E dc buses. With respect to the use of fire water injection, the NRC noted that the CNS SPAR model integrates a recovery based on firewater injection into the station blackout event tree. In the base case, this recovery is set at a non-recovery probability of 1.0, which implies no recovery credit. As a sensitivity study, the NRC assumed a baseline firewater failure probability of 0.1 and noted that the final delta CDF result was decreased by only 2.1 percent because firewater was only modeled in depressurized reactor coolant system sequences that were not large risk contributors to this finding.
With respect to manual operation of the RCIC system, the NRC noted that this mitigation strategy was not credited in either the NRC or CNS risk assessment models. Nonetheless, the feasibility of this strategy was assessed by reviewing station procedures, interviewing station personnel, performing a field walkdown of the procedural steps with station operators, and evaluating the human error factors that would be present following an extended station blackout event resulting in depletion of the station essential batteries. Based on this qualitative review, the NRC concluded that this strategy would not significantly change the overall risk assessment conclusion for this specific type of event. Factors assessed that affected this decision included:

1) following depletion of the battery supporting RCIC operation, the initial valve lineup supporting manual system operation would take at least 75 minutes;
2) no cooling over an extended period of time in the RCIC turbine room causes an extremely high temperature environment that would significantly restrict personnel stay times;
3) reactor vessel level indication is on a different elevation than the RCIC flow controls;
4) manual starting of the RCIC pump in this configuration has not been tested;
5) position indication is not readily available for motor operated valves;
6) procedures are not clear in ensuring proper system alignment;
7) procedures do not verify adequate RCIC water supply tank level prior to starting the pump nor supply adequate guidance to maintain adequate level during RCIC operation to prevent vortexing concerns in the supply tank;
8) one identified motor operated valve that is required to be manually operated is approximately 12 feet above the floor and is not readily accessible because it is directly above the RCIC turbine;
9) operators would be required to travel up and down multiple levels (in an extremely hot environment) repeatedly; and
10) a substantive crosscutting issue is currently open related to personnel failing to follow procedural guidance, reflective of a trend related to poor work practices.
Additionally, the ability to black start an EDG was reviewed by the NRC. The NRC concluded that, because of the many uncertainties and associated variables, credit for this mitigation strategy was not readily quantifiable. After review of the particular procedures, activities, and conditions under which these actions would be taken, none of these strategies were considered to appreciably affect the risk significance of the finding. Nevertheless, in a qualitative sense, they would improve the chances for avoiding core damage. The NRC determined the success of using these alternative mitigation strategies was comparable to the additional risk due to external events. Based on this qualitative assessment, these alternative mitigation strategies were considered offset by the risk contribution of the external events.

Large Early Release Frequency:
In accordance with Manual Chapter 0609, Appendix A, Attachment 1, Step 2.6, "Screening for the Potential Risk Contribution Due to LERF," the NRC reviewed the core damage sequences to determine an estimate of the change in large early release frequency caused by the finding. The LERF consequences of this performance deficiency were similar to those documented in a previous SDP Phase 3 evaluation regarding a misalignment of gland seal water to the service water pumps. The final determination letter was issued on March 31, 2005, and is located in ADAMS, Accession No. ML050910127. The following excerpt from this document addressed the LERF issue:

"The NRC reevaluated the portions of the preliminary significance determination related to the change in LERF. In the regulatory conference, the licensee argued that the dominant sequences were not contributors to the LERF. Therefore, there was no change in LERF resulting from the subject performance deficiency. Their argument was based on the longer than usual core damage sequences, providing for additional time to core damage, and the relatively short time estimated to evacuate the close-in population surrounding Cooper Nuclear Station. LERF is defined in NRC Inspection Manual Chapter 0609, Appendix H, "Containment Integrity Significance Determination Process" as: "the frequency of those accidents leading to significant, unmitigated release from containment in a time frame prior to the effective evacuation of the close-in population such that there is a potential for early health effect." The NRC noted that the dominant core damage sequences documented in the preliminary significance determination were long sequences that took greater than 12 hours to proceed to reactor pressure vessel breach. The shortest calculated interval from the time reactor conditions would have met the requirements for entry into a general emergency (requiring the evacuation) until the time of postulated containment rupture was 3.5 hours. The licensee stated that the average evacuation time for Cooper, from the declaration of a General Emergency, was 62 minutes. The NRC determined that, based on a 62-minute average evacuation time, effective evacuation of the close-in population could be achieved within 3.5 hours. Therefore, the dominant core damage sequences affected by the subject performance deficiency were not LERF contributors. As such, the NRC's best estimate determination of the change in LERF resulting from the performance deficiency was zero."
In the current analysis, the total contribution of the 30-minute sequences to the current case CDF is only 0.17% of the total. For 2-hour sequences, the contribution is only 0.04%. That is, almost all of the risk associated with this performance deficiency involves sequences of duration 4 hours or longer following the loss of all ac power. Based on the average 62-minute evacuation time as documented above, the NRC determined that large early release did not contribute to the significance of the current finding.
References

NUREG/CR-6890, "Reevaluation of Station Blackout Risk at Nuclear Power Plants, Analysis of Loss of Offsite Power Events: 1986-2004"

"Incremental Change in Core Damage Probability Resulting from Degraded Voltage Regulator Diode Installed in the Division 2 Diesel Generator," PSA-ES083, Revision 0

NUREG/CR-6883, "SPAR-H Human Reliability Analysis Method"

Peer Review: John Kramer, NRR; See-Meng Wong, NRR; Jeff Circle, NRR; David Loveless, RIV
Enclosure 4

PROBABILISTIC SAFETY ASSESSMENT
COOPER NUCLEAR STATION ENGINEERING STUDY

Incremental Change in Core Damage Probability Resulting from Degraded Voltage Regulator Diode Installed in the Division 2 Diesel Generator

PSA-ES082, Revision 0

Prepared By: Ole Olson, Risk Management Engineer, 7/27/2007
Reviewed By: John Branch, Risk Management Engineer, 7/27/2007
Approval: Kent Sutton, Risk Management Supervisor, 7/27/2007
(Signature/Date: see original for signatures)

Revisions:
Number | Description    | Reviewed (By / Date) | Approved (By / Date)
0      | Original Issue | See Above            | See Above
TABLE OF CONTENTS

EXECUTIVE SUMMARY ... 2
NOMENCLATURE
DEFINITIONS ... 7
1.2.1 Discussion of the AC Electrical Power System at CNS
1.2.2 Defective Diode's Impact on Normal Operation
2.0 EVALUATION ... 10
2.1 SPECIFIC INCREASE IN RISK RESULTING FROM THE DEFECTIVE DIODE ... 10
2.1.1 ASSUMPTIONS AND CHARACTERISTICS OF THE MODEL ... 10
2.1.2 DERIVATION OF ICCDP ... 13
2.1.2.1 Base CDF Quantification ... 13
2.1.2.2 Conditional CDF Quantification ... 15
2.1.3 RISK SIGNIFICANCE CONCLUSIONS WITH RESPECT TO ICCDP ... 16
2.2 RISK INSIGHTS FROM BOUNDING ANALYSIS
2.2.2 ICCDP SENSITIVITY IN
2.2.3 BOUNDING ANALYSIS
2.3 LARGE EARLY RELEASE F ... 20
2.4 EXTERNAL EVENT EVALUATION
2.4.1 Internal Fire
3.0 CONCLUSION
4.0 REFERENCES ... 22
Appendix A Station Blackout Event Tree Adjustments
Appendix B Human Reliability Analysis
Appendix C Data Analysis for Defective Diode Installed in Voltage Regulator Card
Appendix D DG2 Voltage Control Board Diode Failure FIRE-LOOP Evaluation
Appendix E Time Weighted LOOP Recoveries for SBO Sequences

Page 1 of 23
EXECUTIVE SUMMARY

Change in CDF resulting from Defective Diode: 8.806E-08/Yr
Duration of Full Power Operations with Defective Diode: 56 Days

A focused probabilistic risk assessment (PRA) based on the Cooper Nuclear Station PRA model and the CNS SPAR model has been performed to evaluate the safety significance of a January 18, 2007, run failure of the division 2 emergency diesel generator (DG-GEN-DG2). This assessment concluded that the increased risk can be characterized as very low in significance in terms of incremental change in core damage probability resulting from at power internal and external events. The run failure of DG-GEN-DG2 was the result of a diesel generator trip from an over voltage condition that occurred during routine surveillance testing. The failure occurred approximately 4 hours into the surveillance run with the diesel generator synchronized to the grid.

Investigation found the over voltage condition was caused by an open circuit failure of a diode on the voltage regulator card for DG-GEN-DG2. The voltage regulator card was installed in DG-GEN-DG2 during refueling outage RE23 on November 8, 2006. Dissection of the diode at a laboratory found that the open circuit was caused by a poor electrical connection inside the diode package. Cross sectioning of the failed diode showed that connections between the die and the heat sinks were at best marginal and that these marginal connections were the result of a manufacturing defect. This manufacturing defect manifested itself as a random and intermittent open circuit failure of the diode.

This assessment evaluates the safety significance of this manufacturing defect in terms of incremental change in core damage probability (ICCDP). The ICCDP reflects the overall change in risk resulting from at power operations of Cooper Nuclear Station (CNS) while the defective voltage regulator diode was installed in DG-GEN-DG2. The resulting ICCDP, computed with the CNS PRA model of record, is 1.351E-08 and is summarized in the following table.
| ICCDP Derivation | |
|---|---|
| Base CDF for CNS Full Power Operation | 1.359E-05/Yr |
| Bounding Conditional CDF resulting from Defective Diode | 1.3678E-05/Yr |
| ICCDP Resulting from Defective Diode | 1.351E-08 |
The risk significance of the condition is characterized as very low. This is based on the fact that the ICCDP is below an established threshold of safety significance set at 1.0E-06. This risk significance threshold is used in various PSA applications including the Nuclear Regulatory Commission Significance Determination Process and the Maintenance Rule Configuration Risk Assessments (10 CFR 50.65(a)(4)).

An additional bounding ICCDP evaluation was also performed. This evaluation also characterized risk as very low in significance with an ICCDP that was less than 1.0E-06. It was performed using the CNS SPAR model.

It is important to note that the incremental change to Large Early Release Probability is negligible and less than 1.0E-07, based on the fact that the ICCDP is itself less than 1.0E-07. However, a qualitative evaluation of LERF impact was also provided. This qualitative evaluation found that the change in LERF was negligible.

The DG2 over voltage trip also resulted in a very low risk change in terms of large early release frequency (LERF) and core damage probability resulting from external events. Both the change in LERF and the change in core damage probability resulting from external events are characterized as very low in safety significance.
NOMENCLATURE

| Abbreviation | Meaning |
|---|---|
| CDF | Core Damage Frequency |
| CNS | Cooper Nuclear Station |
| ICCDP | Incremental Change in Core Damage Probability |
| | Incremental Change in Large Early Release Probability |
| DG | Diesel Generator |
| DG-GEN-DG2 | Division 2 Emergency Diesel Generator |
| DIV I | Division I |
| DIV II | Division II |
| HEP | Human Error Probability |
| HPCI | High Pressure Coolant Injection |
| IPE | Individual Plant Examination |
| LERF | Large Early Release Frequency |
| LOOP | Loss of Offsite Power |
| LOSP | Loss of Offsite Power |
| NRC | United States Nuclear Regulatory Commission |
| PDS | Plant Damage State |
| PRA | Probabilistic Risk Analysis |
| PSA | Probabilistic Safety Assessment |
| RPV | Reactor Pressure Vessel |
| SDP | Significance Determination Process |
DEFINITIONS

Accident sequence - a representation, in terms of an initiating event followed by a combination of system, function and operator failures or successes, of an accident that can lead to undesired consequences, with a specified end state (e.g., core damage or large early release). An accident sequence may contain many unique variations of events (minimal cut sets) that are similar.

Core damage - uncovery and heat-up of the reactor core to the point at which prolonged oxidation and severe fuel damage is anticipated and involving enough of the core to cause a significant release.

Core damage frequency - expected number of core damage events per unit of time.

Cutsets - accident sequence failure combinations.

End state - the set of conditions at the end of an event sequence that characterizes the impact of the sequence on the plant or the environment. End states typically include: success states, core damage sequences, plant damage states for Level 1 sequences, and release categories for Level 2 sequences.

Event tree - a quantifiable, logical network that begins with an initiating event or condition and progresses through a series of branches that represent expected system or operator performance that either succeeds or fails and arrives at either a successful or failed end state.

Initiating event - any event that perturbs the steady state operation of the plant, if operating, or the steady state operation of the decay heat removal systems during shutdown operations, such that a transient is initiated in the plant. Initiating events trigger sequences of events that challenge the plant control and safety systems.

Large early release - the rapid, unmitigated release of airborne fission products from the containment to the environment occurring before the effective implementation of off-site emergency response and protective actions.

Large early release frequency - expected number of large early releases per unit of time.

Level 1 - identification and quantification of the sequences of events leading to the onset of core damage.

Level 2 - evaluation of containment response to severe accident challenges and quantification of the mechanisms, amounts, and probabilities of subsequent radioactive material releases from the containment.

Plant damage state - plant damage states are collections of accident sequence end states according to plant conditions at the onset of severe core damage. The plant conditions considered are those that determine the capability of the containment to cope with a severe core damage accident. The plant damage states represent the interface between the Level 1 and Level 2 analyses.

Probability - a numerical measure of a state of knowledge, a degree of belief, or a state of confidence about the outcome of an event.

Probabilistic risk assessment - a qualitative and quantitative assessment of the risk associated with plant operation and maintenance that is measured in terms of frequency of occurrence of risk metrics, such as core damage or a radioactive material release, and its effects on the health of the public (also referred to as a probabilistic safety assessment, PSA).

Release category - radiological source term for a given accident sequence that consists of the release fractions for various radionuclide groups (presented as fractions of initial core inventory), and the timing, elevation, and energy of release. The factors addressed in the definition of the release categories include the response of the containment structure, timing, and mode of containment failure; timing, magnitude, and mix of any releases of radioactive material; thermal energy of release; and key factors affecting deposition and filtration of radionuclides. Release categories can be considered the end states of the Level 2 portion of a PSA.

Risk - encompasses what can happen (scenario), its likelihood (probability), and its level of damage (consequences).

Severe accident - an accident that involves extensive core damage and fission product release into the reactor vessel and containment, with potential release to the environment.

Vessel breach - a failure of the reactor vessel occurring during core melt (e.g., at a penetration or due to thermal attack of the vessel bottom head or wall by molten core debris).
1.0 INTRODUCTION

On January 18, 2007, DG-GEN-DG2 tripped after running for approximately 4 hours during a surveillance test. The trip resulted from an over voltage condition. The over voltage condition resulted from an open circuit failure of a defective diode contained on the voltage regulator card for DG-GEN-DG2.

1.1 PURPOSE

In order to assist in a significance determination of the DG-GEN-DG2 trip, a risk assessment is provided herein. The card with the defective diode was installed on November 8, 2006 during refuel outage RE23. Cooper Nuclear Station resumed full power operations from RE23 on November 23, 2006. Based on this timeline, this risk assessment evaluates this condition for an exposure time of 56 days. This risk assessment predicts the incremental change in core damage probability (ICCDP) and relates the significance of the risk increase using industry established ICCDP thresholds. The risk assessment also evaluates impacts to the baseline Large Early Release Frequency (LERF) as well as core damage probabilities attributed to external events.
1.2 BACKGROUND

1.2.1 Discussion of the AC Electrical Power System at CNS

The station electrical power systems provide a diversity of dependable power sources which are physically isolated. The station electrical power systems consist of the normal and startup AC power source, the emergency AC power source, the 4160 volt and 480 volt auxiliary power distribution systems, standby AC power source, 125 and 250 volt DC power systems, 24 volt DC power system, 115/230 volt AC no break power system, and the 120/240 volt AC critical power system.

Figure 1.1 illustrates the power supplies and distribution for the station loads at the 4160 volt AC bus level. The normal AC power source provides AC power to all station auxiliaries and is the normal AC power source when the main generator is operating. The startup AC power source provides AC power to all station auxiliaries and is normally in use when the normal AC power source is unavailable. The emergency AC power source provides AC power to emergency station auxiliaries. It is normally used to supply emergency station auxiliary loads when the main generator is shutdown and the startup AC power source is unavailable.

The station 4160 volt and 480 volt auxiliary power distribution systems distribute all AC power necessary for startup, operation, or shutdown of station loads. All portions of this distribution system receive AC power from the normal AC power source or the startup AC power source. The critical service portions of this distribution system also can receive AC power from the standby AC power source or the emergency AC power source.
The standby AC power source provides two independent 4160 volt DGs as the on-site sources of AC power to the critical service portions of the auxiliary power systems. Each DG provides AC power to safely shutdown the reactor, maintain the safe shutdown condition, and operate all auxiliaries necessary for station safety.

The above power sources are integrated into the following protection scheme to ensure that the CNS emergency loads will be supplied at all times. If the normal station service transformer (powered by the main generator) is lost, the startup station service transformer, which is normally energized, will automatically energize 4160 volt buses 1A and 1B as well as their connected loads, including the critical buses. If the startup station service transformer fails to energize the critical buses, the emergency station service transformer, which is normally energized, will automatically energize both critical buses. If the emergency station service transformer were also to fail, the DGs would automatically energize their respective buses.

The defective diode was installed in the voltage regulator for 56 days while CNS was at power. The voltage regulator card was part of the excitation control for DG-GEN-DG2 (illustrated as diesel generator - 2 in Figure 1.1). All other power sources available to the 4160 Volt AC buses remained available and unaffected by the defective diode.
Figure 1.1 Cooper Nuclear Station Single Line, 4160 Volt Distribution
(Single-line diagram, not reproduced: feeds from the main generator and from the 345 kV/161 kV grid through the station service transformers, and from the emergency station service transformer (69 kV/4160 V), to the 4160 volt buses, with Diesel Generator 1 and Diesel Generator 2 supplying the critical buses.)
1.2.2 Defective Diode's Impact on Normal Operation

During normal operations DG-GEN-DG2 is not required to provide power to support plant loads. DG-GEN-DG2 is tested during normal operations and electrical load is supplied through synchronization of DG2 to the offsite power grid. Protective relaying is provided to prevent impact to normal operations should DG-GEN-DG2 encounter electrical failures while being tested. These protective devices remained fully operational while the defective diode was installed. Thus, installation of the defective diode had no impact on normal plant operations and resulted in a negligible increase in the frequency of occurrence of plant events.

1.2.3 Defective Diode's Impact on Emergency Operation

During a plant emergency, which includes the inability to provide power to the 4160 Volt AC buses with offsite power, DG-GEN-DG2 is the remaining power source for 4160 critical bus 1G. The defective diode installed in DG-GEN-DG2 affected the ability of the generator's excitation controls to regulate voltage. The defective diode's open circuit failure mode resulted in an over voltage condition which tripped DG-GEN-DG2, rendering it incapable of providing power to 4160 Volt AC bus 1G in the automatic voltage control mode. It should also be noted that the defective diode is a subcomponent of the automatic voltage regulating portion of DG-GEN-DG2. DG-GEN-DG2 would be fully recoverable when started and loaded to bus 1G using the manual voltage regulating controls provided locally in the diesel generator room.
2.0 EVALUATION

This section evaluates the specific increase in risk resulting from the defective diode found in DG-GEN-DG2 and documents other bounding analysis completed to provide key insights into the overall risk significance of the defective diode. Section 2.1 evaluates the incremental increase in core damage probability that results from the risk increase caused by the defective diode installed in the voltage regulator card. This section provides the specific conclusions of overall risk impact. Section 2.2 provides bounding analysis to further substantiate the conclusions provided in Section 2.1. Sections 2.3 and 2.4 discuss external events and large early release frequency changes that resulted from the defective diode.

2.1 SPECIFIC INCREASE IN RISK RESULTING FROM THE DEFECTIVE DIODE

2.1.1 ASSUMPTIONS AND CHARACTERISTICS OF THE MODEL

1) The CNS 2006 PRA model and the CNS SPAR model (3.31, dated October 10, 2006) were applicable for use in this evaluation.
2) Quantification was truncated at 1.0E-12 to ensure the results captured all relevant combinations in the PRA sequences.

3) The condition evaluated is limited to the time in which the defective diode was installed during at power conditions. This was approximated as the time in which reactor power was above turbine bypass valve capacity and correlates to the period starting November 23, 2006 to January 18, 2007. The exposure period for the condition is 56 days.

4) Fire water injection for the purposes of reactor inventory makeup and cooling is not credited in this evaluation. It should be noted, however, that this injection source is viable and available for mitigation of SBO sequences. The use of the diesel driven fire protection pump has been identified as a mitigation system during several emergency drills by the Emergency Response Organization. The system provides RPV injection through one of three possible hose connections to the RHR system. The procedure (5.3ALT-STRATEGY) and equipment needed to accomplish RPV injection using the fire protection pump are in place.

5) The ability to black start DG-GEN-DG1 or DG2 was not credited in this study. Procedures are in place at CNS (5.3 ALT-STRATEGY) that direct the "black start" of a diesel generator. This means a DG can be started and tied to the critical AC bus after the station batteries are depleted.

6) The diesel generator "fail to run" failure rate and probability contained in the SPAR model of record (Reference 3) will be used for this evaluation to allow a more direct comparison between CNS PRA results and the CNS SPAR Model results. This failure probability is defined as 2.07E-02 in the SPAR model.

7) SPAR Model event trees for station blackout will use the actual battery depletion times documented in the CNS PRA internal events analysis. Refer to Appendix A for details on these depletion times.

8) The failure rate for the defective diode was derived per the guidance of NUREG/CR-6823 (Reference 4). This derivation included Bayesian estimation through application of a constrained noninformative prior to best represent failure rates given the existing diesel generator failure data available in the PRA models and the small amount of run time experienced by the defective diode. See Appendix C for the derivation of the defective diode failure rates. Further sensitivity analysis was provided to ensure that bounding diode failure rates using other statistical approaches result in a negligible risk increase (refer to Section 2.2.2).

9) Actual failures of the defective diode while installed in the excitation control circuit for DG-GEN-DG2 have been determined to be 1 (one) for the purposes of failure rate derivations. Evaluation of performance leading to the over voltage trip of DG-GEN-DG2 on January 18, 2007 and subsequent root cause lab testing found that there were two other instances that could be attributed to the open circuit failure condition of the defective diode. However, both of these instances were dismissed as follows:

(a) During post maintenance testing of DG-GEN-DG2 on November 11, 2006, an over voltage condition was noted while tuning the control circuit that contained the defective diode. Because this testing did not provide conclusive evidence that the diode was the cause of the over voltage condition, and because DG-GEN-DG2 demonstrated over 24 hours of successful run time after occurrence of the November 11, 2006 condition, this instance is dismissed as an attributable failure of the defective diode.

(b) A post failure test of the circuit card that included the defective diode resulted in satisfactory card operation followed by unsatisfactory card operation, with subsequent determination that the defective diode was in a permanent open circuit state. This lab testing failure has been dismissed in this study due to the large amount of variability introduced by shipping of the card to the lab, the differences between lab bench top testing and actual installed conditions, and equipment and human errors that could be attributed to test techniques.

Section 2.2 provides analysis to address sensitivity in the assumption of the number of actual diode failures.

10) Expected operator actions that would be taken to recover from the over voltage trip that was experienced on January 18, 2007 include a successful restart of DG-GEN-DG2 and loading of the generator using the manual voltage controls provided locally in the diesel generator room. The diagnosis and performance of this recovery has been determined to have a non-recovery probability of 3.0E-02. The detailed evaluation for this human reliability analysis is included in Appendix B.

11) The CNS Level 1 and Level 2 PRA Model was developed based on plant specific functions and
system success criteria for each of the important safety functions and support systems relied upon for accident prevention or mitigation for the duration of 24 hours following an event. The systems included in the model were those that supported the overall objective of maintaining adequate core and containment cooling. There are two figures-of-merit for meeting these objectives: core damage frequency and large early release frequency. The definitions used in this study are consistent with the CNS PRA.

12) For the purposes of this study, the mission time for the DG run was assumed to be 24 hours. To compensate for this overly conservative assumption, the sensitivity study in Section 2.2.2 includes sequence dependent time-weighted offsite power non-recovery probabilities. The derivation of these non-recovery probabilities is discussed in Appendix E.

13) The diesel generator failure-to-run events are treated in the CNS PRA with a lumped parameter approximation. All run failures are treated as failures occurring at accident initiation (t=0). This treatment results in not accounting for diesel or offsite power recovery at the extended times associated with these failure modes, even though adequate AC power is available during the initial diesel run. To minimize the conservative impact of this lumped parameter assumption in the regular CNS PRA model (as opposed to the model used for this analysis), a run time of 8 hours is used in establishing the run failure probability. This is based on the following:

(a) The DG mission time accounts for two competing effects. The first is the running failure rate of the DG and the second is the recovery of offsite or on-site AC power. All cutsets with a DG fail to run event must also include an offsite or on-site AC power non-recovery event. The time dependent product of these two events is maximized at about 8 hours into the accident.

(b) The offsite power non-recovery probability is dominated by weather related events beyond 6 hours into the accident. The initiating frequencies used in this study include coastal effects such as sea spray and hurricanes. Due to the location of CNS, inclusion of these events is overly conservative when they are included in the non-recovery probabilities. The exclusion of these events from the LOOP non-recovery probabilities is appropriate; however, the events are included in the LOOP frequency.
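The Bayesian update described for the diode failure rate can be carried through numerically. The following Python block is an added worked example, not part of the PSA-ES082 study or its Appendix C: it builds the NUREG/CR-6823 constrained noninformative prior (a gamma distribution with shape 0.5 whose mean is pinned to a prior rate), updates it with the one attributable failure, converts the posterior mean rate to a 24-hour mission failure probability, and multiplies by the 0.03 non-recovery probability to obtain the basic-event value that Section 2.1.2.2 places in the fault tree. The prior rate is backed out of the SPAR 24-hour fail-to-run probability of 2.07E-02; the 30 hours of diode run time is an assumed value, since Appendix C's inputs are not reproduced on this page, so the example's result (about 5.8E-02) is close to but not identical to the study's 5.70E-02.

```python
import math

# Values quoted in Section 2.1.1 of the study
SPAR_FAIL_TO_RUN = 2.07e-2   # DG fail-to-run probability over a 24 h mission (SPAR model)
MISSION_HOURS = 24.0
NON_RECOVERY = 0.03          # non-recovery probability for the manual-voltage restart (Appendix B)

# Assumed for this example only (not given on the page): DG run hours accumulated
# with the defective diode installed, and the one failure the study attributes to it.
ASSUMED_RUN_HOURS = 30.0
OBSERVED_FAILURES = 1


def rate_from_mission_probability(p: float, hours: float) -> float:
    """Invert p = 1 - exp(-rate * hours) to recover a constant failure rate (per hour)."""
    return -math.log1p(-p) / hours


def cni_prior(prior_mean_rate: float) -> tuple:
    """Constrained noninformative prior for a Poisson failure rate (NUREG/CR-6823):
    a gamma distribution with shape 0.5 whose mean equals prior_mean_rate.
    Returned as (shape, rate) with the gamma rate parameter in hours."""
    shape = 0.5
    return shape, shape / prior_mean_rate


def update(shape: float, rate: float, failures: int, run_hours: float) -> tuple:
    """Gamma-Poisson conjugate update with `failures` events observed in `run_hours`."""
    return shape + failures, rate + run_hours


def mission_probability(failure_rate: float, hours: float) -> float:
    """Probability of at least one failure during a mission of the given length."""
    return -math.expm1(-failure_rate * hours)


def diode_basic_event(failures=OBSERVED_FAILURES, run_hours=ASSUMED_RUN_HOURS,
                      prior_mission_prob=SPAR_FAIL_TO_RUN, mission_hours=MISSION_HOURS,
                      non_recovery=NON_RECOVERY) -> dict:
    """Derive the defective-diode basic event: posterior mean rate, then the
    mission failure probability, then the value reduced by operator recovery."""
    prior_rate = rate_from_mission_probability(prior_mission_prob, mission_hours)
    shape, rate = update(*cni_prior(prior_rate), failures, run_hours)
    posterior_rate = shape / rate                     # posterior mean of the gamma
    p_fail = mission_probability(posterior_rate, mission_hours)
    return {
        "prior_rate_per_hour": prior_rate,
        "posterior_rate_per_hour": posterior_rate,
        "mission_probability": p_fail,
        "effective_probability": p_fail * non_recovery,
    }


if __name__ == "__main__":
    for key, value in diode_basic_event().items():
        print(f"{key:>25}: {value:.3e}")
```

With one failure in only a few tens of run hours the data term (30 h) is small next to the prior's pseudo-exposure (0.5 / prior rate, about 570 h here), which is why the posterior rate rises only to about three times the prior rather than to the 1/30 per hour a naive point estimate would give; shortening the assumed run time or adding the two dismissed instances as failures moves the result upward, which is the sensitivity Section 2.2 examines.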
2.1.2 DERIVATION OF ICCDP

Derivation of the ICCDP resulting from the over voltage trip of DG-GEN-DG2 that occurred on January 18, 2007 provides the following results.

| Base CDF | Conditional CDF Resulting from the Defective Diode |
|---|---|
| 1.359E-05/Yr | 1.3678E-05/Yr |

| Change in CDF | Exposure (days) | Incremental Change in Core Damage Probability |
|---|---|---|
| 8.806E-08/Yr | 56 | 1.351E-08 |

2.1.2.1 Base CDF Quantification
Base CDF was derived by quantification of the CNS PRA model of record with the following adjustments to best fit this application.

1. The diesel generator fail to run basic event probabilities were changed to reflect those in the SPAR model. Specifically, basic events EAC-DGN-FR-DG1 and EAC-DGN-FR-DG2 probabilities were changed from 1.45E-03 to 2.07E-02. This was done to allow a better comparison between SPAR results and CNS PRA model results. This also changed the DG mission times to 24 hours as opposed to the 8 hours that is normally used in the CNS PRA model.

2. Loss of offsite power frequencies and recoveries were revised to best reflect current industry performance data. NUREG/CR-6890 (Reference 2) was used to derive these new values. These values are reflected in Table 2.1.2-1. This table also details the 10 and 12 hour DG recoveries required to support the event tree adjustments made in Appendix A. All DG recoveries were obtained using the existing CNS PRA model basis documents (Reference 6).

3. The SBO portions of the event trees were revised to better reflect the SPAR SBO structure. The SBO portion of the event trees was also revised to extend recovery times. This accurately models actual battery depletion times that are in excess of those currently modeled. Refer to Appendix A for further discussion of the event tree revisions.
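The ICCDP arithmetic in the table at the start of Section 2.1.2 (and in the Executive Summary) can be checked directly, and the same numbers let a reviewer do a first-order sensitivity sweep of the kind Section 2.2 describes. The Python block below is an added example, not part of the study: it recomputes the ICCDP from the base and conditional CDF and the 56-day exposure, compares it with the 1.0E-06 threshold, and then backs out the implied Birnbaum importance of the diode basic event under the rare-event approximation (change in CDF proportional to the event probability). That linear approximation is this example's assumption, not the study's method, which requantified the full model for each case; the sweep over non-recovery and diode failure probabilities therefore indicates scale only.

```python
# Inputs quoted in Sections 2.1.2 and 2.1.2.2 of the study
BASE_CDF = 1.359e-5            # per year, CNS model of record with the listed adjustments
CONDITIONAL_CDF = 1.3678e-5    # per year, with the defective diode event added to the tree
EXPOSURE_DAYS = 56
DIODE_FAILURE_PROB = 5.70e-2   # Appendix C value for the defective diode
NON_RECOVERY_PROB = 0.03       # Appendix B non-recovery probability
ICCDP_THRESHOLD = 1.0e-6       # risk significance threshold applied to ICCDP
ICLERP_THRESHOLD = 1.0e-7      # companion threshold for large early release probability


def delta_cdf(base_cdf: float, conditional_cdf: float) -> float:
    """Increase in core damage frequency (per year) attributable to the condition."""
    return conditional_cdf - base_cdf


def iccdp(base_cdf: float, conditional_cdf: float, exposure_days: float) -> float:
    """Incremental conditional core damage probability accumulated over the exposure."""
    return delta_cdf(base_cdf, conditional_cdf) * exposure_days / 365.0


def is_very_low_significance(value: float, threshold: float = ICCDP_THRESHOLD) -> bool:
    return value < threshold


def implied_birnbaum(base_cdf: float, conditional_cdf: float, event_prob: float) -> float:
    """Rare-event approximation (this example's assumption, not the study's method):
    delta CDF = B * p_event, so the Birnbaum importance B is delta CDF / p_event."""
    return delta_cdf(base_cdf, conditional_cdf) / event_prob


def sensitivity(birnbaum: float, failure_probs, non_recovery_probs, exposure_days: float):
    """ICCDP for each (diode failure probability, non-recovery probability) pair,
    holding the rest of the model fixed through the Birnbaum importance."""
    return [
        (p_fail, p_nr, birnbaum * p_fail * p_nr * exposure_days / 365.0)
        for p_fail in failure_probs
        for p_nr in non_recovery_probs
    ]


def worst_case_iccdp(rows) -> float:
    return max(row[2] for row in rows)


if __name__ == "__main__":
    nominal = iccdp(BASE_CDF, CONDITIONAL_CDF, EXPOSURE_DAYS)
    print(f"delta CDF = {delta_cdf(BASE_CDF, CONDITIONAL_CDF):.3e}/yr, "
          f"ICCDP = {nominal:.3e}, very low: {is_very_low_significance(nominal)}")
    b = implied_birnbaum(BASE_CDF, CONDITIONAL_CDF, DIODE_FAILURE_PROB * NON_RECOVERY_PROB)
    # Sweep: nominal and doubled diode failure probability, non-recovery from 0.03 up to 1.0
    for p_fail, p_nr, value in sensitivity(b, [0.057, 0.114], [0.03, 0.5, 1.0], EXPOSURE_DAYS):
        print(f"p_fail={p_fail:.3f}  p_nr={p_nr:.2f}  ICCDP={value:.3e}")
```

The nominal ICCDP reproduces the 1.35E-08 in the table (the study's 8.806E-08/yr carries more digits of the two CDF values than the rounded figures printed here). Under the linear assumption, even taking no credit for operator recovery (non-recovery 1.0) and doubling the diode failure probability leaves the estimate near 9E-07, still below the 1.0E-06 threshold, which is consistent with, but not a substitute for, the model requantification the study reports in Section 2.2.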
Table 2.1.2-1 Loss of Offsite Power Frequency and Non-recovery Updates

Initiating event frequencies are listed first, followed by the DG and offsite power non-recovery probabilities.

| Basic Event | Description | Value |
|---|---|---|
| %T1G-INIT | Grid Centered Loss Of Offsite Power | 7.18E-03 |
| %T1P-INIT | Plant Centered Loss Of Offsite Power | 1.31E-02 |
| %T1W-INIT | Weather Centered Loss Of Offsite Power | 4.83E-03 |
| NR-DG-10HR | Non-Recovery Of DG Within 10 Hours | 2.60E-01 |
| NR-LOSP-G1HR | Non-Recovery Of Grid-Centered LOSP Within 1 Hr | 3.73E-01 |
| NR-LOSP-G6HR | Conditional Non-Recovery Of Grid Centered Off-Site Power In 6 Hrs | 9.76E-02 |
| NR-LOSP-G8HR | Conditional Non-Recovery Of Grid Centered Off-Site Power In 8 Hr | 5.73E-02 |
| NR-LOSP-G10HR | Conditional Non-Recovery Grid Centered Off-Site Power In 10 Hr | 3.64E-02 |
| NR-LOSP-G12HR | Conditional Non-Recovery Grid Centered Off-Site Power In 12 Hr | 2.42E-02 |
| NR-LOSP-G24HR | Conditional Non-Recovery Of Grid Centered Off-Site Power In 24 Hrs | 4.15E-03 |
| NR-LOSP-P1HR | Non-Recovery Of Plant-Centered LOSP Within 1 Hr | 1.18E-01 |
| NR-LOSP-P6HR | Conditional Non-Recovery Of Plant Centered Off-Site Power In 6 Hrs | 6.42E-02 |
| NR-LOSP-P8HR | Conditional Non-Recovery Of Plant Centered Off-Site Power In 8 Hr | 3.83E-02 |
| NR-LOSP-P10HR | Conditional Non-Recovery Plant Centered Off-Site Power In 10 Hr | 2.48E-02 |
| NR-LOSP-P12HR | Conditional Non-Recovery Plant Centered Off-Site Power In 12 Hr | 1.71E-02 |
| NR-LOSP-P24HR | Conditional Non-Recovery Of Plant Centered Off-Site Power In 24 Hrs | 3.49E-03 |
| NR-LOSP-W1HR | Non-Recovery Of Weather-Related LOSP Within 1 Hr | 6.56E-01 |
| NR-LOSP-W6HR | Conditional Non-Recovery Of Weather Centered Off-Site Power In 6 Hrs | 3.97E-01 |
| NR-LOSP-W8HR | Conditional Non-Recovery Of Weather Off-Site Power In 8 Hr | 3.34E-01 |
| NR-LOSP-W10HR | Conditional Non-Recovery Weather Off-Site Power In 10 Hr | 2.89E-01 |
| NR-LOSP-W12HR | Conditional Non-Recovery Weather Off-Site Power In 12 Hr | 2.55E-01 |
| NR-LOSP-W24HR | Conditional Non-Recovery Of Weather Centered Off-Site Power In 24 Hrs | 1.48E-01 |
2.1.2.2 Conditional CDF Quantification

Conditional CDF was also quantified using the CNS model of record with the adjustments detailed for the base CDF. The defective diode was modeled as a new and separate event placed in the diesel generator fault tree as an input to gate EAC-DG2-007, "Diesel Generator DG2 Failures". The original DG2 fail-to-run event EAC-DGN-FR-DG2 was also retained in the tree. The defective diode probability was set at 5.70E-02 (see Appendix C) and adjusted to reflect a non-recovery probability of 0.03 (see Appendix B). The following represents the addition of the defective diode modeling.

(Fault tree excerpt showing the added defective diode event as an input to gate EAC-DG2-007; figure not reproduced.)
2.1.3 RISK SIGNIFICANCE CONCLUSIONS WITH RESPECT TO ICCDP

The exposure of DG-GEN-DG2 to the failure mode presented by the defective diode found in the voltage regulator card resulted in quantifiable increases in risk. The increase was quantified as an incremental change in core damage probability of 1.351E-08. This is judged as not risk significant and well below the risk significance ICCDP threshold of 1.0E-6 set for PRA applications.

The low significance is a result of a small exposure time (56 days), Cooper Nuclear Station design features that provide redundancy to DG-GEN-DG2, and the ability to recover from the diode's open circuit failure mode.

2.2 RISK INSIGHTS FROM BOUNDING ANALYSIS
2.2 RISK INSIGHTS FROM BOUNDING ANALYSIS

The assumptions made for this risk change application were chosen to most accurately reflect conditions that existed at the time of the over voltage trip of DG-GEN-DG2 on January 18, 2007. Review of the assumptions found the following are key contributors in the overall derivation of ICCDP:

1. The non-recovery probability derived in Appendix B
2. The defective diode failure probability estimated in Appendix C
3. The statistical methodology used to determine the diode failure probability

This section performs bounding analysis using both SPAR and the CNS PRA models to provide insight with respect to the sensitivity of the diode non-recovery and failure probabilities.

2.2.1 ICCDP SENSITIVITY IN RELATION TO NON-RECOVERY AND DIODE FAILURE RATE

Tables 2.2.1-1 and 2.2.1-2, as well as Figure 2.2.1-1, represent the sensitivity of ICCDP in relation to both non-recovery probabilities and diode failure probabilities. Diode failure probabilities are varied to detail how the assumed number of failures experienced while the defective diode was installed affects overall ICCDP. Non-recovery probabilities are incremented in steps of 0.5 to provide relative sensitivity insights. The ICCDP values were derived using the same methods outlined in Section 2.1 above. The SPAR model of reference was used including the adjustments detailed in Appendix A.
[Tables 2.2.1-1 and 2.2.1-2 and Figure 2.2.1-1 (ICCDP sensitivity to non-recovery and diode failure probabilities) are not legible in this extraction.]
2.2.2 ICCDP SENSITIVITY IN RELATION TO STATISTICAL METHOD

A bounding ICCDP was also derived using a conservative statistical approach in which a maximum likelihood estimation was applied. This bounding analysis assumed two failures of the defective diode occurred in 36 hours of run time. The maximum likelihood estimation (MLE) allows the diode failure probability to be calculated directly through use of Poisson as follows:

(1 - Exp(-λ_MLE * 24)), or (1 - Exp(-(2/36) * 24)) = 0.736

This diode failure probability increases the actual ICCDP derived in section 2.1 by a factor of 8.5. This increase approaches the risk significance threshold of 1.0E-06. Further evaluation found it prudent to adjust ICCDP to account for the conservatism resulting from the assumption that all diesel generator run failures occur at the start of station blackout events. This adjustment is similar to application of the convolution integral and is detailed in Appendix E. Results of application of Appendix E, specifically Tables 5.1 through 5.3, are as follows:

Table 2.2.2-1 Diode Failure Probability as a Function of DG Non-Recovery Probability

Number of diode failures in 36 hours: 2 failures (CNS MODEL w/ MLE and Time Weighted NR-LOSP). Diode failure probability (24 hour mission): 0.736402862

| DG Non-Recovery Probability | ICCDP |
|---|---|
| 0.03 | 1.01345E-07 |
| 0.05 | 1.68909E-07 |
| 0.1 | 3.37817E-07 |
| 0.15 | 5.06726E-07 |
| 0.2 | 6.75634E-07 |
| 0.25 | 8.44543E-07 |
| 0.3 | 1.01345E-06 |
| 0.35 | 1.18236E-06 |
| 0.4 | 1.35127E-06 |
| 1 | 3.37817E-06 |

2.2.3 BOUNDING ANALYSIS CONCLUSIONS

Sensitivity results support the overall conclusion that the ICCDP risk increase resulting from the installation of the defective diode is below the threshold of risk significance. This is supported by both the SPAR and CNS PRA models. Sensitivity results detail that the extremes of both the diode failure probabilities and non-recovery probabilities would have to be applied to push the ICCDP above the risk significance threshold of 1.0E-06. These extremes, though insightful, are judged not to be viable or representative of the actual conditions that existed at the time of the over voltage trip of DG-GEN-DG2.
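As an added worked example (not part of the original analysis, the CNS model of record, or the SPAR model), the following Python reproduces the calculations described in Sections 2.1.2.2 and 2.2.2: the Poisson/MLE diode failure probability for a 24-hour mission, the effective basic-event value after applying the 0.03 non-recovery probability, and the ICCDP column of Table 2.2.2-1. The regeneration of the table assumes ICCDP is proportional to the DG non-recovery probability; that is an observation from the table's own values, not a statement made in the text. All function names are the example's own.

```python
import math

ICCDP_THRESHOLD = 1.0e-6   # risk-significance threshold for ICCDP (Section 2.1.3)
MISSION_HOURS = 24         # PRA mission time used in the Poisson expression of Section 2.2.2


def mle_failure_probability(failures, run_hours, mission_hours=MISSION_HOURS):
    """Diode failure probability over a mission time from a maximum-likelihood
    Poisson rate: lambda = failures / run_hours, P = 1 - exp(-lambda * mission)."""
    rate_per_hour = failures / run_hours
    return 1.0 - math.exp(-rate_per_hour * mission_hours)


def effective_event_probability(failure_prob, non_recovery_prob):
    """Value carried by the defective-diode basic event in the fault tree:
    the failure probability reduced by the probability the trip is not recovered."""
    return failure_prob * non_recovery_prob


def iccdp_vs_non_recovery(iccdp_ref, nr_ref, nr_values):
    """Scale a reference ICCDP linearly with DG non-recovery probability.
    Assumption (consistent with Table 2.2.2-1): ICCDP is proportional to NR."""
    slope = iccdp_ref / nr_ref
    return {nr: slope * nr for nr in nr_values}


def first_nr_exceeding_threshold(iccdp_by_nr, threshold=ICCDP_THRESHOLD):
    """Smallest tabulated non-recovery probability at which ICCDP reaches the threshold."""
    for nr in sorted(iccdp_by_nr):
        if iccdp_by_nr[nr] >= threshold:
            return nr
    return None


if __name__ == "__main__":
    # Section 2.2.2 bounding case: 2 failures in 36 hours of run time.
    p_mle = mle_failure_probability(2, 36)
    print(f"MLE diode failure probability (24 h mission): {p_mle:.6f}")

    # Section 2.1.2.2 base case: 5.70E-02 adjusted by the 0.03 non-recovery probability.
    print(f"Base-case basic event value: {effective_event_probability(5.70e-2, 0.03):.3e}")

    # Table 2.2.2-1, regenerated from its first row (NR = 0.03, ICCDP = 1.01345E-07).
    nr_grid = [0.03, 0.05, 0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.40, 1.0]
    table = iccdp_vs_non_recovery(1.01345e-7, 0.03, nr_grid)
    for nr, iccdp in table.items():
        flag = "above" if iccdp >= ICCDP_THRESHOLD else "below"
        print(f"NR = {nr:4.2f}  ICCDP = {iccdp:.5e}  ({flag} 1.0E-06)")
    print("Threshold first reached at NR =", first_nr_exceeding_threshold(table))
```

Run as a script it prints the MLE probability, the base-case basic-event value and the ten rows of the table; the threshold is first reached at a non-recovery probability of 0.3, which is the "extreme" value the conclusions in Section 2.2.3 refer to.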
2.3 LARGE EARLY RELEASE FREQUENCY ANALYSIS

It is important to note that the incremental change to Large Early Release Probability is negligible and less than 1.0E-07 based on the fact that ICCDP is less than 1.0E-07. However, a qualitative evaluation of LERF impact was provided. This qualitative evaluation found that the change in LERF was negligible. The qualitative evaluation is provided below.

The LERF consequences of exposure to the defective diode were similar to those documented in a previous SDP Phase 3 evaluation regarding a misalignment of gland seal water to the service water pumps (Reference 5). The following excerpt from NRC Special Inspection Report 2007007 addresses the LERF issue:
The NRC reevaluated the portions of the preliminary significance determination related to the change in LERF. In the regulatory conference, the licensee argued that the dominant sequences were not contributors to the LERF. Therefore, there was no change in LERF resulting from the subject performance deficiency. Their argument was based on the longer than usual core damage sequences, providing for additional time to core damage, and the relatively short time estimated to evacuate the close in population surrounding Cooper Nuclear Station.

LERF is defined in NRC Inspection Manual Chapter 0609, Appendix H, "Containment Integrity Significance Determination Process" as: "the frequency of those accidents leading to significant, unmitigated release from containment in a time frame prior to the effective evacuation of the close-in population such that there is a potential for early health effect."

The NRC noted that the dominant core damage sequences documented in the preliminary significance determination were long sequences that took greater than 12 hours to proceed to reactor pressure vessel breach. The shortest calculated interval from the time reactor conditions would have met the requirements for entry into a general emergency (requiring the evacuation) until the time of postulated containment rupture was 3.5 hours. The licensee stated that the average evacuation time for CNS, from the declaration of a General Emergency, was 62 minutes. The NRC determined that, based on a 62-minute average evacuation time, effective evacuation of the close-in population could be achieved within 3.5 hours. Therefore, the dominant core damage sequences affected by the subject performance deficiency were not LERF contributors. As such, the NRC's best estimate determination of the change in LERF resulting from the performance deficiency was zero. In the current analysis, the total contribution of the 30-minute sequences to the current case CDF is only 0.17% of the total. For two hour sequences, the contribution is only 0.04 percent. That is, almost all of the risk associated with this performance deficiency involves sequences of duration four hours or longer following the loss of all ac power. Based on the average 62 minute evacuation time as documented above, the analyst determined that large early release did not contribute to the significance of the current finding.
This same excerpt is true for this analysis also.
2.4 EXTERNAL EVENT EVALUATION

2.4.1 Internal Fire

An evaluation of this condition with respect to fire initiated accidents concluded that the ICCDP due to these initiators is not a significant contributor to the overall condition ICCDP, and does not warrant inclusion into the overall quantitative results. While some postulated CNS fires can cause a loss of offsite power requiring the use of the Diesel Generators, manual recovery of the offsite power does not require repair activities and is relatively easy. The bulk of the postulated fires do not cause an unintentional LOOP. Rather, they cause abandonment of the main control room and a procedurally administered LOOP. Only two fires can actually cause an unintentional LOOP. These are a fire in control room board C or a fire in the control room vertical board F. Multiple hot shorts in either of these locations can cause the emergency and startup transformer breakers to open. The breakers to the emergency transformers do NOT lock out in a manner that prevents recovery from inside the plant. Recovery from these events involves pulling the control power fuses at the breakers and operating the breakers manually. Considerable procedural guidance is available for these actions. The IPEEE Internal Fire Analysis conservatively estimated that the probability of a fire induced LOOP is almost an order of magnitude lower than the 1E-6 ICCDP cutoff frequency.
2.4.2 External Events

The contribution to the ICCDP from external events is considered to be insignificant. The NRC in IR07-07 determined that the risk increase from external events (seismic and flooding) "did not add significantly to the risk of the finding". This was based on a condition that the DG2 ran for 4 hours before failing and is as follows:
As a sensitivity, data from the RASP External Events Handbook was used to estimate the scope of the seismic risk particular to this finding. The generic median earthquake acceleration assumed to cause a loss of offsite power is 0.3g. The estimated frequency of earthquakes at CNS of this magnitude or greater is 9.828E-5/yr. The generic median earthquake frequency assumed to cause a loss of the diesel generators is 3.1g, though essential equipment powered by the EDGs would likely fail at approximately 2.0g. The seismic information for CNS is capped at a magnitude of 1.0g with a frequency of 8.187E-6. This would suggest that an earthquake could be expected to occur with an approximate frequency of 9.0E-5/yr that would remove offsite power but not damage other equipment important to safe shutdown. In the internal events discussion above, it was estimated that LOOPs that exceeded four hours duration would occur with a frequency of 3.91E-3/yr. Most LOOP events that exceed the four hour duration would likely have recovery characteristics closely matching that from an earthquake. The ratio between these two frequencies is 43. Based on this, the analyst qualitatively concluded that the risk associated with seismic events would be small compared to the internal result. Flooding could be a concern because of the proximity to the Missouri River. However, floods that would remove offsite power would also likely flood the EDG compartments and therefore not result in a significant change to the risk associated with the finding. The switchyard elevation is below that of the power block by several feet, but it is not likely that a slight inundation of the switchyard would cause a loss of offsite power. The low frequency of floods within the thin slice of water elevations that would remove offsite power, for at least four hours, but not render the diesel generators inoperable, indicates that external flooding would not add appreciably to the risk of this finding. Based on the above, the analyst determined that external events did not add significantly to the risk of the finding.

The above logic remains valid when the four hour DG2 run assumption is eliminated and a random intermittent voltage regulator board diode failure is assumed. In addition, external floods applicable to CNS are very slow developing events. The plant would have one to three days warning. Plant procedures require the plant to be shut down, depressurized, and the vessel flooded with the head vents open when flood levels are anticipated to exceed the 902 level.
3.0 CONCLUSION

When examining the risk significance resulting from the installation of the defective diode contained in the voltage regulator controls for DG-GEN-DG2, it was concluded that increases in core damage probability and LERF were below the risk significance thresholds established by the industry. Consideration of the uncertainties involved in the significance determination process (probabilistic risk assessments) was alternatively addressed by separately evaluating bounding cases using conservative inputs and assumptions. The conclusion is that the safety impact associated with the defective diode is not risk significant.
4.0 REFERENCES

1. NRC Special Inspection Report 2007007, dated May 22, 2007, from Arthur T. Howell III, to Stewart B. Minahan
2. NUREG/CR-6890, Reevaluation of Station Blackout Risk at Nuclear Power Plants, published December, 200
3. [title not legible] 3.3.1, dated October 10, 2006
4. NUREG/CR-6823, Handbook of Parameter Estimation for Probabilistic Risk Assessment, published September, 2003
5. Cooper Nuclear Station - NRC Inspection Report 05000298/2004014 - Final Significance Determination for a Preliminary Greater than Green Finding, dated March 31, 2005, from Arthur T. Howell III, to Randall K. Edington
6. AC Power Recovery Evaluation, prepared by Erin Engineering and Research, Inc., dated October 1995
7. ASME RA-S-2002, Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications, and Addenda ASME RA-Sb-2005
APPENDIX A STATION BLACKOUT EVENT TREE ADJUSTMENTS

The Station Blackout (SBO) portion of the CNS Loss of Offsite Power (LOOP) event tree was modified to reflect updated timing insights gained through thermal hydraulic and battery depletion calculations performed to support the PRA upgrade project. Of particular importance to SBO mitigation are timing for potential challenges to high pressure injection systems (HPCI and RCIC) and individual battery depletion timing (with and without load shed). The revised LOOP event tree considers updated information regarding:

- Battery depletion timing for each DC bus,
- Potential RPV low pressure isolation challenges due to operator actions to emergency depressurize the RPV in response to EOP required actions on Heat Capacity Temperature Limit (HCTL), Pressure Suppression Pressure (PSP), and high drywell temperature,
- Potential equipment trips due to high exhaust back pressure,
- Potential suction source impacts associated with ECST depletion or suction temperature if automatic suction swap to the suppression pool is anticipated, and
- Post event room heat-up impacts on equipment reliability.

Use of the on-site diesel driven fire pump was added to the event tree for potential credit provided initial success of HPCI or RCIC, but was given a failure probability of 1.0 for this study. The failure probability for actions to extend HPCI or RCIC operation was assumed to be 0.06. This assumption was utilized for consistency in comparing results to SPAR modeling and is considered a conservative estimate of the failure probability given the relatively long time to accomplish the relatively simple human actions (e.g. gravity fill of ECST, shedding one large DC load, etc.). Figure A-1 shows a graphical representation of the revised LOOP event tree. The new core damage sequences are named T1SBO-1 through T1SBO-8 and are described as follows:

Sequence T1SBO-1: /U2*/RCI-EXT*/X1*V5*REC-LOSP-DG12H

Following a LOOP with failure of the emergency diesel generators, RCIC (U2) provides initial inventory make-up to the RPV. Manual operator actions to extend RCIC operation are considered successful at a 94% probability. Successful depressurization (X1) in support of fire water injection occurs, but fire water injection (V5) fails (assumed 1.0 failure probability in this analysis). Recovery of AC power within 12 hours is not successful for this sequence, resulting in core damage. Twelve hours is allowed to recover AC power based on calculation NEDC 07-053, which documents a limiting division 1 (RCIC supply) battery capability for providing all required loads for 11 hours without any load shedding. Due to extended boil-off time an additional hour is allowed to recover AC power prior to core damage.
Sequence T1SBO-2: /U2*/RCI-EXT*X1*REC-LOSP-DG12H

Same as sequence T1SBO-1, except depressurization of the RPV fails resulting in failure of fire water injection (V5). The basis for AC recovery is the same as described for sequence T1SBO-1.

Sequence T1SBO-3: /U2*RCI-EXT*/X1*REC-LOSP-DG10H

Following a LOOP with failure of the emergency diesel generators, RCIC (U2) provides initial inventory make-up to the RPV. Manual operator actions to extend RCIC operation are considered failed at a 6% probability. Successful depressurization (X1) in support of fire water injection occurs, but fire water injection (V5) fails (assumed 1.0 failure probability in this analysis). Recovery of AC power within 10 hours is not successful for this sequence, resulting in core damage. Ten hours is allowed to recover AC power based on the limiting time for manual operator action for any anticipated challenge to continued RCIC operation. The first potential challenge to RCIC operation occurs due to the need to manually align gravity fill of the Emergency Condensate Storage Tank (ECST) within 9 hours. Due to extended boil-off time an additional hour is allowed to recover AC power prior to core damage. It is noted that the next most limiting challenge for continued RCIC operation does not occur until after 10 hours due to a potential high exhaust back-pressure turbine trip.

Sequence T1SBO-4: /U2*RCI-EXT*X1*REC-LOSP-DG10H

Same as sequence T1SBO-3, except depressurization of the RPV fails resulting in failure of fire water injection (V5). The basis for AC recovery is the same as described for sequence T1SBO-3.

Sequence T1SBO-5: U2*/U1B*/HCI-EXT*/X1*V5*REC-LOSP-DG10H

Following a LOOP with failure of the emergency diesel generators, RCIC (U2) fails and HPCI (U1B) provides initial inventory make-up to the RPV. Manual operator actions to extend HPCI operation are considered successful at a 94% probability. Successful depressurization (X1) in support of fire water injection occurs, but fire water injection (V5) fails (assumed 1.0 failure probability in this analysis). Recovery of AC power within 10 hours is not successful for this sequence, resulting in core damage. Ten hours is allowed to recover AC power based on calculation NEDC 07-053, which documents a limiting division 2 (HPCI supply) battery capability for providing all required loads for 9 hours with manual action to shed one major DC load. Due to extended boil-off time an additional hour is allowed to recover AC power prior to core damage.

Sequence T1SBO-6: U2*/U1B*/HCI-EXT*X1*REC-LOSP-DG10H

Same as sequence T1SBO-5, except depressurization of the RPV fails resulting in failure of fire water injection (V5). The basis for AC recovery is the same as described for sequence T1SBO-5.

Sequence T1SBO-7: U2*/U1B*HCI-EXT*/X1*V5*REC-LOSP-DG6H

Following a LOOP with failure of the emergency diesel generators, RCIC (U2) fails and HPCI (U1B) provides initial inventory make-up to the RPV. Manual operator actions to extend HPCI operation are considered failed at a 6% probability. Successful depressurization (X1) in support of fire water injection occurs, but fire water injection (V5) fails (assumed 1.0 failure probability in this analysis). Recovery of AC power within 6 hours is not successful for this sequence, resulting in core damage. Six hours is allowed to recover AC power based on calculation NEDC 07-053, which documents a limiting division 2 (HPCI supply) battery capability for providing all required loads for 5 hours without manual action to shed any loads. Due to extended boil-off time an additional hour is allowed to recover AC power prior to core damage.

Sequence T1SBO-8: U2*/U1B*HCI-EXT*X1*REC-LOSP-DG6H

Same as sequence T1SBO-7, except depressurization of the RPV fails resulting in failure of fire water injection (V5). The basis for AC recovery is the same as described for sequence T1SBO-7.

Table A-1 summarizes the basis for timing insights associated with potential high pressure injection and battery depletion challenges during SBO type scenarios.
Table A-1 (HPCI Challenge)

| Challenge | Time (hrs) | Reference | Description |
|---|---|---|---|
| Exhaust Pressure | N/A | Calculation NEDC 92-50W | HPCI high exhaust back pressure set-point is set high enough to not cause a concern of tripping the turbine during an SBO. Nominal set-point is 136 psig. |
| Suction Temperature | 8 hrs | MAAP run CN06058, NEDC 01-29A, B, C | HPCI is expected to be capable of operating at full load conditions with cooling water temperatures of 180°F for greater than 2 hours. This temperature is not reached until greater than 6 hours into the event, and HPCI would be expected to function for an additional 2 hours at a minimum. |
| PSP ED | 14.5 hrs | MAAP run CN06058 | The timing to the Pressure Suppression Curve in EOPs is estimated based on variation in suppression pool water levels seen in the analysis. |
| HCTL | 11.4 hrs | MAAP run CN06058 and EOP HCTL curve | Timing based on ability to maintain RPV pressure below HCTL curve yet around 200 psi to allow continued HPCI operation. Based on 200 psig in the RPV the suppression pool temperature to exceed HCTL occurs at approximately 235°F. |
| High DW Temperature ED | 17 hrs | MAAP run CN06058 | (no description given) |
| Area Temperature | >12 hrs | Calculation NEDC 07-065, PSA-ES72 and PSA-ES73 | Equipment reliability for HPCI and RCIC areas not impacted for a 12 hour SBO scenario. |
| ECST inventory | 9.5 hrs | PSA-ES66, NEDC 92-050K, and NEDC 98-001 | Timing based on interpolated time for integrated decay heat make-up for 87,000 gallons consumed to prevent the low level suction swap. Note that HPCI would be anticipated to auto swap to torus and this challenge is not limiting for HPCI operation. |
| DC battery depletion with load shed | 9.0 hrs | NEDC 07-053 | Assumed action to isolate the Main Turbine Emergency Oil Pump within the first 2 hours results in extending the 250 V Division 2 battery time to 9.9 hours. The limiting time reported here is for the 125 V Division 2 battery. |

Table A-1 (RCIC Challenge)

| Challenge | Time (hrs) | Reference | Description |
|---|---|---|---|
| Exhaust Pressure | 10.5 hrs | MAAP run CN06059A, Calculation NEDC 92-050AP | Based on nominal set-point and conservative accounting of head-loss. |
| Suction Temperature | 11.5 hrs | MAAP run CN06059A | Not a limiting concern for RCIC due to no automatic suction swap from ECST on high suppression pool water level. |
| PSP ED | 17.5 hrs | MAAP run CN06059A | The timing to the Pressure Suppression Curve in EOPs is estimated based on variation in suppression pool water levels seen in the analysis. |
| HCTL | 14.1 hrs | MAAP run CN06059A and EOP HCTL curve | Timing based on ability to maintain RPV pressure below HCTL curve yet around 200 psi to allow continued HPCI operation. Based on 200 psig in the RPV the suppression pool temperature to exceed HCTL occurs at approximately 235°F. |
| High DW Temperature ED | (not legible) | MAAP run CN06059A | (no description given) |
| Area Temperature | >12 hrs | Calculation NEDC 07-065, PSA-ES72 and PSA-ES73 | Equipment reliability for HPCI and RCIC areas not impacted for a 12 hour SBO scenario. |
| ECST inventory | 9.5 hrs | PSA-ES66, NEDC 92-050K, and NEDC 98-001 | Timing based on interpolated time for integrated decay heat make-up for 87,000 gallons consumed to prevent the low level suction swap. Note that HPCI would be anticipated to auto swap to torus and this challenge is not limiting for HPCI operation. |
| DC battery depletion without load shed | 11.0 hrs | NEDC 07-053 | (no description given) |
[Figure A-1, revised LOOP event tree: graphic not reproduced in this extraction.]
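As an added example (not part of Appendix A, the CNS PRA, or the SPAR model), the following Python encodes the eight T1SBO sequences described above as event-tree paths and derives each sequence's AC recovery window from the rule the appendix applies to every sequence: the limiting challenge time plus one hour for extended boil-off. The branch values for RCI-EXT/HCI-EXT (0.06) and V5 (1.0) are the appendix's own; the values for U2, U1B, X1 and the REC-LOSP-DG* non-recovery events are not given on the page and are placeholders, as are all function names. V5 is listed on every path where the text says fire water injection fails, so the T1SBO-3 expression here carries a V5 term that the page's own expression omits.

```python
from math import prod

# Branch failure probabilities. RCI-EXT/HCI-EXT (0.06) and V5 (1.0) are the values
# stated in Appendix A. U2, U1B, X1 and the REC-LOSP-DG* non-recovery values are
# not given on the page; the numbers below for those are placeholders only.
FAIL_PROB = {
    "U2": 0.05,       # placeholder: RCIC fails to provide initial make-up
    "U1B": 0.05,      # placeholder: HPCI fails to provide initial make-up
    "RCI-EXT": 0.06,  # Appendix A: actions to extend RCIC operation fail
    "HCI-EXT": 0.06,  # Appendix A: actions to extend HPCI operation fail
    "X1": 0.02,       # placeholder: emergency depressurization fails
    "V5": 1.0,        # Appendix A: fire water injection given 1.0 failure probability
}
REC_FAIL_PROB = {12: 0.10, 10: 0.15, 6: 0.30}  # placeholder AC non-recovery by window (h)

BOIL_OFF_MARGIN_HOURS = 1  # Appendix A allows one extra hour for extended boil-off

# Limiting challenge time (hours) behind each sequence pair, from the Appendix A text.
LIMITING_HOURS = {
    1: 11, 2: 11,  # Division 1 battery, no load shedding (NEDC 07-053)
    3: 9, 4: 9,    # manual gravity fill of the ECST for RCIC
    5: 9, 6: 9,    # Division 2 battery with one major DC load shed
    7: 5, 8: 5,    # Division 2 battery without load shedding
}

# Branch outcomes along each path as (event, failed). In the page's notation a
# leading "/" marks success. V5 appears wherever the text says fire water fails.
SEQUENCES = {
    1: [("U2", False), ("RCI-EXT", False), ("X1", False), ("V5", True)],
    2: [("U2", False), ("RCI-EXT", False), ("X1", True)],
    3: [("U2", False), ("RCI-EXT", True), ("X1", False), ("V5", True)],
    4: [("U2", False), ("RCI-EXT", True), ("X1", True)],
    5: [("U2", True), ("U1B", False), ("HCI-EXT", False), ("X1", False), ("V5", True)],
    6: [("U2", True), ("U1B", False), ("HCI-EXT", False), ("X1", True)],
    7: [("U2", True), ("U1B", False), ("HCI-EXT", True), ("X1", False), ("V5", True)],
    8: [("U2", True), ("U1B", False), ("HCI-EXT", True), ("X1", True)],
}


def recovery_window_hours(seq_no):
    """Hours allowed to recover AC power: limiting challenge plus boil-off margin."""
    return LIMITING_HOURS[seq_no] + BOIL_OFF_MARGIN_HOURS


def recovery_event(seq_no):
    """Name of the AC non-recovery event closing the sequence, e.g. REC-LOSP-DG12H."""
    return f"REC-LOSP-DG{recovery_window_hours(seq_no)}H"


def sequence_expression(seq_no):
    """Render the path in the page's Boolean notation ('/' = success, '*' = AND)."""
    terms = [("" if failed else "/") + event for event, failed in SEQUENCES[seq_no]]
    return "*".join(terms + [recovery_event(seq_no)])


def sequence_probability(seq_no, fail_prob=FAIL_PROB, rec_fail=REC_FAIL_PROB):
    """Probability of the path given a LOOP with both emergency diesels failed:
    product of branch probabilities times the non-recovery probability for the window."""
    branches = prod(
        fail_prob[event] if failed else 1.0 - fail_prob[event]
        for event, failed in SEQUENCES[seq_no]
    )
    return branches * rec_fail[recovery_window_hours(seq_no)]


def total_core_damage_probability():
    """Sum over the eight core damage sequences (they are mutually exclusive paths)."""
    return sum(sequence_probability(n) for n in SEQUENCES)


if __name__ == "__main__":
    for n in SEQUENCES:
        print(f"T1SBO-{n}: {sequence_expression(n):45s} "
              f"window = {recovery_window_hours(n):2d} h  P = {sequence_probability(n):.3e}")
    print(f"Conditional core damage probability (placeholder inputs): "
          f"{total_core_damage_probability():.3e}")
```

With V5 fixed at 1.0 the depressurization branch only redistributes probability between the odd and even sequences of each pair; the recovery window, and hence which REC-LOSP-DG event applies, is decided entirely by the limiting challenge, which is the point the appendix makes for each sequence.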
APPENDIX B Human Reliability Analysis

Introduction

Division 2 DG failed a monthly Surveillance Test on January 18, 2007. The DG VAR loading rapidly spiked until the Diesel Generator Breaker tripped on Over-Voltage. The DG VAR loading spiked to approximately 10,667 KVAR prior to tripping the Diesel Generator. After troubleshooting the Diesel Generator, it was determined that a diode on the Voltage Regulator card had failed and caused the VAR excursion and subsequent Diesel Generator failure. A risk evaluation of this condition was documented in CR-CNS-2007-00480 which credits recovery from the DG2 failure. This is also a key input to the significance determination of this failure, since recovery of the DG trip restores critical on-site AC power. This paper provides the basis for recovery, identifying the activities that accomplish recovery, and discusses factors affecting the successful outcome. An estimate of the probability of failure of the recovery is determined for the limiting core damage scenarios as defined in the plant PRA and SPAR models.

Conclusion

Recovery of DG2 is considered likely due to the time available for diagnosis using existing Station Blackout procedures that place priority on restart of emergency AC power. The most limiting core damage event for failure of Diesel Generator 2 is a LOOP with Diesel Generator 1 not available. In these sequences high pressure core cooling is initially successful. More than 8 hours is available to recover at least one AC electrical power source prior to core damage. With the station in a blackout condition, DG2 restart is directed by 5.3SBO which is applicable to greater than 95% of the core damage sequences. Given an extended coping period available for diagnosis and execution, the likelihood of successful recovery for DG2 is estimated to be at or below 3.2E-2, depending on the HRA model used.
The increase in
risk due to emergency
AC failure occurs in sequences where core
and containment
cooling was successful when relying solely
on Division 2
DG during the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission
time of the PRA supplying
all required loads. These sequences require a
Loss of Offsite Power event concurrent
with DG1 out of service for maintenance (or
as result of system failures). After the scram, DG2 trips
due to random (intermittent) diode failure. When the diode
fails, the DG VAR (voltage)
output rapidly increases until the
DG trips on output breaker lockout (86 relay) on over voltage. The loss of DG2 emergency
AC power occurs almost instantaneously following
the diode failure. The DG2 would
trip and lockout
on over-voltage given
the Voltage Control
Mode Selector (VCMS) switch is
positioned
to Auto. In response to a LOOP, the Control Room would
be operating the
plant using HPCI
or RCIC to control level and pressure while depressurizing the reactor.
An RHR pump, a Service Water
Pump Page B1 of B20
and a Service Water Booster Pump would
be in service to cool the suppression pool. These
loads would be supplied
by DG2. Since DG 1 is not credited, once the Control Rooin
validates that offsite
power will not be available promptly (prior
to DG2 failure), the RCIC loads will be transferred
to the Division I1 batteries and supplied by
Division I1 Diesel Generator (via 5.3AC480, Attachment
8). This action would extend
the available battery depletion time to
approximately
8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> after DG2 diode
failure. A realistic
battery depletion
of 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> is modeled in the
CNS PRA. The depletion times assume
that both divisions
of batteries
are both at 90% capacity. Calculation
NEDC 07-053 estimates
how long the batteries would
last using the
Design Basis calculations
NEDC 87-131A3, By C and D as inputs. The average loading
assumed in these calculations
is determined and
divided by the actual battery capacity. The result of this
calculation validates that both divisions of batteries would be capable
of supplying all required
loads for a ininiinum
of approximately
8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. At the end of the scenario, the battery terminal voltage was compared
with the ininiinum battery teiininal voltage required
to ensure adequate voltage
to start the Diesel Generator
was available.
Based on this analysis, both RCIC
and/or HPCI are available
for a minimnuin
of 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. Review of Other Issues Effecting:
Recovery There are a number of issues that should be addressed
as part of crediting restoration
of the DG2 lockout. These issues and their resolution are
listed below: Diagnosis:
In order to diagnose the DG2 voltage regulator failure, an operator (in the DG2 room) must confirm there are no obvious gross mechanical or electrical issues affecting DG operation. This is accomplished by procedure 2.2.20.1 and supports the decision to restart. Since a LOOP event would have occurred, the plant would be in the Emergency Power procedure (5.3EMPWR). A station operator monitors diesel operation (Operations Procedures 2.2.20 and 2.2.20.1, the DG operating procedures) and during a LOOP would be expected to be nearby (not necessarily in the diesel room). Once the SBO is entered, the station operator returns to the diesel room and confirms overall integrity of the machine to support restart as needed.

Effects of DG2 Restart: The nature of the failure becomes apparent when the initial restart fails due to over-voltage and the same annunciation re-occurs (Procedure 2.3-C-4, Page 8, Tile C-4/A-5). Given a failed attempt to restart from the Control Room per 2.2.20.1, the Operations crew would focus on local operation in Procedure 2.2.20.2, Section 9 (or 5) as directed by 5.3SBO. Procedure 2.2.20.2 provides guidance for placing DG control in ISOLATE, which defeats the standing emergency start signal. The decision for local operation in manual voltage control would be driven by the high priority of AC power restoration given the SBO condition.
Staffing: At the initiation of the LOOP event, the plant would have been placed in a Notification of Unusual Event. Although a NOUE does not require initiating actions to bring the ERO on site, Operations Management would expect the SM to call in additional personnel once the Control Room contacted the Doniphan Control Center and determined that offsite power would not be restored promptly. In the event that the SM did not initiate ERO pagers to activate facilities, the Operations Management team would require the SM to take these actions as follow-up to notification of change in plant status. The needed staff, including management, maintenance, and engineering, would be called out and mobilized to respond to the plant event. After the SBO occurred due to the loss of DG2, a Site Area Emergency would be declared and the ERO would be activated, if not already staffed.
Page B2 of B20

Lighting: When DG2 is running the plant would be in a LOOP with normal lighting powered from MCC-DG2. When DG2 failed, a station blackout would occur given DG1 is unavailable. Local inspections would be facilitated by emergency Appendix R lighting. A set of emergency lights is located in the DG2 room and they are directed in the general direction of the local control panels. The emergency lights are rated at 8 hours on battery. Lighting levels are adequate for general activities such as getting around in the room and gross inspection of the diesel. The lighting would be sufficient to support local control using the VC Mode Selector and Manual Voltage Regulator Adjust, each of which is within arm's reach on the front control panel in the DG2 room.

Execution:
Loading of the DG during manual operation was reviewed for system response. The first loads the DG would supply are the 480 volt load center including the 460 volt MCC loads. This loading is expected to be approximately 500 to 750 kVA. Based on the rating of the DG compared to this load, the DG output voltage is not expected to change significantly. Following these loads, an RHR pump, a Service Water Booster Pump and a Service Water pump would be manually started from the Control Room. These loads would be started individually by the operator in the DG Room. The operator stationed in the DG room would monitor DG voltage after each large motor start and adjust the voltage back to approximately 4200 volts after the motors had started and a steady state voltage had been achieved. Conversations with the DG System Engineer and two MPR representatives indicated that with the DG in manual voltage control, the voltage drop between no load and full load would probably be around 5%. Since each of the large motors that would be started represents approximately 1/4 of the total capacity of the generator, a voltage drop of 1.25% would be expected. Due to the uncertainties associated with operating a DG in this manner, a value of 5% voltage drop for each motor start will be conservatively utilized. Given the minimal loading and the significant margin between the original voltage of 4200 volts and the minimum required voltage, the Station Operator would be able to maintain the output voltage of the DG above the minimum voltage requirements for the equipment at all times.

Recovery Time Line

A list of actions is described for the recovery of DG2, including consideration of the issues described above. These actions are shown in the following table, with estimates of the range of times required to perform each action (Time Estimate column). A narrative of the Operator response is given here to support the list in Table 1. After the DG2 trip, the Control Room would enter procedure 5.3SBO, which would direct the Operator located near DG2 to do a visual inspection of the Diesel Generator to ensure that fluid levels and other parameters are in specifications (5.3SBO Attachment 3, Step 1.2.3.2 ff). When the 86 lockout relay is reset in the Control Room, DG2 restart is expected due to the standing safety system actuation signal. Due to the failed diode in the voltage regulator card, the diesel generator will fail almost instantly upon starting. As a result of this trip, the same alarms and trip indications will re-occur. Once DG2 trips the second time, the Control Room would have received the same annunciation and breaker flags on both trips (indicating a voltage control problem).
Page B3 of B20
The Control Room would be directed to place DG2 in ISOLATE (5.3SBO, Step 1.2.3.5), which defeats the emergency start signal. The Control Room directs use of Section 9, Procedure 2.2.20.2, Operation of Diesel Generators from Diesel Generator Rooms, by placing the Control Mode Selector Switch to LOCAL. At Step 9.6.1 the Control Room would require the VC Mode Selector switch be positioned to Manual to start the DG and the Manual Voltage Regulator Adjust be set and maintained at approximately 4200 volts. It should be noted that this control will probably already be set to approximately 4200 volts. Once the DG was running and not tripping, the Operations Crew would load the DG per plant procedures (refer to 5.3SBO, Attachment 3, Step 1.2.3.6).
Table 1 Recovery Activities and Duration

| Activity | Time Estimate (min) | Time Line (min) |
|---|---|---|
| A. LOOP Response | | t=0 |
| B. TSC Activation | | |
| 1. TSC Activation | 60 | 60 |
| C. Diagnosis | | |
| 1. Control room responds to LOOP, 5.3EMPWR verifies DG2 running | 1-2 | 1-2 |
| 2. Station Operator dispatched to DG2 room | 2-5 | 3-7 |
| 3. Decision to Restart DG2, 5.3SBO, Step 1.2.3.4 per 2.2.20.1 | 1-2 | 4-9 |
| 4. Station Operator performs checklist, contacts Control room | 2-5 | 6-14 |
| 5. Station Operator observes DG2 start sequence and trip | 1-1 | 7-15 |
| 6. Decision to Restart DG2, 5.3SBO, Att. 3, Step 1.2.3.5 using 2.2.20.2 (DG2 Isolated, change VC Mode to Manual and Man Volt Control) | 45-105 | 51-120 |
| D. Execution | | |
| 1. Station Operator restarts DG2 in Manual | 5-10 | 56-130 |

The time required to recover the DG is estimated at 120 minutes for diagnosis (steps C.1 through C.6) and 10 minutes for execution (step D.1) from the time the DG lockout occurs. (The minimum time estimated to perform the recovery is 56 minutes.) This is supported by the expected time to review the alarms and step through existing procedures to determine applicable steps. This restoration, operating the DG in manual, is a relatively simple task which is accomplished by the Operating crew member assigned to the DG unit. These times are used in the next section, where the recovery failure probabilities are estimated with the SPAR-H method.

The minimum return to service time available is 10 hours, based on 8 hours of RCIC operation plus a 120 minute boil-off period. (Similar time for recovery exists for the HPCI success case, with actions to extend injection to 8 hours following DG2 failure.) This treatment is applicable to more than 95% of the sequences contributing to core damage. The remaining 5% of the sequences have a considerably shorter time frame for recovery and are assumed not recovered. This assumption has negligible impact on the expected change to core damage frequency.
Probability of Failure to Recover

The SPAR-H model was used to estimate the probability of failure to recover the DG as a function of the time required to perform the manual restart (the time from the timelines) and the time available to complete the actions in order to mitigate core damage (which comes from the accident sequence analysis in the PSA).
Page B4 of B20
The recovery will be considered in two parts, Diagnosis and Execution, per the SPAR-H method. The time available to make the restoration is the time the plant is able to cope with an SBO. The DC battery depletion time is 8 hours with either high pressure injection source, with an additional 2 hours for core boil-off time. This evaluation assumes the 8 hour depletion time starts at the time of the SBO event. For this scenario no credit is given for the possibility of using the swing charger on Division 1 batteries when DG2 is running. A bounding 10 hour recovery period is assumed to apply to both HPCI and RCIC depletion sequences.

The following performance shaping factors from the SPAR-H method are assumed for the diagnosis portion:
- Time Available = Long (9 hours), time needed ~120 minutes
- Stress = High, LOOP, then station blackout conditions
- Complexity = Nominal, indications are compelling, interpretation and action is clear
- Training = Nominal, address symptoms, use TSC support to diagnose
- Procedures = Nominal, use alarms as defined and steps in procedures; problem is self-revealing
- Ergonomics = Nominal, CR emergency lighting exists

The following performance shaping factors from the SPAR-H method are assumed for the execution portion:
- Time Available = Long (~10 min needed), with >60 min available
- Stress = High, focused on DG recovery; however, the action does not create conflict
- Complexity = Nominal, actions are simple and gradual
- Training = Low; however, manual operation uses familiar controls at the DG panel
- Procedures = Not complete, TSC to add steps to Section 9 for manual start and load
- Ergonomics = Nominal, emergency lighting in place

As seen on the following SPAR-H table, the estimate for the probability of failure to recover the DG is 3.2E-2. This is calculated using conservative estimates of repair activity times.

Discussion of SPAR-H Performance Shaping Factors
Diagnosis Factors:

Location: Information from the Control Room and the Diesel Generator Room would be utilized to diagnose this event.

Time Available: The minimum time available is considered long (>60 minutes) because the total time to diagnose the DG is approximately 120 minutes and the execution is expected to take about 10 min.

Stress: The stress is considered high because the plant would be in an SBO. With the ERO staffed, the Operations Crew would have additional resources to help diagnose the problem, and significant insight into the problem would be available.

Complexity: The Control Room would have at least two distinct annunciator and breaker trip flag cues that indicate a voltage control problem, as confirmed by the alarm card listing. Since there is no conflicting information and both cues lead to the same conclusion, the complexity is considered Nominal.
Page B5 of B20

Training: Operations is trained on how to operate the DG and a procedure is available for operation of the DG from the Diesel Generator Room, which is considered adequate.

Procedures: Procedures 5.3EMPWR, 5.3SBO, 2.2.20.1, and 2.2.20.2 provide guidance on what actions should occur during an SBO. The guidance in 2.2.20.2 (refer to Section 9) to start the DG in auto voltage control would establish the DG voltage trouble. The vendor manual states that DG operation in manual should be used if there are voltage control issues. By modifying Procedure 2.2.20.2, at Step 9.6.1 the Control Room would require the VC Mode Selector switch be positioned to Manual to start the DG and the Manual Voltage Regulator Adjust be set and maintained at approximately 4200 volts. Therefore, the procedures are considered nominal for diagnosis.

Ergonomics: The operator would be required to operate the DG from the Diesel Generator Room, and the actions of starting the DG and adjusting DG voltage would occur at different times. The actions the operator would be required to perform are considered minimal and the position of the equipment is considered adequate. Therefore, the ergonomics of this recovery is considered nominal.

Execution Factors:

Location: The recovery of the DG would occur in the Diesel Generator Room.

Time Available: The time available is considered long because the actual starting of the DG in manual voltage control is estimated to take approximately 10 minutes and the available time is much greater than 5 times that amount.

Stress: Since the operator would have been in the DG room inspecting the DG and resetting breakers since the time the DG failed, the stress is considered high. Since the DG would start once procedure 2.2.20.2 was utilized, the stress would only decrease as the recovery continued.

Complexity: The start and operation of the DG in manual voltage control is provided by the Control Room using 2.2.20.2, with the exception that the operator does not perform the step to start the DG in automatic voltage control. The control room would provide guidance on manual operation to be followed prior to running in manual. Once the DG was running and not tripping, the Operations Crew would load the DG per plant procedures (refer to 5.3SBO, Attachment 3, Step 1.2.3.6). With the DG in manual, the need for adjusting the voltage as loads are added is considered minimal. Overall the complexity is considered nominal.

Training: Procedure 2.2.20.2 does not provide explicit guidance on how to manually adjust voltage; therefore the training is considered low. Manual voltage control of the DG is not specifically trained on; however, the required voltage band is large and the control of the DG voltage is simple. Overall, training is considered low for this recovery.

Ergonomics: The ergonomics for this recovery is considered adequate. The controls for the DG are readily available and are the same controls used in other DG evolutions. Once the DG is started, the only operator input required is occasionally verifying the output voltage and making minor adjustments as needed. Overall, the ergonomics is considered nominal for this recovery.
Page B6 of B20
[SPAR-H worksheet table: contents not recoverable from the extracted text]
Discussion of EPRI HRA Calculator Analysis

EPS-XHE-FO-DG2, Operator fails to recover DG2 after VC board failure

Table 1: Basic Event Summary
Table 2: EPS-XHE-FO-DG2 SUMMARY

Related Human Interactions:

Cue: The increase in risk due to emergency AC failure occurs in sequences where core and containment cooling was successful when relying solely on the Division 2 DG during the 24 hour mission time of the PRA, supplying all required loads. These sequences require a Loss of Offsite Power event concurrent with DG1 out of service for maintenance (or as a result of system failures). DG2 continues to run for 4 hours prior to the diode failure causing the DG to trip. When the diode fails, the DG VAR (voltage) output rapidly increases until the DG trips on output breaker lockout (86 relay) on over voltage. The loss of DG2 emergency AC power occurs almost instantaneously following the diode failure. DG2 would trip and lock out on over-voltage given the Voltage Control Mode Selector (VCMS) switch is positioned to Auto. In response to a LOOP, the Control Room would be operating the plant using HPCI or RCIC to control level and pressure while depressurizing the reactor. An RHR pump, a Service Water Pump and a Service Water Booster Pump would be in service to cool the suppression pool. These loads would be supplied by DG2. Since DG1 is not credited, once the Control Room validates that offsite power will not be available promptly (prior to DG2 failure), the RCIC loads will be transferred to the Division II batteries and supplied by the Division II Diesel Generator (via 5.3AC480, Attachment 8). This action would extend the available battery depletion time to approximately 8 hours after the DG2 diode failure. The cue is the trip of DG2 and entry into SBO conditions. It would be indicated by numerous alarms and indications and is clearly identifiable.

Degree of Clarity of Cues & Indications: Very Good
Page B8 of B22
Procedures:
Cognitive: 5.3SBO (STATION BLACKOUT), Revision: 14
Execution: 2.2.20.2 (OPERATION OF DIESEL GENERATORS FROM DIESEL GENERATOR ROOMS), Revision: 36
Other: (), Revision:

Cognitive Procedure: Step: 1.2.3.1, Instruction: LOCALLY CONFIRM DG INTEGRITY

Procedure and step governing HI:

Plant Response: DG2 automatically starts and loads Essential Bus 4160 Volt 1G. Main Control Room (MCR) declares a NOUE and enters 5.3EMPWR, Attachment 2, Step 1.8.3 "If normal power cannot be restored or is subsequently lost, ensure TSC activated and have TSC activate Attachment 5 (Page 18) to restore power to PPGB 1." Attachment 3, Step 1.2.3 "If only one DG is providing power, perform following: Monitor DG load in accordance with Step 1.1.2 and Attachment 4 (Page 11)."

DG2 Voltage Regulator Card Fails causing DG2 Failure

Plant Response: MCR declares a Site Area Emergency and activates the ERO if the ERO has not already been activated due to the extended LOOP. MCR enters 5.3SBO Step 1.2.3, Attachment 3: 1.2.3 "If a DG is not running, perform following: 1.2.3.1 Check local control boards, valve lineups, and control power fuses if degraded conditions such as shorts, fires, or mechanical damage are not evident. 1.2.3.2 Reset any trip condition.
Page B9 of B22
a. At VBD-C, check white light above DIESEL GEN 1(2) SEQ RESET button light is off. If on, press RESET button to reset trip. INCOMPLETE b. Locally in DG Room, check ENGINE OVERSPEED alarm is not in alarm. If alarmed, reset per alarm procedure. c. Locally in DG Room, on DIESEL GENERATOR #1(2) RELAYING panel check white light above DG1(2) LOCKOUT relay is on. If off, check relays to determine cause and reset. 1.2.3.3 If starting air pressure is low, start diesel air compressor per Procedure 2.2.20.1. 1.2.3.4 Start and load DG per Procedure 2.2.20.1." MCR and DG Operators would enter Procedure 2.2.20.1, Section 7. Section 7 contains several steps designed for maintaining the availability of the DG during surveillance runs; however, the steps of interest are:

Plant Enters 2.2.20.1 "DIESEL GENERATOR OPERATIONS": 7.13 Place and hold DIESEL GEN 2 STOP/START switch to START until STOP light turns off. 7.14 Using DIESEL GEN 2 VOLTAGE REGULATOR, adjust voltage to ~4200V. This step does not state specifically that the voltage regulator would be in "Automatic" at this time; however, since this is a Restart from the Main Control Room, the only option for restarting the Diesel Generator from the Control Room is in Automatic. Due to this fact, the DG would trip and cause an over-voltage lock-out, an over-voltage annunciation exactly the same as the first trip.

Plant Continues in Procedure 5.3SBO: Attachment 3, Step 1.2.3.5 provides the following guidance: "If DG(s) cannot be started and loaded, start and load DG(s) with ISOLATION SWITCHES in ISOLATE per Procedure 2.2.20.2". Procedure 2.2.20.2 has 3 Sections that are applicable to DG2: Section 5, "DG2 STARTUP AND SHUTDOWN AFTER MAJOR MAINTENANCE"; Section 7, "DG2 STANDBY STARTUP AND SHUTDOWN FROM DG2 ROOM";
Page B10 of B22
Section 9, "DG2 OPERATION WHEN REQUIRED BY PROCEDURE 5.3SBO OR 5.4POST-FIRE". The obvious section that would be applicable for this condition would be Section 9, since it references 5.3SBO; however, upon reviewing this section, the steps are virtually identical to the steps in 2.2.20.1 except that the DG is physically started in the DG room. The Voltage Control remains in Automatic and thus the DG would trip as soon as the DG started, resulting in the same annunciation, alarms and flags. Reviewing the procedure further reveals that Section 5 provides the appropriate guidance for starting the DG in manual voltage control. Since Operations use this section of the procedure each outage if any major maintenance is performed on the DG, it is reasonable to assume that this section of the procedure would be utilized under these conditions with the combined expertise of the TSC and the on-shift operating crew and potentially the entire ERO staffed. Following either Section 5 or Section 9 would accomplish the same actions, and both would lead to a successful start of the DG.

Plant Enters 2.2.20.2 "OPERATION OF DIESEL GENERATORS FROM DIESEL GENERATOR ROOMS": 1. Section 5 "DG2 STARTUP AND SHUTDOWN AFTER MAJOR MAINTENANCE": 5.8 Place VOLTAGE CONTROL MODE SELECTOR switch to MANUAL. 5.16 Press and hold START button until blue AVAILABLE light turns off. 5.20 Using MANUAL VOLTAGE CONTROL ADJUST knob, adjust GENERATOR VOLTAGE to ~4200V. 5.23 Place VOLTAGE CONTROL MODE SELECTOR switch to AUTO. At this time the DG would trip and cause an over-voltage lock-out, an over-voltage annunciation exactly the same as the previous trips. Since the trip would occur immediately after the switch was placed in automatic, the cause of the failure would be self revealing. Once the cause of the DG trip was determined, the procedures would easily be revised to eliminate the step that puts the DG in automatic voltage control and add a step that has the DG operator check and/or adjust the DG voltage as necessary within a few minutes after large motors are added and as a periodic task. This task would be identical to the task the operator performs to add load to the DG for the Monthly Surveillance tests, with the only exception being that they would be monitoring voltage and total load rather than just total load. Therefore, the operators receive training on this type of activity twice a month. Operation of the DG in manual voltage control is also discussed in the Vendor Manual.

Training: Classroom, Frequency: Initial; OJT, Frequency: Initial
Routine Operation: The operators perform a manual start from the DG room per procedure 2.2.20.2, Section 5, at least once per outage.
Page B11 of B22
JPM Procedure: (), Revision:
Environment: Lighting: Emergency; Heat/Humidity: Hot / Humid; Radiation: Background; Atmosphere: Normal

HFE Scenario Description: The Division 2 DG failed a monthly Surveillance Test on January 18, 2007. The DG VAR loading rapidly spiked until the Diesel Generator Breaker tripped on Over-Voltage. The DG VAR loading spiked to approximately 10,667 KVAR prior to tripping the Diesel Generator. After troubleshooting the Diesel Generator, it was determined that a diode on the Voltage Regulator card had failed and caused the VAR excursion and subsequent Diesel Generator failure.

Special Requirements: A risk evaluation of this condition was documented in CR-CNS-2007-00480, which credits recovery from the DG2 failure. This is also a key input to the significance determination of this failure, since recovery of the DG trip restores critical on-site AC power. This HRA estimates the probability of failure of the recovery.

Complexity of Response: Cognitive: Complex; Execution: Complex

Equipment Accessibility: CONTROL ROOM: Accessible; DIESEL GENERATOR ROOM: Accessible

Execution Performance Shaping Factors: Stress: High; Plant Response As Expected: No; Workload: N/A; Performance Shaping Factors: N/A
Page B12 of B22
Performance Shaping Factor Notes:

Cognitive Unrecovered EPS-XHE-FO-DG2

Timing: Cue at t=0; Irreversible Damage State at 600.00 min

Timing Analysis: The time required to recover the DG is estimated at 120 minutes for diagnosis (steps C.1 through C.6) and 10 minutes for execution (step D.1) from the time the DG lockout occurs. (The minimum time estimated to perform the recovery is 56 minutes.) This is supported by the expected time to review the alarms and step through existing procedures to determine applicable steps. This restoration, operating the DG in manual, is a relatively simple task which is accomplished by the Operating crew member assigned to the DG unit. The time available to make the restoration is the time the plant is able to cope with an SBO. The DC battery depletion time is 8 hours with either high pressure injection source, with an additional 2 hours for core boil-off time. This evaluation assumes the 8 hour depletion time starts at the time of the SBO event. For this scenario no credit is given for the possibility of using the swing charger on Division 1 batteries when DG2 is running. A bounding 10 hour recovery period is assumed to apply to both HPCI and RCIC depletion sequences.

Time available for recovery: 470.00 Minutes
SPAR-H Available time (cognitive): 590.00 Minutes
SPAR-H Available time (execution) ratio: 48.00
Minimum level of dependence for recovery: ZD
Page B13 of B22
Table 3: EPS-XHE-FO-DG2 COGNITIVE UNRECOVERED
Page B14 of B22

Indication Available in CR: Most necessary indications are available in the main control room. [Decision tree columns: CR Indication; Warning/Alternate Indicators; Training on Indicators; Accurate in Procedure.] Lockout relay and diesel integrity information is necessary for the cognitive task and is readily available from the diesel generator room.

[Decision tree: Low vs. High Workload; Check vs. Monitor; Front vs. Back Panel; Alarmed vs. Not Alarmed. Branch values legible in the extraction: (a) neg., (b) 1.5e-04, (c) 3.0e-03, (d) 1.5e-04, (e) 3.0e-03, (n) 1.5e-03, (o) 3.0e-02.] Per procedure during an SBO, recovery of the EDGs is the operators' primary concern and focus. Most of the necessary information is available on a front control panel or the DG local panel.
Page B15 of B22

[Decision tree: Indicators Easy to Locate; Good/Bad Indicator; Formal Communications. Branch value legible: (h) 7.0e-03.] While diesel noise could hinder communication while the diesel is running, it will not be running during the cognitive phase and communication from the DG room to the CR should be normal.

pcd: Information misleading [Decision tree: Yes/No; All Cues as Stated; Warning of Differences; Specific Training; General Training. Branch value legible: (b) 3.0e-03.]

pce: Skip a step in procedure [Decision tree: Obvious vs. Hidden; Single vs. Multiple; Graphically Distinct; Placekeeping Aids. Branch values legible: (a) 1.0e-03, (b) 3.0e-03, (c) 3.0e-03, (d) 1.0e-02, (e) 2.0e-03, (f) 4.0e-03, (i) 1.0e-01.]
Page B16 of B22

pcf: Misinterpret instruction [Decision tree: "NOT" Statement; "AND" or "OR" Statement; Standard or Ambiguous wording; All Required Information; Training on Step; Practiced Scenario; Belief in Adequacy of Instruction; Adverse Consequence if Reasonable Alternatives; Policy of "Verbatim". Branch values legible: (d) 3.0e-03, (e) 3.0e-02, (f) 6.0e-03, (g) 6.0e-02, (a) 1.6e-02, (b) 4.8e-02, (c) 6.0e-03, (d) 1.0e-02, (e) 2.0e-03, (f) 6.0e-03.]
Page B17 of B22
APPENDIX C Data Analysis

The following section describes the process and results of the data analysis performed to determine the failure probability of the defective diode in the DG-GEN-DG2 voltage regulator card.

In Service Performance for the Defective Diode

The diode's in-service life included 36 hours of run time and one failure of function. The defective diode was installed as part of the voltage regulator control card on November 8, 2006. The card was in service for 36 hours following installation, as the diesel generator was run for post maintenance testing and surveillance testing up until its failure and removal on January 18, 2007. Evaluation of performance leading to the over voltage trip of DG-GEN-DG2 on January 18, 2007 and subsequent root cause lab testing found that there were two other instances that could be attributed to the open circuit failure condition of the defective diode. However, both of these instances were dismissed as follows:

During post maintenance testing of DG-GEN-DG2 on November 11, 2006, an over voltage condition was noted while tuning the control circuit that contained the defective diode. Because this testing did not provide conclusive evidence that the diode was the cause of the over voltage condition, and based on the fact that DG-GEN-DG2 demonstrated over 24 hours of successful run time after occurrence of the November 11, 2006 condition, this instance is dismissed as an attributable failure of the defective diode.

A post failure test of the circuit card that included the defective diode resulted in satisfactory card operation followed by unsatisfactory card operation, with the subsequent determination that the defective diode was in a permanent open circuit state. Though this lab testing could have been interpreted as an additional failure of the diode, it has been dismissed due to the large amount of variability introduced by shipping of the card to the lab, the differences between lab bench top testing and actual installed conditions, and errors that could be attributed to test techniques and human errors.

Priors

A bounding approach was taken in the application of diesel generator fail to run data used to assess the change in risk resulting from the January 18, 2007 over voltage trip. This bounding approach includes use of the higher diesel generator fail to run failure rate modeled in the CNS SPAR model. The SPAR model diesel generator fail to run probability is 2.07E-02 for a 24 hour mission time. The mean failure rate can be derived by solving the following Poisson expression for the diesel generator failure probability of 2.07E-02:
Page C1 of C2
2.07E-02=1-Exp(-h"24)
or h = 8.715E-O4/Hr Number of
Diode Failures (N)
This failure rate will
be used as a noninfonnative prior to
derive the failure rate
of the defective
diode. Diode In Service hpost, Diesel Generator Diode Failure
Tiine (Hours) (dc+N)/p+3
6) Mission Time
Probability
(1- E~p(-Api,,t
"24) Bayesian Estimation
N= 1 N=2 Guidance provided
in NUREG CR6823 (Reference
4) was used to deteiinine
that a Constrained
Noninfonnative Prior Bayesian
Estimation
was the best method to utilize in
the derivation of the defective diode failure rate.
Section 6.5.1 of NUREG CR6823 discusses failure
to run during mission events and directs the
use of Bayesian estimates using section 6.2.
Section 6.2.2.5.3 recoininends use
of the constrained noninformative prior as a coinpromise
to a Jeffi-ies
prior when prior belief is available but the dispersion is defined to
correspond
to little information. Because the
SPAR fail to run data provides prior belief
with unknown infomation
on possible industry failures resulting
fonn the diode defect a constrained
noninfonnative
prior was applied. 36 2.46E-03
24 HOU~S 5.7E-02 36 4.1 1 E-03 24 Hours 9.3 9E-02 This estimation
assumes an dc of 0.5 and derives p as follows using the 8.715E-04
mean failure rate froin the SPAR data: hprior = dc/p p = 573 Where dc=0.5, hp~i,,=8.715E-04/Hr Applying the
in service performance for the defective diode
the following table can be
generated
to detail the diodes failure probability.
Apost is derived using the Constrained
Noninfonnative Prior with
an dc=0.5 and p = 573. I N=3 I36 I 5.75E-03 I 24 Hours I 1.29E-01 Note the above table includes
1, 2 and 3 failures
to support bounding analysis
done in section 2.2. The overall ,change in risk imparted
by the defective diode derived
in section 2.1 of this study concludes
an overall failure
of 1 to best reflect the actual conditions. Page C2 of C2
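The constrained noninformative prior update above, carried through as an added worked example in Python; this is not code from the NRC report or the CNS analysis. It takes the SPAR 24 hour fail to run probability, backs out the mean rate, builds the gamma prior with α = 0.5 and β = α/λprior as NUREG/CR-6823 Section 6.2.2.5.3 prescribes, and updates it with N diode failures in T = 36 in-service hours. The only inputs are the values quoted in this appendix; no other data is assumed.

```python
"""Constrained noninformative prior (CNI) update of a failure rate.

Added worked example; not code from the NRC report.  Inputs are the values
quoted in Appendix C: SPAR diesel generator fail-to-run probability 2.07E-02
over a 24 hour mission, and the defective diode's in-service record
(N failures in T = 36 hours).
"""
from __future__ import annotations

import math


def rate_from_mission_probability(p_fail: float, mission_hours: float) -> float:
    """Solve p = 1 - exp(-lambda * t) for lambda (constant failure rate)."""
    if not 0.0 < p_fail < 1.0:
        raise ValueError("mission failure probability must be in (0, 1)")
    return -math.log(1.0 - p_fail) / mission_hours


def cni_prior(mean_rate: float, alpha: float = 0.5) -> tuple[float, float]:
    """Gamma(alpha, beta) prior whose mean alpha/beta equals the given rate.

    alpha = 0.5 is the constrained noninformative choice of NUREG/CR-6823;
    beta carries units of time (hours here).
    """
    return alpha, alpha / mean_rate


def posterior_rate(alpha: float, beta: float, failures: int, hours: float) -> float:
    """Posterior mean of a Gamma prior updated with Poisson count data.

    Gamma(alpha, beta) x Poisson(N in T) -> Gamma(alpha + N, beta + T);
    the posterior mean is (alpha + N) / (beta + T).
    """
    if failures < 0 or hours <= 0:
        raise ValueError("need N >= 0 failures over T > 0 hours")
    return (alpha + failures) / (beta + hours)


def mission_failure_probability(rate: float, mission_hours: float) -> float:
    """P(at least one failure during the mission) for a constant rate."""
    return 1.0 - math.exp(-rate * mission_hours)


def diode_table(spar_p_ftr: float = 2.07e-2, mission_hours: float = 24.0,
                service_hours: float = 36.0, max_failures: int = 3) -> list[dict]:
    """Reproduce the Appendix C table for N = 1 .. max_failures failures."""
    lam_prior = rate_from_mission_probability(spar_p_ftr, mission_hours)
    alpha, beta = cni_prior(lam_prior)
    rows = []
    for n in range(1, max_failures + 1):
        lam_post = posterior_rate(alpha, beta, n, service_hours)
        rows.append({
            "N": n,
            "T_hours": service_hours,
            "lambda_prior_per_hr": lam_prior,
            "beta_hours": beta,
            "lambda_post_per_hr": lam_post,
            "p_mission": mission_failure_probability(lam_post, mission_hours),
        })
    return rows


if __name__ == "__main__":
    for row in diode_table():
        print(f"N={row['N']}  T={row['T_hours']:.0f} h  "
              f"lambda_post={row['lambda_post_per_hr']:.3g}/hr  "
              f"P(24 h)={row['p_mission']:.3g}")
```

The report rounds β to 573 before updating; carrying β = 573.7 unrounded moves the N = 2 and N = 3 posterior rates by less than 1E-05/hr, which is within the three significant figures the table shows. The update is the same Gamma-Poisson conjugate step whatever the prior mean, so the same functions apply to any component whose failure-rate prior is anchored on a SPAR or generic-data estimate.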
APPENDIX D
DG2 VOLTAGE CONTROL BOARD DIODE FAILURE FIRE-LOOP EVALUATION

Introduction

During surveillance testing on January 18, 2007 the Division 2 Emergency Diesel Generator (DG2) tripped unexpectedly after running for approximately 4 hours in automatic voltage control mode. This paper evaluates the impact of internal fires on offsite AC power availability and recovery actions. Internal fires can contribute to the Incremental Conditional Core Damage Probability (ICCDP) for this condition, and that contribution is assessed using the results of the CNS IPEEE Internal Fire Analysis coupled with additional condition-specific analysis. This evaluation is limited to conditional fire-initiated accident sequences in which the DGs are demanded. Therefore, for the evaluated fire sequences to contribute to the overall ICCDP, they must cause a Loss of Offsite Power (LOOP). The LOOP can be caused in one of two ways: either the fire physically damages equipment such that offsite power is lost, or it forces the operators to intentionally (per procedure) isolate offsite power from the plant. Sequences that include a partial LOOP event occurring as a result of loss of the startup transformer are also possible. However, the onsite LOOP recovery from these sequences (as addressed in 5.4POST-FIRE) is not discussed here.

Evaluation Summary

Only two credible fires will cause a LOOP due to equipment damage. Those fire initiators are 1) a control room fire originating at either Vertical Board F or Board C, and 2) a fire in the Division II critical switchgear room 1G. The latter switchgear room fire is not considered because this fire is assumed to disable Division II AC power regardless of the success of the DG2 voltage control board.

There are two locations in the control room where a fire can conceivably cause a LOOP. Both of these locations contain control circuits for the critical bus tie breakers from both the startup station service transformer (SSST) and the emergency station service transformer (ESST). A fire in each location is considered a separate initiator. One of those sequences requires an unmitigated fire involving at least 4 feet of a control board to affect the necessary breakers. Both fire sequences would require a combination of hot shorts to open the breakers before the breaker control circuits were shorted to ground. The 69kV transmission line that supplies the ESST does not have a local 69kV breaker, and therefore the 86 Lockout and 87 Differential relays cannot de-energize the transformer. Instead the 86 Lockout and the 87 Differential relays cause the 4160 Volt breakers 1F and 1G to trip. Therefore, power from the ESST is recoverable by pulling the fuses at the breaker(s) and manually closing the breaker(s). If just one (out of two) of the 1G breaker control circuits is either not shorted to power (hot short) or blows a fuse due to a short to ground, the 1G critical AC bus will remain energized from an offsite source. Due to the required complexity of these fires, the probability of the short combinations is on the order of 1E-3. The four lockout relays are individually fused and require 125 VDC control power to operate. A fire creating a short would have to simulate a CLOSED contact from an initiating device without blowing a control power fuse to actuate the lockout relay, or affect the current transformer wiring from the current transformer to the neutral over-current or differential relay, causing the relay to actuate. The contribution to risk from these sequences is negligible.

There are several fires that result in the transfer of control of the plant to the ASD Panel. When this occurs, operators are directed to isolate offsite power and then power bus 1G with DG2. These fire initiators are 1) a control room fire requiring evacuation, 2) a fire in the cable spreading room, 3) a fire in the cable expansion room, 4) a fire in the NE corner of the reactor building, and 5) a fire in the auxiliary relay room. Procedure 5.4FIRE-SD provides instructions on isolating offsite power and powering the plant from DG2. In these cases, the LOOP is administratively induced and fully recoverable if needed. In response to the above sequences, the Emergency Response Organization (ERO) will be available after 60 minutes to assist operations in restoring offsite power if DG2 fails. (Refer to EAL 5.2.1: a fire that affects any system required to be operable directs an Alert classification with ERO activation.) For example, if 4160 VAC bus 1F is energized, an alternate breaker alignment could be used to power the 4160 VAC bus 1G (Div. II) loads that are controlled from the Alternate Shutdown (ASD) Panel.

Overview of CNS 4160 VAC Distribution Design

The configuration of the CNS offsite power sources and the main generator supply is illustrated in Figure 1. CNS supplies power to the grid at 345kV. The 345kV switchyard is designed with a "breaker and a half" scheme, so if the CNS Main Generator output breakers trip, the remainder of the 345kV yard is unaffected. The primary offsite power source at CNS is the Startup Station Service Transformer (SSST), which is supplied via a step-down transformer T2 from the 345kV switchyard. The SSST can also be supplied by a 161kV transmission line that leaves the site and terminates close to the city of Auburn. At power, CNS normally supplies the non-1E and 1E 4160 VAC switchgear from the station unit auxiliary transformer (Normal Station Service Transformer or NSST). If the CNS generator trips, or the NSST de-energizes without a generator trip, the station switchgear is designed to transfer to the SSST, if available, via a "fast transfer". The fast transfer occurs within 3-5 cycles such that no loads are shed during this transfer. Since the 4160 Volt Essential Buses 1F and 1G are supplied by 4160 Volt Buses A and B, the Essential Buses also "fast transfer" to the SSST. The SSST is supplied by the 161kV CNS switchyard, which is connected to the CNS 345kV switchyard via an auto-transformer and to a 161kV switchyard via the CNS to Auburn 161kV transmission line. If the SSST is not available, or the tie breakers between 4160 Volt Buses A and F (and B and G) trip, the Essential Buses 1F and 1G transfer to the Emergency Station Service Transformer via a short duration dead bus transfer.
[Figure 1. CNS 4160 VAC Distribution. One-line diagram showing the Normal Station Service Transformer (from the main generator), the Startup Station Service Transformer (161 kV/4160 V, from the 345 kV/161 kV grid) and the two diesel generators supplying the 4160 V switchgear; drawing not reproduced in this extraction.]
The ESST is supplied by a 69kV sub-transmission line from the 69kV Substation near Brock, Nebraska, which has multiple sources. A trip of the CNS main generator supply would have a minimal effect on the voltage at the Brock Substation. If the ESST is available and breakers 1FA and 1GB are OPEN, the ESST supply breakers (1FS and 1GS) to the 1F and 1G switchgear will close after a short delay (in which the 4160 V motors trip) and the ESST will supply both Class 1E switchgear. If the ESST is also unavailable, or one of the supply breakers (1FS or 1GS) does not close, the diesel generator(s) will supply the associated 4160 VAC switchgear.

Devices that will prevent the ESST or SSST from automatically supplying the 1E switchgear are the 86/EGP Lockout Relay (ESST Sudden Gas Pressure), 86/SGP (SSST Sudden Gas Pressure), 86/ST (SSST Differential Current) and the 86/STL (SSST Neutral Over-current). These lockout relays will trip the 4160 VAC supply breakers from the offsite power transformers and prevent remote closure from the control room of the 4160 VAC supply breakers. Reference B&R Drawing 3012, Sheet 4, Rev N11. The lockout relays associated with the SSST will also trip the 161kV breakers 1604 and 1606. The four lockout relays associated with the ESST and SSST are located on Vertical Board F in the CNS Control Room. The 86/EGP is actuated by a normally open contact at the ESST. The 86/SGP is actuated by a normally open contact at the SSST. The 86/STL is actuated by over-current relay 51N/STL (also located on Board F) with a current transformer on the neutral of the SSST. The 86/ST is actuated by the differential relay 87/ST (also located on Board F) with current transformers located in the Non-Critical Switchgear Room.

Discussion of Fire Induced Unintentional LOOP

A Control Room fire originating at either Vertical Board F or Board C could cause a LOOP due to control circuit faults. The following is a discussion of the fire damage scenario needed to result in a LOOP.

Postulated Control Room Fire on Vertical Board F or Board C: In order to cause 4160 VAC buses A, B, F and G to de-energize due to a fire under Board C in the control room, the following actions must be caused by the fire before the control room staff pull the fuses as part of the alternate shutdown procedure. These actions can be caused by a fire at Board C or at Vertical Board F, but the fire must cause damage that results in the following conditions:

1. The fire would have to cause the breakers 1AS and 1BS, the breakers that close to supply buses 1A and 1B from the SSST, to fail such that a trip signal would be present.
2. The fire would have to cause the wires for breakers 1FS and 1GS, the breakers that close to supply buses 1F and 1G from the ESST, to fail such that a trip signal would be present.
3. The fire would have to cause the wires for breakers 1FE and 1GE, the breakers that close to supply the buses from the DGs, to fail such that a trip signal would be present.

All of the above failures would have to occur or the under-voltage protection scheme at CNS would cause the loads to be transferred to the next source. The under-voltage scheme only transfers loads in one direction; thus once the loads are transferred from the SSST, the under-voltage protection scheme would not cause the loads to be loaded back onto the SSST if it becomes available. This latter transfer would be a manual action only. These breakers could be manually reset from the Essential Switchgear Room once the trip signal is removed. The trip signal could be removed by the fire causing a short in the control wiring that would cause the Control Power Transformer fuses to blow, or by pulling these fuses at breakers 1FS and/or 1GS and closing the breakers manually. The switches on Board C where the above control wires are terminated for Division I breakers are located between 3 and 5 feet from the corresponding Division II switches on Board C in the control room. The fire would have to damage both switch groups and/or the corresponding wire bundles in the manner described above in order to initiate a LOOP.

The 86 and 87 relays are located on Vertical Board F. The four 86 lockout relays open the 4160 VAC tie breakers from the SSST and ESST in the event of either a high transformer pressure or a neutral over-current. The four relays are in close proximity to each other and could conceivably be involved in a single fire. One of these four relays controls the tie breakers from the ESST and the other three control the tie breakers from the SSST. For a fire to isolate all of the offsite power, it must involve the 86 relay for the ESST and at least one of the relays for the SSST. The fire must cause hot shorts that energize the 86 relay coils tripping all four tie breakers before any shorts to ground occur that blow the power supply fuses to these relays.

Fire Induced Intentional LOOP

For postulated fires that could impair the ability of the operators to control the plant from the control room, CNS procedure 5.4FIRE-SD directs the operators to isolate offsite power and then supply power to the plant with DG2. Consequently, the LOOP is administratively induced and leaves the plant in a configuration where Division II equipment is controlled from the ASD panel (Division I equipment cannot be controlled from the ASD panel). These postulated fire initiators are 1) a fire in the cable spreading room (zone 9A), 2) a fire in the cable expansion room (zone 9B), 3) a fire in the auxiliary relay room (zone 8A), 4) a fire in each of the remaining 35 control room panels, and 5) a fire in the NE corner of the Reactor Building (zone 2N2C). If DG2 fails and cannot be recovered, the operations shift manager (SM) may determine that offsite power is available and restoration is needed. The ERO can then direct offsite power recovery using simple breaker operations combined with removing fuses. If needed, the NPPD Distribution Control Center located at Doniphan can operate 161kV switchyard breakers 1604 or 1606 to restore power to the SSST.

CNS IPEEE Internal Fire Analysis

The CNS IPEEE Internal Fire Analysis addressed the above fire zones. The results of that analysis are summarized in the following table. These sequences are limited to those that result in the potential for control room evacuation and induced plant centered LOOP. The screening values are the reported screening frequencies in the IPEEE adjusted for the condition exposure time. This time was determined by taking the time from plant startup from the refueling outage to the DG2 failure (56 days).

Table 1. Adjusted screening values

Fire Location | Adjusted screening value
Cable Spreading Room | 6.31E-8 (see Note 2)
Cable Expansion Room | 2.65E-8 (see Note 2)
Auxiliary Relay Room | 2.81E-8 (see Note 2)
NE Corner of Rx Building | 6.26E-8 (see Notes 1, 2)
Control Room Vertical Board F | 1.28E-7 (see Note 2)
Control Room Board C | 4.31E-8 (see Note 2)
Control Room All Other Panels | 6.86E-8 (see Note 2)

Notes:
1. Value for the 903'-6" Rx Building Elevation that includes the NE corner; however, only the contribution from the NE corner requires controlling the plant from the ASD.
2. Since the recovery of offsite AC power in each of these sequences does not involve a repair, can be performed from within the plant, and has significant procedural guidance, a non-recovery probability of 5E-1 is estimated and applied to each sequence.

Table 1 lists the applicable results for the base case, including various DG2 failure modes, and illustrates the order of magnitude importance for areas that include induced LOOP sequences. The ICCDP for fire would essentially be the sum of the additional cutsets formed by replacing the DG2 failure events with the voltage control board failure event, and the normal DG non-recovery with the specific non-recovery of a failed voltage control board. The cutset multiplier to estimate this replacement would be just slightly over 1.0 and would result in an ICCDP of much less than 1E-6.
APPENDIX E
TIME WEIGHTED LOSP RECOVERIES FOR SBO SEQUENCES

1. OBJECTIVE

The purpose of this calculation file is to update the offsite power recovery failure probability for the Cooper PRA. It also documents the calculation of time-weighted offsite power recovery failure factors for application in SBO sequences in which diesel generators run for a period of time before the SBO occurs.

2. INPUTS AND REFERENCES

The following inputs and references were used to generate offsite power recovery:
1. NUREG/CR-6890, Reevaluation of Station Blackout Risk at Nuclear Power Plants, published December 2005.

3. DEFINITIONS

Time-weighted LOSP Recovery: This represents the average offsite power recovery failure probability assuming temporary operation of the EDG after loss of offsite power.

4. ASSUMPTIONS

Offsite Power Recovery
1. General industry loss of offsite power data as reported in Reference 1 are considered to be applicable to Cooper. Loss of offsite power events at other nuclear power plants documented in these references could also occur at Cooper due to the similarity in the design of their power grids. Pooling all applicable events provides a better estimate of the offsite power recovery failure probability as a function of time than relying simply on data for Cooper.

Recovery Time
1. Refer to Appendix A for discussions of battery depletion times.

5. ANALYSIS

Method Employed and Summary of Results

The analysis is performed in two steps:
- Derive offsite power recovery failure probability as a function of time for three conditions: plant centered loss of offsite power, grid centered loss of offsite power, and weather related loss of offsite power.
- Develop a time weighted offsite power recovery factor to account for the possibility that a diesel generator may run for a period of time before a station blackout occurs. Successful diesel operation, even if temporary, can provide additional time to recover offsite power.

Offsite Power Recovery

The methodology used here develops a discrete probability profile generated from a compilation of loss of offsite power durations, which is then fit to a continuous distribution function using a least-squares curve fit. The data used in this analysis was collected by the NRC [Reference 1]. The loss of offsite power events were used to form the inputs for deriving the discrete offsite power recovery failure probability.

Time Weighted Offsite Power Recovery Factor

The Cooper station blackout (SBO) sequences consider seven different means of reaching core damage:

Extended RCIC Success (Case 1) - Modeled recovery of 12 hours
RCIC Success (Case 2) - Modeled recovery of 10 hours
Extended HPCI Success (Case 3) - Modeled recovery of 10 hours
HPCI Success (Case 4) - Modeled recovery of 6 hours
One SORV, RCIC Success (Case 5) - Modeled recovery of 8 hours
Two SORV (Case 6) - Modeled recovery of 1 hour
Injection Failure (Case 7) - Modeled recovery of 1 hour

For the above scenarios, the current SBO accident sequences are quantified as though the SBO event occurs at the time of the loss of offsite power event (time = 0). This assumption is considered conservative from an offsite power recovery standpoint given that one or both EDGs may be available for a while to provide support for operation of AC powered accident mitigating systems. Temporary operation of an EDG would allow more time for operators to recover offsite power and thus would reduce the SBO CDF. Explicitly accounting for the SBO scenarios where the EDG(s) run temporarily requires integration of the run failure rate and the offsite power recovery probability over the mission time of the accident sequence. A discrete approximation to this integration can be performed by breaking the original 24 hour EDG mission time into equal run time segments (1 hour segments) with corresponding EDG failure probabilities. Since offsite power is lost at time zero, the latest time to recover power increases by an hour for each succeeding successful EDG run segment. Correspondingly, with each succeeding hour that the SBO event is delayed, the offsite power recovery failure probability decreases. The event tree shown in Figure 5-1 illustrates the EDG run scenarios to be quantified to obtain a time-weighted offsite power recovery failure probability for the extended RCIC success sequences.
Ctw = Ptw / Plosp,0
Ptw = Averaged offsite power recovery factor
Ctw = Time Weighted Correction Factor

Figure 5-1: EDG Time Dependent Event Tree (Plant Centered)

[Event tree not reproduced in this extraction. Its columns are the EDG run time segment (1 hour) in which the EDG fails to run, the hour by which offsite power must be recovered, battery depletion, sequence number and PLOSP by hour; EDG failure to start (FTS) at t = 0 is the base case.]

* Time weighted recovery (Ptw) = SUM(recoveries over 24 hr)/24
** Correction Factor (Ctw) = Time weighted recovery / PLOSP for the FTS (t = 0) case

PLOSP values legible in the extraction (extended RCIC success, 12 hour base case):

Hour by which offsite power must be recovered | PLOSP (fail to recover)
12 (base case, P(12h)) | 0.024
13 | 0.020
14 | 0.017
15 | 0.014
16 | 0.012
17 | 0.010
18 | 0.009
19 | 0.008
20 | 0.007
21 | 0.006
22 | 0.005
23 | 0.005
24 | 0.004
SUM over the 24 run segments | 0.199
Period | 24
Ptw* | 0.008
Ctw** | 0.345

The time weighted correction factor would be applied to SBO accident sequence cut sets in which a diesel fail to run basic event occurred.

Analysis
Using the methods described in the preceding section, this section presents the derivation of the probability of failure to recover offsite power as a function of time. As explained in Section 5.1, offsite power recovery factors are initially applied in the PRA as though the station blackout occurred at time zero. In fact, a portion of the station blackout accident sequences may have an emergency diesel generator available as a power source for a short period of time before the blackout occurs. These diesel generator failure to run sequences actually have a longer period of time for operators to recover offsite power than those sequences in which both offsite power and the diesels are lost at the LOSP event. Tables 5-1 through 5-3 below compile the offsite power recovery failure as a function of the available recovery times for diesel generator failure to run sequences for each of the three LOSP event categories (plant centered, grid centered, weather related). The first column represents the sequence in the event tree shown in Figure 5-1. The second column is the time at which it is assumed that the last diesel generator fails to run following the loss of offsite power initiator. The columns labeled "AC Recovery Required" represent the time at which core damage is assumed and the associated offsite power recovery failure probability (Plosp,i). The offsite power recovery factor as a function of time (Plosp,i) is calculated as illustrated in Figure 5-1 for all seven cases. Since offsite power recovery failure for the three SBO scenarios is represented by point values in the accident sequence quantification, it is necessary to obtain representative average values for sequences in which a diesel fail to run occurs. The average values are time-weighted over the EDG run cases and are calculated by the following equation.

Equation 4:

Ptw = (1/t2) * SUM over EDG run segments i = 1..t2 of Plosp,i
Ctw = Ptw / Plosp,0

Where:
Ptw = Time weighted loss of offsite power recovery factor
Ctw = Time weighted loss of offsite power recovery correction factor (normalized to recovery assuming blackout conditions at t = 0)
Plosp,i = Probability of offsite power recovery failure by time segment i
Plosp,0 = Probability of offsite power recovery failure assuming the EDG fails at t = 0
t1 = Recovery time (case specific)
t2 = EDG run mission time (24 hr)

For example, for battery depletion scenarios, accident sequence quantification is performed assuming a failure to recover offsite power probability at 8 hours. The time weighted correction factor Ctw is calculated by averaging offsite power recovery failure over the 9 hour to 24 hour time frame and normalizing to the recovery failure probability at 8 hours. For any cut set containing an EDG fail to run event, the time weighted correction factor (Ctw) is applied as a recovery factor. This approach to SBO accident sequence quantification assumes that the EDG mission time is set to 24 hours for all accident sequences.
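The time-weighted recovery factor described in this section and in Figure 5-1, as an added worked example in Python; this is not the report's own calculation. The offsite power non-recovery curve P_losp(t) used here is constructed purely for illustration (it halves every six hours); the report fits its curve to the NUREG/CR-6890 LOSP duration data, which this page does not reproduce. The example assumes the EDG failure is equally likely in each of the t2 = 24 one-hour run segments (the plain average of the SUM/24 form in Figure 5-1) and that an EDG failing in segment i leaves t1 + i hours to recover power. It returns Ptw, the average non-recovery probability over the segments, and Ctw = Ptw / P_losp(t1), the factor applied to cut sets containing an EDG fail to run event; the seven case recovery times are those listed above.

```python
"""Time-weighted loss of offsite power (LOSP) recovery factor for SBO
sequences in which an EDG runs for a while before failing.

Added worked example; not the report's own calculation.  The non-recovery
curve below is CONSTRUCTED for illustration only.
"""
from __future__ import annotations

from typing import Callable


def constructed_non_recovery(t_hours: float) -> float:
    """Illustrative P(offsite power NOT recovered by t): halves every 6 h.

    Constructed stand-in for the fitted NUREG/CR-6890 curve, which is not
    reproduced on the page.  Any non-increasing curve on (0, 1] works.
    """
    return 0.5 ** (t_hours / 6.0)


def time_weighted_recovery(p_losp: Callable[[float], float],
                           t1: float, t2: int = 24,
                           segment_hours: float = 1.0) -> tuple[float, float]:
    """Return (Ptw, Ctw) for a case whose point-estimate recovery time is t1.

    Segment i (i = 0 .. n-1, n = t2/segment) is the run segment in which the
    last EDG fails.  Offsite power was lost at t = 0, so the operators then
    have t1 + i*segment hours to recover it before core damage.  Segments are
    weighted equally (constant fail-to-run rate approximation):

      Ptw = (1/n) * SUM_i P_losp(t1 + i*segment)
      Ctw = Ptw / P_losp(t1)      (normalised to blackout at t = 0)
    """
    if t1 <= 0 or t2 <= 0 or segment_hours <= 0:
        raise ValueError("t1, t2 and the segment length must be positive")
    n = int(round(t2 / segment_hours))
    p_t0 = p_losp(t1)
    if not 0.0 < p_t0 <= 1.0:
        raise ValueError("P_losp(t1) must be in (0, 1]")
    total, prev = 0.0, float("inf")
    for i in range(n):
        p_i = p_losp(t1 + i * segment_hours)
        if p_i > prev:  # a non-recovery curve must not rise with time
            raise ValueError("non-recovery probability must not increase with time")
        prev = p_i
        total += p_i
    p_tw = total / n
    return p_tw, p_tw / p_t0


def correction_factors(p_losp: Callable[[float], float],
                       cases: dict[str, float], t2: int = 24) -> dict[str, float]:
    """Ctw per SBO case; `cases` maps case name -> point-estimate recovery time."""
    return {name: time_weighted_recovery(p_losp, t1, t2)[1]
            for name, t1 in cases.items()}


# Recovery times modeled for the seven Cooper SBO cases listed in Appendix E.
COOPER_SBO_CASES = {
    "Case 1 Extended RCIC Success": 12.0,
    "Case 2 RCIC Success": 10.0,
    "Case 3 Extended HPCI Success": 10.0,
    "Case 4 HPCI Success": 6.0,
    "Case 5 One SORV, RCIC Success": 8.0,
    "Case 6 Two SORV": 1.0,
    "Case 7 Injection Failure": 1.0,
}

if __name__ == "__main__":
    factors = correction_factors(constructed_non_recovery, COOPER_SBO_CASES)
    for case, c_tw in factors.items():
        print(f"{case:32s} t1={COOPER_SBO_CASES[case]:4.0f} h  Ctw={c_tw:.3f}")
```

With the constructed exponential-shaped curve every case gets the same Ctw (about 0.358), because the ratio P_losp(t1 + i)/P_losp(t1) does not depend on t1 for such a curve. That is a property of the stand-in, not of the report's fitted data: Figure 5-1 gives Ptw = 0.008 against P(12h) = 0.024 for a Ctw of 0.345 in the extended RCIC case, and a curve fit to real LOSP durations yields a different factor for each of the seven recovery times.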
[Tables 5-1 through 5-3 (plant centered, grid centered and weather related LOSP recovery factors) are not legible in this extraction.]
The above tables derive conditional time weighted recovery factors and were used to derive values in Table 2.2.2-1. Because the CNS model combines plant centered and switchyard centered events into one initiator with recoveries, no specific switchyard recovery factors are provided in the tables above. A separate analysis, specific to Cooper Nuclear Station, was performed to provide recovery factors for switchyard centered events. This is reflected in the following four tables (5.4 through 5.7). The recovery factors in Tables 5.4 through 5.7 are provided to allow other analysts the option to apply time weighted recovery factors should the analyst's PRA model separate the switchyard centered LOSP recoveries from the plant centered LOSP recoveries.
[Tables 5.4 through 5.7 (switchyard centered LOSP recovery factors) are not legible in this extraction.]