ML050960263
| ML050960263 | |
| Person / Time | |
|---|---|
| Site: | Perry  |
| Issue date: | 12/17/2004 |
| From: | Hunter C S NRC/RES/DRAA/OERAB |
| To: | |
| Shared Package | |
| ML060030075 | List: |
| References | |
| LER 03-002 | |
| Download: ML050960263 (18) | |
Text
1 For the initiating event assessment, the parameter of interest is the measure of the CCDP. This is thevalue obtained when calculating the probability of core damage for an initiating event with subsequent failure of oneor more components following the initiating event. The value reported here is the mean.
1Enclosure Final Precursor AnalysisAccident Sequence Precursor Program --- Office of Nuclear Regulatory ResearchPerryAutomatic Reactor Trip and Loss of Offsite Power Due to theAugust 14, 2003, Transmission Grid BlackoutEvent Date8/14/2003LER: 440/03-002 CCDP 1 = 3x10-5 December 17, 2004Event Summary At 1610 hours0.0186 days <br />0.447 hours <br />0.00266 weeks <br />6.12605e-4 months <br /> on August 14, 2003, Perry experienced a disturbance on the electrical grid and asubsequent main generator trip followed by a turbine trip and a reactor trip while operating at 100%
power. Plant emergency diesel generators (EDGs) started and supplied power to safety-related plant loads until offsite power was restored. Attachment A is a timeline of significant events. (Refs.1 and 2).Cause. The reactor trip and loss of offsite power (LOOP) were caused by grid instabilityassociated with the regional transmission system blackout that occurr ed on August 14, 2003.Other conditions, failures, and unavailable equipment. Residual heat removal (RHR) train Awas inoperable for approximately 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> because of air binding in the keep-fill system pump. Thelow-pressure core spray (LCS) system was also affected by the air binding in the keep-fill systempump, but the LCS system was recoverable from the start of the LOOP (Refs. 3 and 4).Approximately 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> into the event, the reactor core isolation cooling (RCIC) turbine-driven pump was manually secured to prevent an automatic shutdown on high steam tunnel temperature. Thesteam tunnel temperature was caused by a loss of ventilation.The Division 1 EDG tripped on reverse power while being removed from service. This had noeffect on the conditional core damage probability (CCDP) for this event; it will be analyzed as aseparate Accident Sequence Precursor (ASP) analysis.Recovery opportunities. Offsite power was first available at 1737 hours0.0201 days <br />0.483 hours <br />0.00287 weeks <br />6.609285e-4 months <br /> when one transmissionyard breaker was closed. Offsite power was restored to the Division 1 emergency bus at 1813 hours0.021 days <br />0.504 hours <br />0.003 weeks <br />6.898465e-4 months <br /> on August 14, to the Division 3 emergency bus at 1214 hours0.0141 days <br />0.337 hours <br />0.00201 weeks <br />4.61927e-4 months <br /> on August 15, and to the Division 2 emergency bus at 1548 hours0.0179 days <br />0.43 hours <br />0.00256 weeks <br />5.89014e-4 months <br /> on August 15.
LER 440/03-002 2Analysis Results
!Conditional Core Damage Probability (CCDP)The CCDP for this event is 3x10
-5. The acceptance threshold for the ASP Program is aCCDP of 1x10
-6. This event is a precursor.Mean5%95%Best estimate 3x10-51x10-61x10-4!Dominant SequencesThe dominant core damage sequences for this assessment are LOOP sequences 30(44.4% of the total CCDP) and LOOP sequence 21 (30.7% of the total CCDP). The LOOPevent tree is shown in Figure 1.The events and important component failures in LOOP Sequence 30 are:
Sloss of offsite power occurs, Sreactor shutdown succeeds, Semergency power is available, Ssafety relief valves (SRVs) reclose after opening Shigh-pressure core spray (HPCS) fails, Sreactor core isolation cooling (RCIC) fails, Smanual depressurization succeeds, and Slow pressure injection fails.The events and important component failures in LOOP Sequence 21 are:
Sloss of offsite power occurs, Sreactor shutdown succeeds, Semergency power is available, SSRVs reclose after opening, SHPCS fails, SRCIC succeeds, Ssuppression pool cooling (SPC) fails, Smanual depressurization succeeds, Slow pressure injection fails, and Salternate low pressure injection fails.
LER 440/03-002 3!Results Tables SThe CCDP values for the dominant sequences are shown in Table 1.
SThe event tree sequence logic for the dominant sequences is presented in Table 2a.STable 2b defines the nomenclature used in Table 2a.
SThe most important cut sets for the dominant sequences are listed in Table 3.
STable 4 presents names, definitions, and probabilities of (1) basic events whoseprobabilities were changed to update the referenced SPAR model, (2) basic events whose probabilities were changed to model this event, and (3) basic events that areimportant to the CCDP result.Modeling Assumptions
!Assessment SummaryThis event was modeled as a LOOP initiating event. Rev. 3.10 (SAPHIRE 7) of the PerrySPAR model (Ref. 5) was used for this assessment. The specific model version used as a starting point for this analysis is dated December 10, 2004.RHR Train A, LCS, and RCIC were inoperable at various times during the LOOP. Sincethis event involves a LOOP of significant duration, probabilities of nonrecovery of offsitepower at different times following the LOOP are important factors in the estimation of the CCDP.Best Estimate: Offsite power was available in the switchyard approximately 90 minutesafter the LOOP. The first safety bus was returned to offsite power at 1813 (2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> after the LOOP). Failure to recover offsite power to plant safety-related loads (if needed because EDGs fail to supply the loads), given recovery of power to the switchyard, could result from (1) operators failing to restore proper breaker line-ups, (2) breakers failing toclose on demand, or (3) a combination of operator and breaker failures. The dominant contributor to failure to recover offsite power to plant safety-related loads in this situation is operators failing to restore proper breaker line-ups. This analysis assumed that at least30 minutes are necessary to restore power to an emergency bus given that offsite power is available in the switchyard. The time available for operators to restore proper breaker line-ups to prevent core damage is dependent on specific accident sequences and is modeled as such using the SPAR human reliability model (Ref. 6). Assumptions describedbelow, combined with the assumption of offsite power restoration described above, form the bases for the LOOP nonrecovery probabilities.!Important AssumptionsImportant assumptions regarding power recovery modeling include the following:
SNo opportunity for the recovery of offsite power to safety-related loads is consideredfor any time prior to power being available in the switchyard.
SAt least 30 minutes are required to restore power to emergency loads after poweris available in the switchyard.
SSPAR models do not credit offsite power recovery following battery depletion.
LER 440/03-002 4The GEM program used to determine the CCDP for this analysis will calculate pr obabilitiesof recovering offsite power at various time points of importance to the analysis based on historical data for grid-related LOOPs. In this analysis, this feature was overridden; offsite power recovery probabilities were based on (1) known information about when power wasrestored to the switchyard and (2) use of the SPAR human error model to estimate probabilities of failing to realign power to emergency buses for times after power wasrestored to the switchyard. Attachment B is a procedure for analysis of LOOP events in the ASP Program. AttachmentC is a description of the approach to estimating offsite power recovery probabilities.!Event Tree and Fault Tree ModificationsTrain A of RHR (RHR-A) was inoperable for the first 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> of the event because of airbinding in the keep-fill system pump. After 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, RHR-A was operable. Failure of thekeep-fill system is not modeled in the RHR-A fault tree of the base SPAR model; therefore,the RHR-A fault tree was updated to include this failure mode. The updated RHR-A faulttree is shown in Figure 2. For this analysis, the recovery of train A of RHR was credited forlong-term LOOP sequences. The following project rules were created to apply the recovery to long-term LOOP sequences:if INIT(IE-LOOP)
- system(CVS)
- RHR-A-KEEP-FILL then DeleteEvent = RHR-A-KEEP-FILL; AddEvent = RHR-A-KEEP-FILL-REC;elsif INIT(IE-LOOP)
- system(CSS)
- RHR-A-KEEP-FILL then DeleteEvent = RHR-A-KEEP-FILL; AddEvent = RHR-A-KEEP-FILL-REC;endifAdditionally, the LCS pump train was affected by the failure of the keep-fill system; howeverthe LCS pump train was immediately recoverable. Like RHR-A, failure of the keep-fillsystem is not modeled in the LCS fault tree of the base SPAR model; therefore, the LCSfault tree was updated to include this failure mode. The updated LCS fault tree is shown in Figure 3. The three basic events involved in the these two changes are included in the basic event probability changes section.
!Basic Event Probability ChangesTable 4 includes basic events whose probabilities were changed to reflect the event beinganalyzed. The bases for these changes are as follows:
SLCS pump train is unavailable because of keep-fill system failure (LCS-KEEP-FILL). This event represents the failure of the LCS pump train due to the keep-fillsystem failures. Since the LCS pump train was immediately recoverable, recovery of the system was credited. Using the SPAR human error model to determine thevalue (see Attachment D), LCS-KEEP-FILL was set to 2.1x10
-1. This is assumedto be the mean of a constrained noninformative distribution.
SProbability of failure to recover offsite power in 30 minutes (OEP-XHE-XL-NR30M). During the event, offsite power was not available in the switchyard until LER 440/03-002 51.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> after the LOOP. Therefore, there was no opportunity to recover offsitepower in 30 minutes and OEP-XHE-XL-NR30M was set to TRUE.
SProbability of failure to recover offsite power in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (OEP-XHE-XL-NR01H).During the event, offsite power was not available in the switchyard until 1.5 hour5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />safter the LOOP. Therefore, there was no opportunity to recover offsite power in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and OEP-XHE-XL-NR01H was set to TRUE.
SProbability of failure to recover offsite power in 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> (OEP-XHE-XL-NR03H). During the event, offsite power was not available in the switchyard until1.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> after the LOOP. Therefore, the operators had approximately 1.5 hour5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />sto recover offsite power to the vital safety buses. Using the SPAR human error model to determine the value (see Attachment C), OEP-XHE-XL-NR03H was set to 1.0x10-2.SProbability of failure to recover offsite power in 7 hours8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br /> (OEP-XHE-XL-NR07H). During the event, offsite power was not available in the switchyard until1.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> after the LOOP. Therefore, the operators had approximately 6.5 hour5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />sto recover offsite power to the vital safety buses. Using the SPAR human error model to determine the value (see Attachment C), OEP-XHE-XL-NR07H was set to 1.0x10-3.SProbability of failure to recover offsite power in 16 hours1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br /> (OEP-XHE-XL-NR016H). During the event, offsite power was not available in the switchyard until1.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> after the LOOP. Therefore, the operators had approximately 14.5 hour5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />sto recover offsite power to the vital safety buses. Using the SPAR human error model to determine the value (see Attachment C), OEP-XHE-XL-NR16H was set to 1.0x10-3.SProbability that restart of RCI is required (RCI-RESTART). During the event,RCI and HPCS automatically started to provide flow to the reactor vessel. Uponreaching level 8 in the reactor, both systems were isolated. RCIC was later used to provide makeup inventory to the reactor. Since RCI restart occurred, RCI-RESTART was set to TRUE.
SProbability of RCI TDP failing to run (RCI-TDP-FR-TRAIN). Approximately 5hours into the event, the RCIC turbine-driven pump was automatically isolatedbecause of high steam tunnel temperature due to a loss of ventilation. Therefore, RCI-TDP-FR-TRAIN was set to TRUE.
SProbability of operator failing to recover failure of RCI to run (RCI-XHE-XL-RUN). This event represents the probability that an operator fails to recover thefailure of the RCI TDP to run. During this event, the RCI TDP was taken offline, not because of mechanical failure, but because of an inhospitable plant environment (high steam tunnel temperature). Therefore, for this analysis, RCI-XHE-XL-RUN was updated to represent a composite of two distinct failure modes, mechanical failure and inhospitable plant environment. The mechanical failure portion was calculated by multiplying the probability of mechanical failure (1.2x10
-2) by theprobability of operator recovery of mechanical failure (5.0x10
-1), yielding an overallmechanical failure probability of 6.0x10
-3. The probability of the operator failing torecover the RCI TDP from the inhospitable plant environment was calculated using LER 440/03-002 6the SPAR human error model to determine the diagnosis and recovery value,5.5x10-3 (see Attachment C). RCI-XHE-XL-RUN was set to the sum of the twoprobabilities, 1.15x10
-2.SRHR-A is unavailable because of keep-fill system failures (RHR-A-KEEP-FILL).This event represents the short-term failure-to-run (< 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />) of the RHR train A.Since the pump was unavailable for the first 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, RHR-A-KEEP-FILL was setto 1.0. (Note: Due to the way that the GEM program applies recovery rules, RHR-A-KEEP-FILL must be set to 1.0, not TRUE.)
SRHR-A train keep-fill nonrecovery after 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (RHR-A-KEEP-FILL-REC). Thisevent represents the long-term (> 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />) failure-to-recover the keep-fill system.Since the RHR system was available after the first 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />, long-term recovery ofthe system was credited. Using the SPAR human error model to determine thevalue (see Attachment D), RHR-A-KEEP-FILL-REC was set to 2.1x10
-1. This isassumed to be the mean of a constrained noninformative distribution.
SProbability of diesel generators failing to run (ZT-DGN-FR-L). The defaultdiesel generator mission times were changed to reflect the actual time to recover power to the first safety bus (approximately 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />). Since the overall fail-to-run is made up of two separate factors, the mission times for the factors were set to the following: ZT-DGN-FR-E = 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (base case value) and ZT-DGN-FR-L = 8.75 hours8.680556e-4 days <br />0.0208 hours <br />1.240079e-4 weeks <br />2.85375e-5 months <br />. References 1.Licensee Event Report 440/03-002, Revision 1, Reactor Scram Due to Electric GridDisturbance, event date December 2, 2003 (ADAMS Accession No. ML033530117).2.NRC Region 1 Grid Special Report, October 15, 2003 (ADAMS Accession No.ML0324102160).3.NRC Special Inspection Report 440/03-009, October 10, 2003 (ADAMS Accession No.ML032880107).4.Licensee Event Report 440/03-005, Revision 1, Technical Specification Violation/Loss ofSafety Function due to Air Bound Water-leg Pump, event date October 31, 2003 (ADAMSAccession No. ML040070073).5.J. A. Schroeder, Standardized Plant Analysis Risk Model for Nine Mile Point 2 (ASP BWR C), Revision 3.10, December 2004.6.D. Gertman, et al., SPAR-H Method, INEEL/EXT-02-10307, Draft for Comment, November2002 (ADAMS Accession No. ML0315400840).
LER 440/03-002 7Table 1. Conditional probabilities associated with the highest probability sequen ces.Event treenameSequence no.Conditional core damageprobability (CCDP)1PercentagecontributionLOOP301.2x10
-544.4%LOOP218.3x10
-630.7%Total (all sequences) 22.7x10-51.Values are point estimates. (File name: GEM 440-03-002 12-13-2004.wpd)2.Total CCDP includes all sequences (including those not shown in this table).Table 2a. Event tree sequence logic for the dominant sequences.Event treenameSequence no.Logic("/" denotes success; see Table 2b for top event names)LOOP30/RPS, /EPS, /SRV, HCS, RCI, /DEP, LPILOOP21/RPS, /EPS, /SRV, HCS, /RCI, SPC, /DEP, LPI, VATable 2b. Definitions of fault trees listed in Table 2a.DEPMANUAL DEPRESSURIZATION FAILSEPSLOSS OF ONSITE EMERGENCY POWERHCSHPCS FAILS TO PROVIDE SUFFICIENT FLOW TO REACTOR VESSELLPILOW-PRESSURE INJECTION IS UNAVAILABLERCIRCIC FAILS TO PROVIDE SUFFICIENT FLOW TO REACTOR VESSELRPSREACTOR SHUTDOWN FAILSSPCSUPPRESSION COOLING MODE OF RHR FAILSSRVONE OR MORE SRVS FAIL TO CLOSEVAALTERNATE LOW-PRESSURE INJECTION FAILS LER 440/03-002 8Table 3. Conditional cut sets for dominant sequen ces.CCDP 1PercentcontributionMinimal cut sets 2Event Tree: LOOP, Sequence 305.0x10-74.1SSW-MDP-TM-TRNC EPS-DGN-FR-DGBRCI-XHE-XL-RUN RHR-A-KEEP-FILLLCS-KEEP-FILL 2.9x10-72.4RCI-XHE-XO-ERROR EPS-DGN-FR-DGBRHR-A-KEEP-FILL LCS-KEEP-FILLHCS-XHE-XO-ERROR1 2.5x10-72.1ECW-MDP-TM-C001B SSW-MDP-TM-TRNCRCI-XHE-XL-RUN RHR-A-KEEP-FILLLCS-KEEP-FILL 2.5x10-72.1SSW-MDP-TM-TRNC EPS-DGN-FR-DGBRCI-TDP-FS-RSTRT RCI-XHE-XL-RSTRTRHR-A-KEEP-FILL LCS-KEEP-FILL1.2x10-5Total (all cut sets) 3Event Tree: LOOP, Sequence 214.2x10-75.1OPR-XHE-XM-ALPI SSW-MDP-TM-TRNCEPS-DGN-FR-DGB RHR-A-KEEP-FILLLCS-KEEP-FILL 2.1x10-72.5OPR-XHE-XM-ALPI ECW-MDP-TM-C001BSSW-MDP-TM-TRNC RHR-A-KEEP-FILLLCS-KEEP-FILL 2.1x10-72.5FWS-EDP-TM-TRN SPCAISSW-MDP-TM-TRNC EPS-DGN-FR-DGBRHR-A-KEEP-FILL LCS-KEEP-FILL2.1x10-72.5OPR-XHE-XM-ALPI EPS-DGN-FR-DGBEPS-DGN-FR-DGC RHR-A-KEEP-FILLLCS-KEEP-FILL 8.3x10-6Total (all cut sets) 31.Values are point estimates.2.See Table 4 for definitions and probabilities for the basic events.3.Totals include all cut sets (including those not shown in this table).
LER 440/03-002 9Table 4. Definitions and probabilities for modified or dominant basic events.Event nameDescriptionProbability/frequencyModifiedECW-MDP-TM-C001BECW PUMP 1B IS IN TEST ORMAINTENANCE5.0x10-3 NoEPS-DGN-FR-DGBEDG B FAILS TO RUN1.0x10
-2 NoEPS-DGN-FR-DGCEDG C FAILS TO RUN1.0x10
-2 NoFWS-EDP-TM-TRAINDIESEL FIREWATER PUMPUNAVAILABLE BECAUSE OF TEST ANDMAINTENANCE5.0x10-3 NoHCS-XHE-XO-ERROR1OPERATOR FAILS TO START/CONTROLHPCS INJECTION1.4x10-1 NoIE-LOOPLOSS OF OFFSITE POWER INITIATINGEVENT1.0Yes 1LCS-KEEP-FILLLCS PUMP TRAIN IS UNAVAILABLEBECAUSE OF KEEP-FILL SYSTEMFAILURES (OPERATOR FAILURE TORECOVER)2.1x10-1Yes 2OEP-XHE-XL-NR30MOPERATOR FAILS TO RECOVEROFFSITE POWER IN 30 MINUTESTRUEYes 3OEP-XHE-XL-NR01HOPERATOR FAILS TO RECOVEROFFSITE POWER IN 1 HOURTRUEYes 3OEP-XHE-XL-NR03HOPERATOR FAILS TO RECOVEROFFSITE POWER IN 3 HOURS1.0x10-2Yes 3OEP-XHE-XL-NR07HOPERATOR FAILS TO RECOVEROFFSITE POWER IN 7 HOURS1.0x10-3Yes 3OEP-XHE-XL-NR16HOPERATOR FAILS TO RECOVEROFFSITE POWER IN 16 HOURS1.0x10-3Yes 3OPR-XHE-XM-ALPIOPERATOR FAILS TO ALIGNALTERNATE LOW PRESSUREINJECTION1.0x10-2 NoRCI-RESTARTRESTART OF RCIC IS REQUIREDTRUEYes 2RCI-TDP-FR-TRAINRCIC FAILS TO RUN GIVEN THAT ITSTARTEDTRUEYes 2RCI-TDP-FS-RSTRTRCIC FAILS TO RESTART GIVEN STARTAND SHORT-TERM RUN1.2x10-2 NoRCI-XHE-XL-RSTRTOPERATOR FAILS TO RECOVER RCICFAILURE TO RESTART5.0x10-1 NoRCI-XHE-XL-RUNOPERATOR FAILS TO RECOVER RCICFAILURE TO RUN1.2x10-2Yes 2RCI-XHE-XO-ERROROPERATOR FAILS TO START/CONTROLRCIC INJECTION 1.0x10-3 NoRHR-A-KEEP-FILLRHR-A TRAIN IS UNAVAILABLEBECAUSE OF KEEP-FILL SYSTEMFAILURES1.0Yes 2 LER 440/03-002Event nameDescriptionProbability/frequencyModified 10RHR-A-KEEP-FILL-RECRHR TRAIN A KEEP-FILL NONRECOVERYAFTER 6 HOURS2.1x10-1Yes 2SPCAISUPPRESSION POOL CLEANUPALTERNATE INJECTION FAILS1.0NoSSW-MDP-TM-TRNCSSW PUMP C IS UNAVAILABLEBECAUSE OF MAINTENANCE2.0x10-2 NoZT-DGN-FR-LEDG FAILS TO RUN (LATE)7.0x10
-3Yes 41.Initiating event assessment- all other initiating event frequencies set zero.2.Changed to reflect to the event being analyzed. See report and Basic Event Probability Changes for further details. 3.Evaluated per the SPAR-H method (Ref. 4). See report and Attachment C for further details. 4.Changed mission times to correspond to the time offsite power was restored to the first vital bus. See report and Basic Event Probability Changes for further details.
LER 440/03-002 11Attachment AEvent TimelineTable A.1 Timeline of significant events.DateTimeEvent8/14/031610Generator, turbine, and reactor trip due to grid instability1737Offsite power is restored to the switchyard1813Division 1 emergency bus is switched to offsite power source 378471214Division 3 emergency bus is switched to offsite power source1548Division 2 emergency bus is switched to offsite power source LER 440/03-002 2 ASP Guideline A: Detailed Analysis, U.S. Nuclear Regulatory Commission.
12Attachment BLOOP Analysis ProcedureThis procedure is not intended to stand alone; instead it is intended to augment ASP Guideline A:Detailed Analysis
- 2. LOOP event analyses are a type of initiating event assessment as describedin ASP Guideline A. Specific analysis steps that are unique to ASP analysis of LOOP events are included here.1.Determine significant facts associated with the event.1.1Determine when the LOOP occurred.1.2Determine when stable offsite power was first available in the switchyard.
1.3Determine when offsite power was first restored to an emergency bus.
1.4Determine when offsite power was fully restored (all emergency buses poweredfrom offsite, EDGs secured).1.5Identify any other significant conditions, failures, or unavailabilities that coincidedwith the LOOP.2.Model power recovery factors associated with the best estimate case and anydefined sensitivity cases.2.1For the best estimate case, the LOOP duration is the time between the occurrenceof the LOOP and the time when stable power was available in the switchyard plus the assumed time required to restore power from the switchyard to emergency buses. Attachment C documents the probabilistic analysis of power recoveryfactors for the best estimate case analysis.2.2If EDGs successfully start and supply emergency loads, plant operators do nottypically rush to restore offsite power to emergency buses, preferring to wait until grid stability is more certain. Therefore, a typical upper bound sensitivity caseconsiders the LOOP duration as the time between the occurrence of the LOOP andthe time when offsite power was first restored to an emergency bus. Attachment C documents the probabilistic analysis of power recovery factors for the sensitivitycase analysis.3.Model event-specific mission durations for critical equipment for the best estimatecase and any defined sensitivity cases. (For most equipment, SPAR model failure probabilities are not functions of defined mission durations and are therefore not affected by this analysis step. Notable exceptions include EDGs and, for PWRs, turbine-driven auxiliary feedwater pumps.)3.1For the best estimate case, mission durations are set equal to the assumed LOOPduration as defined in Step 2.1 above.3.2For a typical upper bound sensitivity case, mission durations are set equal to thetime between the occurrence of the LOOP and the time when offsite power was fully restored to all emergency buses. (Note these mission durations are longer than the assumed LOOP duration defined in Step 2.2 above; they are intended to representthe longest possible mission duration for any critical equipment item.)
LER 440/03-002 13Attachment CPower Recovery Modeling
!Backgr oundThe time required to restore offsite power to plant emergency equipment is a significantfactor in modeling the CCDP given a LOOP. SPAR LOOP/SBO models include varioussequence-specific ac power recovery factors that are based on the time available to recover power to prevent core damage. For a sequence involving failure of all of the cooling sources, only about 30 minutes would be available to recover power to help avoid core damage. On the other hand, sequences involving successful early inventory control anddecay heat removal, but failure of long-term decay heat removal, would accommodate several hours to recover ac power prior to core damage.In this analysis, offsite power recovery probabilities are based on (1) known informationabout when power was restored to the switchyard and (2) estimated probabilities of failingto realign power to emergency buses for times after offsite power was restored to the switchyard. Power restoration times were reported by the licensee in the LER and in response to the questionnaire that was conducted by the NRC Regional Office. The timeused is the time at which the grid operator informed the plant that power was available tothe switchyard (with a load limit). This ASP analysis does not consider the possibility thatgrid power would have been unreliable if that power were immediately used. Failure to recover offsite power to plant safety-related loads (if needed because EDGs failto supply the loads), given recovery of power to the switchyard, could result from (1) operators failing to restore proper breaker line-ups, (2) breakers failing to close on demand,or (3) a combination of operator and breaker failures. The dominant contributor to failure to recover offsite power to plant safety-related loads in this situation is operators failing torestore proper breaker line-ups. The SPAR human error model (ref.) was used to estimate nonrecovery probabilities as a function of time following restoration of offsite power to theswitchyard. The best estimate analysis assumes that at least 30 minutes are necessary to restore offsite power to emergency buses given offsite power is available in the switchyard.
!Human Error ModelingThe SPAR human error model generally considers the following three factors:
SProbability of failure to diagnose the need for action SProbability of failure to successfully perform the desired action SDependency on other operator actions involved in the specific sequence of interestThis analysis assumes no probability of failure to diagnose the need to recover ac powerand no dependency between operator performance of the power recovery task and any other task the operators may need to perform. Thus, each estimated ac power nonrecovery probability is based solely on the pr obability of failure to successfully perform the desiredaction.The probability of failure to perform an action is the product of a nominal failure probability(1.0x10-3) and the following eight performance shaping factors (PSFs):
LER 440/03-002 14 SAvailable time SStress SComplexity SExperience/training SProcedures SErgonomics SFitness for duty SWork processesFor each ac power nonrecovery probability, the PSF for available time is assigned a valueof 10 if the time available to perform the action is approximately equal to the time required to perform the action, 1.0 if the time available is between 2 and 4 times the time required, and 0.1 if the time available is greater than or equal to 5 times the time required. If the timeavailable is inadequate (i.e., less than the time to restoration of power to the switchyard plus 30 minutes for the best estimate), the ac power nonrecovery probability is 1.0 (TRUE).The PSF for stress is assigned a value of 5 (corresponding to extreme stress) for all acpower nonrecovery probabilities. Factors considered in assigning this PSF incl ude thesudden onset of the LOOP initiating event, the duration of the event, the existence ofcompounding equipment failures (ac power recovery is needed only if one or more emergency buses are not powered by EDGs), and the existence of a direct threat to the plant.For all of the ac power nonrecovery probabilities, the PSF for complexity is assigned a valueof 2 (corresponding to moderately complex) based on the need for multiple breaker alignments and verifications.For all of the ac power nonrecovery probabilities, the PSFs for experience/training,procedures, ergonomics, fitness for duty, and work processes are assumed to be nominal (i.e., are assigned values of 1.0).
!ResultsTable C.1 presents the calculated values for the ac power nonrecovery probabilities usedin the best estimate analysis. Table C.1 AC Power Nonrecovery ProbabilitiesNonrecovery FactorNominalValue PSFNonrecoveryProbabilityTimeAvailableProduct ofAll OthersOEP-XHE-XL-NR30M1.0x10
-3Inadequate10TRUEOEP-XHE-XL-NR01H1.0x10
-3Inadequate10TRUEOEP-XHE-XL-NR03H1.0x10
-31101.0x10-2OEP-XHE-XL-NR07H1.0x10
-30.1101.0x10
-3OEP-XHE-XL-NR16H1.0x10
-30.1101.0x10
-2 LER 440/03-002 15Attachment DModified Human Error EventsFor this analysis, the values of two operator recovery events, LCS-KEEP-FILL and RHR-A-KEEP-FILL-REC, were updated using the standard SPAR Model Human Error Worksheet. A summary of the worksheet results are provided by table D.1.Table D.1 Human Error Basic Event ProbabilitiesNonrecovery FactorNominalValue PSF 1Nonrecovery ProbabilityTimeStressComplexityTrainingProceduresLCS-KEEP-FILL(Diagnosis)1.0x10-2.1221502.0x10
-12.1x10-1 (Total)LCS-KEEP-FILL(Action)1.0x10-3.1211501.0x10
-2RHR-A-KEEP-FILL-REC(Diagnosis)1.0x10-2.1221502.0x10
-12.1x10-1 (Total)RHR-A-KEEP-FILL-REC(Action)1.0x10-3.1211501.0x10
-21.All other PSFs were set to nominal (i.e., 1.0).
LILATEINJECTIONCVSCONTAINMENTVENTINGCSSCONTAINMENTSPRAY SPCSUPPRESSIONPOOLCOOLINGOPR-16HOFFSITEPOWERRECOVERYIN 16 HRS VAALTERNATELOW PRESSINJECTIONLPILOWPRESSUREINJECTION DEPMANUALREACTORDEPRESSSPCSUPPRESSIONPOOLCOOLING(EARLY)RCIRCICHCSHPCSSRVSRV'SCLOSE EPSEMERGENCYPOWERRPSREACTORSHUTDOWNIE-LOOP OSS OF OFFSITE POWER
- END-STATE 1 OK 2 OK 3 OK 4 OK 5 CD 6 OK 7 CD 8 OK 9 OK 10 OK 11 OK 12 CD 13 OK 14 CD 15 OK 16 OK 17 OK 18 CD 19 OK 20 CD 21 CD 22 CD 23 OK 24 OK 25 OK 26 OK 27 CD 28 OK 29 CD 30 CD 31 CD 32T LOOP-1 33T LOOP-2 34T SBO 35T ATWS P1 P2LI01LI00LI01LI00LI01LI01LI00LI00Figure 1: Perry LOOP event tree with dominant sequences highlighted.
16 LER 440/03-002 LCS2.1E-1LCS-KEEP-FILL7.2E-5LCS-STR-PG-LPCS5.6E-8RHR-STR-CF-SPOOLDIV-1-ACDIV-1-DCLCS-11.0E-4LCS-CKV-CC-INJEC1.0E-4LCS-CKV-CC-PCKV5.1E-4LCS-MDP-FR-PUMP1.2E-3LCS-MDP-FS-PUMPDIVISION I 125VDC POWER ISUNAVAILABLELPCS PUMP TRAINIS UNAVAILABLEDIVISION I ACPOWER IS UNAVAILABLELPCS SYSTEMFAILURESLCS IS UNAVAILABLEDUE TO KEEPFILLSYSTEM FAILURESECCS SUPPRESSIONPOOL STRAINERSFAIL FROM COMMONCAUSELPCS PUMP DISCHARGECKV FAILS TOOPENLPCS INJECTIONCKV F006 FAILSTO OPENLPCS PUMP FAILSTO RUNLPCS PUMP FAILSTO STARTLPCS SUPPRESSIONPOOL STRAINERPLUGSFigure 2: Perry LCS Fault Tree (The figure is cropped to show event modification) 17 LER 440/03-002 RHR-A1.0E+0RHR-A-KEEP-FILL1.0E-4RHR-CKV-CC-PCKVA5.1E-4RHR-MDP-FR-PUMPA1.2E-3RHR-MDP-FS-PUMPARHR PUMP TRAINA IS UNAVAILABLERHR-A IS UNAVAILABLEDUE TO KEEPFILLSYSTEM FAILURESRHR PUMP A DISCHARGECKVS FAILS TOOPENRHR PUMP A FAILSTO RUNRHR PUMP A FAILSTO STARTFigure 3: Perry RHR-A Fault Tree (The figure is cropped to show event modification) 18 LER 440/03-002