Final ASP Analysis - Oconee 3 (IR 050002872002015)

ML20114E069
Person / Time
Site:	Oconee
Issue date:	05/12/2020
From:	Christopher Hunter NRC/RES/DRA/PRB
To:
Hunter C (301) 415-1394
References
IR 2002015
Download: ML20114E069 (35)
v • d • e

Text

Enclosure 1 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Final Precursor Analysis Accident Sequence Precursor Program ---Office of Nuclear Regulatory Research Oconee Unit 3 Inadequate Installation of Connectors on a Unit 3 HPI Pump Emergency Power Supply Cable from the ASW Switchgea Event Date: May 30, 2002 IR: 50-287/02-15 CDP1 = 3x10-6 October 25, 2004 Condition Summary The inspectors identified an apparent violation (AV) for the failure to adequately implement the vendors written instructions for attaching the "Elastimold" electrical connectors on the "Black" and

"Red" phases of the Unit 3 HPI pump emergency power supply cable from the auxiliary service water (ASW) switchgear. Consequently, by failing to provide reasonable assurance that the pre-staged HPI pump emergency power supply cable would be available for high energy line break (HELB) and/or tornado event recovery. A HELB (i.e., a failure of adjacent main feedwater or auxiliary steam lines) could cause all three colored buses to fail. Similarly, a tornado could also fail the AC power to the plant through damaging both the switchyard and the Keowee hydro units.

Details of this event are described in Attachment A (Refs. 1 and 4).

Condition duration. The apparent violation is analyzed as a plant condition with an exposure period of 1 year.

Recovery opportunities. HPI power connection failure can be recovered from; this is credited in the model.

Analysis Results

! Importance (CDP)

In accordance with the ASP guidelines, this plant condition is analyzed to calculate its importance in terms of increased plant risk while the condition existed (one-year period is used). The analysis is performed for LOOP (leading to SBO), HELB and TORNADO events, where the SSF can be credited. The plant condition importance (delta CDP) for this event is 3 X 10-6 (mean value). This CDP exceeds the Accident Sequence Precursor Program acceptance threshold.

The importance of each event considered is summarized in the following tabl Since this condition did not involve an actual initiating event, the parameter of interest is the measure of the incremental increase between the conditional probability for the period in which the condition existed and the nominal probability for the same period but with the condition nonexistent and plant equipment available. This incremental increase or importance is determined by subtracting the CDP from the CCDP. This measure is used to assess the risk significance of hardware unavailabilities especially for those cases where the nominal CDP is high with respect to the incremental increase of the conditional probability caused by the hardware unavailabilit SENSITIVE - NOT FOR PUBLIC DISCLOSURE

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15 Event CCDP CDP Importance Percent HLOOP 4.4E-06 1.1E-06 3.2E-06 9 TLOOP 6.0E-08 1.6E-08 4.5E-08 LOOP 1.2E-05 1.2E-05 1.0E-07 Sum = 1.7E-05 1.3E-05 3.4E-06 100

! Dominant sequences The following dominant sequences are identified:

Event Sequence CCDP CDP I Importance Percent HLOOP 20-12 2.0E-06 5.4E-08 1.9E-06 56.7%

HLOOP 20-04 2.1E-06 7.6E-07 1.3E-06 38.8%

The first dominant sequence is due to failure of HPI after a LOCA in a HELB event. This failure is represented by the event tree top event HPI-SSF. The dominant sequence is due to failure of HPI after a HELB event where no LOCA is in progress, but an unspecified loss of RCS inventory is assumed to uncover the core in the long term.

! Results tables The conditional probabilities of the sequences with the highest importance are shown in Table 1.

The event tree sequence logic for the sequences with the highest importance are provided in Tables 2a and 2b.

The conditional cut sets for the two sequences with the highest importance are provided in Table 3.

Definitions and probabilities for modified or dominant basic events are provided in Table 4.

Modeling Assumptions

! Assessment Summary This condition involves potential failure of the single available train of HPI when all AC power is lost to the safety systems and the SSF is placed in operation. The SSF is described in Attachment A.

The potential initiating events in which this plant condition can be of consequence are identified as follows:

SENSITIVE - NOT FOR PUBLIC DISCLOSURE

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15 i) SBO during power operation; ii) HELB events during power operation (leading to SBO-like conditions)

iii) Tornado events during power operation (only those leading to SBO conditions).

The three initiating events in which the plant condition may potentially result in increased risk are severe high energy line breaks (HELB) severe tornados (TORNADO), and loss of offsite power events (LOOP) which could lead to SBO conditions at the plant. For each of these events, the existing LOOP and SBO event tree models are used as the starting point and are modified as needed to credit the HPI following SSF actuation (Attachment D discusses the details and provides the event and fault tree pictures).

HELB and tornado event recoveries take credit for the ability to connect a pre-staged 4160 volt alternating current (VAC) emergency power supply cable from the ASW switchgear to an HPI pump after a loss of the associated units essential (colored) electrical busses and necessary standby shutdown facility (SSF) functions. Providing power and utilizing an HPI pump in such a fashion is addressed in: Section 3.2.2 of the Updated Final Safety Analysis Report (UFSAR);

Section 4 of Abnormal Procedure AP/0/1700/006, Natural Disaster; and the Blackout Section of EP/1,2,3/A/1800/001, Emergency Operating Procedure. Critical actions to start an HPI pump need to be performed within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> for an HELB event and 9 hours1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br /> for a tornado event.

Other internal and external events during power operation are not affected by this plant condition.

! Modeling assumptions Key Modeling Assumptions It is assumed that the AC power can not be restored to the emergency buses during the 24-hour mission time following HLOOP and TLOOP SBO events. This is due to the nature of the initiating events which damage AC power equipment. The recovery of these equipment could take a long time in these particular events studied.

Other assumptions.

The two HPI recovery events are independent. A sensitivity analysis is made with these events being dependent. The conclusions do not change.

! Modifications to fault trees models The fault tree models are taken from SPAR models directly, whenever applicable. Two fault trees are made from existing SPAR fault trees as needed :

EFW2-WCC: Credits EFW cross connect to other unit after HELB fails.

HPI-SSF: HPI FT is modified to condition the failure of HPI to recovery of the connection cable (HPI-XHE-REC).

A HPI-SSF-SL fault tree is also made for LOCA sequences; it is the same as HPI-SSF except for two HPI recovery basic events have -SL extension. This fault tree is made to distinguish the potential difference in HPI recovery in LOCA sequences, where the available time window is shorte SENSITIVE - NOT FOR PUBLIC DISCLOSURE

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15 Finally, two single-basic event fault trees are made to represent event tree nodes that are scalars:

EPS-H EPS-T These event trees are used to transfer the HLOOP and TLOOP event trees to HSBO and TSBO event trees.

The fault and event tree pictures are given in Appendix D.

! Basic event probability changes The basic event probability changes are summarized below.

HELB Event Initiating Event Frequency (IE-HELB). This initiating event frequency is introduced as a new event, leading to HLOOP and HSBO events, which progress like LOOP and SBO events already modeled in SPAR. The frequency of is taken from Reference 1 as 3.5E-04/yr.

TORNADO Event Initiating Event Frequency (IE-TORNADO). This initiating event frequency is introduced as a new event, leading to TLOOP and TSBO events, which progress like LOOP and SBO events already modeled in SPAR. This is calculated in Attachment D as 4.86E-06/yr.

AC Recovery in HSBO and TSBO (OEP-1H, OEP-SL, OEP-BD). The basic events for OEP-1H, OEP-SL, and OEP-BD event tree tops are set equal to failure (no AC recovery credited) in HLOOP and TLOOP SBO event trees during the mission time, due to the nature of the initiating events where recovery is expected to be long term. . This is done by setting the following basic events to failure (TRUE):

OEP-XHE-NOREC-1H OPERATOR FAILS TO RECOVER OFFSITE POWER WITHIN 1 HR OEP-XHE-NOREC-BD OPERATOR FAILS TO RECOVER OFFSITE POWER: BATTERY DEPLETION OEP-XHE-NOREC-SL OPERATOR FAILS TO RECOVER OFFSITE POWER (SEAL LOCA)

AC Recovery in SBO(OEP-1H, OEP-SL, OEP-BD). The basic events for OEP-1H, OEP-SL, and OEP-BD event tree tops are left as in the SPAR model for the SBO event. To distinguish this recovery from the HSBO and TSBO events, the basic events associated with AC recovery are labeled with an addition of the letter N and retained with their base SPAR values:

OEP-XHE-NOREC-1HN OPERATOR FAILS TO RECOVER OFFSITE POWER WITHIN 1 HR OEP-XHE-NOREC-SLN OPERATOR FAILS TO RECOVER OFFSITE POWER (SEAL LOCA)

OEP-XHE-NOREC-BDN OPERATOR FAILS TO RECOVER OFFSITE POWER: BATTERY DEPLETION HPI RECOVERY, SHORT TERM (HPI-XHE-CON, HPI-XHE-CON-SL). This human action represents the short term recovery, where the operator tightens the connector (-SL extension is used for LOCA sequences). The HEPs are calculated in Attachment B, as 0.3 for both cases.

HPI RECOVERY, LONG TERM (HPI-XHE-REP, HPI-XHE-REP-SL). This human action represents the longer term recovery (repair) of the HPI connection (-SL extension is used for LOCA sequences). The HEP is calculated in Attachment B, as 0.05; for LOCA sequences, the HEP is SENSITIVE - NOT FOR PUBLIC DISCLOSURE

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15 LOOP Flags for HELB and TORNADO Events (XX-EPS-H, XX-EPS-T). These two basic events are introduced in the HLOOP and TLOOP event tree node fault trees EPS-H and EPS-T to transfer the HLOOP and TLOOP events to HSBO and TSBO event trees.

! Sensitivity Analyses A sensitivity analysis is made to calculate the event importance if the HPI recovery HEPs are assumed to be dependent (see discussion at the end of Attachment B). In that case the probability of the basic event HPI-XHE-REP becomes 0.1. When the GEM code is run with this value substituted in, the event importance is calculated as 5E-06. This result does not change the conclusions of the analysis.

! SPAR Model updates No SPAR model updates are made.

References NRC Letter EA-02-243 dated November 21, 2002, Subject: Oconee Nuclear Station -

NRC Inspection report 50-269/02-15, 50-270/02-15,and 50-287/02-15; Preliminary White Finding ADAMS Accession No. ML023250552) Oconee Nuclear Station, Units 1, 2, and 3 Postulated high-energy line breaks in turbine building leading to failure of safety-related 4-kV switchgear, Event Date: February 24, 1999, LER 269-99-001, USNRC OERAB Report, Sunil Weerakkody, Erul Chelliah. ASP Analysis. ADAMS Accession No. ML012910027) Final Precursor Analysis, June 25, 2003 for the Oconee 04/01/2000 Even ADAMS Accession No. ML032100335 SDP/Enforcement Panel Worksheet, ADAMS Accession No. EA-02-243, 11/06/02, ML040900358. Duke Power Letter Dated January 10, 2003. Subject: Oconee Nuclear Station - Units 1,2 and 3 Docket Nos 50-269, 50-270, 50-2887 Response to NRC Preliminary White Finding

SENSITIVE - NOT FOR PUBLIC DISCLOSURE

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15 Table 1. Sequences Contributing to Event Importance Event Sequence CCDP CDP I Importance Percent HLOOP 20-12 2.0E-06 5.4E-08 1.9E-06 56.7%

HLOOP 20-04 2.1E-06 7.6E-07 1.3E-06 38.8%

LOOP 20-10 5.7E-08 1.4E-09 5.5E-08 1.6%

LOOP 20-12 3.6E-08 8.3E-10 3.5E-08 1.0%

TLOOP 20-12 2.7E-08 7.1E-10 2.6E-08 0.8%

TLOOP 20-04 2.9E-08 1.1E-08 1.9E-08 0.6%

LOOP 20-04 2.2E-08 7.9E-09 1.4E-08 0.4%

Sum = 4.3E-06 8.4E-07 3.3E-06 100%

Table 2a. Event Tree Sequence Logic for Top Sequences Event Tree Sequence Logic Name Number (/ denotes success; see Table 2b for fault tree names)

HLOOP 20-12 /RPS EPS-H /EFW2-WCC /PORV4 OEP-1H RCPSL OEP-SL HPI-SSF-SL HLOOP 20-04 /RPS EPS-H /EFW2-WCC /PORV4 OEP-1H

/RCPSL OEP-BD HPI-SSF LOOP 20-10 /RPS EPS /EFW2-WCC /PORV4 OEP-1HN RCPSL /OEP-SLN HPI-SSF-SL LOOP 20-12 /RPS EPS /EFW2-WCC /PORV4 OEP-1HN RCPSL OEP-SLN HPI-SSF-SL TLOOP 20-12 /RPS EPS-T /EFW /PORV4 OEP-1H RCPSL OEP-SL HPI-SSF-SL TLOOP 20-04 /RPS EPS-T /EFW /PORV4 OEP-1H

/RCPSL OEP-BD HPI-SSF LOOP 20-04 /RPS EPS /EFW2-WCC /PORV4 OEP-1HN

/RCPSL OEP-BDN HPI-SSF

SENSITIVE - NOT FOR PUBLIC DISCLOSURE

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15 Table 2b. Definitions of Top Events Listed in Table 2a Fault Tree Description Name EFW NO OR INSUFFICIENT EFW FLOW EFW2-WCC NO OR INSUFFICIENT EFW FLOW DURING SBO EPS OCONEE 1 2 & 3 PWR D EMERGENCY POWER SYSTEM FAILS EPS-H EPS FAILS AFTER HELB EPS-T EPS FAILS AFTER TORNADO HPI-SSF NO OR INSUFFICIENT FLOW FROM THE HPI SYSTEM HPI2 OCONEE 1 2 & 3 PWR D HPI USING LOOP-FTF FLAGS OEP-1H OCONEE 1 2 & 3 PWR D OFFSITE POWER RECOVERY 1 HR OEP-SL OCONEE 1 2 & 3 PWR D RECOVER OFFSITE POWER (SEAL LOCA)

PORV4 OCONEE 1 2 & 3 PWR D PORV/SRVs OPEN DURING SBO RCPSL OCONEE 1 2 & 3 PWR D REACTOR COOLANT PUMP SEALS FAIL RPS OCONEE 1 2 & 3 PWR D REACTOR FAILS TO TRIP

SENSITIVE - NOT FOR PUBLIC DISCLOSURE

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15 Table 3. Cutsets for Dominant Sequences Sequence HELB 20-12 Probability Cutset Elements 7.446E-07 IE-HLOOP SSF-XHE-XA-RCM HPI-XHE-CON-SL HPI-XHE-REP-SL RCP-MDP-LK-SEALS 2.8908E-07 IE-HLOOP SSF-DGN-FR-SSF HPI-XHE-CON-SL HPI-XHE-REP-SL RCP-MDP-LK-SEALS 2.2776E-07 IE-HLOOP SSF-DGN-TM-SSF HPI-XHE-CON-SL HPI-XHE-REP-SL RCP-MDP-LK-SEALS 2.0148E-07 IE-HLOOP SSF-MDP-TM-SWP HPI-XHE-CON-SL HPI-XHE-REP-SL RCP-MDP-LK-SEALS 9.636E-08 IE-HLOOP SSF-DGN-FS-SSF HPI-XHE-CON-SL HPI-XHE-REP-SL RCP-MDP-LK-SEALS 7.446E-08 IE-HLOOP HPI-XHE-CON-SL SSF-ACU-FS-HVAC2 HPI-XHE-REP-SL RCP-MDP-LK-SEALS 7.446E-08 IE-HLOOP SSF-XHE-XA-SSF HPI-XHE-CON-SL HPI-XHE-REP-SL RCP-MDP-LK-SEALS 2.2776E-08 IE-HLOOP SSF-MOV-CC-RCM97 HPI-XHE-CON-SL HPI-XHE-REP-SL RCP-MDP-LK-SEALS 2.2776E-08 IE-HLOOP SSF-MOV-CC-RCM398 HPI-XHE-CON-SL HPI-XHE-REP-SL RCP-MDP-LK-SEALS 2.2776E-08 IE-HLOOP SSF-MDP-FS-SWP HPI-XHE-CON-SL HPI-XHE-REP-SL RCP-MDP-LK-SEALS 2.2776E-08 IE-HLOOP SSF-PDP-FS-RCM HPI-XHE-CON-SL HPI-XHE-REP-SL RCP-MDP-LK-SEALS 2.2776E-08 IE-HLOOP SSF-MOV-CC-RCM52 HPI-XHE-CON-SL HPI-XHE-REP-SL RCP-MDP-LK-SEALS Sequence HELB 20-4 Probability Cutset Elements 5.256E-07 IE-HLOOP SSF-XHE-XA-RCM HPI-XHE-CON HPI-XHE-REP 2.1024E-07 IE-HLOOP SSF-DGN-FR-SSF HPI-XHE-CON HPI-XHE-REP 1.6644E-07 IE-HLOOP SSF-DGN-TM-SSF HPI-XHE-CON HPI-XHE-REP 1.4016E-08 IE-HLOOP SSF-MDP-TM-SWP HPI-XHE-CON HPI-XHE-REP 1.0512E-08 IE-HLOOP SSF-XHE-XA-RCM HPI-MOV-CC-26 1.0512E-08 IE-HLOOP SSF-XHE-XA-RCM HPI-MDP-FS-B 6.6576E-09 IE-HLOOP SSF-DGN-FS-SSF HPI-XHE-CON HPI-XHE-REP 5.256E-09 IE-HLOOP HPI-XHE-CON HPI-XHE-REP SSF-ACU-FS-HVAC2 5.256E-09 IE-HLOOP SSF-XHE-XA-SSF HPI-XHE-CON HPI-XHE-REP 4.1172E-09 IE-HLOOP SSF-DGN-FR-SSF HPI-MDP-FS-B 4.1172E-09 IE-HLOOP SSF-DGN-FR-SSF HPI-MOV-CC-26 3.504E-09 IE-HLOOP SSF-XHE-XA-RCM HPI-XHE-XR-MDPB 3.2412E-09 IE-HLOOP SSF-DGN-TM-SSF HPI-MDP-FS-B 3.2412E-09 IE-HLOOP SSF-DGN-TM-SSF HPI-MOV-CC-26 2.8032E-09 IE-HLOOP SSF-MDP-TM-SWP HPI-MOV-CC-26 2.8032E-09 IE-HLOOP SSF-MDP-TM-SWP HPI-MDP-FS-B 2.5404E-09 IE-HLOOP SSF-XHE-XA-RCM HPI-MDP-FR-B

SENSITIVE - NOT FOR PUBLIC DISCLOSURE

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15 Table 4. Definitions and Probabilities for Modified or Dominant Basic Events Basic Events whose probabilities are changed:

Event Name Description Base Prob Curr Prob HPI-XHE-CON OP FAILS TO RECOGNIZE LOOSE +0.0E+000 3.0E-001 HPI-XHE-CON-SL OP FAILS TO RECOGNIZE LOOSE +0.0E+000 3.0E-001 HPI-XHE-REP HPI RECOVERY FAILURE AFTER H +0.0E+000 5.0E-002 HPI-XHE-REP-SL HPI RECOVERY FAILURE AFTER H +0.0E+000 1.0E+000 Basic events whose probabilities remain the same as the base model:

Event Name Description Prob

--------------------------------------------- ---------

ACP-BAC-LP-3TC 4160VAC BUS 3TC FAILS 9.0E-005 ACP-XFM-FC-CT4 TRANSFORMER CT4 FROM KEOWEE HYDRO UNITS FAILS 2.4E-004 CCS-AOV-OC-CC8 FAILURE OF CCS DISCHARGE AOV CC-8 TO COOLERS 4.0E-005 CCS-CKV-CC-CC20 COMPONENT COOLING DISCHARGE CKV CC-20 FAILS 1.0E-004 CCS-CKV-CC-CC24 COMPONENT COOLING DISCHARGE CKV CC-24 FAILS 1.0E-004 CCW-LK_KEOWEE2 LAKE KEOWEE WATER LEVEL <=799' SIPHON FLOW C 9.8E-001 DHR-HTX-CF-ALL COMMON CAUSE FAILURE OF DHR HTXS 3.7E-005 DHR-MDP-CF-STRT DHR PUMP COMMON CAUSE FAILURE TO START 1.2E-004 DHR-MDP-FS-B DHR MDP B FAILS TO START 3.0E-003 DHR-MDP-TM-B DHR MDP B UNAVAILABLE DUE TO TEST AND MAINTEN 2.8E-003 DHR-MOV-CC-HOTLP1 HOT LEG MOV LP-1 FAILS TO OPEN 3.0E-003 DHR-MOV-CC-HOTLP2 HOT LEG MOV LP-2 FAILS TO OPEN 3.0E-003 DHR-MOV-CC-HOTLP3 HOT LEG MOV LP-3 FAILS TO OPEN 3.0E-003 DHR-XHE-XM OPERATOR FAILS TO INITIATE THE DHR SYSTEM 2.0E-003 EFW-AOV-CF-FCV EFW FLOW CONTROL VALVE COMMON CAUSE FAILURES 3.0E-005 EFW-CKV-CF-PMPS CCF OF EFW PUMP DISCHARGE CHECK VALVES 4.2E-006 EFW-CKV-CF-SGS CCF OF STEAM GENERATOR INLET CHECK VALVES 1.3E-005 EFW-CROSS-CONNECT EFW CROSS CONNECT TO OTHER UNIT AFTER HELB FA 2.6E-001 EFW-PMP-CF-ALL COMMON CAUSE FAILURE OF EFW PUMPS 1.4E-006 EFW-XHE-XM-CONHOT OPERATOR FAILS TO SWITCHOVER TO HOTWELL 1.0E-003 EFW-XHE-XM-XTIE OPERATOR FAILS TO ALIGN EFW FROM ANOTHER UNIT 5.0E-002 EPS-CBL-FC-OH KEOWEE 230KV OVERHEAD SUPPLY FAILS 5.6E-003 EPS-CBL-FC-UG KEOWEE 13.8KV UNDERGROUND STBY SUPPLY FAILS 5.6E-003 EPS-HEU-CF-KEOR COMMON CAUSE FAILURE OF KEOWEE HYDRO UNITS TO 7.2E-004 EPS-HEU-CF-KEOS COMMON CAUSE FAILURE OF KEOWEE HYDRO UNITS TO 1.5E-004 EPS-HEU-FR-KU1 KEOWEE UNIT 1 HYDRO ELECTRIC FAILS TO RUN 3.4E-003 EPS-HEU-FR-KU2 KEOWEE UNIT 2 HYDRO ELECTRIC FAILS TO RUN 3.4E-003 EPS-HEU-FS-KU1 KEOWEE UNIT 1 HYDRO ELECTRIC FAILS TO START 2.3E-003 EPS-HEU-FS-KU2 KEOWEE UNIT 2 HYDRO ELECTRIC FAILS TO START 2.3E-003 EPS-HEU-TM-KEOWE COMMON MAINTENANCE OF KEOWEE HYDRO UNITS 5.2E-004 EPS-HEU-TM-KU1 KEOWEE UNIT 1 HYDRO ELECTRIC UNAVAILABLE DUE 1.4E-002 EPS-HEU-TM-KU2 KEOWEE UNIT 2 HYDRO ELECTRIC UNAVAILABLE DUE 1.4E-002 HPI-MDP-CF-RUN CCF OF HPI PUMPS FOR RCP SEAL COOLING 1.8E-002 HPI-MDP-CF-STRT CCF OF HPI MDPS TO START 3.9E-002 HPI-MDP-FR-B HPI MDP B FAILS TO RUN 7.2E-004 HPI-MDP-FS-B HPI MDP B FAILS TO START 3.0E-003 HPI-MDP-TM-B HPI MDP B UNAVAILABLE DUE TO TEST AND MAINTEN 9.4E-003 HPI-MOV-CC-26 HPI TRAIN A DISCHARGE MOV HP-26 TO LOOP A FAI 3.0E-003 HPI-XHE-XR-MDPB OP FAILS TO RESTORE HPI MDP B 1.0E-003 HPR-MOV-CF-BWST CCF OF HPI/BWST ISOLATION MOVS 3HP-24/25 1.0E-004 HPR-XHE-XM OPERATOR FAILS TO INITIATE PIGGY-BACK HPR COO 2.0E-003 LPR-MOV-CC-16 LPR CLR B OUTLET ISOL MOV LP-16 TO HPI SUCTIO 3.0E-003 LPR-MOV-CC-SMPB SUMP ISOLATION MOV LP20 FAILS TO OPEN 3.0E-003 LPR-MOV-CF-BWST BWST ISOLATION MOVS COMMON CAUSE FAILURES 1.0E-004 LPR-MOV-CF-SUMP CCF OF SUMP ISOLATION MOVS TO OPEN 1.0E-004 LPR-MOV-OO-BWSTB BWST ISOLATION MOV B FAILS TO CLOSE 3.0E-003 LPR-SMP-FC-SUMP REACTOR BUILDING EMERGENCY SUMP FAILURES 5.0E-005 LSW-MDP-CF-U3 CCF OF UNIT 3 LPSW MOTOR DRIVEN PUMPS TO RUN 2.2E-005 LSW-MDP-CF-U3ST CCF OF UNIT 3 LPSW MDP TO START 2.0E-004 LSW-MDP-FR-3A LPSW MDP 3A FAILS TO RUN 7.2E-004 LSW-MDP-FS-3A LPSW MDP 3A FAILS TO START 3.0E-003 LSW-MDP-TM-3B LPSW MDP 3B UNAVAILABLE DUE TO TEST AND MAINT 2.7E-002

SENSITIVE - NOT FOR PUBLIC DISCLOSURE

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15 Event Name Description Prob

--------------------------------------------- ---------

LSW-MOV-CC-5 LPI TRAIN B COOLER DISCH ISOL MOV 5 FAILS TO 3.0E-003 LSW-STR-CF-3DS CCF OF UNIT 3 LPSW MDP SUCTION DUPLEX FILTERS 1.5E-005 LSW-STR-CF-3SF CCF OF UNIT 3 LPSW SYSTEM PUMP SEAL WATER FIL 1.5E-005 OEP-XHE-NOREC-1HN OPERATOR FAILS TO RECOVER OFFSITE POWER WITHI 1.2E-001 OEP-XHE-NOREC-2H OPERATOR FAILS TO RECOVER OFFSITE POWER WITHI 6.4E-002 OEP-XHE-NOREC-BDN OPERATOR FAILS TO RECOVER OFFSITE POWER:BATTE 3.7E-001 OEP-XHE-NOREC-SLN OPERATOR FAILS TO RECOVER OFFSITE POWER (SEAL 6.4E-001 PBC-MOV-CF-DHR DHR TO HPI SUPPLY MOVS COMMON CAUSE FAILURES 1.0E-004 PPR-MOV-OO-BLK PORV BLOCK VALVE FAILS TO CLOSE 3.0E-003 PPR-SRV-CO-L PORV/SRVS OPEN DURING LOOP 1.6E-001 PPR-SRV-CO-SBO PORV/SRVS OPEN DURING STATION BLACKOUT 3.7E-001 PPR-SRV-OO-PORV PORV RC66 FAILS TO RECLOSE AFTER OPENING 2.0E-003 PPR-XHE-XM-BLK OPERATOR FAILS TO CLOSE THE BLOCK VALVE 2.0E-003 RCP-AOV-CC-HP31 RCP SEAL COOLING CONTROL AOV FAILS 1.0E-003 RCP-MDP-LK-SEALS RCP SEALS FAIL W/O COOLING AND INJECTION 7.1E-002 RCP-MDP-LK-SEALS1 RCP SEALS FAIL WITHOUT COOLING 1.2E-001 RCP-XHE-XA-HPISEAL OPERATOR FAILS TO ALIGN HPI FOR RCP SEAL COOL 1.0E-003 RPS-VCF-FO-MECH CONTROL ROD ASSEMBLIES FAIL TO INSERT 1.2E-006 SSF-ACU-FS-HVAC2 AIR CONDITIONING UNIT/CHILLER FAILS TO START 1.0E-002 SSF-DGN-FR-SSF SSF DIESEL GENERATOR FAILS TO RUN 3.9E-002 SSF-DGN-FS-SSF SSF DIESEL GENERATOR FAILS TO START 1.3E-002 SSF-DGN-TM-SSF SSF DGN UNAVAILABLE DUE TO T&M 3.1E-002 SSF-MDP-FS-ASW SSF AUXILIARY SERVICE WATER MDP FAILS TO STAR 3.0E-003 SSF-MDP-FS-ASWSUB SUBMERSIBLE PUMP TO ASW MDP SUCTION FAILS TO 3.0E-003 SSF-MDP-FS-SWP SSF DG SERVICE WATER PUMP FAILS TO START 3.0E-003 SSF-MDP-TM-ASW SSF ASW PUMP UNAVAILABLE DUE TO T&M 2.7E-002 SSF-MDP-TM-SWP SSF SERVICE WATER MDP UNAVAILABLE DUE TO T&M 2.7E-002 SSF-MOV-CC-RCM398 SSF RCM DISCHARGE MOV 398 FAILS TO OPEN 3.0E-003 SSF-MOV-CC-RCM52 SSF RCM SUCTION MOV 52 FAILS TO OPEN 3.0E-003 SSF-MOV-CC-RCM97 SSF RCM SUCTION MOV 97 FAILS TO OPEN 3.0E-003 SSF-PDP-FS-RCM SSF REACTOR COOLANT MAKEUP PUMP FAILS TO STAR 3.0E-003 SSF-XHE-XA-ASW OPERATOR FAILS TO INITIATE SSF ASW 3.0E-002 SSF-XHE-XA-RCM OPERATOR FAILS TO INITIATE SSF RCM 1.0E-001 SSF-XHE-XA-SSF OPERATOR FAILS TO INITIATE STANDBY SHUTDOWN F 1.0E-002

SENSITIVE - NOT FOR PUBLIC DISCLOSURE

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15 Attachment A:

Description of Event On May 30, 2002, during maintenance activities, the connector on the "Black" phase of the Unit 3 pre-staged emergency HPI pump power supply cable fell off in a maintenance technicians hand when he picked up the cable. Upon further examination, he also identified that the "Red" phase connector was loose. When disassembled, the Black connector was found to be damaged (i.e., socket end spread apart and showing signs of heating). Had it been necessary to operate the Unit 3 HPI pump during the HELB or tornado event recoveries, the two cable connectors would have overheated and likely failed, causing loss of the HPI pump function.

Overheating would have been caused by the lack of mating surfaces between the male and female ends of the connectors and the resulting higher resistance for electrical current flow. The inspectors concluded that both ends of the connector would have to be replaced based on the damage that would likely have occurred. Furthermore, the associated HPI pump motor could have been damaged due to overheating caused imbalance between the three electrical phases or the ASW switchgear protective circuitry could have isolated the HPI motor from the switchgear; also causing a loss of function of the HPI pump.

In addition to correcting the problem in Unit 3, the licensee also inspected the corresponding cable connectors in Units 1 and 2; no further problems were identified. The licensee stated that their root cause determination was still ongoing, although associated PIP O-02-02972 stated that the damage observed on the Black connector was consistent with improper handling or storage of the cable. Based on inspector observations made during the disassembly of the Unit 3 Red and Yellow phase cable connectors on October 10, 2002, the inspectors determined that: (1) because of the connector design, they could only be damaged/loose if they were not properly installed on the cable (i.e., plug end not fully screwed on the socket end of the connector); (2) given the cable storage location, it would be highly unlikely that anyone could damage the cable connectors by standing on them; and (3) because the Unit 3 cable was last used during an operational HPI pump run on April 17, 2000, and there was no other recorded maintenance or use of the cable, the connectors on the Black and Red phases had probably been loose (i.e., held in place, but not screwed on) for a significant period of time and the damage to the Black phase connector occurred during the operational pump run.

Consequently, an apparent violation of Technical Specification (TS) 5.4.1 has been identified for the inadequate installation of the cable connectors.

Standby Shutdown Facility (SSF)

The Standby Shutdown Facility (SSF) functions as a backup to existing safety systems for additional "defense in-depth" protection under extreme emergency conditions . The SSF was not included in the original plant design when the first Oconee Unit began operation in 1973.

Following initial licensing of Oconee, NRC concern increased for issues beyond the traditional accidents analyzed in Chapter 15 of the Oconee Updated Final Safety Analysis Report (UFSAR). In the late 1970's, Duke Energy designed the SSF as an alternate means to achieve and maintain all three Oconee units in Mode 3 following postulated fire, sabotage, or flooding events . The Oconee SSF was made operational in 1986 . The SSF was subsequently credited as a source of alternate AC power and decay heat removal during station blackout and tornado events. The SSF includes a diesel generator, associated electrical switchgear including the SSF Essential AC Power System, an auxiliary service water (ASW) pump, ASW piping from

SENSITIVE - NOT FOR PUBLIC DISCLOSURE

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15 the condenser circulating water piping through the ASW pump to the steam generators, reactor coolant makeup pumps, reactor coolant makeup piping from the spent fuel pools through the makeup pump to the reactor coolant pumps seals, SSF HVAC equipment, and SSF instrumentation and controls.

Technical Specification (TS) 3 .10 .1 requires the SSF and its subsystems to be operable in modes 1, 2, and 3 . One of the functional requirements is to maintain reactor coolant pressure control following an event . Manually controlled PZR heaters (126 kW of PZR heater capacity)

are capable of being powered from the SSF to meet this functional requirement . Per the Bases of the TS, these PZR heaters are considered a support system for the SSF ASW, so an adequate number of these PZR heaters must be OPERABLE for the SSF ASW system to be considered OPERABLE. However, in PRA modeling of this plant and other similar plants, no credit is taken for operation of PZR heaters for successful decay heat removal by secondary cooling during events such as SBO. Thus, unavailability of PZR heaters does not affect the calculated plant CDF.

At time of discovery, all three Oconee Units were operating at 100 % power with no safety systems or components out of service that would have contributed to this conditio SENSITIVE - NOT FOR PUBLIC DISCLOSURE

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15 Attachment B:

HPI Recovery Consideration The operator recovery actions associated with the loose connector are modeled in two phases: The operator recognizes that the connectors are loose while mating them in the first place, and tightens them, thus creating a solid connection. This recovery is credible since:

Vendor instructions for the installation of this type of connector specifically state once installed, the connector may be partially unscrewed to allow for alignment during connection. [5]

Thus, the operators are expected to unscrew and tighten the connectors; such an operation is not outside the domain of credibility. Moreover, the licensee position, which is not unreasonable, is that partial loosening does not lead to failure.

It is possible to expect that the operators will either notice the looseness of the connector while attempting to mate the cable; will loosen and re-tighten the connectors anyway for mating existing looseness will remain but is not sufficient to fail the proper conduction of electricity.

The looser the connector, it will be more likely that the operator will notice it while mating and tighten it. On the opposite side, less the amount of looseness is, it is more likely that the conduction will work even if the connector is not further tightened.

The basic event name assigned to operator recognizing and tightening the connector (including the cases where the looseness is not sufficient to fail the conduction process) is labeled HPI-XHE-CON. The calculation is provided in SPAR-HRA worksheets, which are summarized below. If the above action fails, and a highly loose cable is connected, and the current is passed through it to the HPI pump, the cable and/or the connector may be damaged due to heat at the loose connection. Damage to the switchgear and the pump motor are not credible due to protective relays (ground detection relays) that are engineered to protect the equipment. This is also discussed by the licensee in Reference 5. The licensee also provided a repair time of 5.25 hours2.893519e-4 days <br />0.00694 hours <br />4.133598e-5 weeks <br />9.5125e-6 months <br /> in that case. The operator action of failure to repair/replace the damaged cable and/or the connector is labeled as HPI-HXE-REP. The calculation is provided in SPAR-HRA worksheet, which is attached.

For the event sequences with RCP seal LOCA (or LOCA), it is assumed that there will not be enough time to perform this repair, due to long repair time (5.25 hours2.893519e-4 days <br />0.00694 hours <br />4.133598e-5 weeks <br />9.5125e-6 months <br />). The following basic event is used for these sequences:

HPI-XHE-REP-SL = 1.0 A basic event named HPI-XHE-CON-SL is defined for the LOCA sequences, the same way as in HPI-XHE-CON; both of these basic events have the same human error probabilit SENSITIVE - NOT FOR PUBLIC DISCLOSURE

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15 HEP calculations for two human actions are summarized here. These HEPs are used for LOOP/SBO; HELB/SBO; and TORNADO/SBO scenarios. The operator actions for scenarios with RCP Seal LOCA have the -SL extension in their basic event names.

1. HPI-XHE-CON (HPI-XHE-CON-SL for RCP seal LOCA conditions)

This action consists of a diagnosis and action phases; for both phases two PSF are not nominal.

These PSF are:

Stress: Extreme (factor of 5) due to SBO type event occurring; also includes tornado conditions.

Very limited number of safety related equipment may be powered.

Procedures: Available but poor (factor of 5). The connector was observed to be already left loose, and showed signs of heating. It appears that vendor supplied procedures may not be complete in preventing the loose connector failure mode.

Other PSFs are nominal. Up to 2.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> are available for the limiting scenario for RCP seal LOCA.

Q1 = 2.5 E-01 HEP for diagnosis.

Same PSF for action phase for looseness being diagnosed but the action for tightening is not carried out (omission).

Q2 = 2.5 E-02 HEP for action.

Total HEP for HPI-XHE-CON = 0.3 HPI-XHE-CON-SL has the same HEP value.

2. HPI-XHE-REP (HPI-XHE-REP-SL for RCP seal LOCA conditions)

For this human action, diagnosis phase is not significant; HPI pump already tripped due to the fault; the cable/connector failure due to heat is easy to detect.

Two PSF are not nominal. These PSF are:

Stress: Extreme (factor of 5) due to SBO type event occurring; also includes tornado conditions.

Very limited number of safety related equipment may be powered.

Ergonomics: Poor (factor of 10). Repairs are done in SBO conditions (poor lighting); also includes Tornado conditions.

Eight hours are allocated for HPI to be made operable, following the reactor trip. The function of HPI is to make up RCS inventory for unspecified losses of water during this time period. If RCP seal LOCA is in progress, this repair operator action is not credited (HEP for HPI-XHE-REP-SL is 1.0)

Q1 = small

SENSITIVE - NOT FOR PUBLIC DISCLOSURE

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15 Q2 = 5 E-02 Total hep for HPI-XHE-REP = 0.05 Summary:

Basic Event HEP PSF Total PSF multiplier HPI-XHE-CON Extreme stress; 25 poor procedure HPI-XHE-REP 0.05 Extreme stress; 50 Poor ergonomics HPI-XHE-CON-SL Extreme stress; 25 poor procedure HPI-XHE-REP-SL Not enough time available N/A before core uncovery Possible Dependence:

Possibility of dependence between two HEPs was discussed. Most likely different teams and some separation between two actions; one is routine connection, other is repair. Independence is postulated. Low dependence could be a sensitivity analysis. If low dependence exists, HEP for HPI-XHE-REP increases by a factor of 2 to SENSITIVE - NOT FOR PUBLIC DISCLOSURE

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15 Attachment C:

Windowed Events An LER search is made to see if any other events during the exposure time of this condition occurred to potentially aggravate the plant condition, and affect its calculated ASP importance.

The search results are given in Table C-1.

There are eight LERs listed in Table 3-1. The first two are discussed below. LERs 3-6 do not apply to unit 3. LERs 7 and 8 occurred after the current event. An examination of these events indicated that the following two events may be candidates for windowing its impact with that of the current condition being analyzed: LER 2692002001 dated 03/07/2002 and applicable to Oconee 1 , Oconee 2 , Oconee 3:

Pressurizer Heat Loss Exceeds Standby Shutdown Facility Powered Heater Capacity An examination of the plants SPAR model shows that during a SBO event, the success of pressurizer sprays is not necessary for decay heat removal by the secondary side. This success criteria is similar to that used in the plant PRA model maintained by the licensee.

Therefore inoperable PZR heaters have no impact on plant risk during SBO events, including HELB and TORNADO events, since the PZR heaters are not credited. The boiler-condenser mode provides adequate secondary side heat removal. LER 2692002002 dated 03/22/2002 and applicable to Oconee 1 , Oconee 2 , Oconee 3 Potential for Fire to Indirectly Damage Mitigation Component On March 22, 2002, an engineering evaluation identified the potential for an adverse valve actuation during a design basis fire . This valve actuation involves the inadvertent opening of either of two valves in the low pressure injection (LPI) system due to an assumed failure in the valve control circuitry. The opening of either valve would cause the Borated Water Storage Tank (BWST) to empty its contents to the Reactor Building Emergency Sump . The water from the BWST would flood the Reactor Coolant Make-Up (RCMU) Pump resulting in its failure. The RCMU pump supplies reactor coolant pump seal and make-up flow during some design basis fire scenarios.

The Standby Shutdown Facility (SSF) serves as a backup for existing Oconee safety systems to provide an alternate and independent means to achieve and maintain a Hot Standby condition for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> for all three of the Oconee Units following sabotage, flooding, or a design basis (10CFR50, Appendix R) fire . The lower level of each Unit's Reactor Building contains an SSF Reactor Coolant Make-Up (RCMU) Pump designed to supply Reactor Coolant Pump seal injection flow in the event that the normal make up system (High Pressure Injection) becomes inoperable during an SSF event.

The licensee stated that the likelihood of an actual spurious actuation occurring due to a "smart fire" causing the right two conductors to short together rather than shorting to ground has a very low probability. Furthermore, the licensee calculated the additional contribution to core damage

SENSITIVE - NOT FOR PUBLIC DISCLOSURE

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15 frequency resulting from the issue of spurious actuation of LP-19 or LP-20 to be less than 3E-8 per year.

The contribution of this plant condition to the plant risk is deemed to be small since The initiating event frequency of such a smart fire is small; The condition affects a backup system (RCMU), but does not affect normal mitigating systems; Even if the plant risk calculated by the licensee is 100 times worse, leading to a CCDP of 3E-06 (assuming a 1-year exposure time), the conclusions of the report do not change.

Thus, this event is not further analyzed for windowing with the plant condition being studied.

As a conclusion, there are no plant-specific events that need to be windowed with the plant condition being analyze SENSITIVE - NOT FOR PUBLIC DISCLOSURE

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15 Table C-1 LER Search Results LER Number Event Date Plant Title 2692002001 03/07/2002 Oconee 1 , Oconee 2 , Oconee 3 Pressurizer Heat Loss Exceeds Standby Shutdown Facility Powered Heater Capacity 2692002002 03/22/2002 Oconee 1 , Oconee 2 , Oconee 3 Potential for Fire to Indirectly Damage Mitigation Component 2692002003 04/01/2002 Oconee 1 Minor Reactor Pressure Vessel Head Leakage Due to Primary Water Stress Corrosion Cracking of An Alloy 600 Control Rod Drive Nozzle 2702002001 10/03/2002 Oconee 2 Tech Spec Valve Manually Inoperable Due to Mechanical Interference 2702002002 10/15/2002 Oconee 2 Reactor Pressure Vessel Head Leakage Due to Primary Water Stress Corrosion Cracking of Alloy 600 Control Rod Drive Nozzles 2702002003 10/31/2002 Oconee 2 Steam Generator Tube Leak During In-Situ Pressure Test 2872001003 11/12/2001 Oconee 3 Minor Reactor Pressure Vessel Head Leakage From Several Control Rod Drive Nozzle Penetrations Due to Primary Water Stress Corrosion Cracking 2872002001 11/14/2002 Oconee 3 Moisture Separator Reheater Level Results in Reactor Trip

SENSITIVE - NOT FOR PUBLIC DISCLOSURE

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15 Attachment D:

Event Tree and Fault Tree Additions and Modifications Event Tree Pictures: LOOP SBO HLOOP HSBO TLOOP TSBO Fault Tree Pictures: EPS-H EPS-T EFW2-WCC HPI-SSF (HPI-SSF-SL fault tree is also made; it is the same as HPI-SSF except for two HPI recovery basic events have -SL extension).

Uncertainty Cases: Conditional Case (run with Latin Hypercube option)

SENSITIVE - NOT FOR PUBLIC DISCLOSURE

50-287/02-15 D-1 Process The existing SBO event tree model for Oconee is examined in detail to see if it can be used to model SSF response to HELB and TORNADO events with minimum modification, crediting existing plant features:

i) HPI operation while supported by SSF (this is added as an event tree node when AC power recovery fails in the SBO event; ii) EFW cross tie capability to another unit (not credited for TLOOP)

iii) For TSBO and HSBO, no credit is taken for power recovery.

Otherwise, SSF-ASW is already credited in the secondary cooling event tree node of SBO event tree. The RCP cooling function of SSF is already credited in the RCPSL event tree node of SBO event tree as SSF-RCM. The LOOP event tree is basically used to transfer into the SBO event tree (through the failure of EPS event tree node); the other LOOP sequences, where SBO does not happen, do not challenge SSF, and are not affected by the plant condition.

It is observed that the sequence 3 of the SBO event tree is modeled in the base SPAR as core damage (e.g. secondary cooling successful; no RCP seal LOCA; no power recovery before battery depletion, OEP-BD). This sequence may be overly conservative when the SSF is operational and provides secondary cooling and no seal LOCA occurs. To remove at least some of the conservatism, HPI node is added to this sequence, generating a new success criteria of:

If secondary cooling is successful and no seal LOCA occurs, and HPI through SSF is operational, no core damage is postulated.

This is consistent with current plant procedures: HELB and tornado event recoveries take credit for the ability to connect a pre-staged 4160 volt alternating current (VAC) emergency power supply cable from the ASW switchgear to an HPI pump after a SBO event (loss of the associated units essential (colored) electrical busses and necessary standby shutdown facility (SSF) functions). Providing power and utilizing an HPI pump in such a fashion is addressed in:

Section 3.2.2 of the Updated Final Safety Analysis Report (UFSAR); Section 4 of Abnormal Procedure AP/0/1700/006, Natural Disaster; and the Blackout Section of EP/1,2,3/A/1800/001, Emergency Operating Procedure. Critical actions to start an HPI pump need to be performed within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> for an HELB event and 9 hours1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br /> for a tornado event.

A similar treatment is applied to other two event tree top events where AC power recovery is modeled in the base SBO event tree (OEP-1H, and OEP-SL).

First the base case is defined and quantified for LOOP, HLOOP, and TLOOP events, using SAPHIRE. Then, GEM code is used with the conditional case, with a 8760-hour time period.

D-2 Initiating Events An examination of the SPAR model for SBO event shows that it takes credit for power recovery, whereas power recovery after HELB and Tornado initiating events may not be feasible for long time periods. The initiating event frequencies for the HELB and Tornado events that can fail all AC busses are taken from the licensee PRA (as used in Reference 1). The HELB frequency is actually referenced back to an USNRC ASP Report (Reference 2). The Tornado frequencies

SENSITIVE - NOT FOR PUBLIC DISCLOSURE

S 50-287/02-15 for F2, F3, and F4 tornados are provided by the licensee in reference 1 and check well against generic values.

The initiating event frequencies leading to loss of all AC power (SBO conditions) due to HELB and Tornado events are given as:

IE-HELB = 3.5E-04/ year, IE-TSBO = 4.86E-06 / year.

IE-TSBO is calculated from data in Reference 1 as follows:

Tornado Switchyard Keowee SBO Frequency Frequency Damage Damage F2 5.37E-05 2.89E-01 6.20E-02 9.62E-07 F3 4.12E-05 2.79E-01 1.55E-01 1.78E-06 F4 3.59E-05 2.63E-01 2.24E-01 2.11E-06 Totals = 1.31E-04 4.86E-06 per year 5.55E-10 per hour The LOOP events already modeled in the base SPAR model may also lead to SBO and a challenge of SSF. Thus, these events must also be studied. The initiating event frequency for LOOP is already calculated as :

IE-LOOP = 5.25E-06 events/hr * 8760hrs = 4.6E-02 events/year Summary of Initiating Event Frequencies Initiating Event Frequency (per year)

IE-HLOOP = 3.50E-04 IE-TLOOP =[1] 4.86E-06 IE-LOOP = 4.6E-02 Note:

[1] =This value is taken from reference 1, and the calculation is shown in this report. Total tornado (>= F2) frequency is 1.31E-04/year. Those tornado challenges that would cause SBO are given above. Others will not challenge SS SENSITIVE - NOT FOR PUBLIC DISCLOSURE

50-287/02-15 D-3 Event Tree Models Three sets of event tree models are developed for LOOP/SBO, HLOOP/HSBO, and TLOOP/TSBO. These models actually have the same structure, emphasizing the interaction between the SSF and HPI. These event tree models are given in Attachment D.

Four event tree top events are affected by the modeling revisions:

EPS node in LOOP event trees:

Two top events named EPS-H and EPS-T are introduced to transfer HELB and TORNADO events directly to SBO. These top events contain one-basic event fault trees, with the basic event probability set to failure.

EFW2 in SBO and HSBO event trees:

This is replaced by EFW2-WCC to take credit for cross connecting EFW to another unit.

AC recovery in SBO event trees (OEP-1H, OEP-SL, OEP-BD):

In HSBO and TSBO event trees, no credit is taken for power recovery. The usual credit is taken in the SBO event tree.

HPI in SBO event trees:

HPI system question is asked when AC recovery fails (after OEP-1H, OEP-SL, OEP-BD) ; the fault tree used for this purpose is named HPR-SSF. This case models the availability of a single HPI pump train supported by the SSF DG, and injecting into one RCS loop. The HPI model is taken from the plant SPAR model and is modified to credit SSF support. An operator action to connect the HPI to the SSF and water source (if necessary) is introduced.

D-4 Success Criteria The success criteria is taken from SPAR models whenever available. Changes are discussed below.

I) Sequence Success criteria Given a SBO-type initiating event (HELB, TORNADO) with very small probability of short term recovery of AC power, the event could be successfully mitigated if; Reactor trips; SSF AC power source is made operational; ASW is available and provides secondary heat removal; HPI is operational.

If SSF AC power source fails, then potential cross connect to another unit, and NO LOCA constitutes succes SENSITIVE - NOT FOR PUBLIC DISCLOSURE

50-287/02-15 If ASW fails, then potential cross connect to another unit, and NO LOCA constitutes success. If LOCA occurs, success of HPI powered by SSF constitutes success (one pump to one loop).

If small LOCA occurs (RCP seal LOCA, or pressurizer valve LOCA), one HPI pump supported by the SSF and feeding the RCS, plus the operation of ASW pump are sufficient for success.

II) Event Tree Node Success Criteria The RPS, SSF and HPI systems are modeled in the event tree. Whenever an applicable fault tree exists in SPAR model, it is used.

The following fault trees are taken from SPAR model, or are quantified from an existing SPAR model with SBO conditions imposed on them, as needed:

EFW2-WCC (Made from EFW2 with credit for cross connect)

HPI-SSF (Made from HPI2 FT - Uses the success criteria one HPI pump feeding 1 cold leg; the same as the success criteria in plant IPE)

D-5 Data Data is taken from multiple sources; first source is SPAR models. If data exists in SPAR model and is applicable, it is used. The data sources are: SPAR Models; Reference 1 (takes initiating event data from the licensee PRA) Reference 2 Reference 3 D-6 Quantification The HELB and TORNADO cases are quantified using SAPHIRE and GEM codes by configuring cases for them. A E-16 cutoff probability is used. The results are given in the main body of the report.

First the base case is quantified in SAPHIRE. In this case, HPI recovery HEPs are set equal to zero, since HPI is not assumed failed by the plant condition.

The results are saved as the base case. Then GEM code is run with this base case, and a conditional case, with the following conditions to simulate failure of HPI and credit HPI recovery: HPI-XHE-CON HPI-XHE-CON-SL 0.05 HPI-XHE-REP HPI-XHE-REP-SL

SENSITIVE - NOT FOR PUBLIC DISCLOSURE

50-287/02-15 These basic event changes model failure of HPI and its failure to recover by operator actions.

D-7 Uncertainty Analysis An uncertainly analysis based on the distributions specified in the input basic event values is made. The results are reported in Attachment D. The results indicate that the ratio of the 95%

to the mean value is about a factor of 3.3, which is in the expected range for plant CDF. There is no additional insight resulting from this analysi SENSITIVE - NOT FOR PUBLIC DISCLOSURE

E 50-287/02-15 LOSS OF REA CTOR EME RGENCY EM ERGENCY PORV/S RVs RCP SE ALS OFFSITE HIGH FEED OFFSITE SECONDARY RCS DECAY HIGH OFFSITE TRIP AC FEE DWA TE R ARE CL OSED SURV IVE P OWER REC PRE SSURE AND P OWER REC COOLING COOLDOWN HEAT PRESSURE P OWER POWE R SY STEM LOOP W /IN 2 HRS INJECTION BLEED W /IN 6 HRS RECOVERED FOR DHR REMOV AL RE CIRCULATION IE-LOOP RPS EPS EFW 1 PORV3 RCPS L1 OE P-2H HPI FAB1 OE P-6H SGCOOL COOLDOWN DHR HP R

1. END-STATE 1 OK 2 OK 3 CD 4 OK 5 CD 6 CD 7 OK HP R1 8 CD HPI 2 9 CD 10 OK HP R1 11 CD HPI 2 12 CD 13 OK 14 OK 15 CD 16 OK 17 OK S GCO OL1 HP R1 18 CD 19 CD 20 T SBO 21 CD LOOP - Oconee 1,2, & 3 PWR D loss of offsite power 2004/07/29

NSITIVE - NOT FOR PUBLIC DISCLOSURE

S 50-287/02-15 FAILU RE OF EMERGEN CY PORV/SR Vs OFFSIT E R CP SEALS OFFSITE OFFSITE POWER HIGH FEED RCS D ECAY H IGH EMERGENCY FEEDW ATER WIT H ARE CLOSED POWER SU RVIVE SBO POWER R EC REC OVERY PRESSURE AND COOLD OW N H EAT PRESSUR E POWER CROSS CONNECT RECOVER Y D URING BEFORE INJECT ION BLEED FOR DH R R EMOVAL R EC IRCU LATION EPS EFW2 -WC C PORV4 OEP-1H N R CPSL OEP-SLN OEP-BDN HPI FAB COOLD OW N D HR H PR # END -STAT E 1 OK 2 OK 3 OK 4 CD 5 OK 6 OK 7 CD 8 OK CO OLDO WN 1 9 CD 10 CD 11 OK 12 CD 13 OK 14 CD 15 CD 16 CD 17 OK 18 CD SBO - Oconee 1,2, & 3 PWR D station blackout 2004/07/29

SENSITIVE - NOT FOR PUBLIC DISCLOSURE

E 50-287/02-15 L OSS OF REAC TOR E MER GENCY E MERGENC Y P ORV/SR Vs RC P SEALS OFFS ITE HIGH FEED OFFSITE SEC OND ARY R CS D ECA Y H IGH OFFSITE TR IP A C POWER FEE DWA TE R A RE C LOS ED SUR VIVE POWER REC PRE SSURE AND POWER RE C COOL ING C OOLD OWN H EAT PR ESS URE POW ER DUE S YSTEM LOOP W/IN 2 HRS IN JECTION BLE ED W/IN 6 HRS RE COVE RED FOR D HR R EMOVAL R EC IR CU LA TION TO HE LB IE-H ELB RPS E PS-H E FW 1 P ORV3 RC PSL 1 OEP-2 H HPI FAB1 OEP-6H SGCOOL C OOLD OWN D HR H PR # E ND -STATE 1 OK 2 OK 3 CD 4 OK 5 CD 6 CD 7 OK HP R1 8 CD HPI 2 9 CD 10 OK HP R1 11 CD HPI 2 12 CD 13 OK 14 OK 15 CD 16 OK 17 OK S GCOOL1 HP R1 18 CD 19 CD 20 T HSBO 21 CD HLOOP - LOOP EVENT TREE FOLLOWING HELB EVENT 2004/07/29

NSITIVE - NOT FOR PUBLIC DISCLOSURE

50-287/02-15 FAILURE OF EMERGEN CY PORV/SRVs OFFSITE RC P SEALS OFFSITE OFFSI TE POW ER H IGH FEED R CS DECAY HIGH EMERGENC Y FEEDW ATER WITH ARE CL OSED POW ER SUR VIVE SBO POWER REC RECOVERY PR ESSUR E AND C OOLDOWN HEAT PRESSURE POWER CROSS CONNECT RECOVERY D URIN G BEFORE IN JEC TION BLEED FOR DHR REMOVAL REC IRCULATION EPS-H EFW2-WCC PORV4 OEP-1H RC PSL OEP-SL OEP-BD H PI FAB C OOLDOWN DHR HPR # END -STATE 1 OK 2 OK 3 OK 4 CD 5 OK 6 OK 7 CD 8 OK CO OLDOWN1 9 CD 10 CD 11 OK 12 CD 13 OK 14 CD 15 CD 16 CD 17 OK 18 CD HSBO - SBO EVENT T REE AFTER HELB 2004/07/29

SENSITIVE - NOT FOR PUBLIC DISCLOSURE

50-287/02-15 LOSS OF RE ACTOR EM ERGE NCY EMER GEN CY PORV/SR Vs RC P SEALS OFFSITE HIGH FE ED OFFSITE S ECON D ARY RC S D EC AY HIGH OFFSITE TRIP AC FE EDW ATER AR E CL OSED S URVIVE POWER REC PR ESSUR E AND POWE R RE C C OOLIN G COOL DOW N H EAT PRE SSURE P OWER DUE TO POW ER SYSTEM LOOP W/IN 2 H RS INJ ECTION BLEE D W/IN 6 HRS R EC OVER ED FOR DHR R EMOVA L REC IRC ULATION IE-TOR NAD O RP S EP S-T EFW1 PORV3 RC PSL1 OEP-2H HPI FA B1 OEP-6H S GCOOL COOL DOW N D HR HPR # END -STATE 1 OK 2 OK 3 CD 4 OK 5 CD 6 CD 7 OK HPR1 8 CD HP I2 9 CD 10 OK HPR1 11 CD HP I2 12 CD 13 OK 14 OK 15 CD 16 OK 17 OK SGCOOL1 HPR1 18 CD 19 CD 20 T TS BO 21 CD TLOOP - LOOP EVENT TREE FOLLOWING TORNADO 2004/07/29

SITIVE - NOT FOR PUBLIC DISCLOSURE

50-287/02-15 F AILURE OF EM E RGE NCY P ORV /S RV s O FFS ITE RCP SE A LS O FFS ITE OFF SITE P OW E R HIGH F EE D RCS DE CA Y H IG H E M E RGE NCY FE ED W AT ER NO A RE CLOS ED P O W ER SU RV IV E SB O P OW E R RE C RE COV E RY P RE SS URE A ND COO LDOW N HE A T P RE S S URE P OW E R CROS S CONN ECT R ECO V ERY DU RIN G BE FO RE INJE CTIO N B LE ED FOR D HR RE M OV A L R ECIRC ULATIO N E P S- T EF W P ORV 4 O E P- 1H RCP S L O EP -S L OE P -B D HP I F AB COO LDOW N DHR H PR # EN D-S TA TE 1 OK 2 OK 3 OK 4 CD 5 OK 6 OK 7 CD 8 OK CO OL DOW N1 9 CD 10 CD 11 OK 12 CD 13 OK 14 CD 15 CD 16 CD 17 OK 18 CD T S BO - S BO EV EN T T R EE FO LL OW IN G T O RN ADO 2004/ 07/29

IVE - NOT FOR PUBLIC DISCLOSURE

E 50-287/02-15 EPS-H EPS-H EPS FAILS FOLLOWING A HELB EVENT THAT AFFECTS ALL 3 BUSSES TRUE XX-EPS-H EPS-H - 2004/06/29 Page 42

NSITIVE - NOT FOR PUBLIC DISCLOSURE

E 50-287/02-15 EPS-T EPS-T EPS FAILS DUE TO A TORNADO EVENT THAT CAUSES SBO CONDITIONS AT THE PLANT TRUE XX-EPS-T EPS-T - 2004/06/29 Page 45

VE - NOT FOR PUBLIC DISCLOSURE

50-287/02-15 50-269/02-15 NO OR INSUFFICIENT EFW FLOW DURING SBO EFW2-WCC NO OR INSUFFICIENT EFW CROSS EFW FLOW TO SGs CONNECT TO OTHER UNIT AFTER HELB FAILS 24 2.6E-1 EFW EFW-CROSS-CONNECT EFW2-W CC - 2004/06/29 Page 36

SNSITIVE - NOT FOR PUBLIC DISCLOSURE

50-287/02-15 F AIL URE T O PRO VIDE RCS MAKEUP AFT ERSBO - NO LO CA CONDITIONS H PI-S SF RCM MAKEUP BY SSF NO ORINSUFF ICIE NT REACT ORCOO LANT F L OW F ROM T HE MAKEUP SYST EM FAILS HPI SYST EM 111 SE ALLOC A-S SF HP I- SSF- SYS HPI-SSF FAIL S HPI CONNECT ION TO SSF FAILS DUE T O PL ANT CONDIT ION H PI-SSF -FAILS HPI-OPA -RE COV CCF OF HPI COL D LEG HPI SUCTI ON BW ST F AI L S T O F AILURE T O PROVI DE Vacu um-Brea ke r Va vl e CCF OF DISCHARGE CCF O F HPI MDPs OP FAILS T O RECOGNIZ E HPI RECO VERY FAILURE SUF FICIENT FL OW DISCHARGE CKECK CCF OF HPI SUCT ION L OOSE CO NNECTOR T HUS AF T ER HELB/TORNADO DIS CH CHECK VALVES I SOL M OV COM MON PROVI DE SUF FICIENT 3L P-6 1 F ai sl to Ope n CHECK VAL VES CHECK VALVES CAUSE F AIL URES W AT ER INT O CO LD LEGS F ROM HPI PUMPS VAL VES FAILING TO T IGH AND CONNECT . F AILU 6.5E -6 1.0E- 4 1.3E-6 1.0E-4 1.0E -5 5.8E- 6 1.0E- 5 3.0E-1 5.0E- 2 H PI-CK V-C F-D ISCL HP I- MOV- CF- SUC T H PI-T NK- VF-B WST H PI-C LHD R- F H PI-C KV-C C -3LP61 H PI-C KV-C F-D ISAB HP I-CK V-C F-PMP S HP I- CKV -C F-SU CT H PI-X HE- CON HP I-XH E-R EP NO O RINSUF F CI IENT NO ORINSUFF ICIE NT NO OR N I SUFF ICIE NT NO OR N I SUFF ICIE NT FL OW INT O COLD F LOW N I T O COLD F LOW INT O COLD F LOW INT O COLD L EG 3 A1 L EG 3 A2 L EG 3B1 L EG 3B2 H PI-C LHD RA 1- F HP I- CLH DR A2-F HP I- CLH DR B1-F HP I- CLH DR B2-F F AIL URE OF COLD F AILURE OF HPI F AIL URE OF CO LD F AIL URE OF HPI HPI TRAIN C F AIL URE OF COLD W ATER SUPPLY FAILURE OF COL D HPI TRAINC L EG CKV HP-4 87 MDPs T OCO LD L EG CKV HP-4 86 MDPs TO COL D FAILURES L EG CKV HP-4 88 T O HPI TRAIN LEG CKV HP-48 9 F AI L URES L EG 3A1 L EG 3 A2 C FAILS 1.0E -4 1.0E- 4 62 1.0E- 4 1.0E-4 62 H PI-CK V-C C- 487 HPI-C LHD R A1-PMPS -F HP I- CKV -C C-486 H PI-C LHD RA 2-PMPS -F H PI-TR NC -F HP I- CK V-C C-488 HPI-MD PC SU P-F HPI-CKV -CC -489 H PI-TR NC -F HPI MDP A F LOW HPI MDP B F LOW HPI MDP A F LOW HPI M DP B FL OW W ATER SUPL Y W ATER SUPPLY WAT ER SUPPL Y INT OCO LD LEGS I T O COLD L EGS N INT O CO LD LEGS INTO COL DL EGS PAT HB ISO LAT O I N PAT HA ISO LATION T O HPI T RAIN F AIL URES F AI LURES F AIL URES F AIL URES VAL VE F AIL URES VAL VES FAI LS C FAILS HP I- TRN A-F LW -F H PI-TR NB- FLW-F HP I- TRN A- FLW-F H PI-TR NB-FLW -F H PI-MDP CS UP1- F HP I-MDP CSU PA LT -F HP I- MD PC SU P-F W AT ERSUPPLY HPI M DP A FAILURES HPI TRAI N B SUCTION HPI MDP B SUCTION TO HPI T RAIN CKV HP-10 2 FAI L S T O M OV HP-25 FAILS TO L OSS OF AC POW ER A F AIL S OPEN OPEN ON BUS 3T D 57 1.0E- 4 3.0E- 3 2 H PI-MD PAS UP- F H PI-TR NA -F H PI-CK V-C C- 102 HP I- MOV- CC -25 A CP- 3TD W ATER SUPPLY W AT ERSUPPL Y HPI T RAIN A SUCT ION HPI M DP A SUCT ION CKV HP-1 01 F AILS TO MOV HP-2 4 F AIL S T O HPI SUCT IO N L OSS OF ACPOW ER PAT HA ISO LATION PATH B ISOL AT ION ON BUS 3T C VAL VE F AIL URES VALVE FAILURES OPEN OPEN M OV HP-98 FAILS 1.0E-4 3.0E -3 F ALSE 1 H PI-MDP ASU P1-F HPI-MD PAS UP ALT-F H PI-C KV- CC -101 H PI-MOV-C C-24 HP I- MOV- OC -98 A CP -3TC HPI T RAIN A SUCT IO N HPI MDP A SUCT IO N CKV HP-10 1 F AIL S T O HPI T RAIN B W AT ERSUPPL Y MOV HP-24 FAILS T O L OSS OF ACPOW ER L OSS O F ACPOW ER ON BUS 3T C OPEN ON BUS 3T D F AILURES TO HPI T RAIN OPEN B F AIL S 3.0E -3 1 3.0E-3 2 60 HP I-MOV -CC -24 ACP -3TC H PI-MOV-C C-25 AC P-3TD HP I- TRN B-F -SSF H PI-MD PBSU P- F HPI MDP B SUCT I ON MOV HP-2 5 F AIL S T O HPI T RAIN B SUCTION W ATER SUPPLY WAT ER SUPPL Y CKV HP-10 2 F AIL S T O HPI SUCTION OPEN M OV HP-98 FAILS PAT HA ISO LATION PAT H B ISOLAT I ON O PEN VAL VE F AIL URES VALVE F AILURES 1.0E-4 1.0E -4 FA LSE H PI-CKV- CC -101 HP I-CK V-C C- 102 HPI-MOV-OC -98 HP I-MDPB SU P1-F H PI-MDP BSU PALT -F HPI T RAIN A SUCTION HPI MDP A SUCTION HPI TRAI N B SUCTION HPI MDP B SUCT I ON CKV HP-10 1 F AIL S T O M OV HP-24 FAI LS TO HPI SUCTION LOSS OF AC POWER CKV HP-10 2 FAI L S T O L OSS OF AC POW ER MOV HP-2 5 F AIL S T O O PEN OPEN M OV HP-98 FAILS O NBUS 3 TC OPEN ON BUS 3T D OPEN 1.0E -4 3.0E- 3 FALS E 1 1.0E- 4 2 3.0E-3 H PI-CK V-C C- 101 HP I-MOV -CC -24 H PI-MOV-OC -98 AC P-3TC H PI-CK V-C C- 102 A CP -3TD H PI-MOV-C C- 25 HPI-SSF - NO OR INSUFFICIENT FLOW FROM THE HPI SYSTEM 2004/09/02 Page 55

S

50-287/02-15

35NSITIVE - NOT FOR PUBLIC DISCLOSURE