IR 05000317/2004008

Final Precursor Analysis - Calvert Cliffs 2, LER 318/04-001-00; IR 05000317-04-008 and 05000318-04-008 - Excessive Steam Demand - Reactor Trip Due to Low Steam Generator Water Level After Feed Pump Trip
ML062710050
Person / Time
Site: Calvert Cliffs
Issue date: 06/01/2006
From: Demoss G
NRC/RES/DRASP/DDOERA/OEGI
To:
References
IR-04-008, LER 04-001-00


Text

LER 318/04-001

Final Precursor Analysis
Accident Sequence Precursor Program -- Office of Nuclear Regulatory Research

Calvert Cliffs 2: Excessive Steam Demand - Reactor Trip Due to Low Steam Generator Water Level After Feed Pump Trip
Event Date: 1/23/2004
LER 318/04-001-00; IR 05000317/2004008 and 05000318/2004008
CCDP = 4.0 x 10^-6
June 1, 2006

Event Summary

At 3:26 pm on January 23, 2004, Calvert Cliffs Nuclear Power Plant (CCNPP) Unit 2 tripped from 100 percent power, initiated by the Reactor Protective System due to low steam generator water level caused by an erroneous overspeed trip signal on 22 Steam Generator Feed Pump (SGFP). The control room operator could not reset the SGFP, and the reactor was scrammed upon an automatic reactor trip signal. The Turbine Bypass Valves (TBVs) and Atmospheric Dump Valves (ADVs) opened as designed, but the quick open signal did not clear due to the failure of a relay in the reactor regulating circuit. The open valves (turbine bypass and atmospheric dump) resulted in overcooling of the Reactor Coolant System (RCS) and also generation of a Safety Injection Actuation Signal (SIAS) and a Steam Generator Isolation Signal (SGIS).

About three minutes after the reactor trip, both Main Steam Isolation Valves (MSIVs) were shut upon receipt of an SGIS, isolating steam flow through the TBVs and thereby slowing the rate of RCS cooldown. Approximately six minutes later, the operations crew could take control of the ADVs through the Auxiliary Shutdown Panel, terminating the RCS overcooling and depressurization. During the recovery, a large insurge of subcooled water, caused by full charging with a relatively high RCS heatup, cooled the pressurizer, lowering the RCS pressure to produce a second SIAS. The following summarizes the sequence of actions on January 23, 2004, leading to the event from Unit 2 operating at 100 percent power:

  • 3:26 pm: 22 Steam Generator Feed Pump (SGFP) tripped on overspeed.
  • The Reactor Operator (RO) attempted to reset 22 SGFP but failed to achieve normal operation (three attempts to reset the SGFP controls).
  • 3:27 pm: The RO manually tripped the reactor when the conditions for Steam Generator (SG) level warranted and entered Post Trip Immediate Actions EOP-0 (subsequent analysis of the performance of the reactor protection system indicated that the reactor tripped automatically 1 second prior to the insertion of the manual trip signal).
  • Upon reactor trip, the quick open signal (footnote 1) opened the TBVs and ADVs, but these valves were not closed due to the persistent signal as a result of the K7 relay failure.
  • The open TBVs and ADVs caused an excessive steam demand (footnote 2) that rapidly overcooled the RCS and the Main Steam System.
  • 3:28 pm: The SG levels were lowered and the Auxiliary Feedwater Actuation Signal (AFAS) caused 21 and 23 AFW Pumps to start.
  • The RCS pressure decreased to SIAS setpoint which caused the signal to automatically start standby safety systems, including 2A & 2B Diesel Generators, 21 & 23 High Pressure Safety Injection (HPSI) Pumps, 21 & 22 Low Pressure Safety Injection (LPSI) Pumps, and 21 & 22 Containment Spray (CS) Pumps.
  • The SIAS caused RCS letdown to be isolated, and the operating crew secured two reactor coolant pumps for procedure requirements for receipt of a SIAS signal.
  • 3:29 pm: The SG pressure decreased to SGIS setpoint, causing both MSIVs to close automatically.
  • 3:36 pm: The operating crew transferred control of the ADVs to the Auxiliary Shutdown Panel where the quick open signal was removed and the steam flow was subsequently throttled, thereby terminating the RCS overcooling and depressurization.
  • The pressurizer level trended up due to post-trip decay heat, RCP heat input, and full charging pump operation with letdown isolated.
  • A second SIAS signal was received during the recovery phase.

Footnote 1: The quick open signal is generated by the Reactor Regulating System and serves to momentarily fully open the TBVs and ADVs when the reactor trips, provided that the RCS average temperature (Tave) is greater than 557°F.

Footnote 2: Each of the four TBVs is sized to pass 10% of the steam flow for a total of 40%, and each of the two ADVs is sized to pass 2.5% of the steam flow for a total of 5%. Therefore, the excessive steam demand was equivalent to 45% of the steam flow.

A more detailed chronology of the events can be found in Appendix A, and References 1 and 2.

Cause. The root causes of the Calvert Cliffs Unit 2 Reactor Trip and the associated failures or malfunctions are as follows [1, 2]:

  • The trip of 22 SGFP was caused by degradation of voltage from the power source supplying the digital speed monitor which generated an erroneous trip signal to the SGFP controls trip circuit. The voltage degradation was caused by corrosion on the contact surfaces of the power supply fuse due to high humidity in the control cabinet. All fuses and fuse holders in the Units 1 and 2 SGFP control cabinets were replaced.

  • The inability to reset and start 22 SGFP was determined to have resulted from a shift in the mechanical calibration of the Electric to Hydraulic (E/H) Converter. The specific cause of the shift has not been identified in Reference

Footnote 3: The LOMFW event tree was used in lieu of the general transient (i.e., TRANS) event tree, because the loss of 22 SGFP led to SG low level which necessitated a reactor trip.

Footnote 4: The failure of the K7 relay is not directly included in the revised SPAR model; however, a basic event for excessive steam demand which results from the relay failure has been included in the model to enable the assessment of the risk impact.

When the reactor tripped, the TBVs and ADVs opened to the full-open position upon receipt of the quick open signal provided to the valves, thereby relieving stored energy in the secondary and primary systems for a short period. However, the TBVs and ADVs did not re-close automatically because of the contacts sticking closed in the K7 relay.

  • The failure to re-close the TBVs and the ADVs was caused by a normally open contact sticking closed in the K7 relay of the Reactor Regulating System (RRS). The root cause of this failure has been identified as an under-rated K7 relay (i.e., the K7 relay contacts are rated for 29 VDC, but were installed in a 125 VDC circuit).

Recovery Opportunity. If the operators had correctly diagnosed the cause of the excessive steam demand within a relatively short time (e.g., 10 to 30 minutes depending on the specific sequences, such as functioning of MSIVs or control rods) and switched to the alternate channel of the Reactor Regulating System (RRS) [2] after failure of the RRS Channel X, the ADVs and TBVs would have properly controlled reactor temperature and terminated the uncontrolled cooldown. However, it is believed that the cause (i.e., the under-rated condition of the K7 relay) could not have been easily diagnosed in such a short time and under a stressful situation. Furthermore, CCNPP did not have an off-normal procedure for failure of the RRS, and as a result, no credit is taken for the availability of the alternate channel.

Condition Duration. The K7 relay of the Reactor Regulating System successfully functioned when the reactor tripped on May 28, 2003. Based on licensee review, the K7 relay contacts would have failed to open on the next relay actuation, following the May reactor trip [1,2]. There were no other demands or tests which would have demonstrated whether the quick open function was operational from May 28, 2003, until the reactor trip on January 23, 2004, when the RRS relay failure was identified by a self-revealing event. Therefore, the K7 relay was in failure condition for a period of 240 days (May 28, 2003 ~ January 23, 2004).

Other concurrent or windowed events. No other significant operating events existed at Calvert Cliffs 2 while the K7 relay was inoperable according to the LER Search Database.

Analysis Results

Importance

Two different types of analyses were performed to evaluate the impact of the inoperable K7 relay and the associated excess steam demand event on plant risk: a) initiating event assessment and b) condition assessment. The initiating event assessment was carried out using the event tree for loss of main feedwater (i.e., LOMFW) (footnote 3) with the failure of the K7 relay. This relay failure has a negative impact on all the potential accident scenarios (footnote 4) including activation of the quick open signal for the TBVs and the SG ADVs; however, the K7 relay and the associated excessive steam demand are not included in the SPAR model for Calvert Cliffs [3]. Therefore, all the event trees other than those for irrelevant initiating events (i.e., large LOCA and medium LOCA) have been modified to properly evaluate the risk impact associated with the excessive steam demand. The modified LOMFW event tree projects an initiating event assessment CCDP of 4.0 x 10^-6 for the ESD event. The uncertainty distribution for the CCDP is given below.

CCDP (Calvert Cliffs 2): 5% = 2.2E-7; Mean = 4.1E-6; 95% = 1.5E-5

Condition assessment also has been conducted by assuming that the K7 relay of the Reactor Regulating System was in failure condition for 240 days, based on the finding discussed in the Special Inspection Report [2]. The condition assessment for the excessive steam demand event yields a CCDP of 1.2 x 10- As the initiating event assessment yields a higher CCDP than the condition assessment, the discussion below is focused on the former.

Dominant Sequences

The dominant core damage sequences resulting from LOMFW in this analysis are Sequence 51 (50.0% of the total CCDP) and Sequence 34 (47.5%). The LOMFW event tree with these dominant sequences highlighted is shown in Figure 1 (Appendix B).

The events and important component failures in LOMFW Sequence 51 are:

  • Loss of main feedwater occurs,
  • Reactor trip fails, and
  • Excessive steam demand occurs.

The events and important component failures in LOMFW Sequence 34 are:

  • Loss of main feedwater occurs,
  • Reactor trip succeeds,
  • Excessive steam demand occurs,
  • Both MSIVs are closed,
  • Steam generator cooling fails, and
  • Once through cooling fails.

Results Tables

  • The conditional core damage probabilities for the dominant sequences are shown in Table 1.
  • The event tree sequence logic for the dominant sequences is presented in Table 2a.
  • Table 2b defines the nomenclature used in Table 2a.
  • The most important cut sets for the dominant sequences are listed in Table 3.
  • Definitions and probabilities for modified or dominant basic events are provided in Table 4.

Modeling Assumptions

Analysis Type

The Revision-3-Plus of the Calvert Cliffs Standardized Plant Analysis Risk (SPAR) model [3] was used for this assessment. The SPAR Revision-3-Plus does not model the excessive steam demand, and therefore, the SPAR model has been modified to enable the risk evaluation of the ESD event. These modeling updates are discussed below in detail. Subsequent to the updating of the SPAR model, both initiating event assessment and condition assessment have been performed to evaluate the risk impact of the K7 relay failure and the resulting ESD event. In the initiating event assessment, the actual reactor scram in the midst of the K7 relay failure was evaluated using the LOMFW event tree; the generation of the initial SIAS was also accounted for in this assessment. On the other hand, the condition assessment was performed for the failure condition of the K7 relay for 240 days with consideration of all potential initiating events as mentioned earlier.

Modeling Assumptions Summary

Key modeling assumptions. The key modeling assumptions are listed below and discussed in detail in the following sections. These assumptions are important contributors to the overall risk.

  • The operators would not be able to diagnose the cause of the excessive steam demand because of the complicated nature of the cause and the relatively short time available in the midst of the stressful situation. Therefore, the alternate RRS channel [2] is not given credit.

  • The K7 relay of the Reactor Regulating System successfully functioned when the reactor tripped on May 28, 2003. However, the under-rated relay would have failed to open the next time the relay de-energized following the May reactor trip [2]. Therefore, in the condition assessment that was compared with the initiating event assessment, the K7 relay was assumed in failure, from the last successful function until this event on January 23, 2004 (i.e., 240 days).

  • The function of the TBVs and ADVs following turbine trip is modeled together in the event trees by the top event of excessive steam demand to evaluate the risk impact of the K7 relay failure. Closure of the MSIVs isolates steam flow from the steam generators to the TBVs. Therefore, the impact of the open TBVs on the plant was modeled by specifically accounting for all the possible functional states of the MSIVs upon reaching SGIS setpoint, namely: (1) both MSIVs successfully close, (2) only one MSIV successfully closes, and (3) no MSIV closes. On the other hand, the impact of the open ADVs on the plant was considered along with the MSIV states in evaluating the available time for the operator to carry out once through cooling.

    Footnote 5: If wide range SG level in both SGs is less than -350 inches or the RCS cold leg temperature (i.e., TC) rises uncontrollably 5°F or greater, the emergency operating procedures (e.g., Contingency Action 9.1 of the Loss of All Feedwater Recovery Guideline) instruct the operators to establish RCS heat removal via once-through-cooling.

  • When both MSIVs are closed upon SGIS, the steam demand is only from open ADVs (5% of the total steam flow) and the failure of AFW (i.e., SG cooling) would necessitate OTC. In this case, the operators must initiate OTC upon recognition of lowering SG levels (due to no MFW and AFW) prior to SG dryout and subsequent RCS pressure rise to greater than the HPSI shutoff head. The operator performance in this case is modeled in terms of human error event OTC3 as shown in Figure 1 of Appendix B. The plant behavior as predicted by the thermal-hydraulic (T/H) analyses for similar conditions was considered in developing the associated sequence modeling and estimating the human error probability for OTC3. The T/H analyses by both the plant simulator and the plant-specific RELAP-5 model for Calvert Cliffs are discussed in Appendix C, and the human performance modeling by the SPAR-H method [4] in Appendix D.

  • When only one MSIV closes upon SGIS, the operators first should block the AFW flow path to the affected steam generator (i.e., with the associated MSIV failing open) and then ensure that the RCS heat is properly removed by the AFW flow into the intact steam generator with the steam removed through the ADVs. Based on a review of the T/H analyses (Appendix C) for similar situations, it was assumed that core damage could be prevented if secondary cooling is established whether or not the affected SG is blocked. Further, it was also assumed that the performance requirements for operator action would be almost the same regardless of success or failure of blocking the affected SG. As a result, the two operator actions for OTC given blocking success or failure of the affected SG were modeled in terms of an identical human error event (i.e., OTC4). The estimation of the human error probability for OTC4 is discussed in Appendix D.

  • Where both MSIVs fail to close upon SGIS, a review of the detailed plant-specific T/H analyses performed for this case indicates that core damage can be prevented as long as SG cooling is properly established (e.g., by motor-driven AFW flow into a SG). In this case, the results of the RELAP-5 runs show that SG level will first drop rapidly due to release of the large amount of steam through the open valves (i.e., TBVs and ADVs), but will increase to the normal level in about one and a half hours as a result of the AFW flow due to the decreasing core heat. Consequently, the RCS temperature suddenly drops due to the overcooling caused by the ESD, but stays low as a result of the effective SG cooling (Appendix C). In addition, the results from the plant simulator also point out the effectiveness of the AFW flow under these circumstances (Appendix C).

    In light of these plant-specific T/H analyses, credit was taken for the motor-driven AFW pumps, but not for the turbine-driven AFW pumps because of insufficient steam pressure to drive them under these circumstances. If both motor-driven AFW pumps (i.e., AFW MDP-13 and MDP-23) or associated flow paths are unavailable for operation, the plant operators need to initiate OTC; this operator action is modeled by human error event OTC5 (Appendix D). Finally, also note in this case that credit was not taken for an interlock signal for closure of all the TBVs upon loss of condenser vacuum, nor for the operator intervention to close the TBVs and/or ADVs, based on the following insights from a review of the T/H runs (Appendix C):

    a) The plant simulator runs indicate that wide range SG level in both SGs is expected to drop below -350 inches within 10 minutes, and as a result, OTC will have to be initiated before the main condenser loses vacuum. The loss of condenser vacuum supposedly will take at least half an hour according to an ex-SRO (senior reactor operator) at Calvert Cliffs.

    b) The RELAP-5 runs predict that only a small amount of steam will be released through the TBVs after 10 minutes into the ESD event, and as a result, the operator intervention to close the TBVs (which is unlikely to happen before 10 minutes into the ESD event) is not expected to significantly change the potential outcome of the event.

  • In the cases where an anticipated transient without scram (ATWS) occurs in concurrence with an excessive steam demand (especially given that the cause of the ESD is unknown to the operators), it is conservatively assumed that core damage will result. The reason for this conservative assumption is as follows:

    a) The operators might be able to manually trip the reactor by injecting boric acid into the core in the event of mechanical rods failure, provided that the core was not at the beginning of the fuel cycle and the operators were not in a very stressful situation due to other co-existing or on-going failures.

    b) However, it is expected that the operators would be subjected to extremely high stress in a very rapidly developing accident caused by the simultaneous occurrence of an ATWS and an excess steam demand (due to the K7 relay failure, unknown to the operators during the event).

    Therefore, even though credit is taken for the operator recovery action to inject borated water into the core in the specific case where the RPS failed due to immovable control rods during a fuel cycle other than the early stage, the incorporation of this recovery action is not expected to have significant impact on the conditional core damage probability.

  • The reactor vessel is subjected to a pressurized thermal shock (PTS) when an extended cooling transient to the vessel wall is accompanied by system pressurization. According to PTS experiments, a crack may initiate and propagate entirely through the vessel wall, involving large openings in the reactor vessel and also significant additional deformation of the vessel. However, there currently is an incomplete understanding concerning the progression of an accident following a postulated PTS-induced vessel failure. In light of the uncertainty about the PTS occurrence and also the subsequent accident propagation, especially given lack of the plant-specific probabilistic fracture mechanics for the ESD event, a check was made to see how much impact the occurrence of a potential PTS will have on the likelihood of the two most dominant scenarios, i.e., Transient Sequence 51 and SGTR Sequence 38, shown in Figures 2 and 3, respectively. These scenarios contribute about 25% and 15% to the event CCDP (Table 1). The examination of these scenarios indicates that the likelihood of these dominant scenarios is essentially insensitive to the potential occurrence of a PTS during the event progression:

    a) First, consider Transient Sequence 51 where a transient occurs followed by failure of a reactor trip and occurrence of an excessive steam demand. In this case, core damage was already assumed in the sequence modeling for this event assessment (see Figure 2). Therefore, this sequence modeling is still valid even if the core damage is caused by occurrence of a PTS in the midst of the ATWS and ESD conditions.

    b) Second, consider the SGTR Sequence 38 where an SGTR occurs followed by a successful reactor trip, an excessive steam demand, closure of both MSIVs, successful SG cooling and high pressure injection, operator failure to depressurize the RCS below SG relief valve setpoint, and subsequent operator failure to depressurize the RCS given a SG relief valve opened. Considering that the closure of MSIVs and the SG cooling will generally take place in the very early stage by the automatic signals (i.e., SGIS and AFAS), the potential occurrence of a PTS may be contemplated for two periods: 1) before HPSI operation, and 2) after operator failure to depressurize the RCS given a SG relief valve opened. For the first period, the PTS is not likely to happen because the large amount of steam release through the TBVs was isolated early by the closure of both MSIVs, and as a result, the RCS will not be considerably overcooled. For the second period, even if a PTS occurs, core damage is already assumed in Figure 3.

  • Natural circulation cooling would not have been threatened during the event sequences (e.g., loss of offsite power) involving an excessive steam demand, because of the initial high differential temperature between the hot leg and the cold leg of the RCS which promotes natural circulation.

  • The generation of the second SIAS signal during the recovery phase of the event does not have significant impact on core damage frequency (CDF).

Event Tree Modifications

All the Event Trees But LLOCA and MLOCA Event Trees (e.g., TRANS, LOMFW, SGTR, LOOP, etc.)

The following three new top events have been added to all the event trees of the original SPAR model other than those for large LOCA and medium LOCA initiating events:

a) Excessive Steam Demand (ESD) to model the considerable steam release through the widely open TBVs and ADVs as a result of the K7 relay failure;

b) Main Steam Isolation Valves Closed (MSIV) to model the function of the MSIVs subsequent to the excessive steam demand; and

c) One AFW Flow-Path Blocked (SGBLOCK) to model the inefficiency of the steam generator with the associated MSIV open in the presence of all the TBVs fully open.

The second top event (i.e., MSIV) is associated with three alternatives, namely: (1) both MSIVs successfully closed; (2) only one MSIV closed; and (3) failure of both MSIVs to close. Therefore, the following rule has been added to the existing event tree linkage rules, so that an appropriate fault tree may be applied for each of the three cases implemented in terms of triple branches in the event trees:

    if always then
        /MSIV = MSIV
        MSIV[1] = MSIV-1
        MSIV[2] = MSIV-2
    endif

The first fault tree in the above rule (i.e., MSIV) models the success of both MSIVs being closed on demand, and the second and the third fault trees (i.e., MSIV-1 and MSIV-2) model successful closure of only one MSIV and failure of both MSIVs to close upon demand, respectively.

In addition, the event tree linkage rules such as the following also have been added to the event trees modified to incorporate the ESD event, so that an appropriate fault tree for steam generator cooling and once through cooling may be applied depending on the specific circumstances:

    if /RPS*ESD*MSIV[2] then SGC = SGC-ESD; endif
    if /RPS*ESD*/MSIV*SGC then OTC = OTC3; endif
    if /RPS*ESD*MSIV[1]*/SGBLOCK*SGC then OTC = OTC4; endif
    if /RPS*ESD*MSIV[1]*SGBLOCK*SGC then OTC = OTC4; endif
    if /RPS*ESD*MSIV[2]*SGC then OTC = OTC5; endif

The salient features in the modification of the original event trees are briefly summarized below using the revised event tree for general transients (i.e., TRANS) as an example (see Figure 2 in Appendix B):

a) TRANS sequences 1-17 in the revised event tree are the same as TRANS sequences 1-17 of the original event tree, because excessive steam demand does not occur.

b) TRANS sequences 18-34 in the revised event tree show the cases where both MSIVs are closed upon receipt of the steam generator isolation signal (SGIS). If steam generator cooling (SGC) is established through AFW prior to SG dryout, the subsequent sequences are essentially the same as for TRANS sequences 1-13. If SGC fails, the operators should initiate OTC to prevent core damage.

c) TRANS sequences 35-44 reflect the cases where only one MSIV closes upon SGIS. In these circumstances, the operators first need to block the AFW flow path to the affected steam generator with the associated MSIV failed open so that the intact SG can be used for RCS heat removal by controlling the SG water level through the ADVs. Hence, the new top event SGBLOCK is asked following the MSIV top event. If the SG cooling cannot be properly established, the operators then should initiate OTC to avert core damage.

d) TRANS sequences 45-49 show the cases where both MSIVs fail to close upon SGIS. Based on the plant-specific T/H analyses (Appendix C), the operators need to ensure SG cooling has been properly established; otherwise, they must initiate OTC to prevent core damage.

e) TRANS sequence 50 transfers to ATWS event tree as in the original TRANS event tree because of the RPS failure and no demand for excessive steam.

f) TRANS sequence 51 is assumed to lead to core damage because of the excessive steam demand in the midst of the ATWS condition caused by the RPS failure.

A similar modification has been made to all the event trees other than LLOCA and MLOCA event trees, because in these LOCA conditions the RCS average temperature (i.e., Tave) is expected to be less than 557°F following reactor trip, and as a result, the quick open signal will not be generated. The modified event trees are shown in Figures 1-10 (Appendix B).
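The event tree linkage rules listed in this section can be checked mechanically. The Python sketch below is an added example, not part of the NRC analysis or the SPAR model: it parses the rules as printed and confirms that every excessive-steam-demand path with failed steam generator cooling is assigned exactly one once-through-cooling fault tree. It assumes that "/X" denotes the success branch of top event X, a bare "X" the failure branch, and "X[n]" an additional branch; the function names and the sample paths are constructed for illustration.

```python
import re

# Linkage rules transcribed from the text above (spacing normalised).
# Assumed notation: "/X" = success branch of top event X, bare "X" = failure
# branch, "X[n]" = n-th additional branch of a multi-branch top event.
RULES_TEXT = """
if /RPS*ESD*MSIV[2] then SGC = SGC-ESD; endif
if /RPS*ESD*/MSIV*SGC then OTC = OTC3; endif
if /RPS*ESD*MSIV[1]*/SGBLOCK*SGC then OTC = OTC4; endif
if /RPS*ESD*MSIV[1]*SGBLOCK*SGC then OTC = OTC4; endif
if /RPS*ESD*MSIV[2]*SGC then OTC = OTC5; endif
"""

# The "if always" rule: each MSIV branch is quantified with its own fault tree.
MSIV_BRANCH_TREES = {"/MSIV": "MSIV", "MSIV[1]": "MSIV-1", "MSIV[2]": "MSIV-2"}

_RULE = re.compile(r"\bif\s*(\S+)\s+then\s+(\S+)\s*=\s*([^;\s]+)\s*;\s*endif")


def parse_rules(text):
    """Return [(required_branches, top_event, fault_tree), ...]."""
    return [(frozenset(cond.split("*")), top, tree)
            for cond, top, tree in _RULE.findall(text)]


def fault_trees_for(path, rules):
    """Return {top_event: fault_tree} substitutions for one sequence path.

    A top event missing from the result keeps the model's default fault tree.
    Raises ValueError if two rules assign different trees to one top event.
    """
    branches = set(path)
    matches = {}
    for branch, tree in MSIV_BRANCH_TREES.items():
        if branch in branches:
            matches.setdefault("MSIV", set()).add(tree)
    for terms, top, tree in rules:
        if terms <= branches:  # every branch named in the rule was taken
            matches.setdefault(top, set()).add(tree)
    conflicts = {top: trees for top, trees in matches.items() if len(trees) > 1}
    if conflicts:
        raise ValueError(f"conflicting substitutions: {conflicts}")
    return {top: next(iter(trees)) for top, trees in matches.items()}


def esd_paths_needing_otc():
    """Constructed paths: reactor trip succeeds, ESD occurs, SG cooling fails.

    SGBLOCK is only asked when exactly one MSIV closes (branch MSIV[1]).
    """
    base = ["/RPS", "ESD", "SGC"]
    return [
        base + ["/MSIV"],
        base + ["MSIV[1]", "/SGBLOCK"],
        base + ["MSIV[1]", "SGBLOCK"],
        base + ["MSIV[2]"],
    ]


def check_otc_coverage(rules):
    """Map each ESD path to its OTC fault tree; raise if a path has none."""
    result = {}
    for path in esd_paths_needing_otc():
        trees = fault_trees_for(path, rules)
        if "OTC" not in trees:
            raise ValueError(f"no OTC fault tree assigned for {path}")
        result["*".join(path)] = trees["OTC"]
    return result


if __name__ == "__main__":
    parsed = parse_rules(RULES_TEXT)
    for path, tree in check_otc_coverage(parsed).items():
        print(f"{path:40s} -> {tree}")
    # ATWS with ESD (sequence 51) matches no rule: it goes straight to core damage.
    print("RPS*ESD ->", fault_trees_for(["RPS", "ESD"], parsed))
```
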

Fault Tree Modifications

Fourteen new fault trees for the following top events have been developed and added to the SPAR model for CCNPP [3] in order to enable assessment of the excessive steam demand event:

  • ESD: Excessive steam demand
  • MSIV: Both MSIVs closed on demand
  • MSIV-1: Only one MSIV closed on demand
  • MSIV-2: No MSIV closed on demand
  • SGBLOCK: AFW block fails on demand
  • OTC3: Once through cooling when both MSIVs close on demand
  • OTC4: Once through cooling when only one MSIV closes on demand
  • OTC5: Once through cooling when both MSIVs fail to close on demand
  • SGC-ESD: Steam generator cooling
  • AFW-ESD: AFW flow from Unit 1 AFW system
  • AFW-SG-11-ESD: Steam generator 11 cooling
  • AFW-SG-12-ESD: Steam generator 12 cooling
  • AFW-TDP-11-ESD: AFW TDP 11 flow
  • AFW-TDP-12-ESD: AFW TDP 12 flow

These fault trees are shown in Figures 11-24 (Appendix B). Human error probabilities associated with initiating OTC under different conditions were quantified using SPAR-H [4] as mentioned before (Appendix D). The last six fault trees were added to model failure of the turbine-driven AFW pumps due to insufficient steam pressure.

Recovery Rule Modifications

The recovery rules in the original SPAR model contain a number of dependency correction factors for human error probabilities to take into account the dependency of the operator failures in a sequence cut set. The recovery rules including the operator action for once through cooling in the original model (i.e., HPI-XHE-XM-OTC) were modified such that they also apply to other OTC actions defined for the event assessment. For example, the following recovery rule, i.e.,

    elsif MFW-XHE-XO-ERROR * CDS-XHE-XM-LTSUPP * AFW-XHE-XL-LTSUPP * MFW-XHE-XM-LPFLCHS * HPI-XHE-XM-OTC then
        DeleteEvent = MFW-XHE-XM-LPFLCHS;
        AddEvent = MFW-XHE-XM-LPFLCHS1;
        DeleteEvent = HPI-XHE-XM-OTC;
        AddEvent = HPI-XHE-XM-OTC1;

was expanded to include:

    elsif MFW-XHE-XO-ERROR * CDS-XHE-XM-LTSUPP * AFW-XHE-XL-LTSUPP * MFW-XHE-XM-LPFLCHS * HPI-XHE-XM-OTC3 then
        DeleteEvent = MFW-XHE-XM-LPFLCHS;
        AddEvent = MFW-XHE-XM-LPFLCHS1;
        DeleteEvent = HPI-XHE-XM-OTC3;
        AddEvent = HPI-XHE-XM-OTC1;
    elsif MFW-XHE-XO-ERROR * CDS-XHE-XM-LTSUPP * AFW-XHE-XL-LTSUPP * MFW-XHE-XM-LPFLCHS * HPI-XHE-XM-OTC4 then
        DeleteEvent = MFW-XHE-XM-LPFLCHS;
        AddEvent = MFW-XHE-XM-LPFLCHS1;
        DeleteEvent = HPI-XHE-XM-OTC4;
        AddEvent = HPI-XHE-XM-OTC1;
    elsif MFW-XHE-XO-ERROR * CDS-XHE-XM-LTSUPP * AFW-XHE-XL-LTSUPP * MFW-XHE-XM-LPFLCHS * HPI-XHE-XM-OTC5 then
        DeleteEvent = MFW-XHE-XM-LPFLCHS;
        AddEvent = MFW-XHE-XM-LPFLCHS1;
        DeleteEvent = HPI-XHE-XM-OTC5;
        AddEvent = HPI-XHE-XM-OTC1;

Note that the human error probability for once through cooling is increased to the human error probability for HPI-XHE-XM-OTC1 (i.e., 1.0), when such multiple human errors as specified by the recovery rules above are included in a sequence cut set.

Basic Event Probability Changes

Table 4 provides all the basic events that are included in the dominant sequences of Table 3, or have been generated as part of this analysis in order to model event sequences associated with the excessive steam demand.

Other Items of Interest

  • Common cause failure (CCF) of the MSIVs was modeled using SPAR model values [3] for alpha factor parameters for two air operated valves with staggered testing.

    Footnote 6: The alpha factor parameters for air operated valves were used for MSIVs as per suggestion from the Idaho National Laboratories (INL), because the SPAR CCF database does not include the specific parameters for MSIVs.

  • Process flag I (indicating the use of the system logic for failure and the use of the complement of the system logic for success) was attached to the basic event for excessive steam demand (i.e., ESD-BE) in order to appropriately account for success event when the associated probability is relatively large (e.g., as in sensitivity analyses).

  • The re-quantification of the base case CDF by the revised SPAR model (with the assumed failure probability of 1 x 10^-4 for the excessive steam demand basic event) yields a value of 8.144 x 10^-6 per year which is essentially identical to the baseline CDF as obtained by the original SPAR model (i.e., 8.145 x 10^-6 per year).

Sensitivity Analyses

Sensitivity analyses were performed to determine the effects of model uncertainties on results based on best estimate assumptions. The following table provides the results of the sensitivity analyses.

Sensitivity Case and Importance:

  • Case A: Increase the failure probability for the excess steam demand basic event (ESD-BE) from 1E-4 to 1E-3 in the revised baseline model incorporating event sequences associated with the excessive steam demand (Base Case). Importance: 8.1E-6
  • Case B: Increase the fault exposure time for the K7 relay from 240 days to 365 days (Condition Assessment). Importance: 1.8E-6
  • Case C: Compute the conditional probability of core damage, given that the K7 relay was in failure and this condition would only be discovered through an excessive steam demand following some initiating event. This calculation assumes that the failure condition lasts as long as it takes to discover it through an initiating event, and is independent of actual duration. (Initiating Event Assessment). Importance: 1.1E-5
  • Case D: Increase the failure probability of each MSIV to close on demand by an order of magnitude (i.e., from 1.5E-3 to 1.5E-2) (Initiating Event Assessment). Importance: 4.1E-6
  • Case E: Increase the common cause failure probability for MSIVs to close on demand by a factor of 2 (i.e., from 4.6E-5 to 9.2E-5) (Initiating Event Assessment). Importance: 4.0E-6
  • Case F: Increase the failure probability for RCS-PHN-MODPOOR (Moderator Temperature Coefficient Not Enough Negative) by an order of magnitude (i.e., from 1.4E-2 to 1.4E-1) (Initiating Event Assessment). Importance: 4.0E-6
  • Case G: Compute the conditional probability of core damage assuming that the human actions for once through cooling in the midst of excessive steam demand (i.e., OTC3, OTC4, and OTC5) involve a significant amount of diagnosis activity in addition to the actual action needed (Initiating Event Assessment). Importance: 4.3E-6

• Case A shows that changing the failure probability for the ESD-BE event by an order of magnitude has an insignificant effect on the risk impact, because the dominant sequences involve no demand for excessive steam (i.e., the result is not influenced by whether the success probability for ESD-BE is 9.999 x 10^-1 or 9.99 x 10^-1).

• Case B shows that the condition assessment using the extended fault exposure time of 365 days (as opposed to 240 days) yields an importance (i.e., CDP) of 1.8 x 10^-6, which is still smaller than the best estimate importance for the event (i.e., a CCDP of 4.0 x 10^-6).

• Case C represents a special situation to estimate the conditional probability that core damage will occur, given that the K7 relay contacts were stuck, assuming that the condition is discovered through the occurrence of some initiating event leading to excessive steam demand. Within this thought process, duration does not matter; it is assumed that the failure condition is discovered only through the occurrence of an initiating event leading to excessive steam demand. This calculation was done by the artifice of defining a change set in which the initiating event frequencies were proportionately scaled upward so that they summed to unity, and the ESD-BE event was set to True. This change set was run with a duration of one year. Arithmetically, this equates to multiplying each initiating-event CCDP by the conditional probability of that initiating event, given that some initiator occurred. This sensitivity analysis yields a CCDP of 1.1 x 10^-5, which is a factor of about 2.8 greater than the initiating event assessment CCDP of 4.0 x 10^-6.

• Case D shows that the independent failure probability for each MSIV to close on demand (i.e., MSS-MSIV-OO-HV11 and MSS-MSIV-OO-HV12) has an insignificant impact on the CCDP, because of the diverse means of coping with the excess steam demand event, such as auxiliary feedwater or once through cooling.

• Case E shows that doubling the CCF probability for MSIVs to close on demand (i.e., MSS-MSIV-CF-CLOSE) has no impact on the CCDP, primarily due to the effectiveness of the motor-driven auxiliary feedwater flow in averting core uncovery in the midst of an ESD event coupled with failure of both MSIVs to close.

• Case F shows that the variance in the moderator temperature coefficient as represented by the RCS-PHN-MODPOOR basic event has a negligible impact on the final result.

• Case G represents a special case where it has been assumed that the human actions for once through cooling in the midst of excessive steam demand (i.e., HPI-XHE-XM-OTC3, HPI-XHE-XM-OTC4, and HPI-XHE-XM-OTC5) involve a significant amount of diagnosis activity in addition to the actual action needed.

The performance shaping factors (PSFs) used for this case are shown below:

Table columns: Human Error Event; Multiplier for Diagnosis (Time, Stress, Complexity); Multiplier for Action (Time, Stress, Complexity); Total HEP.

| Human Error Event | PSF multipliers (in the order listed) | Total HEP |
|---|---|---|
| OTC3 | 2, 10, 2 | 0.08 |
| OTC4 | 2, 10, 2 | 0.87 |
| OTC5 | 5, 10, 2 | 0.97 |

The total human error probabilities (HEPs) for those situations (either diagnosis or action) involving multiple (i.e., 3 or more) non-nominal PSFs in the above table were calculated by applying an adjustment factor in accordance with the formula provided in the SPAR-H documentation [4] in order to represent the composite PSF influence. Note that the total HEPs used for OTC3, OTC4, and OTC5 in the best estimate evaluation are 0.04, 0.09, and 0.20, respectively, as shown in Table 4 and Appendix D. The initiating event assessment for this sensitivity case yields a CCDP of 4.3 x 10^-6, which is just slightly greater than the best estimate event assessment CCDP (i.e., 4.0 x 10^-6). This relatively small sensitivity of the CCDP to the OTC human actions results from the fact that once through cooling is necessary only when steam generator cooling cannot be properly maintained by use of auxiliary feedwater in most failure cases involving an excessive steam demand.
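The direction and rough size of the Case D, E and G sensitivities can be checked on the MSIV branch logic shown in the Appendix B figures. The Python sketch below is an added example, not part of the NRC analysis or the SPAR model: it enumerates the MSIV states from the fault-tree logic (independent failure of HV11 or HV12, or common cause failure of both) and weights the OTC3/OTC4/OTC5 human error probabilities by those states. Treating the three MSIV basic events as independent and ignoring every other top event are simplifying assumptions.

```python
from itertools import product

HV11 = "MSS-MSIV-OO-HV11"
HV12 = "MSS-MSIV-OO-HV12"
CCF = "MSS-MSIV-CF-CLOSE"

# Best estimate values quoted in the sensitivity table and the basic event table.
BASE = {
    HV11: 1.5e-3,
    HV12: 1.5e-3,
    CCF: 4.6e-5,
    "HPI-XHE-XM-OTC3": 4.0e-2,  # both MSIVs closed
    "HPI-XHE-XM-OTC4": 9.0e-2,  # one MSIV open
    "HPI-XHE-XM-OTC5": 2.0e-1,  # both MSIVs open
}

# Event tree branch (number of MSIVs left open) -> OTC human error event used.
OTC_FOR_STATE = {0: "HPI-XHE-XM-OTC3", 1: "HPI-XHE-XM-OTC4", 2: "HPI-XHE-XM-OTC5"}

# Change sets for the sensitivity cases, using the values stated in the text.
CASES = {
    "base": {},
    "D": {HV11: 1.5e-2, HV12: 1.5e-2},
    "E": {CCF: 9.2e-5},
    "G": {"HPI-XHE-XM-OTC3": 0.08, "HPI-XHE-XM-OTC4": 0.87, "HPI-XHE-XM-OTC5": 0.97},
}


def msiv_state_probabilities(events):
    """Return {number of MSIVs open: probability} by exact enumeration.

    Assumption (simplification): the two independent failures and the common
    cause failure are three independent basic events; a common cause failure
    leaves both valves open regardless of the independent events.
    """
    states = {0: 0.0, 1: 0.0, 2: 0.0}
    for hv11, hv12, ccf in product((False, True), repeat=3):
        prob = 1.0
        for name, failed in ((HV11, hv11), (HV12, hv12), (CCF, ccf)):
            prob *= events[name] if failed else 1.0 - events[name]
        n_open = 2 if ccf else int(hv11) + int(hv12)
        states[n_open] += prob
    return states


def otc_failure_given_demand(events):
    """Probability that once through cooling fails, given that it is demanded
    during an excessive steam demand, weighted over the MSIV states."""
    states = msiv_state_probabilities(events)
    return sum(p * events[OTC_FOR_STATE[n]] for n, p in states.items())


def sensitivity_ratios():
    """Ratio of each case's OTC failure probability to the best estimate."""
    base = otc_failure_given_demand(BASE)
    return {
        name: otc_failure_given_demand({**BASE, **changes}) / base
        for name, changes in CASES.items()
    }


if __name__ == "__main__":
    for name, ratio in sensitivity_ratios().items():
        print(f"Case {name}: OTC branch failure probability x {ratio:.4f}")
```

These ratios describe only the once through cooling branch when it is demanded. The report's CCDP moves much less in Case G because, as stated above, once through cooling is needed only when auxiliary feedwater cannot maintain steam generator cooling.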

References

1. LER 318/04-001, Revision 00, Reactor Trip Due to Low Steam Generator Water Level After Feed Pump Trip, Event Date: January 23, 2004.

2. NRC Special Inspection (SI) Team Report, EA-04110, Calvert Cliffs Nuclear Power Plant, Unit 1 and Unit 2 - NRC Inspection Report 05000317/2004008 and 05000318/2004008, July 29, 2004.

3. Idaho National Engineering and Environmental Laboratory, Standardized Plant Analysis Risk Model for Calvert Cliffs 1 & 2, Revision 3.12, February 2, 2005.

4. Idaho National Engineering and Environmental Laboratory, The SPAR-H Human Reliability Analysis Method, INEEL/EXT-02-01307, May 2004.

5. B. Mrowca, et al., Calvert Cliffs Nuclear Power Plant Probabilistic Risk Assessment Individual Plant Examination, December 199

Table 1. Conditional core damage probabilities of dominating sequences.

| Event tree name | Sequence no. | CCDP (1) | Contribution |
|---|---|---|---|
| LOMFW | 51 | 2.0E-6 | 50.0 |
| LOMFW | 34 | 1.9E-6 | 47.5 |
| Total (all sequences) (2) | | 4.0E-6 | 100 |

(1) Values are point estimates.
(2) Total CCDP includes all sequences (including those not shown in this table).

Table 2a. Event tree sequence logic for dominating sequences.

| Event tree name | Sequence no. | Logic (/ denotes success; see Table 2b for top event names) |
|---|---|---|
| LOMFW | 51 | RPS, ESD |
| LOMFW | 34 | /RPS, ESD, /MSIV, SGC, OTC3 |

Table 2b. Definitions of top events listed in Table 2a.

| Top Event | Definition |
|---|---|
| ESD | Excessive steam demand occurs |
| MSIV | Main steam isolation valves fail to close |
| OTC3 | Once through cooling fails |
| RPS | Reactor trip fails |
| SGC | Steam generator cooling fails |


Table 3. Conditional cut sets for the dominant sequences.

| CCDP | Percent Contribution | Minimum Cut Sets (of basic events) |
|---|---|---|
| Event Tree: LOMFW, Sequence 51 | | |
| 1.2E-6 | 58.7 | RPS-VCF-FO-MECH |
| 7.0E-7 | 34.4 | RPS-RTB-FC-FTO, RPS-XHE-ERROR |
| 1.4E-6 | 6.9 | RPS-XHE-XM-SCRAM, RPS-VCF-FO-ELEC |
| 2.0E-6 | 100 | Total (all cutsets) (1) |
| Event Tree: LOMFW, Sequence 34 | | |
| 1.4E-6 | 72.8 | CDS-XHE-XM-LTSUPP, AFW-XHE-XL-LTSUPP1, HPI-XHE-XM-OTC1, MFW-XHE-XM-LPFLFW1 |
| 2.8E-7 | 14.6 | CDS-XHE-XM-LTSUPP, LPF-SYS-FC-LOMFW, AFW-XHE-XL-LTSUPP1, HPI-XHE-XM-OTC1 |
| 1.1E-7 | 5.7 | AFW-CKV-CF-SGS, HPI-XHE-XM-OTC3 |
| 9.6E-8 | 5.0 | CDS-TNK-FC-CST12, HPI-XHE-XM-OTC3 |
| 1.9E-6 | 100 | Total (all cutsets) (1) |

(1) Total Importance includes all cutsets (including those not shown in this table).

Table 4. Definitions and probabilities for modified and dominant basic events.

| Event Name | Description | Probability/Frequency (per hour) | Modified |
|---|---|---|---|
| AFW-BLOCK (1) | AFW BLOCK FAILS ON DEMAND | 1.5E-4 | N/A |
| AFW-CKV-CF-SGS | CCF OF STEAM GENERATOR INLET CHECK VALVES | 2.8E-6 | No |
| AFW-XHE-XL-LTSUPP1 | OPERATOR FAILS TO RECOVER FROM CST 12 LOW LEVEL (DEPENDENT EVENT) | 1.4E-1 | No |
| CDS-TNK-FC-CST12 | CONDENSATE STORAGE TANK 12 IS UNAVAILABLE | 2.4E-6 | No |
| CDS-XHE-XM-LTSUPP | OPERATOR FAILS TO ALIGN A LONG-TERM WATER SUPPLY TO AFW SUCTION | 1.0E-5 | No |
| ESD-BE (2) | EXCESSIVE STEAM DEMAND EVENT OCCURS | 1.0E-4 | N/A |
| HPI-XHE-XM-OTC1 | OPERATOR FAILS TO INITIATE ONCE THROUGH COOLING (DEPENDENT EVENT) | 1.0E+0 | No |
| HPI-XHE-XM-OTC3 (3) | FAILURE TO INITIATE OTC WITH BOTH MSIVS SUCCESSFULLY CLOSED | 4.0E-2 | N/A |
| HPI-XHE-XM-OTC4 (3) | FAILURE TO INITIATE OTC WITH ONE MSIV OPEN | 9.0E-2 | N/A |
| HPI-XHE-XM-OTC5 (3) | FAILURE TO INITIATE OTC WITH BOTH MSIVS OPEN | 2.0E-1 | N/A |
| LPF-SYS-FC-LOMFW | LOW PRESSURE FEED HARDWARE FAILED GIVEN LOSS OF FEEDWATER | 2.0E-1 | No |
| MFW-XHE-XM-LPFLFW1 | OPERATOR FAILS TO ESTABLISH LOW PRESSURE FEED TO SGs (DEPENDENT EVENT) | 1.0E-2 | No |
| MSS-MSIV-CF-CLOSE (4) | CCF OF MSIVS TO CLOSE | 4.6E-5 | N/A |
| MSS-MSIV-OO-HV11 (5) | MSIV HV11 FAILS TO CLOSE | 1.5E-3 | N/A |
| MSS-MSIV-OO-HV12 (5) | MSIV HV12 FAILS TO CLOSE | 1.5E-3 | N/A |
| RPS-RTB-FC-FTO | TRIP CIRCUIT BREAKERS FAIL TO OPEN | 1.6E-6 | No |
| RPS-VCF-FO-ELEC | ELECTRICAL (UV & ST) RPS FAILURE TO OPEN TRIP CIRCUIT BREAKERS | 1.4E-5 | No |
| RPS-VCF-FO-MECH | CONTROL ROD ASSEMBLIES FAIL TO INSERT | 1.2E-6 | No |
| RPS-XHE-ERROR | OPERATOR FAILS TO DE-ENERGIZE CEDM POWER SUPPLY (RECOVERY EVENT) | 4.4E-1 | No |
| RPS-XHE-XM-SCRAM | OPERATOR FAILS TO MANUALLY TRIP THE REACTOR | 1.0E-2 | No |

(1) This basic event has been generated to model the inefficiency of the steam generator with the associated MSIV open in the presence of all the TBVs fully open. The failure probability of 1.5E-4 for this event was taken from the IPE for Calvert Cliffs Nuclear Power Plant [5].
(2) This basic event has been generated to model the excessive steam demand as part of event sequences following a reactor trip; however, no detailed system model (e.g., including specific relays) was developed in this analysis. The failure probability of 1.0E-4 has been assumed for the ESD-BE basic event based on engineering judgment. Note that the assumption of this value has no effect on the results of this analysis, because the ESD-BE basic event was set to True in both the initiating event assessment and the condition assessment for the base case (i.e., 240 days of fault exposure time for the K7 relay).
(3) Refer to the SPAR HRA worksheet in Appendix C.
(4) The CCF probability for MSIVs is based on the alpha factors for air operated valves with staggered testing scheme.
(5) These basic events for MSIVs have been generated to model the event sequences following the excessive steam demand. The failure probability of 1.5E-3 for these events was taken from the IPE for Calvert Cliffs Nuclear Power Plant [5].


Appendix A Sequences of Key Events


From NRC Special Inspection Team Report 50/317/318-2004-008:

15:26.02 Initial Conditions: 100% Reactor Power. CWP secured for planned maintenance. RTCBs 1&5 open due to problems experienced earlier in the day during the performance of an IM STP. Reactor Reg System selected to Channel X.

15:26.37 22 SGFP Trips (With direction from the CRS, the CRO attempts multiple resets of the 22 SGFP per plant stabilizing actions IAW AOP-3. None of the resets are successful and the CRS orders a manual reactor trip when S/G Low Level Pre-Trips are received (coincident with -40 S/G levels per narrow range level indication).)

15:27.48 RPS Steam Generator Low Level Channel A & D Trip. RTCBs 2, 3, 4, 6, 7, 8 open. RPS manual reactor trip from 1C05 due to action of RO.

15:28.20 ADVs and TBVs are not responding as designed as they are still full open and RCS average temperature is well below 557°F.

15:28.26 All pressurizer backup and proportional heater banks automatically secure due to pressurizer level falling below 101". The RO places all heater hand switches in OFF shortly afterwards.

15:28.34 AFAS B actuation. ESFAS SIAS A & B actuation.

15:28.52 2B EDG, 21 & 22 LPSI pumps, 21 & 22 CS pumps, 21 HPSI pump all start.

15:28.53 22 Component cooling pump starts, 23 HPSI pump all start.

15:28.54 21 & 22 Boric acid pumps, 21/22/23 IRU, 24 CAC Fan all start.

15:28.57 ESFAS SGIS A & B Actuation.

15:28.59 Letdown secured. 2A & 2B EDG start.

15:29.00 21 & 22 MSIVs shut (with the MSIVs shut due to the SGIS actuation, the TBVs are no longer contributing to the excess steam demand event). For approximately the next seven minutes the RCS continues to cool down at a rate of approximately 160°F/hr.

15:29.13 Pressurizer level goes off-scale low.

15:32.15 21B & 22A RCP secured in accordance with RCP Trip Strategy for SIAS actuation.

15:37.00 The Quick Open Dump Signal from RRS is removed from both ADVs when the TBO shifts the hand transfer valves in the 45 switchgear room to align ADV control to 2C4. Over the next 32 minutes, an RCS heatup at approximately 57°F/hr takes place until RCS cold leg temperatures are restored to 515°F.

15:39.50 Pressurizer level returns to scale.

15:47.30 The operating crew reduces AFW flow to each S/G from 300 gpm to 150 gpm.

Summary of EOP-0, Post Trip Immediate Actions:

Safety Function Status
Reactivity Control - Complete
Vital Auxiliaries - Complete
RCS Pressure and Inventory Control - Not Met
Core and RCS Heat Removal - Not Met
Containment Environment - Complete
Rad Levels External to Containment - Complete

Safety System Actuations
AFAS - Verified
SIAS - Verified
SGIS - Verified

15:55.00 EOP-1, Reactor Trip, is implemented from EOP-0. Upon entry, the crew recognizes the high RCS pressure and the rapidly rising pressurizer level and prepares to take stabilizing actions.

15:56.00 The RO takes manual control of the Main Spray Controller, 2HIC100, (which has been greatly reduced due to only having one RCP operating in the spray line loops) and places the output at approximately 30-35% to stop the RCS pressure rise at 2335 psia. Subsequent minor manual Main Spray Controller manipulations result in a stable RCS pressure at around 2318 psia. Note - the main spray valves, 1CV100E and 1CV100F, did not start to open until 2300 psia (based on a pressurizer controller setpoint of 2250 psia).

15:58.00 Due to the insurge from the RCS heatup, along with approximately 4100 gallons of injection from the Charging system, Pressurizer level has reached ~210 and the Pressurizer temperature has reached a minimum value of 514°F (saturation for 771 psia).

15:59.00 The Pressurizer insurge continues as full Charging is still present at 128 GPM and the 57°F/hr RCS heatup continues. At this point, due to the large volume of cold water in the Pressurizer and the lack of full heater capability, RCS pressure begins to rapidly drop from ~2318 to ~1800 psia over the next 22 minutes.

16:01.46 22 & 23 charging pump are secured (H/S placed in PTL).

16:05.00 Based on Operator recall, the Main Spray Controller, 2HIC100, output signal is lowered from 30 - 35% to approximately -2% (although 2HIC100 can be driven to an output as low as -20%, an output of 0% should represent a signal at which both Main Spray valves are full shut).

16:06.50 21 Charging pump is secured.

16:08.00 The RCS heatup is temporarily secured per the operating crew's decision to hold RCS cold leg temperature at 515°F.

16:09.00 Based on Operator recall, both Pressurizer Proportional Heaters are returned to AUTO and Backup Heaters 22 and 24 are placed in ON. Backup Heater 24 only has a capacity of 225 KW (normal capacity is 300 KW) due to a previous CMF that had one bank of heaters removed from service. Backup Heaters 21 and 23 cannot be returned to service at this time due to the active SIAS signals.

16:17.28 SIAS A is reset remotely from the Control Room. SIAS B cannot be reset from the Control Room due to a problem with the reset pushbutton.

16:27.36 SIAS B is reset locally from the Cable Spreading Room.

16:33.35 21 Charging Pump is started per OI-2A in an effort to restore Letdown to restore Pressurizer level. For approximately the next five minutes, the Operating Crew attempts to restore Letdown, but problems associated with the Control Room position indication for one of the Letdown isolation valves, 2-CV-516, delay the successful restoration.

16:38.50 21 Charging Pump is secured when the Operating Crew believes that the Letdown isolation valve, 2-CV-516, is not opening when attempts are made using the hand switch.

16:39.00 Based on Operator recall, Pressurizer Backup Heaters 21 and 23 are restored and placed in ON now that SIAS has been reset and both heater breakers have been closed locally.

16:45.30 A second heatup of the RCS at approximately 35°F/hr is commenced to return RCS cold leg temperatures to the EOP-1 acceptable range of 525 - 535°F. The heatup and resulting Pressurizer insurge contributes to RCS pressure lowering from ~1800 psia to ~1750 psia over the next 30 minutes. The combination of Letdown and the RCS heatup result in the RCS Pressure lowering to 1750 psia and a second SIAS actuation.

16:48.29 21 Charging pump is started per OI-2A in a second effort to restore Letdown to restore pressurizer level.

16:48.40 Letdown is successfully placed in service and raised to approximately 105gpm over the next nine minutes.

16:57.23 Letdown is maintained between 100 & 115gpm until about 17:14.3

17:04.00 Per CRS/SM direction, the RO lowers the Main Spray Controller, 2HIC100, output signal to -20% (lowest possible output signal) to ensure that the Main Spray valves are fully closed in an attempt to minimize any leakby on the valves.

17:14.34 Letdown flow is reduced to ~70 GPM as the Operating Crew recognizes that RCS pressure is steadily lowering and re-approaching the SIAS setpoint.

17:18.01 ESFAS SIAS B actuation (lose capability to use pressurizer backup heater 23).

17:18.02 ESFAS SIAS A actuation (lose capability to use pressurizer backup heater 21).

17:20.53 21 charging pump is secured.

17:49.00 After using procedure guidance from EOP-4 and blocking SIAS, the Operating Crew resets SIAS A remotely from the Control Room. The decision to block and reset SIAS is made in order to recover full Pressurizer heater capability in an attempt to restore RCS pressure which has remained between 1750 and 1780 psia for the previous 50 to 60 minutes.

17:53.29 SIAS B is reset locally from the Cable Spreading Room.

17:58.00 Based on Operator recall, Pressurizer Backup Heaters 21 and 23 are restored and placed in ON now that SIAS has again been reset and both heater breakers have been closed locally. The Operating Crew now has full Pressurizer heater output. The Operating Crew decides to not attempt to reinitiate Charging and Letdown until RCS pressure reaches 2100 psia in order to assure that another RCS depressurization does not occur.

18:22.00 Based on Operator recall, the Main Spray Controller, 2HIC100, is returned to automatic control.

18:25.00 SGIS is reset using guidance from EOP-3.

18:29.20 AFAS A & B are reset in accordance with OI-32B.

18:32.29 21 Charging pump is started in preparation for restoring letdown.

18:33.35 Charging and Letdown are restored in an attempt to return Pressurizer level to the EOP-1 acceptable band of 130 to 18. Letdown is established at approximately 45 - 50 GPM.

19:26.00 The Operating Crew exits EOP-1 and implements OP-2 and OP-4.

19:30.00 The 21B and 22A RCPs are restarted in accordance with OI-1. The 21 AFW pump is secured.

19:50.00 Both MSIVs are reopened in accordance with OP-

19:55.00 Secured 21 AFW pump.

20:00.00 RCS parameters have reached normal post-trip levels and are considered steady state.

Appendix B Event Tree and Fault Tree Figures


[Figure: Event tree for loss of main feedwater transient. Title: LOMFW - Calvert Cliffs 1 & 2 loss of main feedwater transient, 2006/05/25. Top events: IE-LOMFW (loss of main feedwater), RPS (reactor trip), ESD (excess steam demand, ADVs & TBVs), MSIV (main steam isolation valves), SGBLOCK (one AFW flow path blocked), SGC (steam generator cooling), PORV (PORVs are closed), RCPSL (RCP seal integrity maintained), HPI (high pressure injection), OTC (once through cooling), SSC (secondary side cooldown), SDC (shutdown cooling), HPR (sump recirc), CSR (containment cooling). MSIV branches: Both Closed, One Open, Both Open, using OTC3, OTC4, OTC5 and SGC-ESD. End states: OK, CD, transfer to ATWS.]

[Figure: Event tree for general plant transient. Title: TRANS - Calvert Cliffs 1 & 2 general plant transient, 2006/05/03. Top events: IE-TRANS, RPS, ESD, MSIV, SGBLOCK, SGC, PORV, RCPSL, HPI, OTC, SSC, SDC, HPR, CSR. MSIV branches: Both Closed, One Open, Both Open, using OTC3, OTC4, OTC5 and SGC-ESD. End states: OK, CD, transfer to ATWS.]

[Figure: Event tree for loss of offsite power. Title: LOOP - Calvert Cliffs 1 & 2 loss of offsite power, 2006/05/03. Top events: IE-LOOP, RPS, ESD, MSIV, SGBLOCK, EPS (emergency power), AFW (auxiliary feedwater), PORV, LOSC (RCP seal cooling maintained), HPI, OTC, OPR-02H (offsite power recovery in 2 hrs), OPR-06H (offsite power recovery in 6 hrs), SSC, SDC, HPR, CSR. MSIV branches: Both Closed, One Open, Both Open. End states: OK, CD, transfers to LOOP-1, SBO and ATWS.]

[Figure: Event tree for loss of condenser heat sink transient. Title: LOCHS - Calvert Cliffs 1 & 2 loss of condenser heat sink transient, 2006/05/03. Top events: IE-LOCHS, RPS, ESD, MSIV, SGBLOCK, SGC, PORV, RCPSL, HPI, OTC, SSC, SDC, HPR, CSR. MSIV branches: Both Closed, One Open, Both Open, using OTC3, OTC4, OTC5 and SGC-ESD. End states: OK, CD, transfer to ATWS.]

[Figure: Event tree for steam generator tube rupture. Title: SGTR - Calvert Cliffs 1 & 2 steam generator tube rupture, 2006/05/03. Top events: IE-SGTR, RPS, ESD, MSIV, SGBLOCK, SGC, HPI, OTC, RCS-SG (operator depress RCS to < SGRV), DEP-REC (operator depress after SGRV lift), SG-DEP (primary side hardware to depress RCS to < SGRV), SGISOL (ruptured SG isolated), THROTTLE (throttle HPI to reduce pressure), RCS-DEP (secondary side to depress RCS to SDC conditions), SDC, HPR, CSR. MSIV branches: Both Closed, One Open, Both Open, using OTC3, OTC4, OTC5 and SGC-ESD. End states: OK, CD.]

[Figure: Event tree for loss of vital dc bus 11. Title: LDC11 - Calvert Cliffs 1 & 2 loss of vital dc bus 11, 2006/05/03. Top events: IE-LDC11 (loss of DC bus), RPS, ESD, MSIV, SGBLOCK, AFW, PORV, RCPSL, HPI, OTC, SSC, SDC, HPR, CSR. MSIV branches: Both Closed, One Open, Both Open, using OTC3, OTC4, OTC5 and SGC-ESD. End states: OK, CD.]

[Figure: Event tree for small LOCA. Title: SLOCA - Calvert Cliffs 1 & 2 small LOCA, 2006/05/03. Top events: IE-SLOCA, RPS, ESD, MSIV, SGBLOCK, SGC, HPI, OTC, SSC, LPI (low pressure injection), SDC, HPR (high pressure recirc), LPR (low pressure recirc), CSR. MSIV branches: Both Closed, One Open, Both Open, using OTC3, OTC4, OTC5 and SGC-ESD. End states: OK, CD.]

[Figure: Event tree for loss of component cooling water. Title: LOCCW - Calvert Cliffs 1 & 2 loss component cooling water, 2006/05/03. Top events: IE-LOCCW, RPS, ESD, MSIV, SGBLOCK, SGC, PORV, RCPSL (RCP seals survive loss of cooling), CCWR (CCW recovery), HPI, OTC, SSC, SDC, HPR, CSR. MSIV branches: Both Closed, One Open, Both Open, using OTC3, OTC4, OTC5 and SGC-ESD. End states: OK, CD.]

[Figure: Event tree for loss of instrument air system transient. Title: LOIAS - Calvert Cliffs 1 & 2 loss of instrument air system transient, 2006/05/03. Top events: IE-LOIAS, RPS, ESD, MSIV, SGBLOCK, SGC, PORV, RCPSL, HPI, OTC, SSC, SDC, HPR, CSR. MSIV branches: Both Closed, One Open, Both Open, using OTC3, OTC4, OTC5 and SGC-ESD. End states: OK, CD.]

[Figure 1: Event tree for loss of salt water system. Title: LOSWS - Calvert Cliffs 1 & 2 loss of salt water system, 2006/05/03. Top events: IE-LOSWS, RPS, ESD, MSIV, SGBLOCK, SGC, PORV, RCPSL (RCP seals survive loss of cooling), SWSR (SWS recovery), HPI, OTC, SSC, SDC, HPR, CSR. MSIV branches: Both Closed, One Open, Both Open, using OTC3, OTC4, OTC5 and SGC-ESD. End states: OK, CD.]

[Figure 1: Fault tree for excess steam demand. Title: ESD - EXCESS STEAM DEMAND (ADVs & TBVs), 2005/08/04. Basic event: ESD-BE (EXCESSIVE STEAM DEMAND EVENT OCCURS), 1.000E-4.]

[Figure 1: Fault tree for main steam isolation valves close. Title: MSIV - MAIN STEAM ISOLATION VALVES, 2005/08/04. Basic event: MSIV-SUC-BE (MSIVS ACTUALLY CLOSE), 9.960E-1.]

[Figure 1: Fault tree for one MSIV close. Title: MSIV-1 - ONE MSIV FAILS TO CLOSE, 2005/08/04. Basic events: MSS-MSIV-OO-HV11 (MSIV HV11 FAILS TO CLOSE), 1.520E-3; MSS-MSIV-OO-HV12 (MSIV HV12 FAILS TO CLOSE), 1.520E-3.]

[Figure 1: Fault tree for when both MSIVs fail to close. Title: MSIV-2 - BOTH MSIVS FAIL TO CLOSE, 2005/08/04. Inputs: MSS-MSIV-CF-CLOSE (CCF OF MSIVS TO CLOSE), 4.636E-5; gate MSIV-2-1 (INDEPENDENT FAILURES OF MSIVS TO CLOSE) with MSS-MSIV-OO-HV11, 1.520E-3, and MSS-MSIV-OO-HV12, 1.520E-3.]

[Figure 1: Fault tree for one AFW flow path blocked. Title: SGBLOCK - ONE AFW FLOW PATH BLOCKED, 2005/08/01. Basic event: AFW-BLOCK (AFW BLOCK FAILS ON DEMAND), 1.540E-4.]

[Figure 1: Fault tree for once-through cooling when both MSIVs close on demand. Title: OTC3 - ONCE-THROUGH COOLING, 2006/05/24. Inputs: HPI-XHE-XM-OTC3 (FAILURE TO INITIATE OTC WITH BOTH MSIVS SUC CLOSED), 4.000E-2; BLEED (FAILURE TO PROVIDE BLEED PORTION OF F&B COOLING), 1.000E+0; HPI (NO OR INSUFFICIENT HPI FLOW), 1.000E+0.]

[Figure 1: Fault tree for once-through cooling when only one MSIV closes on demand. Title: OTC4 - FAILURE OF OTC WITH ONE MSIV STILL OPEN, 2005/08/18. Inputs: HPI-XHE-XM-OTC4 (FAILURE TO INIT OTC WITH ONE MSIV OPEN), 9.000E-2; BLEED (FAILURE TO PROVIDE BLEED PORTION OF F&B COOLING), 1.000E+0; HPI (NO OR INSUFFICIENT HPI FLOW), 1.000E+0.]

[Figure 1: Fault tree for once-through cooling when both MSIVs fail to close on demand. Title: OTC5 - FAILURE TO INIT OTC WITH BOTH MSIVS OPEN, 2005/08/18. Inputs: HPI-XHE-XM-OTC5 (FAILURE TO INIT OTC WITH BOTH MSIVS OPEN), 2.000E-1; BLEED (FAILURE TO PROVIDE BLEED PORTION OF F&B COOLING), 1.000E+0; HPI (NO OR INSUFFICIENT HPI FLOW), 1.000E+0.]

[Figure 1: Fault tree for steam generator cooling. Title: SGC-ESD - STEAM GENERATOR COOLING IS UNAVAILABLE, 2006/05/24. Inputs: MFW (MAIN FEEDWATER COOLING IS UNAVAILABLE); AFW-ESD (INSUFFICIENT AFW FLOW FROM UNIT 1 AFW SYSTEM).]

[Figure 2: Fault tree for AFW flow from Unit 1 AFW system. Title: AFW-ESD - INSUFFICIENT AFW FLOW FROM UNIT 1 AFW SYSTEM, 2006/05/24. Inputs: AFW-SG-11-ESD (STEAM GENERATOR 11 IS UNAVAILABLE); AFW-SG-12-ESD (STEAM GENERATOR 12 IS UNAVAILABLE).]

[Figure 2: Fault tree for steam generator 11 cooling. Title: AFW-SG-11-ESD - STEAM GENERATOR 11 IS UNAVAILABLE, 2006/05/24.]

Figure 2 Fault tree for steam generator 12 cooling. (AFW-SG-12-ESD - STEAM GENERATOR 12 IS UNAVAILABLE, 2006/05/24, Page 184)

Figure 2 Fault tree for AFW TDP 11 flow. (AFW-TDP-11-ESD - AFW TDP 11 IS UNAVAILABLE, 2006/05/24, Page 156)

Figure 2 Fault tree for AFW TDP 12 flow. (AFW-TDP-12-ESD - AFW TDP-12 IS UNAVAILABLE, 2006/05/24, Page 178)

Appendix C Plant Response to Excessive Steam Demand

¹ Letter from Mr. J. A. Spina to NRC (Document Control Center), Response to Preliminary Accident Sequence Precursor (ASP) Analysis for the Unit 2 January 2004 Operational Event, March 31, 2006.

The preliminary event assessment was performed using a conservative assumption such that auxiliary feedwater (AFW) alone cannot provide sufficient steam generator (SG) cooling to prevent core damage in the following two cases of an excessive steam demand (ESD) event:

1) Both MSIVs fail to close upon Steam Generator Isolation Signals (SGIS), and

2) Only one MSIV succeeds to close upon SGIS.

In the first case, it was assumed that the ESD event is not recovered; namely, TBVs are not automatically closed by an interlock signal upon loss of condenser vacuum approximately half an hour into the transient due to failure of condenser air removal units on loss of service water as a result of Safety Injection Actuation Signals (SIAS), nor manually closed by the operators.

In the second case, it was assumed that the AFW flow path to the affected SG is not properly blocked. Note that SG cooling by AFW and thereby prevention of core damage was credited in the preliminary event assessment, only in the case where the AFW flow path to the affected SG is properly blocked. The event assessment with the aforementioned conservative assumptions resulted in a conditional core damage probability (CCDP) of 1.2 x 10⁻⁵ (i.e., low yellow).

A peer review of this preliminary event assessment was conducted by Constellation Energy operating CCNPP.¹ During this review process, a simulator run was made with the quick open signal failing to clear and with the MSIVs failing to close on SGIS in order to evaluate plant response and operator actions. The simulation results (Figure C.1) indicate the following:

1. Upon receipt of Auxiliary Feedwater Actuation Signals (AFAS), all the AFW pumps were initially started. The turbine-driven AFW pumps functioned until steam pressure dropped to approximately 50 psia in the steam generators and they were secured at this point. Auxiliary feedwater flow, using the motor-driven AFW pump, was maintained during the entire transient after the AFAS actuation.

During the first 15~20 minutes into the transient, the High Pressure Safety Injection System (HPSI) provided significant flow into the Reactor Coolant System (RCS) following SIAS actuation. The reactor core was not uncovered. There was an indication of lowering reactor coolant level as observed on the Reactor Vessel Level Monitoring System in the 5 to 12 minute time frame. At the lowest point, there was approximately 7 feet of water above the active fuel. The RCS temperature leveled out above 350°F.

5. Pressure in the RCS leveled out at approximately 1000 psia. Pressure was controlled using operator actions to secure HPSI flow, charging flow, and pressurizer heaters. Auxiliary spray was also used to maintain pressure.

² The RELAP-5 model for Calvert Cliffs, originally developed in the early 1980s by EG&G Idaho, was updated in 2001 as part of the NRC's Pressurized Thermal Shock (PTS) Rebaselining Study to reflect the current plant configurations and operating procedures, including system setpoints and control logic.

For purposes of simulation, the TBVs remained open. However, the TBVs will be closed on a loss of condenser vacuum which is expected to take place about half an hour into the transient because the condenser air removal units will fail on loss of service water as a result of the SIAS generation, as mentioned earlier.

In short, the most important conclusion from the simulator run is that auxiliary feedwater can successfully prevent core uncovery without once through cooling (OTC). However, the simulation results show that wide range SG level in both SGs drops to approximately -400 inches within the first 10 minutes into the transient and remains at this very low level for the entire time period shown by the results (i.e., ~30 minutes). Given the fact that auxiliary feedwater kept on injecting into the SGs and the core continuously cooled down, the water in the shell side of the SGs remaining at such a low level implies that the RCS heat was removed primarily by the injected AFW flashing into steam.

In view of the significance of properly understanding the plant behavior expected in the event of an excess steam demand, an independent thermal hydraulic (T/H) analysis was also performed using the Calvert Cliffs RELAP-5 model² for the following cases involving failure of both MSIVs upon SGIS:

1) Reactor/turbine trip with stuck-opening of MSIVs, TBVs and ADVs (all valves)

2) Reactor/turbine trip with stuck-opening of MSIVs, TBVs and ADVs (all valves) and a single Safety Relief Valve (SRV) in each SG

3) Reactor/turbine trip with stuck-opening of MSIVs, TBVs and ADVs (all valves) and all SRVs in each SG

In the first case (Figure C.2), the water level drops to a minimum of about -320 inches and AFW is able to recover SG water level. In the second case, the water level drops to a minimum of about -370 inches and again, AFW is able to recover SG water level. Finally, in case 3, the water level drops completely (no water left in the SGs) and again, AFW is able to recover SG water level, establishing SG cooling and consequently preventing core damage. Hence, the independent T/H analysis also points out that AFW (300 gpm per SG) can recover SG level because the primary water is relatively cool due to the RCS overcooling caused by the ESD and the declining decay heat.

Note that there are several discrepancies between the simulator runs and the RELAP-5 runs, among others:

  • The SG level drops below -350 inches (a triggering condition for OTC in the emergency operating procedures) within 10 minutes according to the simulator run; however, the RELAP-5 run (the first case) shows that the SG level decreases only down to -320 inches in about 15 minutes into the transient.

  • The SG level is recovered by AFW after ~45 minutes as per the RELAP-5 run, but levels out at approximately -400 inches as per the simulator run.

In spite of these differences in the SG level prediction, both T/H analyses (i.e., by the plant simulator and the independent RELAP-5 model) conclude that AFW can prevent core damage without OTC. Therefore, the updated event assessment presented herein was carried out taking into account this conclusion.

Figure C.1 Simulator run for excessive steam demand with both MSIVs failing to close


Figure C.2 RELAP-5 run for excessive steam demand with both MSIVs failing to close


Appendix D Human Performance Modeling

¹ HPI-XHE-XM-OTC3 is similar to human error event HPI-XHE-XM-FB (Operator fails to initiate feed and bleed cooling) in the original SPAR model for CCNPP which assumes that an excessive steam demand event does not occur. Because both MSIVs will close upon the SGIS within about 2-3 minutes following the ESD, the human performance requirements for HPI-XHE-XM-OTC3 and HPI-XHE-XM-FB are considered to be almost identical (i.e., the same performance shaping factors for both cases), and as a result, the same human error probability was estimated for these human actions.

² Example EOPs requiring OTC include: 1) Contingency Action 31.1 in the HR-1 Functional Recovery Guideline, 2) Contingency Action 9.1 in the Loss of All Feedwater Recovery Guideline, and 3) Contingency Action 19.1 in the Excess Steam Demand Recovery Guideline.

³ NRC Special Inspection (SI) Team Report, EA-04110, Calvert Cliffs Nuclear Power Plant, Unit 1 and Unit 2 - NRC Inspection Report 05000317/2004008 and 05000318/2004008, July 29, 2004.

The event assessment necessitates evaluating the human actions required to initiate once through cooling (OTC) under various circumstances relevant to the MSIV performance upon actuation of Steam Generator Isolation Signals (SGIS): 1) both MSIVs succeed to close, 2) only one MSIV succeeds to close, and 3) both MSIVs fail to close. The corresponding human actions are modeled in terms of human error events HPI-XHE-XM-OTC3,¹ HPI-XHE-XM-OTC4, and HPI-XHE-XM-OTC5, respectively.

It was assumed in evaluating these human error events that a significant amount of diagnosis activity would not be required for the operators to identify the need to initiate OTC, because the operators are typically familiar with the requirement of emergency operating procedures (EOPs) such that OTC should be initiated when wide range SG level in both SGs reaches -350 inches or the RCS cold leg temperature (i.e., TC) rises uncontrollably 5°F or greater.²

A summary of the human performance evaluation is provided in Table D.1 with the quantified human error probabilities (HEPs) in the last column. More details can be found in the SPAR-H worksheets of this appendix.

Table D.1 shows that three different types of performance shaping factors (i.e., time, stress, and complexity) were adjusted to capture the increased failure probability for the OTC human actions. In particular, it may be noted that higher complexity was applied to actions HPI-XHE-XM-OTC4 and HPI-XHE-XM-OTC5 as compared to action HPI-XHE-XM-OTC3; the reason is discussed below.

Human factors and procedural issues were identified at Calvert Cliffs during the inspection for the excess steam demand event. In particular, the inspection report³ indicates that:

Calvert Cliffs has increased the time allowed to execute EOP-0, to allow the operators to concurrently implement procedure steps from other EOPs, without executing the entire EOP. Calvert Cliffs allows this practice while in EOP-0, so that key plant parameters can be restored to normal operating bands. This philosophy resulted in the operators performing actions using knowledge-based skills as opposed to procedure-base skills during high stress condition. This practice significantly increased the potential for operator errors, and in the case of the January 23, 2004 event, it resulted in improper transitions in the EOP procedures.

⁴ Idaho National Engineering and Environmental Laboratory, The SPAR-H Human Reliability Analysis Method, INEEL/EXT-02-01307, May 2004.

Especially because of the operational practice which was in place at Calvert Cliffs during the event (i.e., performing actions using knowledge-based skills as opposed to procedure-based skills), actions HPI-XHE-XM-OTC4 and HPI-XHE-XM-OTC5 for the cases where at least one MSIV failed to close are expected to be more difficult to perform, as compared to action HPI-XHE-XM-OTC3 for the case where both MSIVs successfully closed upon SGIS.

In addition, actions HPI-XHE-XM-OTC4 and HPI-XHE-XM-OTC5 are determined to be more complex than action HPI-XHE-XM-OTC3 to perform particularly because of multiple faults, multiple equipment unavailable, and more likelihood of parallel tasks and transitioning between multiple procedures due to an increased possibility of not satisfying safety functions (see Section 2.4.4.3 of the SPAR-H report⁴).

Finally, it is also notable that the OTC human actions were modeled as not requiring a significant amount of diagnosis activity even though the Calvert Cliffs Unit 2 operators actually mis-diagnosed plant conditions during their response to the ESD event, because:

a) The term diagnosis in the SPAR-H method generally has to do with attributing the most likely causes of the abnormal event to the level required to identify those systems or components whose status can be changed to reduce or eliminate the problem.

b) The operators mis-diagnosed the actual plant conditions; however, this mis-diagnosis relates not to the OTC human actions, but to other actions to return the key plant parameters to normal operating bands.

c) In the actual event, the operators did not need to diagnose in connection with OTC, since the OTC operation was not required due to the early termination of the ESD by the automatic closure of both MSIVs about one minute after the reactor trip, and the subsequent SG cooling by the motor-driven AFW pump and the ADVs.

Table D.1 Summary of human performance evaluation

| Human error event | Description | Time | Stress | Complexity | Experience | Procedure | Ergonomics | Fitness | Work Process | HEP |
|---|---|---|---|---|---|---|---|---|---|---|
| HPI-XHE-XM-OTC3 | Operator fails to initiate once through cooling (given excessive steam demand and both MSIVs succeed to close upon SGIS) | 10 | 2 | 2 | 1 | 1 | 1 | 1 | 1 | 4.0E-02 |
| HPI-XHE-XM-OTC4 | Operator fails to initiate once through cooling (given excessive steam demand and only one MSIV closes upon SGIS) | 10 | 2 | 5 | 1 | 1 | 1 | 1 | 1 | 9.0E-02 |
| HPI-XHE-XM-OTC5 | Operator fails to initiate once through cooling (given excessive steam demand and both MSIVs fail to close upon SGIS) | 10 | 5 | 5 | 1 | 1 | 1 | 1 | 1 | 2.0E-01 |

The Time through Work Process columns are the Performance Shaping Factors (PSFs).

Note: Each of these human error events involves multiple (i.e., 3 or more) non-nominal PSFs, and therefore, the human error probabilities (HEPs) were calculated by applying an adjustment factor in accordance to the formula provided in the SPAR-H report in order to represent the composite PSF influence.
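The quantification summarized in Table D.1 can be reproduced with the short calculation below. This is an added example, not part of the NRC analysis: it applies the SPAR-H composite-PSF adjustment, HEP = NHEP x PSF / (NHEP x (PSF - 1) + 1), to the action-worksheet multipliers of this appendix and encodes the dependency condition table and formulae from page 3 of the worksheets. Function and variable names are hypothetical, and treating the first task in a sequence as zero dependence is an assumption drawn from the worksheet instruction.

```python
from math import prod

NOMINAL_ACTION_HEP = 1.0e-3  # nominal action HEP entered in the worksheets

# Non-nominal action PSF multipliers from the three worksheets in this
# appendix; every PSF not listed is nominal (x 1.0).
WORKSHEETS = {
    "HPI-XHE-XM-OTC3": {"time": 10, "stress": 2, "complexity": 2},
    "HPI-XHE-XM-OTC4": {"time": 10, "stress": 2, "complexity": 5},
    "HPI-XHE-XM-OTC5": {"time": 10, "stress": 5, "complexity": 5},
}


def action_hep(psfs, nominal=NOMINAL_ACTION_HEP):
    """HEP without formal dependence for the action portion of a task."""
    multipliers = list(psfs.values())
    if any(m <= 0 for m in multipliers):
        raise ValueError("PSF multipliers must be positive")
    composite = prod(multipliers)
    non_nominal = sum(1 for m in multipliers if m != 1)
    if non_nominal >= 3:
        # SPAR-H adjustment for three or more non-nominal PSFs: keeps the
        # result below 1.0 however large the composite multiplier becomes.
        return nominal * composite / (nominal * (composite - 1) + 1)
    return min(nominal * composite, 1.0)


LEVELS = ("zero", "low", "moderate", "high", "complete")

# Dependency condition table: (crew, location, time, cues) -> dependency.
# s/d = same/different, c/nc = close/not close in time,
# a/na = additional/no additional cues (cues are not used when time is "c").
DEPENDENCY_TABLE = {
    ("s", "s", "c", None): "complete",
    ("s", "s", "nc", "na"): "high",
    ("s", "s", "nc", "a"): "moderate",
    ("s", "d", "c", None): "high",
    ("s", "d", "nc", "na"): "moderate",
    ("s", "d", "nc", "a"): "low",
    ("d", "s", "c", None): "moderate",
    ("d", "s", "nc", "na"): "low",
    ("d", "s", "nc", "a"): "low",
    ("d", "d", "c", None): "moderate",
    ("d", "d", "nc", "na"): "low",
    ("d", "d", "nc", "a"): "low",
}


def dependency_level(crew, location, time, cues=None, error_number=2):
    """Dependency level for the error_number-th human error in a sequence."""
    if error_number < 1:
        raise ValueError("error_number starts at 1")
    if error_number == 1:
        return "zero"  # assumption: the table applies from the second task on
    key = (crew, location, time, None if time == "c" else cues)
    level = DEPENDENCY_TABLE[key]
    # Rule from the worksheet: 3rd error at least moderate, 4th at least high.
    if error_number >= 4:
        floor = "high"
    elif error_number == 3:
        floor = "moderate"
    else:
        floor = "zero"
    return max(level, floor, key=LEVELS.index)


def hep_with_dependence(p, level):
    """Task failure probability with formal dependence (worksheet page 3)."""
    formulas = {
        "complete": 1.0,
        "high": (1 + p) / 2,
        "moderate": (1 + 6 * p) / 7,
        "low": (1 + 19 * p) / 20,
        "zero": p,
    }
    return formulas[level]


if __name__ == "__main__":
    for name, psfs in WORKSHEETS.items():
        p = action_hep(psfs)
        print(f"{name}: HEP = {p:.3e}, zero dependence -> {hep_with_dependence(p, 'zero'):.3e}")
```

The computed values agree with the worksheet entries to one significant figure.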


SPAR Model Human Error Worksheet (Page 1 of 3)

Plant: Calvert Cliffs 1 & 2

Event Name: HPI-XHE-XM-OTC3

Task Error Description: Operator fails to initiate once through cooling (given excessive steam demand and both MSIVs succeed to close upon SGIS)

Does this task contain a significant amount of diagnosis activity? YES [ ] NO [✓]

If Yes, use Table 1 below to evaluate the PSFs for the Diagnosis portion of the task before going to Table 2. If No, go directly to Table 2.

Table 1. Diagnosis worksheet.

| PSFs | PSF Levels | Multiplier for Diagnosis | If non-nominal PSF levels are selected, please note specific reasons in this column |
|---|---|---|---|
| 1. Available Time | Inadequate | 1.0 (a) | |
| | Barely adequate < 20 m | | |
| | Nominal ≈ 30 m | | |
| | Extra > 60 m | 0.1 | |
| | Expansive > 24 h | 0.01 | |
| 2. Stress | Extreme | | |
| | High | | |
| | Nominal | | |
| 3. Complexity | Highly | | |
| | Moderately | | |
| | Nominal | | |
| 4. Experience/Training | Low | | |
| | Nominal | | |
| | High | 0.5 | |
| 5. Procedures | Not available | | |
| | Available, but poor | | |
| | Nominal | | |
| | Diagnostic/symptom oriented | 0.5 | |
| 6. Ergonomics | Missing/Misleading | | |
| | Poor | | |
| | Nominal | | |
| | Good | 0.5 | |
| 7. Fitness for Duty | Unfit | 1.0 (a) | |
| | Degraded Fitness | | |
| | Nominal | | |
| 8. Work Processes | Poor | | |
| | Nominal | | |
| | Good | 0.8 | |

a. Task failure probability is 1.0 regardless of other PSFs.

SPAR Model Human Error Worksheet (Page 2 of 3)

Table 2. Action worksheet.

| PSFs | PSF Levels | Multiplier for Action | If non-nominal PSF levels are selected, please note specific reasons in this column |
|---|---|---|---|
| 1. Available Time | Inadequate | 1.0 (a) | |
| | Time available ≈ time required | 10 ✓ | It is assumed there is just enough available time for the operators to initiate feed and bleed cooling. |
| | Nominal | | |
| | Available > 50x time required | 0.01 | |
| 2. Stress | Extreme | | |
| | High | 2 ✓ | It is assumed that the stress level is greater than nominal. |
| | Nominal | | |
| 3. Complexity | Highly | | |
| | Moderately | 2 ✓ | It is assumed that the complexity level is greater than nominal. |
| | Nominal | | |
| 4. Experience/Training | Low | | |
| | Nominal | 1 ✓ | |
| | High | 0.5 | |
| 5. Procedures | Not available | | |
| | Available, but poor | | |
| | Nominal | 1 ✓ | |
| 6. Ergonomics | Missing/Misleading | | |
| | Poor | | |
| | Nominal | 1 ✓ | |
| | Good | 0.5 | |
| 7. Fitness for Duty | Unfit | 1.0 (a) | |
| | Degraded Fitness | | |
| | Nominal | 1 ✓ | |
| 8. Work Processes | Poor | | |
| | Nominal | 1 ✓ | |
| | Good | 0.8 | |

a. Task failure probability is 1.0 regardless of other PSFs.

Table Task failure probability without formal dependence worksheet.

| Task Portion | Nom. Prob. | Time | Stress | Compl. | Exper./Train. | Proced. | Ergon. | Fitness | Work Process | Prob. |
|---|---|---|---|---|---|---|---|---|---|---|
| Diag. | N/A | | | | | | | | | |
| Action | 1.0E-3 | x 10 | x 2.0 | x 2.0 | x 1.0 | x 1.0 | x 1.0 | x 1.0 | x 1.0 | 4.0E-2 (a) |
| Total | | | | | | | | | | 4.0E-2 |

a. The human error probability was adjusted following a special formula of SPAR-H to represent the composite PSF influence, because multiple (i.e., three or more) non-nominal PSFs are involved.

SPAR Model Human Error Worksheet (Page 3 of 3)

For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence.

Table Dependency condition worksheet.

| Condition Number | Crew (same or different) | Location (same or different) | Time (close in time or not close in time) | Cues (additional or not additional) | Dependency |
|---|---|---|---|---|---|
| 1 | s | s | c | - | complete |
| 2 | s | s | nc | na | high |
| 3 | s | s | nc | a | moderate |
| 4 | s | d | c | - | high |
| 5 | s | d | nc | na | moderate |
| 6 | s | d | nc | a | low |
| 7 | d | s | c | - | moderate |
| 8 | d | s | nc | na | low |
| 9 | d | s | nc | a | low |
| 10 | d | d | c | - | moderate |
| 11 | d | d | nc | na | low |
| 12 | d | d | nc | a | low |
| 13 ✓ | | | | | zero |

Number of Human Action Failures Rule: If this error is the 3rd error in the sequence, then the dependency is at least moderate. If this error is the 4th error in the sequence, then the dependency is at least high. This rule may be ignored only if there is compelling evidence for less dependence with the previous tasks.

Using P = Task Failure Probability Without Formal Dependence (calculated on page 2):

For Complete Dependence the probability of failure = 1.0

For High Dependence the probability of failure = (1 + P)/2

For Moderate Dependence the probability of failure = (1 + 6P)/7

For Low Dependence the probability of failure = (1 + 19P)/20

✓ For Zero Dependence the probability of failure = P

Task Failure Probability With Formal Dependence = (1 + ( * )) / = 4.0E-2

Additional Notes:

SPAR Model Human Error Worksheet (Page 1 of 3)

Plant: Calvert Cliffs 1 & 2

Event Name: HPI-XHE-XM-OTC4

Task Error Description: Operator fails to initiate once through cooling (given excessive steam demand and only one MSIV closes upon SGIS)

Does this task contain a significant amount of diagnosis activity? YES [ ] NO [✓]

If Yes, use Table 1 below to evaluate the PSFs for the Diagnosis portion of the task before going to Table 2. If No, go directly to Table 2.

Table 1. Diagnosis worksheet.

| PSFs | PSF Levels | Multiplier for Diagnosis | If non-nominal PSF levels are selected, please note specific reasons in this column |
|---|---|---|---|
| 1. Available Time | Inadequate | 1.0 (a) | |
| | Barely adequate < 20 m | | |
| | Nominal ≈ 30 m | | |
| | Extra > 60 m | 0.1 | |
| | Expansive > 24 h | 0.01 | |
| 2. Stress | Extreme | | |
| | High | | |
| | Nominal | | |
| 3. Complexity | Highly | | |
| | Moderately | | |
| | Nominal | | |
| 4. Experience/Training | Low | | |
| | Nominal | | |
| | High | 0.5 | |
| 5. Procedures | Not available | | |
| | Available, but poor | | |
| | Nominal | | |
| | Diagnostic/symptom oriented | 0.5 | |
| 6. Ergonomics | Missing/Misleading | | |
| | Poor | | |
| | Nominal | | |
| | Good | 0.5 | |
| 7. Fitness for Duty | Unfit | 1.0 (a) | |
| | Degraded Fitness | | |
| | Nominal | | |
| 8. Work Processes | Poor | | |
| | Nominal | | |
| | Good | 0.8 | |

a. Task failure probability is 1.0 regardless of other PSFs.

SPAR Model Human Error Worksheet (Page 2 of 3)

Table 2. Action worksheet.

| PSFs | PSF Levels | Multiplier for Action | If non-nominal PSF levels are selected, please note specific reasons in this column |
|---|---|---|---|
| 1. Available Time | Inadequate | 1.0 (a) | |
| | Time available ≈ time required | 10 ✓ | It is assumed there is just enough available time for the operators to initiate feed and bleed cooling. |
| | Nominal | | |
| | Available > 50x time required | 0.01 | |
| 2. Stress | Extreme | | |
| | High | 2 ✓ | It is assumed that the stress level is greater than nominal. |
| | Nominal | | |
| 3. Complexity | Highly | 5 ✓ | It is assumed that the complexity level is much higher than nominal due to the sustained excessive steam demand through the open MSIV and TBVs. |
| | Moderately | | |
| | Nominal | | |
| 4. Experience/Training | Low | | |
| | Nominal | 1 ✓ | |
| | High | 0.5 | |
| 5. Procedures | Not available | | |
| | Available, but poor | | |
| | Nominal | 1 ✓ | |
| 6. Ergonomics | Missing/Misleading | | |
| | Poor | | |
| | Nominal | 1 ✓ | |
| | Good | 0.5 | |
| 7. Fitness for Duty | Unfit | 1.0 (a) | |
| | Degraded Fitness | | |
| | Nominal | 1 ✓ | |
| 8. Work Processes | Poor | | |
| | Nominal | 1 ✓ | |
| | Good | 0.8 | |

a. Task failure probability is 1.0 regardless of other PSFs.

Table Task failure probability without formal dependence worksheet.

| Task Portion | Nom. Prob. | Time | Stress | Compl. | Exper./Train. | Proced. | Ergon. | Fitness | Work Process | Prob. |
|---|---|---|---|---|---|---|---|---|---|---|
| Diag. | N/A | | | | | | | | | |
| Action | 1.0E-3 | x 10 | x 2.0 | x 5.0 | x 1.0 | x 1.0 | x 1.0 | x 1.0 | x 1.0 | 9.0E-2 (a) |
| Total | | | | | | | | | | 9.0E-2 |

a. The human error probability was adjusted following a special formula of SPAR-H to represent the composite PSF influence, because multiple (i.e., three or more) non-nominal PSFs are involved.

SPAR Model Human Error Worksheet (Page 3 of 3)

For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence.

Table Dependency condition worksheet.

| Condition Number | Crew (same or different) | Location (same or different) | Time (close in time or not close in time) | Cues (additional or not additional) | Dependency |
|---|---|---|---|---|---|
| 1 | s | s | c | - | complete |
| 2 | s | s | nc | na | high |
| 3 | s | s | nc | a | moderate |
| 4 | s | d | c | - | high |
| 5 | s | d | nc | na | moderate |
| 6 | s | d | nc | a | low |
| 7 | d | s | c | - | moderate |
| 8 | d | s | nc | na | low |
| 9 | d | s | nc | a | low |
| 10 | d | d | c | - | moderate |
| 11 | d | d | nc | na | low |
| 12 | d | d | nc | a | low |
| 13 ✓ | | | | | zero |

Number of Human Action Failures Rule: If this error is the 3rd error in the sequence, then the dependency is at least moderate. If this error is the 4th error in the sequence, then the dependency is at least high. This rule may be ignored only if there is compelling evidence for less dependence with the previous tasks.

Using P = Task Failure Probability Without Formal Dependence (calculated on page 2):

For Complete Dependence the probability of failure = 1.0

For High Dependence the probability of failure = (1 + P)/2

For Moderate Dependence the probability of failure = (1 + 6P)/7

For Low Dependence the probability of failure = (1 + 19P)/20

✓ For Zero Dependence the probability of failure = P

Task Failure Probability With Formal Dependence = (1 + ( * )) / = 9.0E-2

SPAR Model Human Error Worksheet (Page 1 of 3)

Plant: Calvert Cliffs 1 & 2

Event Name: HPI-XHE-XM-OTC5

Task Error Description: Operator fails to initiate once through cooling (given excessive steam demand and both MSIVs fail to close upon SGIS)

Does this task contain a significant amount of diagnosis activity? YES [ ] NO [✓]

If Yes, use Table 1 below to evaluate the PSFs for the Diagnosis portion of the task before going to Table 2. If No, go directly to Table 2.

Table 1. Diagnosis worksheet.

| PSFs | PSF Levels | Multiplier for Diagnosis | If non-nominal PSF levels are selected, please note specific reasons in this column |
|---|---|---|---|
| 1. Available Time | Inadequate | 1.0 (a) | |
| | Barely adequate < 20 m | | |
| | Nominal ≈ 30 m | | |
| | Extra > 60 m | 0.1 | |
| | Expansive > 24 h | 0.01 | |
| 2. Stress | Extreme | | |
| | High | | |
| | Nominal | | |
| 3. Complexity | Highly | | |
| | Moderately | | |
| | Nominal | | |
| 4. Experience/Training | Low | | |
| | Nominal | | |
| | High | 0.5 | |
| 5. Procedures | Not available | | |
| | Available, but poor | | |
| | Nominal | | |
| | Diagnostic/symptom oriented | 0.5 | |
| 6. Ergonomics | Missing/Misleading | | |
| | Poor | | |
| | Nominal | | |
| | Good | 0.5 | |
| 7. Fitness for Duty | Unfit | 1.0 (a) | |
| | Degraded Fitness | | |
| | Nominal | | |
| 8. Work Processes | Poor | | |
| | Nominal | | |
| | Good | 0.8 | |

a. Task failure probability is 1.0 regardless of other PSFs.

SPAR Model Human Error Worksheet (Page 2 of 3)

Table 2. Action worksheet.

| PSFs | PSF Levels | Multiplier for Action | If non-nominal PSF levels are selected, please note specific reasons in this column |
|---|---|---|---|
| 1. Available Time | Inadequate | 1.0 (a) | |
| | Time available ≈ time required | 10 ✓ | It is assumed there is just enough available time for the operators to initiate feed and bleed cooling. |
| | Nominal | | |
| | Available > 50x time required | 0.01 | |
| 2. Stress | Extreme | 5 ✓ | It is assumed that the stress level is much higher than nominal due to the excessive steam demand and the failure of both MSIVs to close upon SGIS. |
| | High | | |
| | Nominal | | |
| 3. Complexity | Highly | 5 ✓ | It is assumed that the complexity level is much higher than nominal due to the sustained excessive steam demand through the open MSIVs and TBVs. |
| | Moderately | | |
| | Nominal | | |
| 4. Experience/Training | Low | | |
| | Nominal | 1 ✓ | |
| | High | 0.5 | |
| 5. Procedures | Not available | | |
| | Available, but poor | | |
| | Nominal | 1 ✓ | |
| 6. Ergonomics | Missing/Misleading | | |
| | Poor | | |
| | Nominal | 1 ✓ | |
| | Good | 0.5 | |
| 7. Fitness for Duty | Unfit | 1.0 (a) | |
| | Degraded Fitness | | |
| | Nominal | 1 ✓ | |
| 8. Work Processes | Poor | | |
| | Nominal | 1 ✓ | |
| | Good | 0.8 | |

a. Task failure probability is 1.0 regardless of other PSFs.

Table Task failure probability without formal dependence worksheet.

Columns: Task Portion | Nom. Prob. | Time | Stress | Compl. | Exper./Train. | Proced. | Ergon. | Fitness | Work Process | Prob.

Diag.: N/A

Action: 1.0E-3 x 10 x 5.0 x 5.0 x 1.0 x 1.0 x 1.0 x 1.0 x 1.0; Prob. 2.0E-1 (a)

Total: 2.0E-1

a. The human error probability was adjusted following a special formula of SPAR-H to represent the composite PSF influence, because multiple (i.e., three or more) non-nominal PSFs are involved.

SPAR Model Human Error Worksheet (Page 3 of 3)

For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence.

Table Dependency condition worksheet.

| Condition Number | Crew (same or different) | Location (same or different) | Time (close in time or not close in time) | Cues (additional or not additional) | Dependency |
|  | s | s | c | - | complete |
|  | s | s | nc | na | high |
|  | s | s | nc | a | moderate |
|  | s | d | c | - | high |
|  | s | d | nc | na | moderate |
|  | s | d | nc | a | low |
|  | d | s | c | - | moderate |
|  | d | s | nc | na | low |
|  | d | s | nc | a | low |
|  | d | d | c | - | moderate |
|  | d | d | nc | na | low |
|  | d | d | nc | a | low |
| 13 [X] |  |  |  |  | zero |

Number of Human Action Failures Rule: If this error is the 3rd error in the sequence, then the dependency is at least moderate. If this error is the 4th error in the sequence, then the dependency is at least high. This rule may be ignored only if there is compelling evidence for less dependence with the previous tasks.

Using P = Task Failure Probability Without Formal Dependence (calculated on page 2):

For Complete Dependence the probability of failure = 1.0

For High Dependence the probability of failure = (1 + P)/2

For Moderate Dependence the probability of failure = (1 + 6P)/7

For Low Dependence the probability of failure = (1 + 19P)/20

[X] For Zero Dependence the probability of failure = P

Task Failure Probability With Formal Dependence = (1 + ( * )) / = 2.0E-1

Additional Notes:
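Added example, not part of the NRC worksheet: the Python below reproduces the action-task value 2.0E-1 from the multipliers checked in the action worksheet and then applies the dependence formulas listed above. The composite-PSF adjustment is the one defined in the SPAR-H method (NUREG/CR-6883), which the worksheet footnote refers to but does not print; the function and dictionary names are illustrative, and counting a PSF as negative when its multiplier exceeds 1 is an assumption of this example.

```python
from math import prod

# Dependence formulas exactly as listed on page 3 of the worksheet
# (p = task failure probability without formal dependence).
DEPENDENCE = {
    "complete": lambda p: 1.0,
    "high": lambda p: (1 + p) / 2,
    "moderate": lambda p: (1 + 6 * p) / 7,
    "low": lambda p: (1 + 19 * p) / 20,
    "zero": lambda p: p,
}

# Action-task multipliers checked on the worksheet (key names are illustrative).
ACTION_PSFS = {
    "time": 10, "stress": 5, "complexity": 5, "experience": 1,
    "procedures": 1, "ergonomics": 1, "fitness": 1, "work_processes": 1,
}


def hep_without_dependence(nominal, multipliers):
    """Nominal HEP times the PSF multipliers, with the SPAR-H composite
    adjustment when three or more PSFs are negative (multiplier > 1)."""
    if not 0 < nominal <= 1:
        raise ValueError("nominal HEP must be in (0, 1]")
    if any(m <= 0 for m in multipliers.values()):
        raise ValueError("PSF multipliers must be positive")
    composite = prod(multipliers.values())
    negative = sum(1 for m in multipliers.values() if m > 1)
    if negative >= 3:
        # Adjustment from the SPAR-H method; it keeps the result below 1.0
        # even when the raw product nominal * composite would exceed it.
        return nominal * composite / (nominal * (composite - 1) + 1)
    return min(1.0, nominal * composite)


def hep_with_dependence(p, level):
    """Apply the worksheet's dependence formula for the given level."""
    return DEPENDENCE[level](p)


if __name__ == "__main__":
    p = hep_without_dependence(1.0e-3, ACTION_PSFS)
    print(f"composite PSF      : {prod(ACTION_PSFS.values())}")
    print(f"unadjusted product : {1.0e-3 * prod(ACTION_PSFS.values()):.3f}")
    print(f"adjusted HEP (P)   : {p:.1E}")
    for level in DEPENDENCE:
        print(f"{level:>8} dependence: {hep_with_dependence(p, level):.2E}")
```

The unadjusted product of the worksheet row is 0.25; the adjustment brings it to the 2.0E-1 recorded in the Prob. column, and zero dependence leaves that value unchanged.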