IR 05000287/2002015

From kanterella
Jump to navigation Jump to search
Final ASP Analysis - Oconee 3 (IR 050002872002015)
ML20114E069
Person / Time
Site: Oconee Duke Energy icon.png
Issue date: 05/12/2020
From: Christopher Hunter
NRC/RES/DRA/PRB
To:
Hunter C (301) 415-1394
References
IR 2002015
Download: ML20114E069 (35)
v  d  e


Text

1Since this condition did not involve an actual initiating event, the parameter of interest is the measure of the incremental increase between the conditional probability for the period in which the condition existed and the nominal probability for the same period but with the condition nonexistent and plant equipment availabl This incremental increase or importance is determined by subtracting the CDP from the CCD This measure is used to assess the risk significance of hardware unavailabilities especially for those cases where the nominal CDP is high with respect to the incremental increase of the conditional probability caused by the hardware unavailability.

SENSITIVE - NOT FOR PUBLIC DISCLOSURE Enclosure 1 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Final Precursor Analysis Accident Sequence Precursor Program ---Office of Nuclear Regulatory Research Oconee Unit 3 Inadequate Installation of Connectors on a Unit 3 HPI Pump Emergency Power Supply Cable from the ASW Switchgear.

Event Date: May 30, 2002 IR: 50-287/02-15 CDP1 = 3x10-6 October 25, 2004 Condition Summary The inspectors identified an apparent violation (AV) for the failure to adequately implement the vendors written instructions for attaching the "Elastimold" electrical connectors on the "Black" and

"Red" phases of the Unit 3 HPI pump emergency power supply cable from the auxiliary service water (ASW) switchgear. Consequently, by failing to provide reasonable assurance that the pre-staged HPI pump emergency power supply cable would be available for high energy line break (HELB) and/or tornado event recover A HELB (i.e., a failure of adjacent main feedwater or auxiliary steam lines) could cause all three colored buses to fai Similarly, a tornado could also fail the AC power to the plant through damaging both the switchyard and the Keowee hydro units.

Details of this event are described in Attachment A (Refs. 1 and 4).

Condition duration. The apparent violation is analyzed as a plant condition with an exposure period of 1 yea Recovery opportunitie HPI power connection failure can be recovered from; this is credited in the mode Analysis Results

!

Importance (CDP)

In accordance with the ASP guidelines, this plant condition is analyzed to calculate its importance in terms of increased plant risk while the condition existed (one-year period is used). The analysis is performed for LOOP (leading to SBO), HELB and TORNADO events, where the SSF can be credited. The plant condition importance (delta CDP) for this event is 3 X 10-6 (mean value). This CDP exceeds the Accident Sequence Precursor Program acceptance threshol The importance of each event considered is summarized in the following tabl SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15

SENSITIVE - NOT FOR PUBLIC DISCLOSURE Event CCDP CDP Importance Percent HLOOP 4.4E-06 1.1E-06 3.2E-06 95.6 TLOOP 6.0E-08 1.6E-08 4.5E-08 1.3 LOOP 1.2E-05 1.2E-05 1.0E-07 3.1 Sum =

1.7E-05 1.3E-05 3.4E-06 100

!

Dominant sequences The following dominant sequences are identified:

Event Sequence CCDP CDP I Importance Percent HLOOP 20-12 2.0E-06 5.4E-08 1.9E-06 56.7%

HLOOP 20-04 2.1E-06 7.6E-07 1.3E-06 38.8%

The first dominant sequence is due to failure of HPI after a LOCA in a HELB event. This failure is represented by the event tree top event HPI-SSF. The dominant sequence is due to failure of HPI after a HELB event where no LOCA is in progress, but an unspecified loss of RCS inventory is assumed to uncover the core in the long term.

!

Results tables The conditional probabilities of the sequences with the highest importance are shown in Table 1.

The event tree sequence logic for the sequences with the highest importance are provided in Tables 2a and 2b.

The conditional cut sets for the two sequences with the highest importance are provided in Table 3.

Definitions and probabilities for modified or dominant basic events are provided in Table 4.

Modeling Assumptions

!

Assessment Summary This condition involves potential failure of the single available train of HPI when all AC power is lost to the safety systems and the SSF is placed in operatio The SSF is described in Attachment A.

The potential initiating events in which this plant condition can be of consequence are identified as follows:

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15

SENSITIVE - NOT FOR PUBLIC DISCLOSURE i)

SBO during power operation; ii)

HELB events during power operation (leading to SBO-like conditions)

iii)

Tornado events during power operation (only those leading to SBO conditions).

The three initiating events in which the plant condition may potentially result in increased risk are severe high energy line breaks (HELB) severe tornados (TORNADO), and loss of offsite power events (LOOP) which could lead to SBO conditions at the plan For each of these events, the existing LOOP and SBO event tree models are used as the starting point and are modified as needed to credit the HPI following SSF actuation (Attachment D discusses the details and provides the event and fault tree pictures).

HELB and tornado event recoveries take credit for the ability to connect a pre-staged 4160 volt alternating current (VAC) emergency power supply cable from the ASW switchgear to an HPI pump after a loss of the associated units essential (colored) electrical busses and necessary standby shutdown facility (SSF) functions. Providing power and utilizing an HPI pump in such a fashion is addressed in: Section 3.2.2 of the Updated Final Safety Analysis Report (UFSAR);

Section 4 of Abnormal Procedure AP/0/1700/006, Natural Disaster; and the Blackout Section of EP/1,2,3/A/1800/001, Emergency Operating Procedure. Critical actions to start an HPI pump need to be performed within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> for an HELB event and 9 hours1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br /> for a tornado event.

Other internal and external events during power operation are not affected by this plant conditio !

Modeling assumptions Key Modeling Assumptions It is assumed that the AC power can not be restored to the emergency buses during the 24-hour mission time following HLOOP and TLOOP SBO event This is due to the nature of the initiating events which damage AC power equipmen The recovery of these equipment could take a long time in these particular events studied.

Other assumptions.

The two HPI recovery events are independen A sensitivity analysis is made with these events being dependen The conclusions do not change.

!

Modifications to fault trees models The fault tree models are taken from SPAR models directly, whenever applicable. Two fault trees are made from existing SPAR fault trees as needed :

EFW2-WCC: Credits EFW cross connect to other unit after HELB fails.

HPI-SSF:

HPI FT is modified to condition the failure of HPI to recovery of the connection cable (HPI-XHE-REC).

A HPI-SSF-SL fault tree is also made for LOCA sequences; it is the same as HPI-SSF except for two HPI recovery basic events have -SL extensio This fault tree is made to distinguish the potential difference in HPI recovery in LOCA sequences, where the available time window is shorte SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15

SENSITIVE - NOT FOR PUBLIC DISCLOSURE Finally, two single-basic event fault trees are made to represent event tree nodes that are scalars:

EPS-H EPS-T These event trees are used to transfer the HLOOP and TLOOP event trees to HSBO and TSBO event trees.

The fault and event tree pictures are given in Appendix D.

!

Basic event probability changes The basic event probability changes are summarized below.

HELB Event Initiating Event Frequency (IE-HELB). This initiating event frequency is introduced as a new event, leading to HLOOP and HSBO events, which progress like LOOP and SBO events already modeled in SPAR. The frequency of is taken from Reference 1 as 3.5E-04/yr.

TORNADO Event Initiating Event Frequency (IE-TORNADO). This initiating event frequency is introduced as a new event, leading to TLOOP and TSBO events, which progress like LOOP and SBO events already modeled in SPA This is calculated in Attachment D as 4.86E-06/yr.

AC Recovery in HSBO and TSBO (OEP-1H, OEP-SL, OEP-BD). The basic events for OEP-1H, OEP-SL, and OEP-BD event tree tops are set equal to failure (no AC recovery credited) in HLOOP and TLOOP SBO event trees during the mission time, due to the nature of the initiating events where recovery is expected to be long term.. This is done by setting the following basic events to failure (TRUE):

OEP-XHE-NOREC-1H OPERATOR FAILS TO RECOVER OFFSITE POWER WITHIN 1 HR OEP-XHE-NOREC-BD OPERATOR FAILS TO RECOVER OFFSITE POWER: BATTERY DEPLETION OEP-XHE-NOREC-SL OPERATOR FAILS TO RECOVER OFFSITE POWER (SEAL LOCA)

AC Recovery in SBO(OEP-1H, OEP-SL, OEP-BD). The basic events for OEP-1H, OEP-SL, and OEP-BD event tree tops are left as in the SPAR model for the SBO even To distinguish this recovery from the HSBO and TSBO events, the basic events associated with AC recovery are labeled with an addition of the letter N and retained with their base SPAR values:

OEP-XHE-NOREC-1HN OPERATOR FAILS TO RECOVER OFFSITE POWER WITHIN 1 HR OEP-XHE-NOREC-SLN OPERATOR FAILS TO RECOVER OFFSITE POWER (SEAL LOCA)

OEP-XHE-NOREC-BDN OPERATOR FAILS TO RECOVER OFFSITE POWER: BATTERY DEPLETION HPI RECOVERY, SHORT TERM (HPI-XHE-CON, HPI-XHE-CON-SL). This human action represents the short term recovery, where the operator tightens the connector (-SL extension is used for LOCA sequences). The HEPs are calculated in Attachment B, as 0.3 for both cases.

HPI RECOVERY, LONG TERM (HPI-XHE-REP, HPI-XHE-REP-SL). This human action represents the longer term recovery (repair) of the HPI connection (-SL extension is used for LOCA sequences). The HEP is calculated in Attachment B, as 0.05; for LOCA sequences, the HEP is SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LOOP Flags for HELB and TORNADO Events (XX-EPS-H, XX-EPS-T). These two basic events are introduced in the HLOOP and TLOOP event tree node fault trees EPS-H and EPS-T to transfer the HLOOP and TLOOP events to HSBO and TSBO event trees.

!

Sensitivity Analyses A sensitivity analysis is made to calculate the event importance if the HPI recovery HEPs are assumed to be dependent (see discussion at the end of Attachment B). In that case the probability of the basic event HPI-XHE-REP becomes When the GEM code is run with this value substituted in, the event importance is calculated as 5E-0 This result does not change the conclusions of the analysis.

!

SPAR Model updates No SPAR model updates are made.

References NRC Letter EA-02-243 dated November 21, 2002, Subject: Oconee Nuclear Station -

NRC Inspection report 50-269/02-15, 50-270/02-15,and 50-287/02-15; Preliminary White Finding ADAMS Accession N ML023250552) Oconee Nuclear Station, Units 1, 2, and 3 Postulated high-energy line breaks in turbine building leading to failure of safety-related 4-kV switchgear, Event Date: February 24, 1999, LER 269-99-001, USNRC OERAB Report, Sunil Weerakkody, Erul Chellia ASP Analysis. ADAMS Accession N ML012910027) Final Precursor Analysis, June 25, 2003 for the Oconee 04/01/2000 Even ADAMS Accession N ML032100335 SDP/Enforcement Panel Worksheet, ADAMS Accession N EA-02-243, 11/06/02, ML04090035. Duke Power Letter Dated January 10, 200 Subject: Oconee Nuclear Station - Units 1,2 and 3 Docket Nos 50-269, 50-270, 50-2887 Response to NRC Preliminary White Finding

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15

SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table Sequences Contributing to Event Importance Event Sequence CCDP CDP I Importance Percent HLOOP 20-12 2.0E-06 5.4E-08 1.9E-06 56.7%

HLOOP 20-04 2.1E-06 7.6E-07 1.3E-06 38.8%

LOOP 20-10 5.7E-08 1.4E-09 5.5E-08 1.6%

LOOP 20-12 3.6E-08 8.3E-10 3.5E-08 1.0%

TLOOP 20-12 2.7E-08 7.1E-10 2.6E-08 0.8%

TLOOP 20-04 2.9E-08 1.1E-08 1.9E-08 0.6%

LOOP 20-04 2.2E-08 7.9E-09 1.4E-08 0.4%

Sum =

4.3E-06 8.4E-07 3.3E-06 100%

Table 2a. Event Tree Sequence Logic for Top Sequences Event Tree Name Sequence Number Logic (/ denotes success; see Table 2b for fault tree names)

HLOOP 20-12

/RPS EPS-H /EFW2-WCC /PORV4 OEP-1H RCPSL OEP-SL HPI-SSF-SL HLOOP 20-04

/RPS EPS-H /EFW2-WCC /PORV4 OEP-1H

/RCPSL OEP-BD HPI-SSF LOOP 20-10

/RPS EPS /EFW2-WCC /PORV4 OEP-1HN RCPSL /OEP-SLN HPI-SSF-SL LOOP 20-12

/RPS EPS /EFW2-WCC /PORV4 OEP-1HN RCPSL OEP-SLN HPI-SSF-SL TLOOP 20-12

/RPS EPS-T /EFW /PORV4 OEP-1H RCPSL OEP-SL HPI-SSF-SL TLOOP 20-04

/RPS EPS-T /EFW /PORV4 OEP-1H

/RCPSL OEP-BD HPI-SSF LOOP 20-04

/RPS EPS /EFW2-WCC /PORV4 OEP-1HN

/RCPSL OEP-BDN HPI-SSF

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15

SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table 2b. Definitions of Top Events Listed in Table 2a Fault Tree Name Description EFW NO OR INSUFFICIENT EFW FLOW EFW2-WCC NO OR INSUFFICIENT EFW FLOW DURING SBO EPS OCONEE 1 2 & 3 PWR D EMERGENCY POWER SYSTEM FAILS EPS-H EPS FAILS AFTER HELB EPS-T EPS FAILS AFTER TORNADO HPI-SSF NO OR INSUFFICIENT FLOW FROM THE HPI SYSTEM HPI2 OCONEE 1 2 & 3 PWR D HPI USING LOOP-FTF FLAGS OEP-1H OCONEE 1 2 & 3 PWR D OFFSITE POWER RECOVERY 1 HR OEP-SL OCONEE 1 2 & 3 PWR D RECOVER OFFSITE POWER (SEAL LOCA)

PORV4 OCONEE 1 2 & 3 PWR D PORV/SRVs OPEN DURING SBO RCPSL OCONEE 1 2 & 3 PWR D REACTOR COOLANT PUMP SEALS FAIL RPS OCONEE 1 2 & 3 PWR D REACTOR FAILS TO TRIP

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15

SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table 3. Cutsets for Dominant Sequences Sequence HELB 20-12 Probability Cutset Elements 7.446E-07 IE-HLOOP SSF-XHE-XA-RCM HPI-XHE-CON-SL HPI-XHE-REP-SL RCP-MDP-LK-SEALS 2.8908E-07 IE-HLOOP SSF-DGN-FR-SSF HPI-XHE-CON-SL HPI-XHE-REP-SL RCP-MDP-LK-SEALS 2.2776E-07 IE-HLOOP SSF-DGN-TM-SSF HPI-XHE-CON-SL HPI-XHE-REP-SL RCP-MDP-LK-SEALS 2.0148E-07 IE-HLOOP SSF-MDP-TM-SWP HPI-XHE-CON-SL HPI-XHE-REP-SL RCP-MDP-LK-SEALS 9.636E-08 IE-HLOOP SSF-DGN-FS-SSF HPI-XHE-CON-SL HPI-XHE-REP-SL RCP-MDP-LK-SEALS 7.446E-08 IE-HLOOP HPI-XHE-CON-SL SSF-ACU-FS-HVAC2 HPI-XHE-REP-SL RCP-MDP-LK-SEALS 7.446E-08 IE-HLOOP SSF-XHE-XA-SSF HPI-XHE-CON-SL HPI-XHE-REP-SL RCP-MDP-LK-SEALS 2.2776E-08 IE-HLOOP SSF-MOV-CC-RCM97 HPI-XHE-CON-SL HPI-XHE-REP-SL RCP-MDP-LK-SEALS 2.2776E-08 IE-HLOOP SSF-MOV-CC-RCM398 HPI-XHE-CON-SL HPI-XHE-REP-SL RCP-MDP-LK-SEALS 2.2776E-08 IE-HLOOP SSF-MDP-FS-SWP HPI-XHE-CON-SL HPI-XHE-REP-SL RCP-MDP-LK-SEALS 2.2776E-08 IE-HLOOP SSF-PDP-FS-RCM HPI-XHE-CON-SL HPI-XHE-REP-SL RCP-MDP-LK-SEALS 2.2776E-08 IE-HLOOP SSF-MOV-CC-RCM52 HPI-XHE-CON-SL HPI-XHE-REP-SL RCP-MDP-LK-SEALS Sequence HELB 20-4 Probability Cutset Elements 5.256E-07 IE-HLOOP SSF-XHE-XA-RCM HPI-XHE-CON HPI-XHE-REP 2.1024E-07 IE-HLOOP SSF-DGN-FR-SSF HPI-XHE-CON HPI-XHE-REP 1.6644E-07 IE-HLOOP SSF-DGN-TM-SSF HPI-XHE-CON HPI-XHE-REP 1.4016E-08 IE-HLOOP SSF-MDP-TM-SWP HPI-XHE-CON HPI-XHE-REP 1.0512E-08 IE-HLOOP SSF-XHE-XA-RCM HPI-MOV-CC-26 1.0512E-08 IE-HLOOP SSF-XHE-XA-RCM HPI-MDP-FS-B 6.6576E-09 IE-HLOOP SSF-DGN-FS-SSF HPI-XHE-CON HPI-XHE-REP 5.256E-09 IE-HLOOP HPI-XHE-CON HPI-XHE-REP SSF-ACU-FS-HVAC2 5.256E-09 IE-HLOOP SSF-XHE-XA-SSF HPI-XHE-CON HPI-XHE-REP 4.1172E-09 IE-HLOOP SSF-DGN-FR-SSF HPI-MDP-FS-B 4.1172E-09 IE-HLOOP SSF-DGN-FR-SSF HPI-MOV-CC-26 3.504E-09 IE-HLOOP SSF-XHE-XA-RCM HPI-XHE-XR-MDPB 3.2412E-09 IE-HLOOP SSF-DGN-TM-SSF HPI-MDP-FS-B 3.2412E-09 IE-HLOOP SSF-DGN-TM-SSF HPI-MOV-CC-26 2.8032E-09 IE-HLOOP SSF-MDP-TM-SWP HPI-MOV-CC-26 2.8032E-09 IE-HLOOP SSF-MDP-TM-SWP HPI-MDP-FS-B 2.5404E-09 IE-HLOOP SSF-XHE-XA-RCM HPI-MDP-FR-B

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15

SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table Definitions and Probabilities for Modified or Dominant Basic Events Basic Events whose probabilities are changed:

Event Name Description Base Prob Curr Prob HPI-XHE-CON OP FAILS TO RECOGNIZE LOOSE +0.0E+000 3.0E-001 HPI-XHE-CON-SL OP FAILS TO RECOGNIZE LOOSE +0.0E+000 3.0E-001 HPI-XHE-REP HPI RECOVERY FAILURE AFTER H +0.0E+000 5.0E-002 HPI-XHE-REP-SL HPI RECOVERY FAILURE AFTER H +0.0E+000 1.0E+000 Basic events whose probabilities remain the same as the base model:

Event Name Description Prob

--------------------------------------------- ---------

ACP-BAC-LP-3TC 4160VAC BUS 3TC FAILS 9.0E-005 ACP-XFM-FC-CT4 TRANSFORMER CT4 FROM KEOWEE HYDRO UNITS FAILS 2.4E-004 CCS-AOV-OC-CC8 FAILURE OF CCS DISCHARGE AOV CC-8 TO COOLERS 4.0E-005 CCS-CKV-CC-CC20 COMPONENT COOLING DISCHARGE CKV CC-20 FAILS 1.0E-004 CCS-CKV-CC-CC24 COMPONENT COOLING DISCHARGE CKV CC-24 FAILS 1.0E-004 CCW-LK_KEOWEE2 LAKE KEOWEE WATER LEVEL <=799' SIPHON FLOW C 9.8E-001 DHR-HTX-CF-ALL COMMON CAUSE FAILURE OF DHR HTXS 3.7E-005 DHR-MDP-CF-STRT DHR PUMP COMMON CAUSE FAILURE TO START 1.2E-004 DHR-MDP-FS-B DHR MDP B FAILS TO START 3.0E-003 DHR-MDP-TM-B DHR MDP B UNAVAILABLE DUE TO TEST AND MAINTEN 2.8E-003 DHR-MOV-CC-HOTLP1 HOT LEG MOV LP-1 FAILS TO OPEN 3.0E-003 DHR-MOV-CC-HOTLP2 HOT LEG MOV LP-2 FAILS TO OPEN 3.0E-003 DHR-MOV-CC-HOTLP3 HOT LEG MOV LP-3 FAILS TO OPEN 3.0E-003 DHR-XHE-XM OPERATOR FAILS TO INITIATE THE DHR SYSTEM 2.0E-003 EFW-AOV-CF-FCV EFW FLOW CONTROL VALVE COMMON CAUSE FAILURES 3.0E-005 EFW-CKV-CF-PMPS CCF OF EFW PUMP DISCHARGE CHECK VALVES 4.2E-006 EFW-CKV-CF-SGS CCF OF STEAM GENERATOR INLET CHECK VALVES 1.3E-005 EFW-CROSS-CONNECT EFW CROSS CONNECT TO OTHER UNIT AFTER HELB FA 2.6E-001 EFW-PMP-CF-ALL COMMON CAUSE FAILURE OF EFW PUMPS 1.4E-006 EFW-XHE-XM-CONHOT OPERATOR FAILS TO SWITCHOVER TO HOTWELL 1.0E-003 EFW-XHE-XM-XTIE OPERATOR FAILS TO ALIGN EFW FROM ANOTHER UNIT 5.0E-002 EPS-CBL-FC-OH KEOWEE 230KV OVERHEAD SUPPLY FAILS 5.6E-003 EPS-CBL-FC-UG KEOWEE 13.8KV UNDERGROUND STBY SUPPLY FAILS 5.6E-003 EPS-HEU-CF-KEOR COMMON CAUSE FAILURE OF KEOWEE HYDRO UNITS TO 7.2E-004 EPS-HEU-CF-KEOS COMMON CAUSE FAILURE OF KEOWEE HYDRO UNITS TO 1.5E-004 EPS-HEU-FR-KU1 KEOWEE UNIT 1 HYDRO ELECTRIC FAILS TO RUN 3.4E-003 EPS-HEU-FR-KU2 KEOWEE UNIT 2 HYDRO ELECTRIC FAILS TO RUN 3.4E-003 EPS-HEU-FS-KU1 KEOWEE UNIT 1 HYDRO ELECTRIC FAILS TO START 2.3E-003 EPS-HEU-FS-KU2 KEOWEE UNIT 2 HYDRO ELECTRIC FAILS TO START 2.3E-003 EPS-HEU-TM-KEOWE COMMON MAINTENANCE OF KEOWEE HYDRO UNITS 5.2E-004 EPS-HEU-TM-KU1 KEOWEE UNIT 1 HYDRO ELECTRIC UNAVAILABLE DUE 1.4E-002 EPS-HEU-TM-KU2 KEOWEE UNIT 2 HYDRO ELECTRIC UNAVAILABLE DUE 1.4E-002 HPI-MDP-CF-RUN CCF OF HPI PUMPS FOR RCP SEAL COOLING 1.8E-002 HPI-MDP-CF-STRT CCF OF HPI MDPS TO START 3.9E-002 HPI-MDP-FR-B HPI MDP B FAILS TO RUN 7.2E-004 HPI-MDP-FS-B HPI MDP B FAILS TO START 3.0E-003 HPI-MDP-TM-B HPI MDP B UNAVAILABLE DUE TO TEST AND MAINTEN 9.4E-003 HPI-MOV-CC-26 HPI TRAIN A DISCHARGE MOV HP-26 TO LOOP A FAI 3.0E-003 HPI-XHE-XR-MDPB OP FAILS TO RESTORE HPI MDP B 1.0E-003 HPR-MOV-CF-BWST CCF OF HPI/BWST ISOLATION MOVS 3HP-24/25 1.0E-004 HPR-XHE-XM OPERATOR FAILS TO INITIATE PIGGY-BACK HPR COO 2.0E-003 LPR-MOV-CC-16 LPR CLR B OUTLET ISOL MOV LP-16 TO HPI SUCTIO 3.0E-003 LPR-MOV-CC-SMPB SUMP ISOLATION MOV LP20 FAILS TO OPEN 3.0E-003 LPR-MOV-CF-BWST BWST ISOLATION MOVS COMMON CAUSE FAILURES 1.0E-004 LPR-MOV-CF-SUMP CCF OF SUMP ISOLATION MOVS TO OPEN 1.0E-004 LPR-MOV-OO-BWSTB BWST ISOLATION MOV B FAILS TO CLOSE 3.0E-003 LPR-SMP-FC-SUMP REACTOR BUILDING EMERGENCY SUMP FAILURES 5.0E-005 LSW-MDP-CF-U3 CCF OF UNIT 3 LPSW MOTOR DRIVEN PUMPS TO RUN 2.2E-005 LSW-MDP-CF-U3ST CCF OF UNIT 3 LPSW MDP TO START 2.0E-004 LSW-MDP-FR-3A LPSW MDP 3A FAILS TO RUN 7.2E-004 LSW-MDP-FS-3A LPSW MDP 3A FAILS TO START 3.0E-003 LSW-MDP-TM-3B LPSW MDP 3B UNAVAILABLE DUE TO TEST AND MAINT 2.7E-002

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15

SENSITIVE - NOT FOR PUBLIC DISCLOSURE Event Name Description Prob

--------------------------------------------- ---------

LSW-MOV-CC-5 LPI TRAIN B COOLER DISCH ISOL MOV 5 FAILS TO 3.0E-003 LSW-STR-CF-3DS CCF OF UNIT 3 LPSW MDP SUCTION DUPLEX FILTERS 1.5E-005 LSW-STR-CF-3SF CCF OF UNIT 3 LPSW SYSTEM PUMP SEAL WATER FIL 1.5E-005 OEP-XHE-NOREC-1HN OPERATOR FAILS TO RECOVER OFFSITE POWER WITHI 1.2E-001 OEP-XHE-NOREC-2H OPERATOR FAILS TO RECOVER OFFSITE POWER WITHI 6.4E-002 OEP-XHE-NOREC-BDN OPERATOR FAILS TO RECOVER OFFSITE POWER:BATTE 3.7E-001 OEP-XHE-NOREC-SLN OPERATOR FAILS TO RECOVER OFFSITE POWER (SEAL 6.4E-001 PBC-MOV-CF-DHR DHR TO HPI SUPPLY MOVS COMMON CAUSE FAILURES 1.0E-004 PPR-MOV-OO-BLK PORV BLOCK VALVE FAILS TO CLOSE 3.0E-003 PPR-SRV-CO-L PORV/SRVS OPEN DURING LOOP 1.6E-001 PPR-SRV-CO-SBO PORV/SRVS OPEN DURING STATION BLACKOUT 3.7E-001 PPR-SRV-OO-PORV PORV RC66 FAILS TO RECLOSE AFTER OPENING 2.0E-003 PPR-XHE-XM-BLK OPERATOR FAILS TO CLOSE THE BLOCK VALVE 2.0E-003 RCP-AOV-CC-HP31 RCP SEAL COOLING CONTROL AOV FAILS 1.0E-003 RCP-MDP-LK-SEALS RCP SEALS FAIL W/O COOLING AND INJECTION 7.1E-002 RCP-MDP-LK-SEALS1 RCP SEALS FAIL WITHOUT COOLING 1.2E-001 RCP-XHE-XA-HPISEAL OPERATOR FAILS TO ALIGN HPI FOR RCP SEAL COOL 1.0E-003 RPS-VCF-FO-MECH CONTROL ROD ASSEMBLIES FAIL TO INSERT 1.2E-006 SSF-ACU-FS-HVAC2 AIR CONDITIONING UNIT/CHILLER FAILS TO START 1.0E-002 SSF-DGN-FR-SSF SSF DIESEL GENERATOR FAILS TO RUN 3.9E-002 SSF-DGN-FS-SSF SSF DIESEL GENERATOR FAILS TO START 1.3E-002 SSF-DGN-TM-SSF SSF DGN UNAVAILABLE DUE TO T&M 3.1E-002 SSF-MDP-FS-ASW SSF AUXILIARY SERVICE WATER MDP FAILS TO STAR 3.0E-003 SSF-MDP-FS-ASWSUB SUBMERSIBLE PUMP TO ASW MDP SUCTION FAILS TO 3.0E-003 SSF-MDP-FS-SWP SSF DG SERVICE WATER PUMP FAILS TO START 3.0E-003 SSF-MDP-TM-ASW SSF ASW PUMP UNAVAILABLE DUE TO T&M 2.7E-002 SSF-MDP-TM-SWP SSF SERVICE WATER MDP UNAVAILABLE DUE TO T&M 2.7E-002 SSF-MOV-CC-RCM398 SSF RCM DISCHARGE MOV 398 FAILS TO OPEN 3.0E-003 SSF-MOV-CC-RCM52 SSF RCM SUCTION MOV 52 FAILS TO OPEN 3.0E-003 SSF-MOV-CC-RCM97 SSF RCM SUCTION MOV 97 FAILS TO OPEN 3.0E-003 SSF-PDP-FS-RCM SSF REACTOR COOLANT MAKEUP PUMP FAILS TO STAR 3.0E-003 SSF-XHE-XA-ASW OPERATOR FAILS TO INITIATE SSF ASW 3.0E-002 SSF-XHE-XA-RCM OPERATOR FAILS TO INITIATE SSF RCM 1.0E-001 SSF-XHE-XA-SSF OPERATOR FAILS TO INITIATE STANDBY SHUTDOWN F 1.0E-002

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15

SENSITIVE - NOT FOR PUBLIC DISCLOSURE Attachment A:

Description of Event On May 30, 2002, during maintenance activities, the connector on the "Black" phase of the Unit 3 pre-staged emergency HPI pump power supply cable fell off in a maintenance technicians hand when he picked up the cable. Upon further examination, he also identified that the "Red" phase connector was loose. When disassembled, the Black connector was found to be damaged (i.e., socket end spread apart and showing signs of heating). Had it been necessary to operate the Unit 3 HPI pump during the HELB or tornado event recoveries, the two cable connectors would have overheated and likely failed, causing loss of the HPI pump function.

Overheating would have been caused by the lack of mating surfaces between the male and female ends of the connectors and the resulting higher resistance for electrical current flow. The inspectors concluded that both ends of the connector would have to be replaced based on the damage that would likely have occurred. Furthermore, the associated HPI pump motor could have been damaged due to overheating caused imbalance between the three electrical phases or the ASW switchgear protective circuitry could have isolated the HPI motor from the switchgear; also causing a loss of function of the HPI pump.

In addition to correcting the problem in Unit 3, the licensee also inspected the corresponding cable connectors in Units 1 and 2; no further problems were identified. The licensee stated that their root cause determination was still ongoing, although associated PIP O-02-02972 stated that the damage observed on the Black connector was consistent with improper handling or storage of the cable. Based on inspector observations made during the disassembly of the Unit 3 Red and Yellow phase cable connectors on October 10, 2002, the inspectors determined that: (1) because of the connector design, they could only be damaged/loose if they were not properly installed on the cable (i.e., plug end not fully screwed on the socket end of the connector); (2) given the cable storage location, it would be highly unlikely that anyone could damage the cable connectors by standing on them; and (3) because the Unit 3 cable was last used during an operational HPI pump run on April 17, 2000, and there was no other recorded maintenance or use of the cable, the connectors on the Black and Red phases had probably been loose (i.e., held in place, but not screwed on) for a significant period of time and the damage to the Black phase connector occurred during the operational pump run.

Consequently, an apparent violation of Technical Specification (TS) 5.4.1 has been identified for the inadequate installation of the cable connectors.

Standby Shutdown Facility (SSF)

The Standby Shutdown Facility (SSF) functions as a backup to existing safety systems for additional "defense in-depth" protection under extreme emergency conditions. The SSF was not included in the original plant design when the first Oconee Unit began operation in 1973.

Following initial licensing of Oconee, NRC concern increased for issues beyond the traditional accidents analyzed in Chapter 15 of the Oconee Updated Final Safety Analysis Report (UFSAR). In the late 1970's, Duke Energy designed the SSF as an alternate means to achieve and maintain all three Oconee units in Mode 3 following postulated fire, sabotage, or flooding events. The Oconee SSF was made operational in 1986. The SSF was subsequently credited as a source of alternate AC power and decay heat removal during station blackout and tornado event The SSF includes a diesel generator, associated electrical switchgear including the SSF Essential AC Power System, an auxiliary service water (ASW) pump, ASW piping from

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15

SENSITIVE - NOT FOR PUBLIC DISCLOSURE the condenser circulating water piping through the ASW pump to the steam generators, reactor coolant makeup pumps, reactor coolant makeup piping from the spent fuel pools through the makeup pump to the reactor coolant pumps seals, SSF HVAC equipment, and SSF instrumentation and controls.

Technical Specification (TS) 3.10.1 requires the SSF and its subsystems to be operable in modes 1, 2, and 3. One of the functional requirements is to maintain reactor coolant pressure control following an event. Manually controlled PZR heaters (126 kW of PZR heater capacity)

are capable of being powered from the SSF to meet this functional requirement. Per the Bases of the TS, these PZR heaters are considered a support system for the SSF ASW, so an adequate number of these PZR heaters must be OPERABLE for the SSF ASW system to be considered OPERABL However, in PRA modeling of this plant and other similar plants, no credit is taken for operation of PZR heaters for successful decay heat removal by secondary cooling during events such as SBO. Thus, unavailability of PZR heaters does not affect the calculated plant CDF.

At time of discovery, all three Oconee Units were operating at 100 % power with no safety systems or components out of service that would have contributed to this conditio SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15

SENSITIVE - NOT FOR PUBLIC DISCLOSURE Attachment B:

HPI Recovery Consideration The operator recovery actions associated with the loose connector are modeled in two phases:

1.

The operator recognizes that the connectors are loose while mating them in the first place, and tightens them, thus creating a solid connectio This recovery is credible since:

Vendor instructions for the installation of this type of connector specifically state once installed, the connector may be partially unscrewed to allow for alignment during connection. [5]

Thus, the operators are expected to unscrew and tighten the connectors; such an operation is not outside the domain of credibilit Moreover, the licensee position, which is not unreasonable, is that partial loosening does not lead to failur It is possible to expect that the operators will either notice the looseness of the connector while attempting to mate the cable; will loosen and re-tighten the connectors anyway for mating existing looseness will remain but is not sufficient to fail the proper conduction of electricity.

The looser the connector, it will be more likely that the operator will notice it while mating and tighten i On the opposite side, less the amount of looseness is, it is more likely that the conduction will work even if the connector is not further tightened.

The basic event name assigned to operator recognizing and tightening the connector (including the cases where the looseness is not sufficient to fail the conduction process) is labeled HPI-XHE-CO The calculation is provided in SPAR-HRA worksheets, which are summarized below.

2.

If the above action fails, and a highly loose cable is connected, and the current is passed through it to the HPI pump, the cable and/or the connector may be damaged due to heat at the loose connectio Damage to the switchgear and the pump motor are not credible due to protective relays (ground detection relays) that are engineered to protect the equipmen This is also discussed by the licensee in Reference The licensee also provided a repair time of 5.25 hours2.893519e-4 days <br />0.00694 hours <br />4.133598e-5 weeks <br />9.5125e-6 months <br /> in that cas The operator action of failure to repair/replace the damaged cable and/or the connector is labeled as HPI-HXE-REP. The calculation is provided in SPAR-HRA worksheet, which is attached.

For the event sequences with RCP seal LOCA (or LOCA), it is assumed that there will not be enough time to perform this repair, due to long repair time (5.25 hours2.893519e-4 days <br />0.00694 hours <br />4.133598e-5 weeks <br />9.5125e-6 months <br />). The following basic event is used for these sequences:

HPI-XHE-REP-SL = 1.0 A basic event named HPI-XHE-CON-SL is defined for the LOCA sequences, the same way as in HPI-XHE-CON; both of these basic events have the same human error probabilit SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15

SENSITIVE - NOT FOR PUBLIC DISCLOSURE HEP calculations for two human actions are summarized her These HEPs are used for LOOP/SBO; HELB/SBO; and TORNADO/SBO scenario The operator actions for scenarios with RCP Seal LOCA have the -SL extension in their basic event name. HPI-XHE-CON (HPI-XHE-CON-SL for RCP seal LOCA conditions)

This action consists of a diagnosis and action phases; for both phases two PSF are not nominal.

These PSF are:

Stress: Extreme (factor of 5) due to SBO type event occurring; also includes tornado conditions.

Very limited number of safety related equipment may be powered.

Procedures: Available but poor (factor of 5). The connector was observed to be already left loose, and showed signs of heatin It appears that vendor supplied procedures may not be complete in preventing the loose connector failure mode.

Other PSFs are nomina Up to 2.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> are available for the limiting scenario for RCP seal LOCA.

Q1 = 2.5 E-01 HEP for diagnosis.

Same PSF for action phase for looseness being diagnosed but the action for tightening is not carried out (omission).

Q2 = 2.5 E-02 HEP for action.

Total HEP for HPI-XHE-CON = 0.3 HPI-XHE-CON-SL has the same HEP value. HPI-XHE-REP (HPI-XHE-REP-SL for RCP seal LOCA conditions)

For this human action, diagnosis phase is not significant; HPI pump already tripped due to the fault; the cable/connector failure due to heat is easy to detect.

Two PSF are not nomina These PSF are:

Stress: Extreme (factor of 5) due to SBO type event occurring; also includes tornado conditions.

Very limited number of safety related equipment may be powered.

Ergonomics: Poor (factor of 10). Repairs are done in SBO conditions (poor lighting); also includes Tornado conditions.

Eight hours are allocated for HPI to be made operable, following the reactor tri The function of HPI is to make up RCS inventory for unspecified losses of water during this time perio If RCP seal LOCA is in progress, this repair operator action is not credited (HEP for HPI-XHE-REP-SL is 1.0)

Q1 = small

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15

SENSITIVE - NOT FOR PUBLIC DISCLOSURE Q2 = 5 E-02 Total hep for HPI-XHE-REP = 0.05 Summary:

Basic Event HEP PSF Total PSF multiplier HPI-XHE-CON 0.3 Extreme stress; poor procedure

HPI-XHE-REP 0.05 Extreme stress; Poor ergonomics

HPI-XHE-CON-SL 0.3 Extreme stress; poor procedure

HPI-XHE-REP-SL 1.0 Not enough time available before core uncovery N/A Possible Dependence:

Possibility of dependence between two HEPs was discussed. Most likely different teams and some separation between two actions; one is routine connection, other is repair. Independence is postulate Low dependence could be a sensitivity analysi If low dependence exists, HEP for HPI-XHE-REP increases by a factor of 2 to SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15

SENSITIVE - NOT FOR PUBLIC DISCLOSURE Attachment C:

Windowed Events An LER search is made to see if any other events during the exposure time of this condition occurred to potentially aggravate the plant condition, and affect its calculated ASP importanc The search results are given in Table C-1.

There are eight LERs listed in Table 3-The first two are discussed belo LERs 3-6 do not apply to unit LERs 7 and 8 occurred after the current event. An examination of these events indicated that the following two events may be candidates for windowing its impact with that of the current condition being analyzed:

1.

LER 2692002001 dated 03/07/2002 and applicable to Oconee 1, Oconee 2, Oconee 3:

Pressurizer Heat Loss Exceeds Standby Shutdown Facility Powered Heater Capacity An examination of the plants SPAR model shows that during a SBO event, the success of pressurizer sprays is not necessary for decay heat removal by the secondary sid This success criteria is similar to that used in the plant PRA model maintained by the license Therefore inoperable PZR heaters have no impact on plant risk during SBO events, including HELB and TORNADO events, since the PZR heaters are not credited. The boiler-condenser mode provides adequate secondary side heat removal.

2.

LER 2692002002 dated 03/22/2002 and applicable to Oconee 1, Oconee 2, Oconee 3

Potential for Fire to Indirectly Damage Mitigation Component On March 22, 2002, an engineering evaluation identified the potential for an adverse valve actuation during a design basis fire. This valve actuation involves the inadvertent opening of either of two valves in the low pressure injection (LPI) system due to an assumed failure in the valve control circuitry. The opening of either valve would cause the Borated Water Storage Tank (BWST) to empty its contents to the Reactor Building Emergency Sump. The water from the BWST would flood the Reactor Coolant Make-Up (RCMU) Pump resulting in its failure. The RCMU pump supplies reactor coolant pump seal and make-up flow during some design basis fire scenarios.

The Standby Shutdown Facility (SSF) serves as a backup for existing Oconee safety systems to provide an alternate and independent means to achieve and maintain a Hot Standby condition for 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> for all three of the Oconee Units following sabotage, flooding, or a design basis (10CFR50, Appendix R) fire. The lower level of each Unit's Reactor Building contains an SSF Reactor Coolant Make-Up (RCMU) Pump designed to supply Reactor Coolant Pump seal injection flow in the event that the normal make up system (High Pressure Injection) becomes inoperable during an SSF event.

The licensee stated that the likelihood of an actual spurious actuation occurring due to a "smart fire" causing the right two conductors to short together rather than shorting to ground has a very low probability. Furthermore, the licensee calculated the additional contribution to core damage

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15

SENSITIVE - NOT FOR PUBLIC DISCLOSURE frequency resulting from the issue of spurious actuation of LP-19 or LP-20 to be less than 3E-8 per year.

The contribution of this plant condition to the plant risk is deemed to be small since 1.

The initiating event frequency of such a smart fire is small; 2.

The condition affects a backup system (RCMU), but does not affect normal mitigating systems; 3.

Even if the plant risk calculated by the licensee is 100 times worse, leading to a CCDP of 3E-06 (assuming a 1-year exposure time), the conclusions of the report do not change.

Thus, this event is not further analyzed for windowing with the plant condition being studied.

As a conclusion, there are no plant-specific events that need to be windowed with the plant condition being analyze SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15

SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table C-1 LER Search Results

LER Number Event Date Plant Title 2692002001 03/07/2002 Oconee 1, Oconee 2, Oconee 3 Pressurizer Heat Loss Exceeds Standby Shutdown Facility Powered Heater Capacity

2692002002 03/22/2002 Oconee 1, Oconee 2, Oconee 3 Potential for Fire to Indirectly Damage Mitigation Component 2692002003 04/01/2002 Oconee 1 Minor Reactor Pressure Vessel Head Leakage Due to Primary Water Stress Corrosion Cracking of An Alloy 600 Control Rod Drive Nozzle

2702002001 10/03/2002 Oconee 2 Tech Spec Valve Manually Inoperable Due to Mechanical Interference

2702002002 10/15/2002 Oconee 2 Reactor Pressure Vessel Head Leakage Due to Primary Water Stress Corrosion Cracking of Alloy 600 Control Rod Drive Nozzles

2702002003 10/31/2002 Oconee 2 Steam Generator Tube Leak During In-Situ Pressure Test

2872001003 11/12/2001 Oconee 3 Minor Reactor Pressure Vessel Head Leakage From Several Control Rod Drive Nozzle Penetrations Due to Primary Water Stress Corrosion Cracking

2872002001 11/14/2002 Oconee 3 Moisture Separator Reheater Level Results in Reactor Trip

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 50-287/02-15

SENSITIVE - NOT FOR PUBLIC DISCLOSURE Attachment D:

Event Tree and Fault Tree Additions and Modifications Event Tree Pictures:

1.

LOOP 2.

SBO 3.

HLOOP 4.

HSBO 5.

TLOOP 6.

TSBO Fault Tree Pictures:

1.

EPS-H 2.

EPS-T 3.

EFW2-WCC 4.

HPI-SSF (HPI-SSF-SL fault tree is also made; it is the same as HPI-SSF except for two HPI recovery basic events have -SL extension).

Uncertainty Cases:

1.

Conditional Case (run with Latin Hypercube option)

50-287/02-15

SENSITIVE - NOT FOR PUBLIC DISCLOSURE D-1 Process The existing SBO event tree model for Oconee is examined in detail to see if it can be used to model SSF response to HELB and TORNADO events with minimum modification, crediting existing plant features:

i)

HPI operation while supported by SSF (this is added as an event tree node when AC power recovery fails in the SBO event; ii)

EFW cross tie capability to another unit (not credited for TLOOP)

iii)

For TSBO and HSBO, no credit is taken for power recovery.

Otherwise, SSF-ASW is already credited in the secondary cooling event tree node of SBO event tre The RCP cooling function of SSF is already credited in the RCPSL event tree node of SBO event tree as SSF-RCM. The LOOP event tree is basically used to transfer into the SBO event tree (through the failure of EPS event tree node); the other LOOP sequences, where SBO does not happen, do not challenge SSF, and are not affected by the plant condition.

It is observed that the sequence 3 of the SBO event tree is modeled in the base SPAR as core damage (e.g. secondary cooling successful; no RCP seal LOCA; no power recovery before battery depletion, OEP-BD). This sequence may be overly conservative when the SSF is operational and provides secondary cooling and no seal LOCA occur To remove at least some of the conservatism, HPI node is added to this sequence, generating a new success criteria of:

If secondary cooling is successful and no seal LOCA occurs, and HPI through SSF is operational, no core damage is postulate This is consistent with current plant procedures: HELB and tornado event recoveries take credit for the ability to connect a pre-staged 4160 volt alternating current (VAC) emergency power supply cable from the ASW switchgear to an HPI pump after a SBO event (loss of the associated units essential (colored) electrical busses and necessary standby shutdown facility (SSF) functions). Providing power and utilizing an HPI pump in such a fashion is addressed in:

Section 3.2.2 of the Updated Final Safety Analysis Report (UFSAR); Section 4 of Abnormal Procedure AP/0/1700/006, Natural Disaster; and the Blackout Section of EP/1,2,3/A/1800/001, Emergency Operating Procedure. Critical actions to start an HPI pump need to be performed within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> for an HELB event and 9 hours1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br /> for a tornado even A similar treatment is applied to other two event tree top events where AC power recovery is modeled in the base SBO event tree (OEP-1H, and OEP-SL).

First the base case is defined and quantified for LOOP, HLOOP, and TLOOP events, using SAPHIR Then, GEM code is used with the conditional case, with a 8760-hour time period.

D-2 Initiating Events An examination of the SPAR model for SBO event shows that it takes credit for power recovery, whereas power recovery after HELB and Tornado initiating events may not be feasible for long time period The initiating event frequencies for the HELB and Tornado events that can fail all AC busses are taken from the licensee PRA (as used in Reference 1). The HELB frequency is actually referenced back to an USNRC ASP Report (Reference 2). The Tornado frequencies

S 50-287/02-15

SENSITIVE - NOT FOR PUBLIC DISCLOSURE for F2, F3, and F4 tornados are provided by the licensee in reference 1 and check well against generic values.

The initiating event frequencies leading to loss of all AC power (SBO conditions) due to HELB and Tornado events are given as:

IE-HELB = 3.5E-04/ year, IE-TSBO = 4.86E-06 / year.

IE-TSBO is calculated from data in Reference 1 as follows:

Tornado Frequency Switchyard Damage Keowee Damage SBO Frequency F2 5.37E-05 2.89E-01 6.20E-02 9.62E-07 F3 4.12E-05 2.79E-01 1.55E-01 1.78E-06 F4 3.59E-05 2.63E-01 2.24E-01 2.11E-06 Totals =

1.31E-04 4.86E-06 per year 5.55E-10 per hour The LOOP events already modeled in the base SPAR model may also lead to SBO and a challenge of SS Thus, these events must also be studied. The initiating event frequency for LOOP is already calculated as :

IE-LOOP

= 5.25E-06 events/hr * 8760hrs = 4.6E-02 events/year Summary of Initiating Event Frequencies Initiating Event Frequency (per year)

IE-HLOOP =

3.50E-04 IE-TLOOP =[1]

4.86E-06 IE-LOOP =

4.6E-02 Note:

[1] =This value is taken from reference 1, and the calculation is shown in this report. Total tornado (>= F2) frequency is 1.31E-04/yea Those tornado challenges that would cause SBO are given abov Others will not challenge SS /02-15

SENSITIVE - NOT FOR PUBLIC DISCLOSURE D-3 Event Tree Models Three sets of event tree models are developed for LOOP/SBO, HLOOP/HSBO, and TLOOP/TSB These models actually have the same structure, emphasizing the interaction between the SSF and HPI. These event tree models are given in Attachment Four event tree top events are affected by the modeling revisions:

EPS node in LOOP event trees:

Two top events named EPS-H and EPS-T are introduced to transfer HELB and TORNADO events directly to SB These top events contain one-basic event fault trees, with the basic event probability set to failure.

EFW2 in SBO and HSBO event trees:

This is replaced by EFW2-WCC to take credit for cross connecting EFW to another unit.

AC recovery in SBO event trees (OEP-1H, OEP-SL, OEP-BD):

In HSBO and TSBO event trees, no credit is taken for power recover The usual credit is taken in the SBO event tree.

HPI in SBO event trees:

HPI system question is asked when AC recovery fails (after OEP-1H, OEP-SL, OEP-BD) ; the fault tree used for this purpose is named HPR-SS This case models the availability of a single HPI pump train supported by the SSF DG, and injecting into one RCS loo The HPI model is taken from the plant SPAR model and is modified to credit SSF suppor An operator action to connect the HPI to the SSF and water source (if necessary) is introduced.

D-4 Success Criteria The success criteria is taken from SPAR models whenever availabl Changes are discussed belo I)

Sequence Success criteria Given a SBO-type initiating event (HELB, TORNADO) with very small probability of short term recovery of AC power, the event could be successfully mitigated if; Reactor trips; SSF AC power source is made operational; ASW is available and provides secondary heat removal; HPI is operational.

If SSF AC power source fails, then potential cross connect to another unit, and NO LOCA constitutes succes /02-15

SENSITIVE - NOT FOR PUBLIC DISCLOSURE If ASW fails, then potential cross connect to another unit, and NO LOCA constitutes success. If LOCA occurs, success of HPI powered by SSF constitutes success (one pump to one loop).

If small LOCA occurs (RCP seal LOCA, or pressurizer valve LOCA), one HPI pump supported by the SSF and feeding the RCS, plus the operation of ASW pump are sufficient for success.

II)

Event Tree Node Success Criteria The RPS, SSF and HPI systems are modeled in the event tre Whenever an applicable fault tree exists in SPAR model, it is used.

The following fault trees are taken from SPAR model, or are quantified from an existing SPAR model with SBO conditions imposed on them, as needed:

EFW2-WCC (Made from EFW2 with credit for cross connect)

HPI-SSF (Made from HPI2 FT - Uses the success criteria one HPI pump feeding 1 cold leg; the same as the success criteria in plant IPE)

D-5 Data Data is taken from multiple sources; first source is SPAR model If data exists in SPAR model and is applicable, it is use The data sources are:

1.

SPAR Models; 2.

Reference 1 (takes initiating event data from the licensee PRA)

3.

Reference 2 4.

Reference 3 D-6 Quantification The HELB and TORNADO cases are quantified using SAPHIRE and GEM codes by configuring cases for the A E-16 cutoff probability is use The results are given in the main body of the report.

First the base case is quantified in SAPHIR In this case, HPI recovery HEPs are set equal to zero, since HPI is not assumed failed by the plant condition.

The results are saved as the base cas Then GEM code is run with this base case, and a conditional case, with the following conditions to simulate failure of HPI and credit HPI recovery:

0.3 HPI-XHE-CON 0.3 HPI-XHE-CON-SL 0.05 HPI-XHE-REP HPI-XHE-REP-SL

50-287/02-15

SENSITIVE - NOT FOR PUBLIC DISCLOSURE These basic event changes model failure of HPI and its failure to recover by operator actions.

D-7 Uncertainty Analysis An uncertainly analysis based on the distributions specified in the input basic event values is mad The results are reported in Attachment The results indicate that the ratio of the 95%

to the mean value is about a factor of 3.3, which is in the expected range for plant CD There is no additional insight resulting from this analysi E 50-287/02-15

NSITIVE - NOT FOR PUBLIC DISCLOSURE HP R HIGH PRESSURE RE CIRCULATION DHR DECAY HEAT REMOVAL COOLDOWN RCS COOLDOWN FOR DHR SGCOOL SECONDARY COOLING RECOVERED OEP-6H OFFSITE P OWER REC W /IN 6 HRS FAB1 FEED AND BLEED HPI HIGH PRESSURE INJECTION OEP-2H OFFSITE P OWER REC W /IN 2 HRS RCPS L1 RCP SE ALS SURV IVE LOOP PORV3 PORV/S RVs ARE CLOSED EFW 1 EMERGENCY FEE DWA TE R SY STEM EPS EME RGENCY AC POWE R RPS REACTOR TRIP IE-LOOP LOSS OF OFFSITE P OWER

END-STATE

OK

OK

CD

OK

CD

CD

OK

CD

CD

OK

CD

CD

OK

OK

CD

OK

OK

CD

CD 20 T SBO

CD SGCO OL1 HPR1 HPI2 HPI2 HPR1 HPR1 LOOP - Oconee 1,2, & 3 PWR D loss of offsite power 2004/07/29

50-287/02-15 S

SENSITIVE - NOT FOR PUBLIC DISCLOSURE HPR HIGH PRESSURE RECIRCULATION DHR DECAY HEAT REMOVAL COOLDOW N RCS COOLDOW N FOR DHR FAB FEED AND BLEED HPI HIGH PRESSURE INJECTION OEP-BDN OFFSITE POWER RECOVERY BEFORE OEP-SLN OFFSITE POWER REC DURING RCPSL RCP SEALS SURVIVE SBO OEP-1HN OFFSITE POWER RECOVERY PORV4 PORV/SRVs ARE CLOSED EFW2-WCC EMERGENCY FEEDW ATER WITH CROSS CONNECT EPS FAILURE OF EMERGENCY POWER

END-STATE

OK

OK

OK

CD

OK

OK

CD

OK

CD

CD

OK

CD

OK

CD

CD

CD

OK

CD COOLDOWN1 SBO - Oconee 1,2, & 3 PWR D station blackout 2004/07/29

E 50-287/02-15

NSITIVE - NOT FOR PUBLIC DISCLOSURE HPR HIGH PRESS URE RECIRCULA TION DHR DECA Y HEAT REMOVAL COOLDOWN RCS COOLDOWN FOR DHR SGCOOL SECONDARY COOLING RE COVE RED OEP-6H OFFSITE POWER RE C W/IN 6 HRS FAB1 FEED AND BLE ED HPI HIGH PRE SSURE INJECTION OEP-2H OFFS ITE POWER REC W/IN 2 HRS RCPSL1 RCP SEALS SURVIVE LOOP P ORV3 P ORV/SRVs A RE CLOS ED EFW 1 EMERGENCY FEEDWA TE R SYSTEM E PS-H E MERGENCY A C POWER RPS REACTOR TRIP IE-HELB LOSS OF OFFSITE POW ER DUE TO HE LB

END-STATE

OK

OK

CD

OK

CD

CD

OK

CD

CD

OK

CD

CD

OK

OK

CD

OK

OK

CD

CD 20 T HSBO

CD SGCOOL1 HPR1 HPI2 HPI2 HPR1 HPR1 HLOOP - LOOP EVENT TREE FOLLOWING HELB EVENT 2004/07/29

50-287/02-15

SENSITIVE - NOT FOR PUBLIC DISCLOSURE HPR HIGH PRESSURE RECIRCULATION DHR DECAY HEAT REMOVAL COOLDOWN RCS COOLDOWN FOR DHR FAB FEED AND BLEED HPI HIGH PRESSURE INJECTION OEP-BD OFFSITE POW ER RECOVERY BEFORE OEP-SL OFFSITE POWER REC DURING RCPSL RCP SEALS SURVIVE SBO OEP-1H OFFSITE POW ER RECOVERY PORV4 PORV/SRVs ARE CL OSED EFW2-WCC EMERGENCY FEEDW ATER WITH CROSS CONNECT EPS-H FAILURE OF EMERGENCY POWER

END-STATE

OK

OK

OK

CD

OK

OK

CD

OK

CD

CD

OK

CD

OK

CD

CD

CD

OK

CD COOLDOWN1 HSBO - SBO EVENT TREE AFTER HELB 2004/07/29

50-287/02-15

SITIVE - NOT FOR PUBLIC DISCLOSURE HPR HIGH PRE SSURE RECIRCULATION DHR DECAY HEAT REMOVA L COOLDOW N RCS COOLDOW N FOR DHR S GCOOL S ECONDARY COOLING RECOVERED OEP-6H OFFSITE POWER REC W/IN 6 HRS FAB1 FEED AND BLEE D HPI HIGH PRESSURE INJ ECTION OEP-2H OFFSITE POWER REC W/IN 2 HRS RCPSL1 RCP SEALS SURVIVE LOOP PORV3 PORV/SRVs ARE CLOSED EFW1 EMERGENCY FE EDW ATER SYSTEM EP S-T EM ERGENCY AC POW ER RP S RE ACTOR TRIP IE-TORNADO LOSS OF OFFSITE POWER DUE TO

END-STATE

OK

OK

CD

OK

CD

CD

OK

CD

CD

OK

CD

CD

OK

OK

CD

OK

OK

CD

CD 20 T TSBO

CD SGCOOL1 HPR1 HPI2 HPI2 HPR1 HPR1 TLOOP - LOOP EVENT TREE FOLLOWING TORNADO 2004/07/29

50-287/02-15

IVE - NOT FOR PUBLIC DISCLOSURE H PR H IG H PRESSURE R ECIRC ULATIO N DHR DECAY HEAT REMOVAL COO LDOW N RCS COO LDOW N FOR D HR F AB F EED AND BLEED HPI HIGH PRESSURE INJECTIO N OEP-BD OFF SITE POW ER RECOVERY BEFO RE O EP-SL O FFSITE POW ER REC DU RIN G RCPSL RCP SEALS SU RVIVE SBO O EP-1H O FFSITE PO W ER R ECO VERY PORV4 PORV/SRVs ARE CLOSED EF W EMERGENCY FEED W AT ER NO CROSS CONN ECT EPS-T F AILURE OF EMERGENCY POW ER

EN D-STATE

OK

OK

OK

CD

OK

OK

CD

OK

CD

CD

OK

CD

OK

CD

CD

CD

OK

CD CO OLDOW N1 TS BO - SBO EVENT TR EE FOLL OW ING TORNADO 2004/07/29

E 50-287/02-15

NSITIVE - NOT FOR PUBLIC DISCLOSURE EPS-H TRUE XX-EPS-H EPS-H EPS FAILS FOLLOWING A HELB EVENT THAT AFFECTS ALL 3 BUSSES EPS-H -

2004/06/29 Page 42

E 50-287/02-15

VE - NOT FOR PUBLIC DISCLOSURE EPS-T TRUE XX-EPS-T EPS-T EPS FAILS DUE TO A TORNADO EVENT THAT CAUSES SBO CONDITIONS AT THE PLANT EPS-T -

2004/06/29 Page 45

50-287/02-15 50-269/02-15

SNSITIVE - NOT FOR PUBLIC DISCLOSURE EFW2-WCC

EFW 2.6E-1 EFW-CROSS-CONNECT NO OR INSUFFICIENT EFW FLOW DURING SBO NO OR INSUFFICIENT EFW FLOW TO SGs EFW CROSS CONNECT TO OTHER UNIT AFTER HELB FAILS EFW2-WCC -

2004/06/29 Page 36

50-287/02-15

S HP I-SSF-SYS 1.0E-4 HPI-CKV-CC-3LP61 1.0E -5 HPI-CKV-CF-DISAB 5.8E-6 HP I-CK V-CF-PMP S 1.0E-5 HP I-CKV -CF-SUCT 1.0E-4 HP I-MOV-CF-SUCT 1.3E-6 HPI-T NK-VF-B WST 6.5E -6 HPI-CK V-CF-DISCL HPI-CLHDR-F HPI-CLHDRA 1-F 1.0E -4 HPI-CK V-CC-487 HPI-CLHDRA1-PMPS -F HP I-TRNA-F LW -F HPI-MDPAS UP-F HPI-MDP ASUP1-F

ACP -3TC HPI-MDPAS UP ALT-F FA LSE HPI-MOV-OC-98

ACP-3TD

HPI-TRNA -F HPI-TRNB-FLW-F HPI-MDPBSUP-F HP I-MDPB SUP1-F FALS E HPI-MOV-OC-98

ACP-3TC HPI-MDP BSUPALT -F

A CP -3TD

HP I-TRNB-F -SSF HP I-CLHDRA2-F 1.0E-4 HP I-CKV -CC-486 HPI-CLHDRA 2-PMPS -F HP I-TRNA-FLW-F HPI-TRNB-FLW -F HP I-CLHDRB1-F 1.0E-4 HP I-CK V-CC-488 HPI-MDPCSUP-F HPI-MDP CS UP1-F 3.0E-3 HP I-MOV-CC-25

A CP-3TD HP I-MDP CSUPA LT -F 3.0E -3 HPI-MOV-CC-24 F ALSE HP I-MOV-OC-98

A CP -3TC

HPI-TRNC-F HP I-CLHDRB2-F 1.0E-4 HPI-CKV -CC-489 HP I-MDPCSUP-F

HPI-TRNC-F 1.0E-4 HPI-CK V-CC-102 1.0E-4 HPI-CKV-CC-101 1.0E-4 HPI-CK V-CC-102 3.0E-3 HPI-MOV-CC-25 3.0E-3 HP I-MOV -CC-24 1.0E -4 HPI-CK V-CC-101 3.0E -3 HP I-MOV -CC-24 1.0E-4 HPI-CKV-CC-101 3.0E-3 HPI-MOV-CC-25 1.0E -4 HP I-CK V-CC-102 HPI-SSF -FAILS 5.0E-2 HP I-XHE-REP HPI-OPA -RE COV 3.0E-1 HPI-X HE-CON HPI-S SF 111 SE ALLOCA-S SF W ATER SUPPLY PATH A ISO LATION VAL VES FAILS W ATER SUPL Y PATH B ISO LAT ION VAL VE FAIL URES W ATER SUPPLY TO HPI TRAIN C FAILS WAT ER SUPPL Y TO HPI TRAIN C FAILS WATER SUPPL Y PATH B ISOLATION VALVE F AILURES W ATER SUPPLY PATH A ISO LATION VAL VE FAIL URES W ATER SUPPL Y TO HPI TRAIN B FAIL S HPI MDP A F LOW INTO CO LD LEGS FAIL URES HPI MDP A FLOW INTO CO LD LEGS FAIL URES HPI MDP B FLOW INTO COLD L EGS FAILURES HPI M DP B FL OW INTO COL D L EGS FAIL URES W AT ER SUPPLY TO HPI T RAIN A FAIL S FAIL URE OF HPI MDPs TO COL D L EG 3 A2 FAILURE OF HPI MDPs TO CO LD L EG 3A1 NO OR INSUFF ICIENT FLOW INTO COLD L EG 3B2 NO OR INSUFF ICIENT FLOW INTO COLD L EG 3B1 NO OR INSUFF ICIENT FLOW INTO COLD L EG 3 A2 NO O R INSUFFICIENT FL OW INT O COLD L EG 3 A1 FAILURE TO PROVIDE SUF FICIENT FL OW INT O CO LD LEGS W ATER SUPPLY PATH A ISO LATION VAL VE F AIL URES W AT ER SUPPL Y PATH B ISOL ATION VALVE FAILURES HPI M DP A FAILURES HPI TRAIN C FAILURES HPI TRAIN C FAIL URES HPI TRAIN B F AILURES NO OR INSUFF ICIENT FL OW FROM THE HPI SYSTEM L OSS O F AC POW ER ON BUS 3T D L OSS OF AC POW ER ON BUS 3TD L OSS OF AC POW ER ON BUS 3TD L OSS OF AC POW ER ON BUS 3TC LOSS OF AC POWER O N BUS 3 TC L OSS OF AC POW ER ON BUS 3TC FAIL URE OF COLD L EG CKV HP-4 88 FAILURE OF COL D LEG CKV HP-48 9 F AIL URE OF COLD L EG CKV HP-4 87 FAIL URE OF CO LD L EG CKV HP-4 86 CCF OF DISCHARGE CHECK VAL VES F ROM HPI PUMPS CCF OF HPI COL D LEG DISCH CHECK VALVES CCF O F HPI MDPs DISCHARGE CKECK VAL VES Vacu um-Brea ke r Va lv e 3L P-6 1 Fails to Ope n HPI SUCTION M OV HP-98 FAILS HPI SUCTION M OV HP-98 FAILS HPI SUCT IO N M OV HP-98 FAILS HPI M DP A SUCTION MOV HP-2 4 FAIL S TO OPEN HPI MDP B SUCTION M OV HP-25 FAILS TO OPEN BW ST FAIL S TO PROVIDE SUF FICIENT W ATER HPI SUCTION ISOL M OV COM MON CAUSE FAIL URES CCF OF HPI SUCTION CHECK VALVES HPI TRAIN B SUCTION CKV HP-10 2 FAIL S TO OPEN HPI T RAIN A SUCT ION CKV HP-1 01 FAILS TO OPEN HPI TRAIN B SUCTION CKV HP-10 2 FAIL S TO OPEN HPI MDP B SUCTION MOV HP-2 5 FAIL S TO OPEN HPI MDP A SUCTION M OV HP-24 FAILS TO OPEN HPI TRAIN A SUCTION CKV HP-10 1 FAIL S TO O PEN HPI MDP A SUCT IO N MOV HP-24 FAILS TO OPEN HPI TRAIN A SUCTIO N CKV HP-10 1 F AIL S T O OPEN HPI MDP B SUCTION MOV HP-2 5 FAIL S TO OPEN HPI TRAIN B SUCTION CKV HP-10 2 FAIL S TO O PEN HPI-SSF FAIL S HPI RECO VERY FAILURE AFTER HELB/TORNADO AND CONNECT. FAILU HPI CONNECTION TO SSF FAILS DUE T O PL ANT CONDITION OP FAILS TO RECOGNIZE L OOSE CO NNECTOR THUS FAILING TO TIGH FAIL URE TO PRO VIDE RCS MAKEUP AFTER SBO - NO LO CA CONDITIONS RCM MAKEUP BY SSF REACTOR COO LANT MAKEUP SYSTEM FAILS HPI-SSF - NO OR INSUFFICIENT FLOW FROM THE HPI SYSTEM 2004/09/02 Page 55

50-287/02-15

35NSITIVE - NOT FOR PUBLIC DISCLOSURE

Retrieved from "https://kanterella.com/w/index.php?title=IR_05000287/2002015&oldid=4289969"