Text

Attachment 1, Revision 0 to PSA-ES63, Probabilistc Safety Assessment Temporary Alignment of Service Water Division 1 Gland Water Supply to SW Pumps in Both Divisions
	ML042250218
Person / Time
Site:	Cooper
Issue date:	08/11/2004
From:	; Nebraska Public Power District (NPPD)
To:	; Office of Nuclear Reactor Regulation
References
	FOIA/PA-2006-0007, NLS2004106 PSA-ES63, Rev 0
	Download: ML042250218 (104)
	v • d • e

NLS2004 106 Attachment I Page I of 94 ATTACHMENT I PROBABILIISTIC SAFETY ASSESSMENT TEMPORARY ALIGNMENT OF SERVICE WATER DIVISION I GLAND WATER SUPPLY TO SW PUMPS IN BOTH DIVISIONS PSA-ES63, REV 0 COOPER NUCLEAR STATION NRC DOCKET 50-298, DPR-46

PROBABILISTIC SAFETY ASSESSMENT COOPER NUCLEAR STATION ENGINEERING STUDY Temporary Alignment of Service Water Division I Gland Water Supply to SW Pumps in Both Divisions PSA-ES63 Revision 0 Prepared By:

Risk Management Engineer Prepared By:

Entergy NNE PSA Engineer Prepared By:

Entergy NNE PSA Engineer Reviewed By:

Risk Management Supervisor Entergy NNE PSA Supervisor Approval:

Equipment Reliability Manager Revisions:

Signature/Date JoW~~gmc

/Xx

&llo Agg' IfQS 9 R I o

gz~~t&

di-o CLEJI )El /6-Ae-GZUSJA CI4AtTE~ JA/Fo-01

?,/

_v

'FOA- -roo a

I Reviewed Approved Number Description By Date By Date 0

Original Issue See Above See Above

TABLE OF CONTENTS Description Executive Summary Nomenclature Definitions

1. Introduction 1.1 Purpose

1.2 Background

2. Evaluation 2.1 Assumptions and Characteristics of the Model 2.2 Event Tree Analysis 2.2.1 Core Damage Sequences 2.3 Data Analysis 2.3.1 Diesel Generator Reliability Data 2.3.2 Initiating Events Analysis 2.3.3 Human Error Probabilities 2.3.4 AC Power Non-recovery 2.3.5 Support Data 2.4 Large Early Release Frequency Analysis 2.5 Accident Sequence Quantification

3. Conclusions Page 3

5 7

10 10 10 13 13 18 26 28 28 28 29 31 32 33 37 40 Appendix A Appendix B Appendix C Appendix D Appendix E Cooper SWS-GW Misalignment Event Tree Sequence Description Human Reliability Analysis Data Analysis Loss Of Offsite Power Initiating Event Analysis Recovery Of Loss Of Offsite Power (OSP)

Page 1 of 40

TABLE OF CONTENTS (continued)

LIST OF FIGURES Page Figure 1.1 Service Water System Flow Diagrams 10 Figure 2.1 Cooper SWS-GW Misalignment Event Tree 20 LIST OF TABLES Page Table 2.1 Emergency Diesel Generator Updated Data (Jan 2001 to Jun 2004) 28 Table 2.2 Loss of Offsite Power Updated Frequency and Sensitivity Analysis 28 Table 2.3 CNS Updated Human Error Probabilities 30 Table 2.4 CNS Updated Conditional Human Error Probabilities 30 Table 2.5 AC Power Non-Recovery Event Probabilities 31 Table 2.6 Support Data Used In the Sequence Quantification and Their Sources 32 Table 2.7 Plant Damage State Binning 33 Table 2.8 Conditional Non-Recovery Probabilities 35 Table 2.9 Summary of Cooper SWS-GW Misalignment Event Tree Core Damage Sequences 38 Page 2 of 40

EXECUTIVE

SUMMARY

A focused probabilistic safety assessment (PSA) based on the Cooper Nuclear Station and updated Individual Plant Examination (IPE) model has been performed to evaluate the safety significance of a temporary alignment of Service Water pump gland water supply. Specifically, on February I1, 2004, operators discovered that the gland water for Service Water Pumps B & D was being supplied from the Subsystem A header.

This condition had existed since the B Subsystem Zurn Strainer was returned to service 21 days earlier.

While the normal operation of SW pumps without gland water does not apply to CNS, the potential exists during emergency conditions due to the temporary cross-divisional configuration of gland water supply. The gland water supply provides effective lubrication of bushings that provide lateral support for the vertical SW pump shaft. This becomes particularly important when gland water supply is lost and not restored within 90 minutes of continuous pump operation.

The Cooper PSA model includes a large spectrum of initiating events and examines the accident sequences that can lead to core damage that result from the initiating event coupled with system failures. The PSA success criteria for SW system operation rely on the gland water supply to lubricate the SW pump bushings. Emergency operation of the SW pumps without gland water could compromise the success criteria used in the PSA. Therefore, this PSA evaluation includes the development of an event tree to depict this accident scenario, modifications to the SW model, detailed human reliability analysis and updated plant specific event and component data to account for the postulated effect.

The increased probability of accident scenarios resulting from potential failures resulting from the cross-divisional alignment of gland water supply to the SW pumps was evaluated.

The events of primary concern are accident scenarios that can require operation of Division 2 (B Subsystem) SW pumps to successfully mitigate an accident and which are initially dependent on the Division 1 (A Subsystem) SW pumps that provide SW pump B & D gland water supply.

These events are identified and analyzed as the following:

Random Failure of Division I SW while at power Failure of Division I Emergency Diesel Generator following LOOP Loss of Division I SW following loss of 4160VAC Bus IF A detailed evaluation of these postulated events was performed to understand the expected plant response and the actions of the operations staff to address indicated conditions. This information provided the basis for detailed analysis of operator actions (human reliability analysis) related to timely restoration of gland water supply. In addition, the containment response during accident progression was reviewed for each of these events to understand the impact.

The detailed containment response model (Level 2 PSA) was employed to characterize the potential for large early releases from containment.

Page 3 of 40

Based on the Cooper plant specific probability of these events and the estimated failure probability of gland water human recovery actions, the incremental core damage is less than I E-6 and incremental large early release is less than I E-7. Based on these conservative estimates, the overall incurred plant risk during the temporary configuration was not safety significant.

This evaluation is consistent with the level of rigor expected from a Phase 3 Significance Determination Process (SDP) evaluation. These results indicate that the incurred risk does not exceed the regulatory thresholds established for conditional core damage probability significance nor conditional large early release probability significance.

Page 4 of 40

NOMENCLATURE CD Core Damage CS Core Spray CDF Core Damage Frequency CET Containment Event Tree CNS Cooper Nuclear Station ACDP Delta Core Damage Probability ALERP Delta Large Early Release Probability DG Diesel Generator DIV I Division I DIV II Division II EPRI Electrical Power Research Institute FI Functional Impact GW Gland Water System HEP Human Error Probability HPCI High Pressure Coolant Injection IPE Individual Plant Examination IPF Initial Plant Fault LERF Large Early Release Frequency LOOP Loss of Offsite Power LOSP Loss of Offsite Power LPCI Low Pressure Coolant Injection NPSH Low Net Positive Suction Head.

Page 5 of 40

NOMENCLATURE (continued)

NRC United States Nuclear Regulatory Commission PDS Plant Damage State PRA Probabilistic Risk Analysis PSA Probabilistic Safety Assessment RCIC Reactor Core Isolation Cooling REC Reactor Equipment Cooling RHR Residual Heat Removal RHRSW Residual Heat Removal Service Water RPV Reactor Pressure Vessel SDP Significance Determination Process SWS Service Water System TEC Turbine Equipment Cooling Page 6 of 40

DEFINITIONS Accident sequence - a representation in terms of an initiating event followed by a combination of system, function and operator failures or successes, of an accident that can lead to undesired consequences, with a specified end state (e.g., core damage or large early release). An accident sequence may contain many unique variations of events (minimal cut sets) that are similar.

Containment event tree - a quantifiable, logical network that begin with a core damage endstate and progresses to possible containment conditions affecting the radionuclide release magnitude and timing.

Core damage - uncovery and heatup of the reactor core to the point at which prolonged oxidation and severe fuel damage is anticipated and involving enough of the core to cause a significant release.

Core damage frequency - expected number of core damage events per unit of time.

Cutsets - Accident sequence failure combinations.

End State - is the set of conditions at the end of an event sequence that characterizes the impact of the sequence on the plant or the environment. End states typically include: success states, core damage sequences, plant damage states for Level I sequences, and release categories for Level 2 sequences.

Event tree - a quantifiable, logical network that begins with an initiating event or condition and progresses through a series of branches that represent expected system or operator performance that either succeeds or fails and arrives at either a successful or failed end state.

Initiating Event - An initiating event is any event that perturbs the steady state operation of the plant, if operating, or the steady state operation of the decay heat removal systems during shutdown operations such that a transient is initiated in the plant. Initiating events trigger sequences of events that challenge the plant control and safety systems.

Large early release - the rapid, unmitigated release of airborne fission products from the containment to the environment occurring before the effective implementation of off-site emergency response and protective actions.

Large early release frequency - expected number of large early releases per unit of time.

Level I - identification and quantification of the sequences of events leading to the onset of core damage.

Level 2 - evaluation of containment response to severe accident challenges and quantification of the mechanisms, amounts, and probabilities of subsequent radioactive material releases from the containment.

Page 7 of 40

Plant damage state - Plant damage states are collections of accident sequence end states according to plant conditions at the onset of severe core damage. The plant conditions considered are those that determine the capability of the containment to cope with a severe core damage accident. The plant damage states represent the interface between the Level I and Level 2 analyses.

Probability - is a numerical measure of a state of knowledge, a degree of belief, or a state of confidence about the outcome of an event.

Probabilistic risk assessment - a qualitative and quantitative assessment of the risk associated with plant operation and maintenance that is measured in terms of frequency of occurrence of risk metrics, such as core damage or a radioactive material release and its effects on the health of the public (also referred to as a probabilistic safety assessment, PSA).

Release category - radiological source term for a given accident sequence that consists of the release fractions for various radionuclide groups (presented as fractions of initial core inventory),

and the timing, elevation, and energy of release. The factors addressed in the definition of the release categories include the response of the containment structure, timing, and mode of containment failure; timing, magnitude, and mix of any releases of radioactive material; thermal energy of release; and key factors affecting deposition and filtration of radionuclides. Release categories can be considered the end states of the Level 2 portion of a PSA.

Risk - encompasses what can happen (scenario), its likelihood (probability), and its level of damage (consequences).

Severe accident - an accident that involves extensive core damage and fission product release into the reactor vessel and containment, with potential release to the environment.

Vessel Breach - a failure of the reactor vessel occurring during core melt (e.g., at a penetration or due to thermal attack of the vessel bottom head or wall by molten core debris).

Page 8 of 40

1.0 INTRODUCTION

On February I1, 2004, a Station Operator was validating a valve line-up on the Service Water System (SWS)/Gland Water System (GW) to assess the cause of low gland water supply pressure. The Station Operator discovered SW-V-28 closed, SW-V-1479 open, and SW-V-1480 open which was not the expected configuration. The effect of this lineup was that SWS GW Subsystem B was being supplied by SWS Subsystem A. SWS GW Subsystem B was in this configuration since maintenance was performed on the B Zurn Strainer on January 21, 2004.

1.1 PURPOSE In order to assist in a significance determination of these identified conditions, a risk assessment is provided. This risk assessment evaluates this condition for an exposure time of 2 1-days. This risk assessment predicts the changes in core damage frequency (CDF), increase in core damage probability (ACDP), change in large early release frequency (LERF) and increased in large early release probability (ALERP).

1.2 BACKGROUND

Discussion Of Service Water System The Service Water system, depicted in Figure 1.1 consists of four vertical SW pumps located in the Intake Structure, and two associated strainers, piping, valving, and instrumentation. The SW pumps discharge to a common header from which independent piping supplies two essential (Seismic Class IS) cooling water loops and one Turbine Building loop. In the event of a loss of header pressure below 20 psig, automatic valving is provided to shutoff all supply to the Turbine Building loop, thus assuring supply to the critical loops. Each critical loop feeds one diesel generator, two RHR service water booster pumps, and one REC heat exchanger. Valves are included in the common discharge header to permit the SW system to be operated as two independent loops. Either loop can supply normal cooling water to the REC Critical Loops and the diesel generators.

Each SW pump is provided with two control switches, a remote start and stop switch and an operational mode selector switch. The mode selector switch is a three-position control switch and determines the operating mode for its associated pump. Its switch positions are: MANUAL, STANDBY, and AUTO. The normal operating configuration during power operations is one pump in each loop running in STANDBY and the other pump in each loop selected to AUTO.

In AUTO, the SW pump will auto start on a low header pressure of 17 psig or auto trip on a high header pressure of 75 psig.

Page 9 of 40

Figure 1.1 Service Water System Flow Diagram I

CI A

AXt REC NORTMSOUTH C"XA

lSOCHRGE,

, TO Ca DSCH TUNNEL IA Page 10 of 40

Each set of SW pumps has a normal gland water bearing lubrication supply utilizing the safety-related discharge of the SW pumps. A back-up supply of gland water from the Fire Protection system can also provide water directly to the SW pump gland water system when manual actions are taken.

The normal GW supply valve alignment is flow from the discharge of the SW pump down stream of the (Zurn) strainer. The normal flow path for Division I is through an open SW-V-21 and MO-2128 to SW pumps A and C. Similarly, for Division 2 flow is through an open SW-V-28 and MO-2129 to SW pumps B and D. The manual valves the common GW supply line (V-1479 and V-1480) are normally closed.

However, during a 21 -day period the GW flow from Division 2 was closed and Division I GW provided flow to all 4 pumps (refer to configuration illustrated in Figure 1.1). The GW flow is provided from the Division I discharge through SW-V-21 and MO-2128 to the Division I pumps and Division 2 pumps through V-1479 and V-1480. To restore Division 2 supply to the GW supply, opening the closed SW-V-28 would be required at a minimum.

The focus of this assessment is to determine the safety significance of the temporary alignment of SW Division I GW supply to SW pumps in both Divisions over this 21 -day period.

Configuration Impact on Normal Operation During normal operations the SW system is cross-connected such that all 4 SW pumps can provide water to any load. This cross connect is via SW-MOV-36MV and SW-MOV-37MV.

Thus adequate GW flow was provided to all 4 pumps from Division 1. During this time I SW pump was operating in each Division and any single pump trip would automatically cause isolation of turbine loads. The SW pump with control switch in AUTO would auto start on low header pressure after divisional isolation had occurred. Therefore, to avoid a plant trip, a minimum of opening the MOV-36MV and MOV-37MV from the control room would be required immediately. It should be noted that if the operator response was successful in avoiding a plant trip, then continued GW supply to all pumps was assured. This could be accomplished in two ways, either the tripped Division I pump was restarted, or a second Division 2 pump was successful in maintaining the cross-connection between headers open. Therefore, the GW configuration during this time period did not appreciably affect plant availability (i.e. increased trip probability due to loss of SW.) (Note that during the 21 -day period interest the GW system did not experience a loss of flow, either from pump trip or plugging event.) Therefore impact of the GW configuration is limited to post-trip safety functions where the gland water supply from Div. I was not immediately restored.

Page 11 of 40

Configuration Impact on Emergency Operation During a plant emergency, the SW system provides water to critical loads supplied by individual SW headers. To ensure there is enough cooling water available for the critical loads, automatic system realignment of flow valves occurs to isolate the non-essential service loop and to separate the essential headers. This action ensures a supply of cooling to the REC loops, two RHR SWB pumps, and the in-service REC heat exchanger. Either loop can supply cooling water to both the REC critical loops. On a loss of all AC power, all SW pumps will trip and the pump with selector switch in STDBY will start during the emergency equipment starting sequence.

The SW system response was evaluated in detail following a postulated LOOP event with subsequent EDG I failure'. In reviewing the expected heat loads, it was anticipated that restoring system pressure to 38 psig using both Division 2 SW pumps would restore GW flow through the cross-connect. However, it was determined that manual isolation and then throttling of the SW-V-1490, "SW Supply to Nonessential Header Isolation Valve" would be required to maintain the system cross-connect open. The SW system cannot support both essential and nonessential loads without local action in the SW pump room to manually adjust V-1490.

Although these actions are supported by procedure, it was determined that manual operation of the GW valve alignment to restore Division 2 supply is the primary recovery action required by the operations staff to correct the condition. Therefore a human reliability analysis was performed to evaluate the operator action related to restoring GW flow through SW-V-28.

It should also be noted that a similar evaluation of the SW system response was performed for restoration of GW flow following loss of 4160VAC Bus IF due to fire. The evaluation identified an instance where GW would be restored from the control room (based on pump selector switch position being in AUTO for the idle Div. 2 SW pump.) However, this credit is not appropriate for the limiting configuration being addressed in this study. A future time-averaged configuration assessment could be completed, if needed to demonstrate the effectiveness of these actions to restore SW system pressure and cross-divisional flow.

However, the actions to restore GW flow through SW-V-28 also apply to this scenario.

ICNS System Engineering Letter Log Number 04-7002, Assessment of the Survivability of the Service Water Pumps when Gland Water was Lost".

Page 12 of 40

2.0 EVALUATION 2.1 ASSUMPTIONS AND CHARACTERISTICS OF TIlE MODEL

1)

The condition evaluated is limited to the valve line-up for the Service Water Gland System that existed on February 11, 2004. Namely, SW-V-28 closed, SW-V-1479 open, and SW-V-1480 open.

2)

Given a single stuck-open SRV and subsequent RCIC failure, reactor depressurization is required to allow for low-pressure injection to prevent core damage. Otherwise RCIC is capable of matching break flow and maintaining reactor water level until reactor pressure falls below 115 psig.

3)

Given a primary system stuck-open relief valve (SORV) event, both HPCI and RCIC, even if initially successful, will eventually fail due to the depressurization of the reactor through the SORV.

4)

Venting as Alternate Containment Heat Removal The viability of LPCI and Core Spray as low-pressure make-up sources is subject to a number of dependencies when taking suction from the suppression pool in combination with containment venting. Typically LPCI and Core Spray pump operation can be degraded (NPSH limits) by high suppression pool temperature experienced in these sequences. It is noted that containment backpressure increases as the pool is saturated (increases available NPSH.) In some cases, it may be appropriate to credit operation of LPCI and Core Spray with adequate NPSH maintained. Since uncontrolled venting can cause steam binding, neither system was credited as successful in these sequences while taking suction from the suppression pool. However, both systems can be aligned to an alternate suction source (CST) which eliminates this concern.

It should be noted here that the use of the diesel driven Fire Protection pump has been postulated as a mitigation system during several emergency drills by the Emergency Response Organization. The system can provide either RPV injection (through RHR spool piece) or alternate cooling to the emergency DG. The procedures and equipment needed to accomplish RPV injection using the fire protection pump are currently being developed and will be in place later this year. While calculations are not currently available to support FP injection mode, validation of its effectiveness is expected. The current model does not credit this diverse independent system.

5)

Upon a loss of service water system flow and potential degradation of the Reactor Equipment Cooling system heat exchangers, the control rod drive (CRD) system will maintain adequate reactor water level, once the reactor power falls--provided that core make-up systems had previously operated. The use of the CRD system for long-termn injection is credited as a recovery action.

Page 13 of 40

6)

The onset of core damage is defined as the time at which more than two-thirds of the active fuel core height becomes uncovered, without sufficient injection available to recover the core or maintain steam cooling. Using site-specific thermal-hydraulic calculations, core damage is interpreted as water level below one third core height and falling with calculated peak core temperatures exceeding 1800 0F. This is consistent with the definition in the ASME PRA Standard2.

7)

CNS considered three core damage timing classifications in the PSA and for this risk assessment, as follows:

I. Immediate timing is defined as those accident sequences where the onset of core damage is less than I hour.

2. Short term is generally defined as those accident sequences where the onset of core damage occurs in the time period of approximately 1 to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months .

3. Delayed is generally defined as those accident sequences where the onset of core damage occurs in the period 4 to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

4. Long term is then generally defined as those accident sequences where the onset of core damage occurs at greater than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

8)

LERF multipliers from CNS Level 2 PSA 1998 Update are used for this risk assessment3.

9)

Definition of the release timing categories is based on the reference point of the General Emergency declaration, as this is the point at which offsite response will be initiated. Three release timing classifications were considered in the CNS PSA study and for this assessment, as follows:

a. Early less than 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months after General Emergency Declaration

b. Intermediate greater than or equal to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months , but less than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months

c. Late greater than or equal to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after General Emergency declaration.

The definition of the categories is based upon past experience with offsite responses:

04 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is conservatively assumed to include cases in which minimal offsite protective measures have been observed to be performed in non-nuclear accidents.

4-24 hours is a time frame in which much of the offsite nuclear plant protective measures can be assured to be accomplished.

2 American Society of Mechanical Engineers, "Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications," ASME RA-S-2002, April 2002.

Cooper Nuclear Station Level 2 PSA 1998 Update, November 1998.

Page 14 of 40

24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months are times at which the offsite measures can be assumed to be fully effective.

II) A large early release from containment is defined as a radionuclide release of sufficient magnitude to have the potential to cause early fatalities and occurs in less than 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months following declaration of General Emergency, typically when minimal offsite protective measures have been accomplished. Using site-specific thermal-hydraulic calculations, this is interpreted as fractional release of CsI compound exceeding 10% of core inventory in less than 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months of the expected Emergency Action Level requiring General Emergency and evacuation. This treatment is consistent with Reg. Guide 1.174 definitions4.

12) Offsite and On-site AC Power The diesel generator run times are treated in the CNS PRA with a lumped parameter approximation. All run failures are treated as failures occurring at accident initiation (t=0.) This treatment results in not accounting for diesel offsite power recovery at extended times associated with these failure modes even though adequate AC power is available during the initial diesel run. To minimize the conservative impact of this lumped parameter assumption, a run time of 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months is typically used in establishing run failure probability. The 8-hour mission time is an adequate mission time for the consideration of DG unavailability. The diesel generator mission time accounts for two competing effects. The first is the running failure rate of the DG and the second is the recovery of offsite or on-site AC power. These competing effects have large uncertainty, but it is found that after 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months the recovery and failure probabilities are approximately equal.

For the purposes of this study, the mission time for the DG run was adjusted to agree with the time at which the probability of offsite AC power recovery reaches 95%, i.e. 14 hours1.62037e-4 days 0.00389 hours 2.314815e-5 weeks 5.327e-6 months . This results in a conservative failure to run probability that tends to mask initial DG unavailability term. The impact of ignoring the delayed diesel run failures on core damage appears to be overly conservative for the lumped parameter treatment of AC recovery.

In addition, reviewing the recent industry data it is observed that the non-recovery factor is dominated by weather related events out beyond say the 6-hour time frame.

The exclusion of weather related events for the purposes of this study would appear to be appropriate given the time of the year.

However, weather related events have been included.

13) The CNS Level I and Level 2 PSA model was developed based on plant specific functions and system success criteria for each of the important safety functions and support systems relied upon for accident prevention or mitigation for the duration of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months following an event. The systems included in the model were those that supported the overall objective of 4 USNRC, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," Regulatory Guide 1. 174, Revision 1, November 2002.1 Page 15 of 40

maintaining adequate core and containment cooling.

There are two figures-of-merit for meeting these objectives: core damage frequency and large early release frequency. The definitions used in this study are consistent with the CNS PSA.

14) In addition, any system required for successful accomplishment of an important safety function is required to perform its intended function for a period of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . Thus to satisfy a success criterion, an equipment mission time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is generally applied with a few exceptions. The exceptions important to this study include the diesel generator run time, station batteries, RCIC and HPCI operation under SBO conditions.

15) Extended SW Pump Operation Without Gland Water A detailed assessment of the survivability of the SW pumps following loss of adequate GW was performed refer to "CNS System Engineering Letter Log Number 04-7002, Assessment of the Survivability of the Service Water Pumps when Gland Water was Lost".

This assessment concludes:

"A temporary loss of gland water, for 90 minutes will not severely damage or incapacitate the pump.

Some damage to the bushings may occur, especially those bushings near the center of the pump shaft above the water line, and some damage to the upper packing may occur. The damage in both cases will primarily result in moderately larger clearances in the affected components that become dry, and a corresponding moderate increase in lateral pump vibrations. Packing leakage will also increase.

Damage will not be so severe, however, that vibrations will be excessive and destructive. The pump will be able to operate and function in a reasonable manner for at least another 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months afterwards when gland water is restored. "

This determination is supported by vendor dynamic rotor analysis and review of applicable industry operating history. Given the excellent material condition of the SW pumps and the evaluation of extended pump operation without GW water, the analysis will apply 90 minutes as the time available for restoration. The 48-hour operation following restoration supports SW pump repair activities post-accident. This bounds the time to replace a failed Division 2 pump with an intact Division 1 pump. When crediting timely restoration of GW supply, the overall impact of pump degradation on the baseline reliability parameters of the SW function is considered to be negligible over the 24-hour mission time of the model.

Therefore the overall dependency of service water pump operation on gland water flow is summarized as follows:

a. The SW function becomes unavailable with inadequate GW flow (< 2 gpm) for longer than 90 minutes duration.

Page 16 of 40

b. For an idle SW pump, dry-start is allowed per original design (un-wetted, no GW flow condition.) GW flow is established about 5-10 seconds following pump start.

c. For a running SW pump, a loss of GW flow (< 2 gpm) does not cause immediate pump failure, although substantial bushing damage could occur.

d. Restoration of GW flow (> 2 gpm) within 90 minutes does not appreciably affect the reliability over the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months mission time.

It was further postulated that the packing would most likely begin to discharge smoke during the 90-minute run-time without gland water. Any smoke would be immediately detected, resulting launching of the fire brigade. This impact was considered in the evaluation of operations response to correct the valve alignment.

16) Expected Operations Response Following Indication of Loss of GW A detailed evaluation the operations staff response was performed for the postulated loss of GW (Reference "Operations Department Letter OPS2004SW/GW, "Operator/Station Response to a Loss of Service Water (SW)/Gland Water (GW)"). Of particular interest is the available indication of the condition and subsequent plant staff response as directed by procedural steps and guidance. As stated previously, based on system response and various configurations over the period in question, the manual operation of the GW valve alignment to restore Division 2 supply is the primary recovery action being investigated.

The response of the organization to deal with various other conditions was considered in the human reliability analysis. Depending on the initial event, there are numerous types and sequences of alarms that annunciate in the control room. For the GW configuration that existed, should loss of Division 1 SW pumps occur, alarms would annunciate (Service Water Pump B/D Brg Wtr Low Flow and SW Gland WTR Supply System Trouble) in the control room indicating a degraded condition of GW supply. In addition, eventual receipt of alarms associated with a detected fire in the SW pump room would lead to the dispatch of the Fire Brigade. Although, this represents a separate success path for eventual restoration of GW valve alignment based on steps in CNS Procedures 5.4FIRE and 5.4POST-FIRE, it was not considered. The adverse impact on the execution of tasks related to GW system trouble was considered by assuming donning of fire fighting PPE prior to entry to the SW pump room.

Upon arriving to the SW pump room, local indications are available to confirm GW flow is less than 2 gpm (the pressure and flow instruments would indicate zero.) The operator would then contact the control room to feedback what was observed and that the annunciator response procedure does not directly provide guidance to restore GW flow or pressure. The control room would direct the station operator to check the valve alignment in response to the reference to CNS Procedure 2.2.71 (Service Water System). As a result, the operator would identify that the Division 2 GW supply valve is closed (V-28) and the common line valves are open (V-1479 and V-1480.) Upon completion of valve manipulation, the dispatched operator would verify GW pressure and flow are nominal. The completion of these actions constitutes the basis for crediting human recovery actions that correct the valve mis-alignment condition.

Page 17 of 40

2.2 EVENT TREE ANALYSIS To facilitate the review and explicitly model the operator response of this event, the event tree for Cooper Nuclear Station Service Water System to gland water misalignment is developed and presented in Figure 2. 1, "Cooper SWS-GW Misalignment Event Tree." This event tree displays only the combination of events (operator/systems) required to prevent core damage for internal and external events. Definitions of each of the events in the Cooper SWS-GW Misalignment event tree are given below.

Initiating Events. A variety of anticipated plant initiators could occur creating conditions that use the gland water (GW) [require cooling for the safety-related Service Water System (SWS) pumps]. Subsequently, plant challenges that involve failure of systems or functions based on initiating event, plant design and operating procedures could present a challenge to the ability to maintain coolant inventory in the reactor vessel. Four types of plant initiators are examined:

Transient Initiator (LOOP). Loss of offsite power event occurs. The initiating event is a loss of normal AC power to the station start-up buses and the auxiliary transformers. This requires the diesel generators to start and provide power to the emergency AC safeguard buses.

Support System Initiator (TP-SWS). A loss division I SWS pumps A and C event occurs.

Subsequently, because the GW supply valve SW-V-28 is inadvertently closed, the division II SWS B and D pumps gland water supply is provided by operation of division I SWS pumps A and C. Therefore, this configuration requires the successful restoration of GW supply to SWS B and D pumps for successful mitigation.

Support System Initiator (TF-SWS). A complete loss of service water system (SWS) event occurs. Subsequently, a loss of Turbine Equipment Cooling and Reactor Equipment Cooling system heat exchangers and Diesel Generator cooling occurs.

Fire at Switchgear iF (F-iF). A plant fire occurs that damages division I switchgear IF.

The loss of division I switchgear 1 F renders inoperable Core Spray pump "A", RHR pumps "A" and "B", RHR Service Water Booster pumps "A" and "C", CRD pump "A" and SWS pumps "A" and "C". In addition, due to the misalignment of GW supply water SW-V-28 the division II SWS "B" and "D" pumps gland water supply is being provided by operation of division I SWS pumps "A" and "C". However, because the initiator results in the lost of SWS pumps A and C, successful continued operation from SWS B and D requires the restoration of gland water supply to SWS pumps B and D.

The above plant initiators are depicted in the sequence event tree, Figure 2.

AC Power. The AC power event refers to the status of offsite and onsite AC power. Loss of offsite/onsite AC power implies total loss of AC power to the plant. System failures associated with total loss of AC power can influence accident progression leading to core damage fission product evolution and transport. The AC power event is represented as follows:

Page 18 of 40

Figure 2.1 Cooper SWS-GW Misalignment Event Tree (Page 1)

IE PLAlhTTRJ 3T l

fri I..

I

_RSl Rf I

lcc I bA"',N l A

w lt I ccb lu )fI I

AO 4:-HRl.L2h srSlvw xere

~~~~~~~~~~~~~l l

lML X

ST I A

E I=

IIIV I

Al PIMMI

, 1114; PUWR,O 14111111111 1

11111"IIArR UMPTATER MEM" WrXVEFEDN FECUVEWMIN WOCIVEMON LGAMSXTCED WCCNERMR RPEICS-)FERIL7114-WEUI"E,!

.1

, I OIF".NIWLLMWII CNMLMOF MNUR3 MWES 4 "Otm TO 11morw I [IC, QW.UM CFDSrISM LIM -

wmwmchl fATTEW OU Pe

&MP-"%

6AR I-IWIEKIWA 111 I I1 1 'W " "F 0""L"W, I "c

PON l

l l

l t

l a

l q

l l

VC!&t FPS-II FaL gm WF 1f cp DW x

33 M

b I

I 09M 5 1 GV qT.3 VAr ST-S" A

a-R 4AT MSTO GOT 37ow LC4 LCoo I.riX

~Cape 10MI1 LCV-12 Omf3 LOCPWS Law9 LCOOP.ta

<23 Ce.0l251 Wxn t~x L: I K

FPr.

lo Piow DCAL K

OCFAME pt newIOs I

I can lx I

"St FULL WM sCFAU Page 19 of 40

Figure 2.1 Cooper SWS-GW Misalignment Event Tree (Page 2)

TRANSFER LANT RANSIEN GW FPS SRV RCIC HPCI DEP CS-B I

LPC-C I

PCVENT RCVR BUS IF Iu Oto -

LRT SE!NC 1RANSFER SPECIFIC-RECWVERYOFI FIRE WATER SRMS CLOSE RCIC FPV 8PrA RPV RLACTR LO PRFSSURE.LUINE PRI4RY Ricw Er F SEJE STATE NME FROM PAGE 1 TRANSIENT GLAND WATER ALIGHIENT TO IETION IJECTIC XPRESSURIZEI CRE SPRAY PUMPS C 0 CONTAINMENT BUS IF OCCURS: FIRE GIVEN LC6S OF SWS GLAND PLIP 8 WNTING POST-FIRE AT EOTH DMSION I WATER IIII 4K FME-IF i0 OK 0C GW-4 PO

-FL==co OK WOT rWUT 4A rwDT JJA rWDT rWOT

~wcn rWOT rWDN ro~

P-F

-1P P-IF-2 P.1P-3 F-IF-4

-IF46 r-IF6 F-IF-?

F-IF4 P-IF4 F-IF-10 F-IF-1 F-IF-12 F-IF-13 F-IF-14 PFIF-1 rFIF-16 F-IF-17 F-IF-18 F-IF-IS F-IF-2D PAGE 3 FPF53 OK co 4 U P1i P2 TfRANSFER A.

Page 20 of 40

Figure 2.1 Cooper SWS-GW Misalignment Event Tree (Page 3)

TRANSFER SRV RCIC DEP CS-B LPCI-C&D PC VENT RCVR BUS 1F r OUTCOME PLANT SEQUENCE I

OF DAMAGE NUMBER TRANSFER SRVS CLOSE RCIC RPV REACTOR LOWPRESS L PEPCI INJECTION PRUI1ARY RECOVERY OF S EO QDUENCE STATE FROM PAGE 2 INJECTION EPRESSURIZED CORE SPRAY PUMPS C & D CONTAINMENT BUS 1 F l

PUMP B VENTING POST-FIRE I

OK CD I

L 4CD CD P1 L

CD I

I N/A TWDT NtA TWOT TWDT NIA TWDT N/A TWDT TPUV TPUV N/A TWDT N/A TWDT TPUV F-1F-21 F-I F-22 F-1 F-23 F-I F-24 F-I F-25 F-1 F-26 F-I F-27 F-1 F-28 F-1 F-29 F-1 F-30 F-1 F-31 F-1 F-32 F-i F-33 F-1 F-34 F-i F-35 F-1 F-36 CO n

rn OIK P2 I

iD OK 1

CD A

b a -

h Page 21 of 40

AC Onsite Power Available (DG-OK). This top event is considered only for a loss-of-offsite power event and models the availability of Diesel Generator 1 (DG-I) and Diesel Generator 2 (DG-2) to feed safeguard AC buses division I (DIV I) and division II (DIV II),

respectively.

AC Onsite Power Available (DG-DIVI-I). This top event is considered only for a loss-of-offsite power event and models the failure of DG-1. Loss of DG-I implies the loss of DIV I Core Spray pump "A", RHR pumps "A" and "B", RHR Service Water Booster pumps "A" and "C", CRD pump "A" and SWS pumps "A" and "C".

AC Onsite Power Available (DG-DIV-II). This top event is considered only for a loss-of-offsite power event and models the failure DG-2. Loss of DG-2 implies the loss of DIV II Core Spray pump "B", RHR pumps "C" and "D", RHR Service Water Booster pumps "B" and "D", CRD pump "B" and SWS pumps "B" and "D".

AC Onsite Power Available (DG-ALL). This top event is considered only for a loss-of-offsite power event and models the unavailability diesel generators I and 2 respectively.

Therefore, this failure results in a plant station blackout, given a loss of offsite power event.

AC Power Restoration. The restoration of ac power allows balance-of-plant systems, emergency core cooling systems, and containment heat removal systems to become operable.

Restoration of AC power is accomplished by successfully restoring the main off-site power source. Restoration of AC power is required before battery depletion. This allows for adequate time in restoring power conversion systems or other AC power driven systems for safe plant shutdown.. The AC power restoration event is represented as follows:

Offsite Power recovered in 30 minutes (OSP-0.5). Given an immediate RCIC failure or one stuck-open SRV. Successful AC offsite power recovery within 30 minutes is sufficient to allow for low-pressure systems restoration to prevent core damage.

Offsite Power recovered in 90 minutes (OSP-1.5). Given RCIC success and one stuck-open SRV. Successful AC offsite power recovery within 90 minutes is sufficient to allow for low-pressure systems restoration to prevent core damage.

Offsite Power restored within 04 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months (OSP-4). Given RCIC success with an estimated battery life of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . Successful AC offsite power recovery from within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is sufficient to allow for low-pressure systems restoration to prevent core damage.

Division I DC Loads Switched to Division II DC Battery (DC-1). This top event considers the likelihood of plant operators to perform the instructions of plant Emergency Procedure 5.3AC480, "480 VAC BUS FAILURE" 5 and subsequent transfer of 1 25-Vdc Distribution Panel A and RCIC Starter Rack to emergency DC power per Procedure 2.2.25.1, "125 VDC Electrical System - Div I". During a postulated loss of 4160-Vac bus IF, plant 5 Cooper Nuclear Station Emergency Procedure 5.3AC480 "480 VAC Bus Failure" Page 22 of 40

operators are instructed to switch certain RCIC DC loads to the division II DC battery. This prolongs RCIC operation when no AC power is available from the battery charger.

Therefore, success implies DC load transfer from division I to division II is completed within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months from the time that Emergency Procedure 5.3AC480 is entered. Failure implies inadequate DC power and battery depletion at eight hours.

Offsite Power restored within 0-8 hours (OSP-8). Given RCIC success and successful transfer of RCIC DC division I loads to the DC division II battery, the combined estimated battery life is 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . Successful AC offsite power recovery within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months is sufficient to allow for low-pressure systems restoration to prevent core damage.

Reactor Vessel Pressure Control. After the onset of a transient which causes closure of the MSIVs, which causes a pressure increase in the primary system. The main steam line safety/relief valves (SRVs) provide protection against over-pressurizing the reactor vessel. As a result, a sufficient number of SRVs open to relive primary system pressure to the Torus. Should any of the SRVs fail to reclose, continuous flows of steam to the Torus results. The resulting primary system depressurization threatens continued RCIC operation The reactor vessel pressure control event is represented as follows:

SRV Reclosure (P). Success implies reclosure of open SRVs when reactor pressure drops below the closure setpoint. One and two SRVs failing to reclose are designated as P1 and P2 events, respectively.

Reactor Vessel Level Control-High Pressure Injection. Given a SBO, the preferred course of action is to stabilize reactor water level with high-pressure injection systems followed by adequate pressure control. Because Feedwater is unavailable since the condensate pumps and feedwater controller are powered from the balance of plant AC power buses. HPCI and RCIC although steam-turbine-driven are used. However, because HPCI and RCIC rely on DC power for starting and control. Both become unavailable after battery depletion.

The reactor vessel level control high-pressure injection top event is represented as follows:

RCIC RPV Injection (RCIC). Success in this top event is initiation and continued operation of RCIC to inject the required amount of coolant into the vessel.

HPCI RPV Injection (HPCI). This top event is considered only for a plant fire at switchgear IF and subsequent loss of both division I and division II service water system flow. Success in this event is initiation and continued operation of HPCI to inject the required amount of coolant into the vessel if feedwater is not available. Failure requires that other reactor make-up systems perform.

Reactor Vessel Level Control-Low Pressure. After the reactor vessel is depressurized the low-pressure systems are required for injection. These systems are core spray and low-pressure coolant injection (LPCI). These systems are AC motor driven and are required to operate following depressurization and after failure of the high-pressure systems. Success in this event is Page 23 of 40

defined as initiation and continued operation of these systems to inject the required amount of coolant into the vessel if the high-pressure systems were inadequate. Success requires one of two core spray pumps or one of four RHR/LPCI pumps. System actuation is automatic with manual backup by operator action.

The reactor vessel level control low-pressure make-up event is represented as follows:

Low Pressure Core Spray Pump B (CS-B). This top event is considered only for a plant fire at switchgear IF and subsequent loss of both division I and division II service water system flow. Success implies the use one core spray pump to provide sufficient reactor make-up. Failure requires that other reactor make-up systems perform.

LPCI Injection Pumps C & D (LPCI-C&D). This top event is considered only for a plant fire at switchgear IF and subsequent loss of both division I and division II service water system flow. Success implies the use of at least one of the four RHR pumps in the LPCI mode of operation to provide sufficient reactor make-up. Failure requires that other reactor make-up systems perform.

Service Water System. The Service Water System (SWS) assists the Residual Heat Removal Service Water (RHRSW) Booster system as well as providing cooling water, during normal operation or accident conditions, to the following:

a) Turbine Equipment Cooling (TEC) system heat exchangers b) Reactor Equipment Cooling (REC) system heat exchangers c) The Diesel Generator cooling systems The SWS top event is represented as follows:

Service Water System Available to Perform Cooling Function (SWS DIV I OK). This top event is considered only for a loss-of-offsite power event and models the availability of the DIV I SWS pumps IA and IC to provide essential cooling loads during a postulated LOOP event.

Loss of Service Water System DIV I Pumps (SWS DIV I LOSS). This event considers the failure of DIV I SWS Pumps IA and IC. Loss of DIV I SWS Pumps because of the misalignment of valve SW-V-28 implies a challenge to continued operation of the DIV II SWS Pumps.

Loss of Service Water System Pumps (FULL SWS LOSS). This event considers the total loss of SWS Pumps essential loads cooling. The loss SWS Pumps challenges plant equipment required for vessel level and containment pressure control.

Service Water Pump Gland Iniection. Service Water System (SWS) Pump gland injection is provided by two loops, each serving two SWS Pumps, with a provision for manually cross-connecting the two loops. The SWS Pump discharge header normally supplies SWS Pump gland injection, via SW-V-21 and SW-MO-2128 for DIV I SWS Pumps IA and IC; and SW-V-28 and Page 24 of 40

SW-MO-2 129 for DIV II for SWS Pumps I B and I D. The Fire Protection System can backup the normal gland injection supply in the event of valve failures involving SW-V-2 1, SW-MO-2128, SW-V-28 or SW-MO-2129.

The service water pump gland injection event is represented as follows:

Recovery of Gland Water Given Loss of Division I SWS Pumps (G`W). This top event considers the non-recovery of gland water injection to DIV II SWS Pumps I B and ID upon the functional loss of DIV I SWS Pumps IA and IC. Success implies restoration of GW within 90 minutes to preclude the mechanical loss of SWS Pumps I B and I D. Failure requires the alignment of Fire Protection System supply into the gland water injection pathway. GW-1, GW-2, and GW-3 represent operator fails to recover gland water injection to DIV II SWS pumps lB and ID. HEPs are presented in Appendix B, "Human Reliability Analysis."

Fire Water Alignment to SWS Gland Water (FPD). This top event considers the alignment of the Fire Protection System for gland water injection to the SWS pumps upon a loss of normal gland water supply. Failure for this event implies the functional loss of SWS pumps. FPS-1, FPS-2, and FPS-3 represent operator fails to align firewater for gland water injection to DIV II SWS pumps IB and ID. HEPs are presented in Appendix B, "Human Reliability Analysis."

Containment Pressure Control. The containment pressure control function entails the maintenance of containment integrity by removing the continuous heat discharged from the primary coolant system to either the main condenser or the torus suppression pool. Plant personnel have a large number of options for containment pressure control and a long time to align a containment heat removal system for containment pressure control.

For this risk assessment, because both the main condenser and the RHR system are not available for containment heat removal, containment pressure control event can be achieved as follows:

Primary Containment Venting (PC-VENT). This top event assesses the state where containment integrity is threatened but the core has sufficient coolant makeup. Cooper procedures specify a number of steps to reduce containment pressure. After the normal methods of containment heat removal have failed, controlled venting of the containment is required to prevent containment failure and therefore possible core damage. Control room operators will implement the venting procedure 5.8.186 to vent and scrub the torus air space to maintain primary containment pressure limit per EOP Graph I 1. This controlled release of the containment atmosphere to relieve pressure while violating containment integrity may prevent core damage if coolant injection can be maintained.

6 Cooper Nuclear Station Procedure 5.8.18, "Primary Containment Venting For Pcpl, Psp, Or Primary Containment Flooding" Page 25 of 40

2.2.1 CORE DAMAGE SEQUENCES This section summarizes the salient core damage sequences resulting from the affect on the plant due to the SWS gland water valve misalignment. The specific events represented by these sequences can be understood by referring to system "top event" given in the Event Tree Section above. In addition, it is helpful to note that to allow easier scrutiny, the sequence listing contains only the failed top events, Table 2.9. The actual sequence frequencies are calculated using both success and failure terms. Appendix A provides a detailed description of all sequences evaluated in this assessment.

Loss of Offsite Power (LOOP) Sequences Sequences LOOP-6, 7, and 8. These sequences involve a loss of offsite power transient occurs (LOOP) and emergency onsite AC power to safeguard buses IF and I G is supplied by DG-1 and DG-2. A plant station blackout (SBO is induced when random mechanical faults fail the DIV I SWS Pumps I A and I C. With the DIV II SWS Pumps I B and I D gland water supply aligned to DIV I SWS Pumps discharge header, due to the misalignment of SW-V-28, continued operation of DIV II SWS Pumps I B and I D are not assured. Core damage ensues when plant operators are unsuccessful in restoring gland water supply to DIV II SWS Pumps and subsequently, RCIC fails due to random mechanical faults or failure to restore AC power within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months from the start of the SBO, or upon successful transfer of RCIC division I DC loads to division II DC battery (/DC-1) a failure to restore AC power within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months from the start of the SBO.

Sequences LOOP-14, 15, and 17. These sequences involve a loss of offsite power transient occurs (LOOP) and failure of the division I diesel generator. Similar to sequences 6, 7, and 8, a SBO is induced when random mechanical faults of DG-I fail the DIV I SWS Pumps IA and IC.

With the DIV II SWS Pumps I B and ID gland water supply aligned to DIV I SWS Pumps discharge header, due to the misalignment of SW-V-28, continued operation of DIV II SWS Pumps IB and ID are not assured. Core damage ensues when plant operators are unsuccessful in restoring gland water supply to DIV II SWS Pumps and subsequently, RCIC fails due to random mechanical faults or failure to restore AC power within 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months from the start of the SBO, or upon successful transfer of RCIC division I DC loads to division II DC battery (/DC-1) a failure to restore AC power within 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months from the start of the SBO.

Sequences LOOP 19, 21, and 22. These sequences involve a loss of offsite power transient occurs (LOOP), failure of the division I diesel generator, the unsuccessful restoration of gland water supply to DIV II SWS Pumps, either one or two stuck-open SRVs. Core damage ensues because AC power is not restored in 90 minutes for one stuck-open SRV case, or AC power is not restored within 30 minutes given an immediate RCIC failure due to random mechanical faults or the occurrence of two stuck-open SRVs.

Loss of Division I Service Water Pumps IA and 1C (TP-SWS) Sequences Sequence TP-SWS-3. This sequence involves a loss division I SWS pumps coupled with the loss of DIV II SWS pumps due to the DIV II GW supply valve SW-V-28 being inadvertently closed. The loss of SWS flow results in the loss of Turbine Equipment Cooling and Reactor Page 26 of 40

Equipment Cooling system heat exchangers and Diesel Generator cooling. With the loss of Reactor Equipment Cooling containment pressure control and ultimately core cooling is challenged long-term.

Plant Fire at Switchgear iF (F-1F) Sequences Sequences 4, 6, 10, 12, 16, 18, 22, 24, 27, 29, 33, and 35. These sequences involve a plant fire that damages division I switchgear IF. The loss of division I switchgear IF renders inoperable SWS pumps IA and IC. In addition, due to the misalignment of GW supply water SW-V-28, the division II SWS l B and 1 D pumps fail, because gland water supply is being provided by operation of division I SWS pumps lA and IC. Late core damage ensues because of containment overpressurization cause by the functional loss of the RHR heat exchangers and failure of primary containment venting.

Sequence 7, 8, 13, 14, 19, 20, 25, 30, 31, 36. These sequences involve a plant fire that damages division I switchgear IF. The loss of division I switchgear IF renders inoperable SWS pumps IA and 1C. In addition, due to the misalignment of GW supply water SW-V-28, the division II SWS lB and ID pumps fail, because gland water supply is being provided by operation of division I SWS pumps lA and IC. Early core damage ensues because random mechanical failures of all low-pressure injection systems, Core Spray B and LPCI C and D, or reactor depressurization fails.

Page 27 of 40

2.3 DATA ANALYSIS The data analysis involved updating the DG reliability data, the LOSP initiator frequency, and the Loss of Service Water initiator frequency. In addition, a major effort was undertaken to update the human error probabilities used throughout this analysis.

2.3.1 Diesel Generator Reliability Data The diesel generator data was updated using the latest plant-specific data in conjunction with the latest generic data sources. Tables 2.1 summarize the results of the analysis. Detail information in the methodology can be found in Appendix C.

Table 2.1 Emergency Diesel Generator Updated Data (Jan 2001 to Jun 2004)

Unavailability Fail to Start Fail to Run Total EDG Common Common

(/IHR)

Reliability Cause Cause Failure of Failure of Both to Start Both to Run 8.92E 03 2.95E-03 2.41 E-04 1.21E 02 9.20E-05 2.32E-04 1.I515E-02 1__

.47E-02 DG#1 DG#2

This failure rate is per hour and must be multiplied by the appropriate mission time.

2.3.2 Initiating Event Frequencies The Loss of Offsite Power frequency was revised using the latest industry data available in conjunction with CNS plant-specific data to generate a more realistic and representative value for the initiator frequency. Table 2.2 lists the recommended TI frequency. This frequency was generated using the EPRI LOSP data and performing a Bayesian analysis using CNS plant-specific data. The other frequencies listed are from NUREG-5750 and are presented for information purposes only. Further detail for the initiating events analysis can be found in Appendix D.

Table 2.2 Loss of Offsite Power Updated Frequency and Sensitivity Analysis Source TI Generic Frequency(/ry)

TI Plant-Specific Frequency(/ry)

EPRI LOSP Reports 0.028 0.0 19 (Recommended)

NUREG-5750 IPF 0.024 0.017 NUREG-5750 FI 0.046 0.025 Page 28 of 40

The initiating frequency for Loss of Division I of Service Water is taken from NUREG/CR-5750, Rates of Initiating Events at U.S. Nuclear Power Plants: 1987-1995, February 1999. From Table 3-1, the frequency of a partial loss of SW is 8.92E-3/yr. This value is divided by 2 since the initiating frequency for loss Division I Service Water is required. Therefore, TP-SWS-DIVI is 4.46E-3/yr.

The initiating frequency for a fire at Switchgear IF is taken from the CNS Individual Plant Evaluation for External Events Submittal, October 1996. The initiating frequency for a fire in the Critical Switchgear IF room is 3.71 E-3/yr.

2.3.3 Human Error Probabilities (HEPs)

The HEPs for operator actions GW-1 and GW-2 (with values of 3.OE-3 and 5.OE-3, respectively) both represent failure to recover gland water cooling by re-opening valve SW-28. Event GW-I is used for sequences where offsite power is available, whereas GW-2 is used for sequences in which a loss of offsite power occurs. In addition, event GW-3 (with an HEP of 4.1 E-2) was modeled to represent failure to recover gland water cooling in the event of a fire in the Switchgear Room.

The HEPs for operator actions FPS-1 and FPS-2 (with values of 2.1 E-3 and 4.1 E-3, respectively) both represent failure to recover gland water cooling by aligning fire protection water. Event FPS-I is used for sequences where offsite power is available, whereas FPS-2 is used for sequences in which a loss of offsite power occurs. In addition, event FPS-3 (with an HEP of 4.1 E-2) was modeled to represent failure to recover gland water cooling by aligning fire protection water in the event of a fire in the Switchgear Room.

Event DC-I has an HEP of 4.1E-3 and models failure of the operator to transfer RCIC 125 VDC starter rack from Div I to Div II following loss of Division I dc power and subsequent loss of RCIC.

Event NR-CSP-CST has an HEP of 4.4E-3 and models failure to align the core spray pump suction to the CST. Event NR-CS-CLG has an HEP of 2.2E-3 and models failure to establish alternate cooling to the SE core spray quad.

Derivation of the above HEPs is documented in Appendix B and summarized in the Table 2.3 below:

Page 29 of 40

Table 2.3 CNS Updated Human Error Probabilities Operator Action Description Mean HEP DC-1 Failure to Transfer RCIC 125 VDC Starter 4.1 E-3 Rack From Div I To Div II FPS-1 Failure to Align Fire Water to the Gland 2.1 E-3 Water System (Offsite Power Available)

FPS-2 Failure to Align Fire Water to the Gland 4.1 E-3 Water System (Loss of Offsite Power)

FPS-3 Failure to Align Fire Water to the Gland 4.1 E-2 Water System (Switchgear Room Fire)

GW-1 Failure to Recover Gland Water Cooling 3.OE-3 (Offsite Power Available)

GW-2 Failure to Recover Gland Water Cooling 5.OE-3 (Loss of Offsite Power)

GW-3 Failure to Recover Gland Water Cooling 4.1 E-2 (Switchgear Room Fire)

NR-CSP-CST Failure to Align Core Spray Pump 4.4E-3 Suction to the CST NR-CS-CLG Failure to Establish Alternate Cooling 2.2E-3 to the SE Core Spray Quad Actual quantification of the above HEPs needs to take into account dependency between failure to perform one action and failure to perform one or more subsequent actions when the failures occur in the same sequence. Event FPS-GW-l, which has an HEP of 1.1 E-3, represents the combined probability of GW-I and FPS-1. Event FPS-GW-2, which has an HEP of 2.1 E-3, represents the combined probability of GW-2 and FPS-2. Event DC-FPS-GW-1, which has an HEP of l.5E-4, represents the combined probability of GW-1, FPS-l and DC-1. Event DC-FPS-GW-2, which has an HEP of 3.OE-4, represents the combined probability of GW-2, FPS-2 and DC-1. For fires in the Switchgear Room, event FPS-GW-3, which has an HEP of 2.1E-2, represents the combined probability of GW-3 and FPS-3. Derivation of the above combined HEPs is documented in Appendix B and summarized in the Table 2.4 below:

Table 2.4 CNS Updated Conditional Human Error Probabilities Dependent Dependent Events Mean HEP DC-FPS-GW-1 GW-1, FPS-1 & DC-1 1.5E-4 DC-FPS-GW-2 GW-2, FPS-2 & DC-1 3.OE-4 FPS-GW-1 GW-1 & FPS-1 1.1 E-3 FPS-GW-2 GW-2 & FPS-2 2.1 E-3 FPS-GW-3 GW-3 & FPS-3 2.1 E-2 Page 30 of 40

2.3.4 AC Power Non-recovery The AC power non-recovery values used in this study are discussed in Appendix E and only credit recovery of offsite power. Table 2.5 summarizes the results. These values are based on NUREG/CR-5496 7.

Table 2.5 AC Power Non-Recovery Event Probabilities Non-Recovery Description Value Event OSP-8 Non-Recovery of AC Power in 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months 0.069 OSP-4 Non-Recovery of AC Power in 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months 0.138 OSP-1.5 Non-Recovery of AC Power in 90 minutes 0.312 OSP-0.5 Non-Recovery of AC Power in 30 minutes 0.565 7 C. L. Atwood, et al, "Evaluation of Loss of Offsite Power Events at Nuclear Power Plants: 1980 - 1996",

NUREG/CR-5496 (INEELEXT=-97-00887), prepared for the US NRC by INEEL, November 1998.

Page 31 of 40

2.3.5 Support Data Additional data values were required to quantify the core damage sequences. The values are listed in the Table 2.6 below.

Table 2.6 Support Data Used In the Sequence Quantification and Their Sources Event Description Value Source SWS-DIV1 w LOOP Probability of Loss of Division I of Service Water 0.016 1

given a Loss of Offsite Power IE has occurred with both Diesel Generators successful.

RCIC w LOOP Probability of Failure of RCIC given a LOOP IE has 0.101 I

occurred. Failure of SW has also occurred.

RCIC w F-IF Probability of Failure of RCIC given a fire has 0.101 I

occurred in the Critical Switchgear IF Room which disables 4160 VAC bus IF. Failure of SW has also occurred.

HPCI Probability of Failure of HPCI given a fire has 0.571 1

occurred in the Critical Switchgear IF Room which disables 4160 VAC bus IF. Failure of SW has also occurred.

DG-Div-1 Probability of Loss of DG I given a LOOP has 2.4E-02 1

occurred. This value does not include SW failures since those failure are treated later in the event trees.

Pi Probability of one stuck open relief valve 0.01 2

P2 Probability of two or more stuck open relief valves 1.2E-3 2

PC-Vent Probability of failure to vent Primary Containment IE-2 3

CS-B Probability of Failure of CS-B given a fire has occurred 0.026 1

in the Critical Switchgear IF Room which disables 4160 VAC bus IF. Failure of SW has also occurred.

LPCI-C&D Probability of Failure of LPCI given a fire has occurred 0.51 1

in the Critical Switchgear IF Room which disables 4160 VAC bus IF. Failure of SW has also occurred.

DEP Probability of Failure to depressurize the Reactor given 2.6E-4 a fire has occurred in the Critical Switchgear IF Room which disables 4160 VAC bus IF. Failure of SW has also occurred.

CRD Long term recovery for Loss of SW sequences using 0.1 3

alternate methods to provide cooling for REC and long term core injection using CRD.

Sources:

1. Evaluation using CNS CAFTA base model with average test and maintenance terms.

Note: the DG values calculated in this study were used as inputs.

2. Basis Event values from the CNS CAFTA base model.

3. CNS Phases II SDP Worksheets.

Page 32 of 40

2A LARGE EARLY RELEASE FREQUENCY ANALYSIS The CNS Level I PSA model is coupled to the Level 2 PSA Containment model by binning the dominant core damage sequences into a few groups of plant damage states with similar characteristics. These characteristics included availability of plant equipment and conditions in the reactor pressure vessel. Based on an evaluation of the accident progression and containment response to postulated severe accident loads, the conditional probability of large early release was determined for each of the sequences being evaluated.

The core damage sequences are binned to plant damage states (PDS) as defined in the CNS Level 2 PSA model. The PDS associated with particular sequence end states are listed in Table 2.7 below with the associated LERF multipliers.

Table 2.7 Plant Damage State Binning Plant Damage State Core Damage Seq.

LERF Multiplier ST-SBHP LOOP-8, 17 8.35E-02 DT-SBHP LOOP-6, 7,14, 15 3.94E-04 ST-SBLP LOOP-21, 22 2.77E-02 DT-SBLP LOOP-19 1.84E-04 TQUV F-IF-19 3.47E-02 TWDT a TP-SWS-3, 0.

F-IF-4, 6 to 8, 10, 12, 13, 14, 16, 18, 22, 24, 25, 27, 29, 33, 35 TQUX b F-I F-20 0.

TPUV F-IF-30, 31, 36 0.

Notes: a) Time to containment failure is >4 hours from time to General Emergency per CNS EAL, these sequences are not early releases. b) CCDP for these sequences screen out less than I E-07, therefore CLERP is also less than I E-07.

Impacted Plant Damage States Each PDS potential impacted by the SW-GW condition is discussed in general in terms separately below.

ST-SBHP: Involves a station blackout with immediate failure of both RCIC and HPCI to provide injection (all other injection sources are unavailable due to the lack of AC power). With the loss of coolant injection, core damage occurs in one hour. The vessel is at high pressure when core damage starts. Coolant injection sources and decay heat removal sources may be employed once AC power is recovered to halt core damage progression in-vessel.

Page 33 of 40

ST-SBLP: Involves a station blackout with immediate failure of both RCIC and HPCI to provide injection and a stuck-open SRV (all other injection sources are unavailable due to the lack of AC power). The SORV allows the RPV to depressurize prior to vessel failure.

With the loss of coolant injection, core damage occurs within one hour. Coolant injection sources and decay heat removal sources may be employed once AC power is recovered to halt core damage progression in-vessel.

DT-SBHP: Involves a station blackout with initial operation of either RCIC or HPCI until battery depletion occurs at minimum of four hours (without battery swap.) The battery depletion results in closure of any operating SRVs and failure of the steam-driven systems (RCIC and HPCI). Core damage follows at about 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months or more after initiation of the transient, with the RPV at high pressure. Coolant injection sources and decay heat removal sources may be employed once AC power is recovered.

DT-SBLP: This PDS is the same as DT-SBHP except that a stuck-open SRV exists in this case. The SORV allows the RPV to depressurize prior to vessel failure.

PDS-TQUV: Involves a transient with loss of high pressure coolant injection, successful vessel depressurization, but failure of low pressure injection. Core damage occurs within one hour of initiation of the transient in a depressurized vessel. The operation of CRD may be able to halt the core damage progression. All other coolant injection systems are unavailable in the Level 2 models as they have already been questioned in the Level 1 and have failed. SPC, containment sprays, or containment vent are not necessarily precluded from operation post-core damage.

PDS-TWDT: Involves a transient with successful injection but failure of all decay heat removal methods. The failure of containment decay heat removal results in suppression pool heat-up and loss of NPSH for ECCS pumps after four hours. Available recovery actions include recovery of the condenser as heat sink, CRD, SW cross-tie, and condensate. If these efforts fail, core damage may occur at approximately six hours with the vessel depressurized. All coolant injection and containment decay heat removal systems are not operable post-core damage.

PDS-TQUX: Involves loss of all coolant injection and failure to depressurize the vessel for low pressure injection. Core damage occurs with the vessel at high pressure in one hour after the initiation of the transient. The operation of CRD may be able to halt the core damage progression as long-term recovery action. Low pressure injection is possible following successful depressurization (alternate methods) during in-vessel core damage progression or after vessel breach.

PDS-TPUV%: Involves a transient with a stuck-open SRV, loss of high pressure coolant injection, successful vessel depressurization, but failure of low pressure injection. Core damage occurs within one hour of initiation of the transient in a depressurized vessel.

The use of SPC, containment sprays, or containment vent are not necessarily precluded from operation post-core damage. The operation of CRD may be able to halt the core damage progression as an in-vessel recovery action.

Page 34 of 40

Several plant unique features and sequence specific characteristics tend to reduce LERF contribution. A discussion of these key aspects follow.

Recovery of AC Power An additional 4 to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months is available during the core boil-off to core damage and eventual vessel breach.

The recovery of offsite AC power used 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months as the period available for recovery during battery depletion sequences. However, an additional 2 to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is available prior to vessel breach. Accounting for the non-recovery of AC power during this period reduces the sequence frequency by a factor of 2 to 4. Table 2.8 below lists the conditional non-recovery for the specified period, assuming an initial 4-hour period for non-recovery of AC power for the CCDP sequence.

Table 2.8 Conditional Non-Recovery Probabilities Nonrecovery 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months 7.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months 8 hours 10.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months 14 hours At 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months 0.138 0.091 0.073 0.069 0.053 0.040 Cond.

Prob. 0.66 0.53 0.50 0.38 0.29 Nonrecovery Given 4 hr Severe Accident Guidelines During the implementation of the BWROG EPG/SAG, CNS elected to include guidance to operate containment injection to flood the DW flood prior to vessel breach. In SAG 2, Strategy E, aligning injection into containment is a priority in order to help mitigate liner melt-through following vessel breach. Thus, during an emergency the use of diesel driven fire-water to flood the DW floor (as part of ERO response) would be recommended if all other injection sources have been lost. This SAG guidance reduces the likelihood of large early release by avoiding a dry containment floor prior corium breach of the reactor vessel.

Under-vessel Sumps There are two sumps inside the reactor pedestal, below the vessel that have the potential to retain core debris upon vessel breach. These sumps and the connecting pipes have the capacity to hold between 30 to 37% of the total volume of discharged debris. Water present in the sumps act to both quench the debris and limit debris contact with DW liner.

This tends to reduce the probability of immediate DW liner melt-through which is 0.67 for a dry containment.

Timing of Release The Emergency Action Level (EAL) for LOOP sequences that progress to SBO requires that General Emergency (GE) be declared when two conditions exist: 1) AC power cannot be restored within 15 minutes and 2) loss of core cooling such that the core cannot be maintained Page 35 of 40

covered. Based on plant specific thermal-hydraulic calculations, except for the most limiting SBO sequence (failure of RCIC and HPCI), sufficient time exists between declaration of GE and vessel breach that the release will not considered early.

Page 36 of 40

2.5 ACCIDENT SEQUENCES QUANTIFICATION The core damage sequences have been quantified using the supporting data presented above.

The results are summarized in the Table 2.9 below:

Page 37 of 40

Table 2.9 Summary of Cooper SWS-GW Misalignment Event Tree Core Damage Sequences Sequence Sequence Designator Time to Time to Number Recovery Core Damage Plant LERF LERF Core Damage Containment Frequency Damage Multiplier Release State__

Early Late Early Late LOOP-6 LOOP*SWS DIV I LOSS*GW-I*FPS-I*/DC-2.19E-08 DT-SBHP 3.94E-04 8.64E-12 X

X LOOP-7 LOOP*SWS DIV I LOSS*GW-I*FPS-I*OSP-7.85E-09 DT-SBHP 3.94E-04 3.09E-12 X

X 4*IDC.1 LOOP-8 LOOP*SWS DIV I LOSS*GW-I*FPS-I*RCIC 3.22E-08 ST-SBHP 8.35E-02 2.69E-09 X

X LOOP-14 LOOP*DG-DIV-I *GW-2*FPS-2*/DC-I *OSP-8 6.46E-08 DT-SBHP 3.94E-04 2.54E-I I X

X LOOP-15 LOOP*DG-DIV-I*GW-2*FPS-2*0SP-4*DC-1 2.31 E-08 DT-SBHP 3.94E-04 9.1 OE-12 X

X LOOP-17 LOOP*DG-DIV-I *GW-2*FPS-2*RCIC*OSP-0.5 2.96E-08 ST-SBHP 8.35E-02 2.47E-09 X

X LOOP-19 LOOP*DG-DIV-I *GW-2*FPS-2*P I *OSP-I.5 2.93E-09 DT-SBLP 1.84E-04 5.39E-13 X

X LOOP-21 LOOP*DGDIV-I *GW-2*FPS-2*PI *RCIC*OSP-5.36E-10 ST-SBLP 2.77E-02 1.48E-I I X

X 0.5.

LOOP-22 LOOP*DG-DIV-I *GW-2*FPS-2*P2 1.13E-09 ST-SBLP 2.77E-02 3.12E-II X

X TP-SWS-3 TP-SWS*GW-I *FPS-I CRD 4.68E-07 TWDT O.OOE+00 0.00E+00 X

X F-I F-4 F-I F*GW-3*FPS-3*PC-VENT 8.12E-07 TWDT O.OOE+00 O.OOE+00 X

X F-IF-6 F-I F*GW-3*FPS-3*CS-B*PC-VENT 2.11 E-08 TWDT O.OOE+00 O.OOE+00 X

X F-IF-7 F-IF*GW-3*FPS-3*CS-B*LPCI-C&D 1.08E-06 TWDT O.OOE+00 O.OOE+00 X

X F-I F-8 F-I F*GW-3*FPS-3*DEP 2.11 E-08 TWDT O.OOE+00 O.OOE+00 X

X F-IF-10 F-IF*GW-3*FPS-3*RCIC*PC-VENT 8.20E-08 TWDT O.OOE+00 O.OOE+00 X

X F-IF-12 F-IF*GW-3*FPS-3*RCIC*CS-B*PC-VENT 2.13E-09 TWDT O.OOE+00 O.OOE+00 X

X F-I F-1 3 F-I F*GW-3 *FPS-3 *RCIC*CS-B*LPCI-C&D 1.09E-07 TWDT O.OOE+00 O.OOE+00 X

X F-IF-14 F-I F*GW-3 *FPS-3 *RCIC*DEP 2.131E-09 TWDT O.OOE+00 O.OOE+00 X

X F-IF-16 F-IF*GW-3*FPS-3*RCIC*HPCI*PC-VENT 4.68E-08 TWDT 0.00E+00 O.OOE+00 X

X F-IF-18 F-I F*GW-3 *FPS-3 *RCIC**HPCI*CS-B*PC-1.22E-09 TWDT O.OOE+00 0.00E+00 X

X VENT Page 38 of 40

Table 2.9 Summary of Cooper SWS-GW Misalignment Event Tree Core Damage Sequences Sequence Sequence Designator Time to Time to Number Recovery Core Damage Plant LERF LERF Core Damage Containment Frequency Damage Multiplier Release S ta te Early Late Early Late F-IF-19 F-I F*GW-3*FPS-3*RCIC*HPCI*CS-B*LPCI-6.21 E-08 TQUV 3.47E-02 2.15E-09 X

X C & D_

F-IF-20 F-I F*GW-3*FPS-3*RCIC*HPCI*DEP 1.22E-09 TQUX O.OOE+00 O.OOE+00 X

X F-I F-22 F-I F*GW-3*FPS-3*P I *PC-VENT 8.12E-09 TWDT O.OOE+00 O.OOE+00 X

X F-IF-24 F-I F*GW-3*FPS-3*P I *CS-B*PC-VENT 2.11 E-I 0 TWDT O.OOE+00 O.OOE+00 X

X F-I F-25 F-I F*GW-3 *FPS-3 *P I *DEP 2.11 E-10 TWDT O.OOE+00 O.OOE+00 X

X F-IF-27 F-IF*GW-3*FPS-3*PI*RCIC*PC-VENT 8.20E-10 TWDT O.OOE+00 O.OOE+00 X

X F-I F-29 F-IF*GW-3*FPS-3*PI*RCIC*CS-B*PC-VENT 2.13E-I I TWDT O.OOE+00 O.OOE+00 X

X F-I F-30 F-I F*GW-3 *FPS-3 *P I *RCIC*CS-B*LPCI-C&D 1.09E-09 TPUV O.OOE+00 O.OOE+00 X

X F-IF-31 F-I F*GW-3 *FPS-3*P I *RCIC*DEP 2.13E-I I TPUV O.OOE+00 O.OOE+00 X

X F-lF-33 F-IF*GW-3*FPS-3*P2*PC-VENT 9.75E-10 TWDT O.OOE+00 O.OOE+00 X

X F-IF-35 F-IF*GW-3*FPS-3*P2*CS-B*PC-VENT 2.53E-I I TWDT O.OOE+00 O.OOE+00 X

X F-IF-36 F-I F*GW-3 *FPS-3*P2*CS-B*LPCI-C&D 1.29E-09 TPUV O.OOE+00 O.OOE+00 X

X Total CDF 2.90E-06 7.41 E-09

= Total LERF

(/Yyr) =/__

Total CDP 1.67E-07 4.26E-10

= Total LERP Page 39 of 40

3.0 CONCLUSION

When examining the risk significance of the GW valve mis-alignment, a focused PRA similar to the CNS SPAR model treatment was used to evaluate the dominant sequences. From these results, it was concluded that treatment of three initiators, Loss of SW, LOOP and Critical Switchgear I F fire appropriately capture the risk impact of this condition.

The temporary alignment of Service Water Division I gland water supply to SW pumps in both Divisions was determined not to be safety significant. The risk due to increased core damage probability was determined to be less than I E-6. The risk due to increased large early release probability was determined to be less than I E-7.

The results are judged to be bounding due to the following conservatisms:

1. Emergency Diesel mission times were increased to 14 hours1.62037e-4 days 0.00389 hours 2.314815e-5 weeks 5.327e-6 months . This increase represents roughly a 175% increase in DG fail to run probability over the previously used 8-hour mission time.

2. The loss of on-site power is assumed to be unrecoverable. This is conservative, since the recovery of AC power would reduce calculated incremental CDF and LERF contributions.

3. The average SW conditions were used such that potential restoration of GW flow from the control room was not credited. A review of plant conditions and expected system response indicates a significant fraction of evaluated events could have been recoverable with minimal operator action.

4. In establishing recovery periods for SBO sequences, the operation of the Div. 2 SW pumps for 90 minutes prior to DG 2 failure was not included. This is conservative since existing 30 min, 60 min and 90 minutes recovery periods would be doubled or tripled.

5. During SBO conditions, RCIC injection could be extended beyond 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months by dropping DC loads from the battery. No credit was taken for DC load shedding.

NRC Directive 8.3 suggests that consideration of the uncertainties involved in significance determination process (probabilistic risk assessments) be used to evaluate degraded conditions. As an alternative to the determination of uncertainties, conservative inputs and assumptions are used to ensure the estimate is bounding.

The overall conclusion is that the safety impact associated with the GW valve misalignment is not risk significant. This was established by evaluating the incremental change to CCDP and CLERP based on expected plant specific response and treatment of operator actions to correct the condition.

These conclusions are supported by the results of previous analysis using the CNS PSA model.

Page 40 of 40

APPENDIX A COOPER SWS-GW MISALIGNMENT EVENT TREE SEQUENCE DESCRIPTION Loss of Offsite Power (LOOP) Sequences In defining a sequence, a slash (/) preceding an event designator indicates the event is a success.

Asterisks (*) separate the event designators.

Sequence LOOP-I: LOOP*/DGS-OK*/SWS DIV I OK. A loss of offsite power transient occurs (LOOP) and both divisions of emergency onsite AC power supplies safeguard buses IF and I G (/DGS-OK). With onsite power available, the SWS pumps provide adequate cooling for essential loads and plant conditions such as vessel injection and containment pressure control are not challenged due to SWS pumps cooling. This sequence is considered baseline in terms of core damage and large early release. Therefore, the misalignment of valve SW-V-28 does not impact CDF or LERF.

Sequence LOOP-2: LOOP*/DGS-OK*SWS DIV I LOSS*/GW-I. A loss of offsite power transient occurs (LOOP) and both divisions of emergency onsite AC power supplies safeguard buses IF and I G (/DGS-OK). Subsequently, random mechanical faults fail the DIV I SWS Pumps IA and IC (SWS DIV I LOSS). With the DIV II SWS Pumps IB and ID gland water supply align to DIV I SWS Pumps discharge header, due to the misalignment of SW-V-28, continued operation of DIV II SWS Pumps lB and ID are not assured. Therefore, to preclude a total loss of SWS flow, plant operators successfully diagnosis and restore the gland water supply to the DIV II SWS Pumps (GW-1). This sequence is considered baseline in terms of core damage and large early release. Therefore, the misalignment of valve SW-V-28 does not impact CDF or LERF.

Sequence LOOP-3: LOOP*/DGS-OK*SWS DIV I LOSS*GW1-*/FPS-1. Same as sequence LOOP-2, except that gland water supply to the DIV II SWS Pumps lB and ID is not restored (GW-1). Subsequently, plant operators align the Fire Protection System for gland water injection for DIV II SWS Pumps (/FPS-1). This sequence is considered baseline in terms of core damage and large early release. Therefore, the misalignment of valve SW-V-28 does not impact CDF or LERF.

Sequence LOOP4: LOOP*/DGS-OK*SWS DIV I LOSS*GW-1*FPS-1*/RCIC*/OSP 4.

Same as sequence LOOP-2, except that plant operators are not successful in restoring gland water supply to the DIV II SWS Pumps (GW-I *FPS-1). This results in the loss of Turbine Equipment Cooling and Reactor Equipment Cooling system heat exchangers and Diesel Generator cooling. With the loss of Diesel Generator cooling a Station Blackout (SBO) ensues.

The SBO renders all core cooling systems, except HPCI and RCIC inoperable. Since the feedwater system cannot provide reactor make-up, reactor water level falls. At a reactor water level of 116 in. above top-of-active-fuel (TAF), HPCI and RCIC are automatically initiated.

After the initial reflooding with water provided by HPCI and RCIC, plant operators select the use Page AI of A7

of RCIC to provide reactor level control (IRCIC). After 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months , however, RCIC will fail unless AC power is restored prior to battery depletion. Subsequently, recovery of offsite power supply occurs (/OSP-4). With AC power restored this sequence results in a safe core and containment.

Sequence LOOP-5: LOOP*/DGS-OK*SWS DIV I LOSS*GW-1*FPS-1*/RCIC*OSP-4*/DC-1*/OSP-8. Same as sequence LOOP-4, except that plant operators are not successful in restoring offsite power within 4-hours from the start of the SBO (OSP-4). In order to provide the operating staff with a large cushion of time in which to recover a source of onsite or offsite AC power, plant operators are instructed via Procedures 5.3AC480, "480 VAC BUS FAILURE" and 2.2.25.1, "125 VDC Electrical System - Div I" to transfer 125-Vdc Distribution Panel A and RCIC Starter Rack to emergency DC division II battery power (/DC-l). This prolongs RCIC operation (/RCIC). With successful division II DC switch, plant personnel have up to 8-hours to restored offsite power. Subsequently, recovery of offsite power supply occurs (/OSP-8). With AC power restored this sequence results in a safe core and containment.

Sequence LOOP-6: LOOP*/DGS-OK*SWS DIV I LOSS*GW-1*FPS-1*/RCIC*OSP-4*/DC-1*OSP-8. Same as sequence LOOP-5, except that offsite power is not recovered (OSP-8). Therefore, after 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months , RCIC fails because of battery depletion. This sequence results in core damage and the potential for a late containment release.

Sequence LOOP-7: LOOP*/DGS-OK*SWS DIV I LOSS*GW-1*FPS-1*/RCIC*OSP-4*DC-1. Same as sequence LOOP-5, except that plant operators fail to perform the DC load switch from division I to division II and offsite power is not restored within 4-hours (OSP-4*DC-1). As a result, after 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months , RCIC will fail because of battery depletion. This sequence results in core damage and the potential for a late containment release.

Sequence LOOP-8: LOOP*/DGS-OK*SWS DIV I LOSS*GW-1*FPS-1*RCIC. Same as sequence LOOP-4, except that RCIC fails to operate (RCIC). With no high-pressure core injection system, and no alternative low-pressure core injection systems this sequence results in core damage and the potential for an early containment release.

Sequence LOOP-9: LOOP*/DGS-OK*FULL SWS LOSS. A loss of offsite power transient occurs (LOOP) and both divisions of emergency onsite AC power supplies safeguard buses IF and IG (/DGS-OK). Subsequently, random mechanical faults fail both DIV I and DIV II SWS Pumps (FULL SWS LOSS). This results in the loss of Turbine Equipment Cooling and Reactor Equipment Cooling system heat exchangers and Diesel Generator cooling. With the loss of Diesel Generator cooling a Station Blackout (SBO) ensues. Because the SWS Pumps fail due random mechanical faults and not due to the misalignment of SW-V-28, this sequence is considered baseline in terms of core damage and large early release. Therefore, the misalignment of valve SW-V-28 does not impact CDF or LERF.

Sequence LOOP-10: LOOP*DG-DIV-1*/GWV-2.

A loss of offsite power transient occurs (LOOP) and division I diesel generator onsite AC power fails due to random faults (DG-DIV-I).

Subsequently, with the DIV II SWS Pumps l B and 1 D gland water supply align to DIV I SWS Pumps discharge header, due to the misalignment of SW-V-28, continued operation of DIV II SWS Pumps l B and ID are not assured. Therefore, to preclude a total loss of SWS flow, plant Page A2 of A7

operators successfully diagnosis and restore the gland water supply to the DIV 11 SWS Pumps (GW-2). This sequence is considered baseline in terms of core damage and large early release.

Therefore, the misalignment of valve SW-V-28 does not impact CDF or LERF.

Sequence LOOP-11:LOOP*DG DIV-1*GW-2*/FPS-2. Same as sequence LOOP-10, except that gland water supply to the DIV II SWS Pumps l B and ID is not restored (GW-2).

Subsequently, plant operators align the Fire Protection System for gland water injection for DIV II SWS Pumps (/FPS-2). This sequence is considered baseline in terms of core damage and large early release. Therefore, the misalignment of valve SW-V-28 does not impact CDF or LERF.

Sequence LOOP-12: LOOP*DG-DIV-1*GWV-2*FPS-2*/SRV*/RCIC*/OSP4.

Same as LOOP-l 0, except that plant operators are not successful in restoring gland water supply to the DIV II SWS Pumps (GW-2*FPS-2). This results in the loss of Diesel Generator cooling. With the loss of Diesel Generator cooling a SBO ensues. The SBO renders all core cooling systems, except HPCI and RCIC inoperable. Since the feedwater system cannot provide reactor make-up, reactor water level falls. At a reactor water level of 116 inches above TAF, HPCI and RCIC are automatically initiated. After the initial reflooding with water provided by HPCI and RCIC, plant operators select the use of RCIC to provide reactor level control (/RCIC). After 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months , however, RCIC will fail unless AC power is restored prior to battery depletion. Subsequently, recovery of offsite power supply occurs (/OSP-4). With AC power restored this sequence results in a safe core and containment.

Sequence LOOP-13: LOOP*DGDn7-1*GV-2*FPS-2*/SRV*/RCIC*OSP 4*DC-1*/OSP-

8. Same as sequence LOOP-12, except that plant operators are not successful in restoring offsite power within fours from the start of the SBO (OSP-4). In order to provide the operating staff with a large cushion of time in which to recover a source of onsite or offsite AC power, plant operators are instructed via Procedures 5.3AC480, "480 VAC BUS FAILURE" and 2.2.25.1, "125 VDC Electrical System - Div I" to transfer 125-Vdc Distribution Panel A and RCIC Starter Rack to emergency DC division II battery power (/DC-1). This prolongs RCIC operation

(/RCIC). With successful division II DC switch, plant personnel have up to 8-hours to restored offsite power. Subsequently, recovery of offsite power supply occurs (/OSP-8). With AC power restored this sequence results in a safe core and containment.

Sequence LOOP-14: LOOP*DG-DIV-1 *GV-2*FPS-2*/SRV*/RCIC*OSP4*DC-1 *OSP-

8. Same as sequence LOOP-12, except that offsite power is not recovered (OSP-8). Therefore, after 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months , RCIC fails because of battery depletion. This sequence results in core damage and the potential for a late containment release.

Sequence LOOP-i5: LOOP*DGDIV-1*GV-2*FPS-2*/SRV*/RCIC*OSP4*DC-1.

Same as sequence LOOP-12, except that plant operators fail to perform the DC load switch from division I to division II and offsite power is not restored within 4-hours (OSP-4*DC-I). As a result, after 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months , RCIC will fail because of battery depletion. This sequence results in core damage and the potential for a late containment release.

Sequence LOOP-16: LOOP*DGDlV-1*GV-2*FPS-2*/SRV*RCIC*/OSP0.5.

Same as sequence LOOP-12, except that RCIC fails to operate (RCIC). Subsequently, plant operators Page A3 of A7

restored AC power within 30 minutes (/OSP-0.5). With AC power restored this sequence results in a safe core and containment.

Sequence LOOP-17: LOOP*DG-DIV-1*GWV-2*FPS-2*/SRV*RCIC*OSP-0.5.

Same as sequence LOOP-16, except that offsite power is not recovered in 30 minutes (OSP-0.5).

Therefore, without adequate core makeup, core damage ensues with the potential for an early containment release.

Sequence LOOP-18: LOOP*DG-DIV-1*GWV-2*FPS-2*P1*/RCIC*/OSP-1.5.

Same as LOOP-12, except that one SRV fails to reclose (P 1), creating a loss of coolant accident.

However, RCIC will eventually isolate because of low reactor vessel steam supply--a safety relief valve is open. Without adequate core makeup, core damage ensues unless offsite power is recovered within 90 minutes. Offsite power is successfully restored in 90 minutes (OSP-1.5).

With AC power restored this sequence results in a safe core and containment.

Sequence LOOP-19: LOOP*DG-DIV-1*Gv-2*FPS-2*Pl*/RCIC*OSP-1.5.

Same as LOOP-18, except that offsite power is not recovered in 90 minutes (OSP-1.5). Therefore, without adequate core makeup, core damage ensues with the potential for an early containment release.

Sequence LOOP-20: LOOP*DG-DINV-1*GW-2*FPS-2*Pl*RCIC*/OSP-0.5.

Same as LOOP-18, except that RCIC fails to operate (RCIC). Subsequently, plant operators restored AC power within 30 minutes (/OSP-0.5). With AC power restored this sequence results in a safe core and containment.

Sequence LOOP-21: LOOP*DGDIV-1*GV-2*FPS-2*Pl*RCIC*OSP0.5.

Same as LOOP-18, except that offsite power is not recovered in 30 minutes (OSP-0.5). Therefore, without adequate core makeup, core damage ensues with the potential for an early containment release.

Sequence LOOP-22: L00P*DG-DIV-1*GW-2*FPS-2*P2.

Same as LOOP-12, except that two SRVs fail to reclose (P2), creating a medium loss of coolant accident. However, both HPCI/RCIC fail quickly on low steam supply and there is a negligible chance in restoring AC power. Therefore core damage ensues with the potential for an early containment release.

Sequence LOOP-23: LOOP*DG-DIV-II*/SWS DIN7 I LOSS. A loss of offsite power transient occurs (LOOP) and division II diesel generator onsite AC power fails due to random faults (DG-DIV-II). With onsite power available from DG-1, the DIV I SWS pumps provide adequate cooling for essential loads and plant conditions such as vessel injection and containment pressure control are not challenged due to SWS pumps cooling. This sequence is considered baseline in terms of core damage and large early release. Therefore, the misalignment of valve SW-V-28 does not impact CDF or LERF.

Sequence LOOP-24: LOOP*DG-DIV-II*SWS DIN' I LOSS. A loss of offsite power transient occurs (LOOP) and division II diesel generator onsite AC power fails due to random faults (DG-DIV-II). Subsequently, random mechanical faults fail the DIV I SWS Pumps IA and I C (SWS DIV I LOSS). The loss of DIV I SWS Pumps results in the loss of Diesel Generator cooling.

Page A4 of A7

With the loss of Diesel Generator cooling a SBO ensues. However, because the DIV I SWS Pumps fail due random mechanical faults and not due to the misalignment of SW-V-28, this sequence is considered baseline in terms of core damage and large early release. Therefore, the misalignment of valve SW-V-28 does not impact CDF or LERF.

Sequence LOOP-25: LOOP*DG-ALL. A loss of offsite power transient occurs (LOOP) and emergency onsite AC power is unavailable (DG ALL). This sequence results in a SBO.

However, because the onsite AC power from DG-I and DG-2 fail due random mechanical faults and not due to the misalignment of SW-V-28, this sequence is considered baseline in terms of core damage and large early release. Therefore, the misalignment of valve SW-V-28 does not impact CDF or LERF.

Loss of Division I Service Water Pumps 1A and IC (TP-SWS) Sequences Sequence TP-SWS-1: TP-SWS*/GW-1. A loss division I SWS pumps A and C event occurs.

Subsequently, because the DIV II GW supply valve SW-V-28 is inadvertently closed, the division II SWS B and D pumps gland water supply is provided by operation of division I SWS pumps A and C. Therefore, to preclude a total loss of SWS flow, plant operators successfully diagnosis and restore the gland water supply to the DIV II SWS Pumps (GW-1). This sequence is considered baseline in terms of core damage and large early release. Therefore, the misalignment of valve SW-V-28 does not impact CDF or LERF.

Sequence TP-SWS-2: TP-SWS*GW1-*/FPS-1. Same as sequence TP-SWS-I, except that gland water supply to the DIV II SWS Pumps IB and ID is not restored (GW-1). Subsequently, plant operators align the Fire Protection System for gland water injection for DIV II SWS Pumps

(/FPS-1). This sequence is considered baseline in terms of core damage and large early release.

Therefore, the misalignment of valve SW-V-28 does not impact CDF or LERF.

Sequence TP-SWS-3: TP-SWS*GW1-*FPS-1. Same as sequence TP-SWS-1, except that plant operators are not successful in restoring gland water supply to the DIV II SWS Pumps (GW-1*FPS-l). This results in the loss of Turbine Equipment Cooling and Reactor Equipment Cooling system heat exchangers and Diesel Generator cooling. With the loss of Reactor Equipment Cooling containment pressure control is challenged long-term. Therefore, this sequence results in core damage with the potential for late containment release.

Loss of Service Water Pumps (TF-SWS) Sequences Sequence TF-SWS-1: TF-SWS. A complete loss of service water (SSW) system event occurs due to random mechanical faults. Subsequently, a loss of Turbine Equipment Cooling and Reactor Equipment Cooling system heat exchangers and Diesel Generator cooling occurs.

However, because the DIV I SWS Pumps fail due random mechanical faults and not due to the misalignment of SW-V-28, this sequence is considered baseline in terms of core damage and large early release. Therefore, the misalignment of valve SW-V-28 does not impact CDF or LERF.

Page A5 of A7

Plant Fire at Switchiear IF (F-IF) Sequences Sequence F-iF-1: F-1F*/GW-3. A plant fire occurs that damages division I switchgear IF.

The loss of division I switchgear IF renders inoperable Core Spray pump "A", RHR pumps "A" and "B", RHR Service Water Booster pumps "A" and "C", CRD pump "A" and SWS pumps "A" and "C". In addition, due to the misalignment of GW supply water SW-V-28, the division II SWS "B" and "D" pumps gland water supply is being provided by operation of division I SWS pumps "A" and "C". However, because the initiator results in the lost of SWS pumps A and C, successful continued operation from SWS B and D requires the restoration of gland water supply to SWS pumps B and D. Plant operators successfully diagnosis and restore the gland water supply to the DIV II SWS Pumps (GW-3). This sequence is considered baseline in terms of core damage and large early release. Therefore, the misalignment of valve SW-V-28 does not impact CDF or LERF.

Sequence F-IF-2: F-1F*GW-3*/FPS-3. Same as sequence F-IF-I, except that gland water supply to the DIV II SWS Pumps IB and ID is not restored (GW-3). Subsequently, plant operators align the Fire Protection System for gland water injection for DIV II SWS Pumps

(/FPS-3). This sequence is considered baseline in terms of core damage and large early release.

Therefore, the misalignment of valve SW-V-28 does not impact CDF or LERF.

Sequence F-1F-3: F-lF*GW-3*FPS-3*/SRV*/RCIC*/DEP*/CS-B*/PC-VENT.

A plant fire occurs that damages division I switchgear IF. The loss of division I switchgear IF renders inoperable Core Spray pump "A", RHR pumps "A" and "B", RHR Service Water Booster pumps "A" and "C", CRD pump "A" and SWS pumps "A" and "C". In addition, due to the misalignment of GW supply water SW-V-28, the division II SWS "B" and "D" pumps gland water supply is being provided by operation of division I SWS pumps "A" and "C". Plant operators are not successful in restoring gland water supply to the DIV II SWS Pumps (GW-3*FPS-3). This results in the loss of Turbine Equipment Cooling and Reactor Equipment Cooling system heat exchangers and Diesel Generator cooling. RCIC provides core makeup until a high RCIC turbine exhaust trip fails RCIC. Reactor make-up is then provided from Core Spray B pump (/CS-B), following vessel depressurization (/DEP). With the loss of Reactor Equipment Cooling containment pressure control is challenged long-term. Therefore, containment pressure control is provided by containment venting (/PC-VENT). This sequence results in a safe core and containment.

Sequence F-iF4: F-iF*GW-3*FPS-3*/SRV*/RCIC*/DEP*/CS-B*PC-VENT.

Same as sequence F-1F-3, except that containment venting fails (PC-VENT). This sequence results in core damage and late containment failure.

Sequence F-iF-5: F-lF*GV-3*FPS-3*/SRV*/RCIC*/DEP*CS-B*ALPCI-C&D/*PC-'%ENT.

Same as sequence F-I F-3, except that random mechanical faults fail Core Spray pump B); plant operators then use LPCI for reactor makeup (LPCI-C&D). This sequence results in a safe core and containment.

Page A6 of A7

Sequence F-i F-6: F-lF*GV-3*FPS-3*/SRV*/RCIC*/DEP*CS-B*/LPCI-C&D*PC-VENT.

Same as sequence F-IF-5, except that containment venting fails (PC-VENT). This sequence results in core damage and late containment failure.

Sequence F-i F-7: F-i F*GW-3*FPS-3*/SRV*/RCIC*/DEP*CS-B*LPCI-C&D.

Same as sequence F-IF-3, except that after reactor depressurization (/DEP) all low-pressure reactor make-up systems fail (CS-B*LPCI-C&D), precluding adequate core cooling. This sequence results in early core damage and the potential for early containment release.

Sequence F-iF-8: F-iF*GW-3*FPS-3*/SRV*/RCIC*DEP.

Same as sequence F-IF-3, that reactor depressurization fails (DEP). This sequence results in early core damage and the potential for early containment release.

Sequences F-iF-9 to F-IF-14. Sane as sequences F-IF-3 to f-lF-8, except that RCIC fails and pant operator use HPCI for reactor level control.

Sequences F-iF-15 to F-1F-20. Sane as sequences F-IF-3 to f-lF-8, except that RCIC and HPCI fail due to random mechanical faults; reactor make-up is then provided by low-pressure injection systems Core Spray B or LPCI C/D, following vessel depressurization.

Sequences F-1F-21 to F-iF-31. Similar to sequences F-lF-3 to F-lF-20, except that a single stuck-open SRV occurs. Subsequently, HPCI isolates because of low reactor vessel steam supply.

Sequences F-1F-32 to F-1F-36. Similar to sequences F-IF-3 to F-IF-20, except that two stuck-open SRVs occur. Subsequently, RCIC and HPCI isolate because of low reactor vessel steam supply.

Page A7 of A7

APPENDIX B HUMAN RELIABILITY ANALYSIS B.1 OPERATOR ACTION GW%' OPERATOR RECOVERS GLAND WATER COOLING GIVEN PARTIAL LOSS OF DIV I SW PUMPS Summary Description This operator action models operator action to recover SW gland water cooling in the event of failure of Division I SW.

Cue(s)

CR annunciator B-3, Window D-6 (Service Water Pump B/D Brg Wtr Low Flow)

CR annunciator B-3, Window E-6 (SW Gland Wtr Supply Sys B Trouble)

Indication(s)

Service Water Pump Room local alarm I B/A-3 (Gland Water System B Low Pressure)

SW-PI-394 (Seal Water to SW Pump B&D Seals) reading 0 psig SW-FIS-361B (Seal Water to SW Pump B Seals) reading 0 gpm SW-FIS-361D (Seal Water to SW Pump D Seals) reading 0 gpm Procedural Guidance.

Following a loss of Division I service water, control room annunciators B-3/D-6 (SERVICE WATER PUMP B/D BRG WTR LOW FLOW) and B-3/E-6 (SW GLAND WTR SUPPLY SYS B TROUBLE) will alarm. Step 2.2 of the alarm response procedure (2.3_B-3) directs an operator to be dispatched to the SW Pump Room to take action per procedure 2.3_SW-GLND-B, Annunciator I B/A-3, on SW Gland Water Panel B. Procedure 2.3_SW-GLND-B references procedure 2.2.71 (Service Water System). Section 10.2 of procedure 2.2.71 provides instructions for aligning the service water discharge supply to gland water subsystem B, which includes ensuring that valve SW-28 is open.

Critical Operator Actions The critical action is proceduralized in procedure 2.2.71 (Section 10, Step 10.2.3.8) and involves opening valve SW-28.

PERFORMANCE SHAPING FACTORS

a. Time Available.

Based on plant analyses, the time available to restore gland water cooling prior to the SW pumps failing is 90 minutes. Based on discussions with plant operators, the time required to perform the required actions is 21 minutes, which includes time for an operator to travel to the SW pump room. Therefore, the time available for diagnosis is 69 minutes.

b.

Stress. Stress is considered nominal, both for diagnosis and for execution.

BI of B33

c.

Task Complexity. Since the operator must recognize the need to enter reference procedure 2.2.71, diagnosis is considered to be moderately complex. However, execution is considered to involve nominal complexity.

d.

Training/Experience. Training is considered to be nominal.

e.

Procedures. Procedure quality is considered to be nominal.

f.

Ergonomics. Ergonomics are considered to be nominal.

QUANTIFICATION Diagnosis Error Using the SPAR-H method and the above performance shaping factors results in a diagnosis HEP of 2.OE-3 (see Table B.l).

Execution Failure Using the SPAR-H method and the above performance shaping factors results in an execution HEP of L.OE-3 (see Table B.l).

Result The total HEP for operator action GW-I is 3.OE-3, as shown in Table B. 1.

B2 of B33

Table B.1 Human Error Probability for Operator Action GW-1 Performance Shaoina Factors (PSFs)*

Time Available Stress Complexity Training Procedures Ergonomics Recovery (D/E/R)

Basic Loc (VUUISN S)

(W/HE) (OD/N/MC/HC (HN/LL (DSIN/AP/NC (GN/PIMP Steps Mean Critical Task HEP Type x

Level x Level x

Level x

R# I x HEP Diagnosis D

1.OE-2 C/L L

0.10 N

1 MC 2

N 1

N I

2.OE-3 Execution E

1.OE-3 L

N 1.00 N

1 N

1 1.OE-3 GW-1 3.OE-3

Performance ShaDing Factors (PSFs)

Time Available:

- VL (Very Long)

-L (Long)

- N (Nominal)

- S (Short)

- VS (Very Short)

Stress:

Complexity:

Training Procedures Ergonomics 69 minutes (90 minutes less 21 minutes for execution)

Diagnosis:>24 hours Execution: Time available >50x time required Diagnosis:>60 minutes Execution: Time available >5x time required Diagnosis:20<x<60 minutes Execution: Nominal time Diagnosis:<20 minutes Execution: Time available is about equal to the time required Diagnosis:lnadequate time Execution: Inadequate time N = Nominal; H = High; E = Extreme OD = Obvious diagnosis (diagnosis only); N = Nominal; MC = Moderately complex; HC = Highly complex H = High; N = Nominal; L = Low DS = Diagnostic/symptom oriented (diagnosis only); N = Nominal; AP = Available, but poor; NC = Not complete G = Good; N = Nominal; P = Poor; MM = Missing or misleading

- Error Tvye: Diagnosis (D), Execution (E) or Recovery (R#)

- - Location of Action: Central Control Room (C) or Local (L)

B3 of B33

B.2 OPERATOR ACTION GW OPERATOR RECOVERS GLAND WATER COOLING GIVEN LOSS OF DIV I EDG Summary Description This operator action models operator action to recover SW gland water cooling in the event of failure of the Division I EDG.

Cue(s)

CR annunciator B-3, Window D-6 (Service Water Pump B/D Brg Wtr Low Flow)

CR annunciator B-3, Window E-6 (SW Gland Wtr Supply Sys B Trouble)

Indication(s)

Service Water Pump Room local alarm 1 B/A-3 (Gland Water System B Low Pressure)

SW-PI-394 (Seal Water to SW Pump B&D Seals) reading 0 psig SW-FIS-36 I B (Seal Water to SW Pump B Seals) reading 0 gpm SW-FIS-361D (Seal Water to SW Pump D Seals) reading 0 gpm Procedural Guidance.

Following a loss of Division I service water, control room annunciators B-3/D-6 (SERVICE WATER PUMP B/D BRG WTR LOW FLOW) and B-3/E-6 (SW GLAND WTR SUPPLY SYS B TROUBLE) will alarm. Step 2.2 of the alarm response procedure (2.3_B-3) directs an operator to be dispatched to the SW Pump Room to take action per procedure 2.3_SW-GLND-B, Annunciator lB/A-3, on SW Gland Water Panel B.

Procedure 2.3_SW-GLND-B references procedure 2.2.71 (Service Water System).

Section 10.2 of procedure 2.2.71 provides instructions for aligning the service water discharge supply to gland water subsystem B, which includes ensuring that valve SW-28 is open.

Critical Operator Actions The critical action is proceduralized in procedure 2.2.71 (Section 10, Step 10.2.3.8) and involves opening valve SW-28.

PERFORMANCE SHAPING FACTORS

a. Time Available.

Based on plant analyses, the time available to restore gland water cooling prior to the SW pumps failing is 90 minutes. Based on discussions with plant operators, the time required to perform the required actions is 21 minutes, which includes time for an operator to travel to the SW pump room. Therefore, the time available for diagnosis is 69 minutes.

b.

Stress. Stress is considered high for diagnosis based on the occurrence of a loss of offsite power and subsequent failure of the Division I EDG; stress is considered nominal for execution.

B4 of B33

c.

Task Complexity. Since the operator must recognize the need to enter reference procedure 2.2.71, diagnosis is considered to be moderately complex. However, execution is considered to involve nominal complexity.

d.

Training/Experience. Training is considered to be nominal.

e.

Procedures. Procedure quality is considered to be nominal.

f.

Ergonomics. Ergonomics are considered to be nominal.

QUANTIFICATION Diagnosis Error Using the SPAR-H method and the above performance shaping factors results in a diagnosis HEP of 4.OE-3 (see Table B.2).

Execution Failure Using the SPAR-H method and the above performance shaping factors results in an execution HEP of 1.OE-3 (see Table B.2).

Result The total HEP for operator action GW-2 is 5.OE-3, as shown in Table B.2.

B5 of B33

Table B.2 Human Error Probability for Operator Action GW-2 Performance ShaDing Factors (PSFs)*

Time Available Stress Complexity Training Procedures Ergonomics Recovery (D/EIR)Basic Loc (VUUNISN)

(NIH/Ej (ODNHMCHC C DS/N/AP/NC_(GINIPIM Step s

Mean Critical Task HEP

Y*

I Tyev x

Level x

R#

x HEP Diagnosis D

1.OE-2 C/L L

0.10 H

2

_MC 2

N 1

4.OE-3 Execution E

11.OE-3 L

N 1.00 N

1 N

1

=

1.OE-3 I

1 t

t1

1ttt 4114 4-4-4 1

4 t1 1tt4 4

+

4-4 4

4-4-4 4-4.4.-4-4 4-4-4 4-4 4-4-4-4 I

4 4--+

4-4-4-4 4

4-4-4 4

4-4-I 4

4 4

4-4.

4-4-4-4 4-4 4-4 4

4 4-4-4 4

4 4-4.-4-4-4 4

.4.

4-4 4

4-4-1 4

J J.

J.+/-

J.........L......L4 1.L......A..........+/-

4 _____

L J..L............J I

GW-2 5.0E-3

Performance ShaDing Factc Time Available:

- VL (Very Long)

- L(Long)

- N (Nominal)

- S (Short)

- VS (Very Short)

Stress:

Complexity:

Training Procedures Ergonomics irs (PSFs) 69 minutes (90 minutes less 21 minutes for execution)

Diagnosis:>24 hours Execution: Time available >50x time required Diagnosis:>60 minutes Execution: Time available >5x time required Diagnosis:20cx<60 minutes Execution: Nominal time Diagnosis:<20 minutes Execution: Time available is about equal to the time required Diagnosis:lnadequate time Execution: Inadequate time N = Nominal; H = High; E = Extreme OD = Obvious diagnosis (diagnosis only); N = Nominal; MC = Moderately complex; HC = Highly complex H = High; N = Nominal; L = Low DS = Diagnostic/symptom oriented (diagnosis only); N = Nominal; AP = Available, but poor; NC = Not complete G = Good; N = Nominal; P = Poor; MM = Missing or misleading

- Error Tvye: Diagnosis (D), Execution (E) or Recovery (R#)

- - Location of Action: Central Control Room (C) or Local (L)

B6 of B33

B.3 OPERATOR ACTION GW OPERATOR RECOVERS GLAND WATER COOLING GIVEN LOSS OF DIV I EDG (SWITCHGEAR ROOM FIRE)

Summary Description This operator action models operator action to recover SW gland water cooling in the event of failure of the Division I EDG following a fire in the Switchgear Room.

Cue(s)

CR annunciator B-3, Window D-6 (Service Water Pump B/D Brg Wtr Low Flow)

CR annunciator B-3, Window E-6 (SW Gland Wtr Supply Sys B Trouble)

Indication(s)

Service Water Pump Room local alarm I B/A-3 (Gland Water System B Low Pressure)

SW-PI-394 (Seal Water to SW Pump B&D Seals) reading 0 psig SW-FIS-361B (Seal Water to SW Pump B Seals) reading 0 gpm SW-FIS-361D (Seal Water to SW Pump D Seals) reading 0 gpm Procedural Guidance.

Following a loss of Division I service water, control room annunciators B-3/D-6 (SERVICE WATER PUMP B/D BRG WTR LOW FLOW) and B-3/E-6 (SW GLAND WTR SUPPLY SYS B TROUBLE) will alarm. Step 2.2 of the alarm response procedure (2.3_B-3) directs an operator to be dispatched to the SW Pump Room to take action per procedure 2.3_SW-GLND-B, Annunciator IB/A-3, on SW Gland Water Panel B.

Procedure 2.3_SW-GLND-B references procedure 2.2.71 (Service Water System).

Section 10.2 of procedure 2.2.71 provides instructions for aligning the service water discharge supply to gland water subsystem B, which includes ensuring that valve SW-28 is open.

Critical Operator Actions The critical action is proceduralized in procedure 2.2.71 (Section 10, Step 10.2.3.8) and involves opening valve SW-28.

PERFORMANCE SHAPING FACTORS

a. Time Available.

Based on plant analyses, the time available to restore gland water cooling prior to the SW pumps failing is 90 minutes. Based on discussions with plant operators, the time required to perform the required actions is 21 minutes, which includes time for an operator to travel to the SW pump room. Given the occurrence of a fire in the Switchgear Room, an additional 20 minutes was conservatively assumed for suppressing the fire prior to directing the action to restore gland water cooling. Therefore, the time available for diagnosis is 49 minutes.

b.

Stress. Stress is considered high for diagnosis based on the occurrence of a fire in the Switchgear Room; stress is considered nominal for execution.

B7 of B33

c.

Task Complexity. Since the operator must recognize the need to enter reference procedure 2.2.71, diagnosis is considered to be moderately complex. However, execution is considered to involve nominal complexity.

d.

Training/Experience. Training is considered to be nominal.

e.

Procedures. Procedure quality is considered to be nominal.

f.

Ergonomics. Ergonomics are considered to be nominal.

QUANTIFICATION Diagnosis Error Using the SPAR-H method and the above performance shaping factors results in a diagnosis HEP of 4.OE-3 (see Table B.3).

Execution Failure Using the SPAR-H method and the above performance shaping factors results in an execution HEP of 1.OE-3 (see Table B.3).

Result The total HEP for operator action GW-3 is 5.OE-3, as shown in Table B.3.

B8 of B33

Table B.3 Human Error Probability for Operator Action GW-3 ParfnrmanrA Shanina Factors (PSFsl*

Time Available Stress Complexity Training Procedures Ergonomics Recovery (D/E/R)

Basic Loc (VUUNSNS)

(N/H1E) (OD/NIMCIHC (Hj/L (DS/N AP/NC (G/N1P M)

Steps Mean Critical Task HEP Type x

Level x Level x

Level x

R#

x HEP Diagnosis D

1.OE-2 C/L N

1.00 H

2 MC 2

N 1

4.OE-2 Execution E

1.OE-3 L

N 1.00 N

1 N

1

=

1.OE-3 GW-3 4.1E-2

Parforrmner Shaninn Factors (PSFs)

Time Available:

- VL (Very Long)

L (Long)

- N (Nominal)

- S (Short)

- VS (Very Short)

Stress:

Complexity:

Training Procedures Ergonomics 49 minutes (90 minutes less 21 Diagnosis:>24 hours Diagnosis:>60 minutes Diagnosis:20<xc60 minutes Diagnosis:<20 minutes Diagnosis:lnadequate time minutes for execution less 20 minutes to suppress fire)

Execution: Time available >50x time required Execution: Tlime available >5x time required Execution: Nominal time Execution: Time available is about equal to the time required Execution: Inadequate time N = Nominal; H = High; E = Extreme OD = Obvious diagnosis (diagnosis only); N = Nominal; MC = Moderately complex; HC = Highly complex H = High; N = Nominal; L = Low DS = Diagnostic/symptom oriented (diagnosis only); N = Nominal; AP = Available, but poor; NC = Not complete G = Good; N = Nominal; P = Poor; MM = Missing or misleading

- Error Type: Diagnosis (D), Execution (E) or Recovery (R#)

- - Location of Action: Central Control Room (C) or Local (L)

B9 of B33

B.4 OPERATOR ACTION FPS-1 -- OPERATOR ALIGNS FIRE WATER TO THE GLAND WATER SYSTEM Summary Description This operator action models operator action to recover SW gland water cooling in the event of failure of Division I SW by aligning fire water to the gland water system.

Cue(s)

CR annunciator B-3, Window D-6 (Service Water Pump B/D Brg Wtr Low Flow)

CR annunciator B-3, Window E-6 (SW Gland Wtr Supply Sys B Trouble)

Indication(s)

Service Water Pump Room local alarm I B/A-3 (Gland Water System B Low Pressure)

SW-PI-394 (Seal Water to SW Pump B&D Seals) reading 0 psig SW-FIS-361B (Seal Water to SW Pump B Seals) reading 0 gpm SW-FIS-361D (Seal Water to SW Pump D Seals) reading 0 gpm Procedural Guidance.

Following a loss of Division I service water, control room annunciators B-3/D-6 (SERVICE WATER PUMP B/D BRG WTR LOW FLOW) and B-3/E-6 (SW GLAND WTR SUPPLY SYS B TROUBLE) will alarm. Step 2.2 of the alarm response procedure (2.3 B-3) directs an operator to be dispatched to the SW Pump Room to take action per procedure 2.3_SW-GLND-B, Annunciator I B/A-3, on SW Gland Water Panel B.

Procedure 2.3_SW-GLND-B references procedure 2.2.71 (Service Water System).

Section 10.3 of procedure 2.2.71 provides instructions for aligning the fire protection backup supply to gland water subsystem B, which involves opening valve SW-1 98.

Critical Operator Actions The critical action is proceduralized in procedure 2.2.71 (Section 10, Step 10.3.4.4) and involves opening valve SW-198.

PERFORMANCE SHAPING FACTORS

a. Time Available.

Based on plant analyses, the time available to restore gland water cooling prior to the SW pumps failing is 90 minutes. Based on discussions with plant operators, the time required to perform the required actions is 15 minutes, which includes time for an operator to travel to the SW pump room. Therefore, the time available for diagnosis is 75 minutes.

b.

Stress. Stress is considered nominal, both for diagnosis and for execution.

c.

Task Complexity. Since the operator must recognize the need to enter reference procedure 2.2.71, diagnosis is considered to be moderately complex. However, execution is considered to involve nominal complexity.

B10 of B33

d.

Training/Experience. Training is considered to be nominal.

e.

Procedures. Procedure quality is considered to be nominal.

f.

Ergonomics. Ergonomics are considered to be nominal.

QUANTIFICATION Diagnosis Error Using the SPAR-H method and the above performance shaping factors results in a diagnosis HEP of 2.OE-3 (see Table B.4).

Execution Failure Using the SPAR-H method and the above performance shaping factors results in an execution HEP of L.OE4 (see Table B.4).

Result The total HEP for operator action FPS-I is 2.1 E-3, as shown in Table B.4.

BIl of B33

Table B.4 Human Error Probability for Operator Action FPS-1 Performance ShaDing Factors (PSFs)*

lime Available Stress Complexity Training Procedures Ergonomics Recovery (DIEIR)

Basic Loc (VUULNSNS)

(N//E)

(ODIN/MC/HC (DSINIAP/NC (G/NPIPMM Steps Mean Critical Task HEP

- - Type x

Level x Level x

Level x

R#

x HEP Diagnosis D

1.OE-2 C/L L

0.10 N

1 MC 2

N 1

2.OE-3 Execution E

1.OE-3 L

L 0.10 N

I N

1 N

1 1.OE-4 FPS-1 2.1E-3

Performance Shapina Factors (PSFs) lime Available:

75 minutes (90 minutes less 15 minutes for execution)

- VL (Very Long)

Diagnosis:>24 hours Execution: Time available >50x time required

- L (Long)

Diagnosis:>60 minutes Execution: Time available >5x time required

- N (Nominal)

Diagnosis:20<x<60 minutes Execution: Nominal time

- S (Short)

Diagnosis:<20 minutes Execution: Time available is about equal to the time required

- VS (Very Short)

Diagnosis:lnadequate time Execution: Inadequate time Stress:

N = Nominal; H = High; E = Extreme Complexity:

OD = Obvious diagnosis (diagnosis only); N = Nominal; MC = Moderately complex; HC = Highly complex Training H = High; N = Nominal; L = Low Procedures DS = Diagnostic/symptom oriented (diagnosis only); N = Nominal; AP = Available, but poor; NC = Not complete Ergonomics G = Good; N = Nominal; P = Poor; MM = Missing or misleading

- Error Tvpe: Diagnosis (D), Execution (E) or Recovery (R#)

- - Location of Action: Central Control Room (C) or Local (L)

B12 of B33

B.5 OPERATOR ACTION FPS OPERATOR ALIGNS FIRE WATER TO THE GLAND WATER SYSTEM GIVEN LOSS OF DIV I EDG Summary Description This operator action models operator action to recover SW gland water cooling in the event of failure of the Division I EDG by aligning fire water to the gland water system.

Cue(s)

CR annunciator B-3, Window D-6 (Service Water Pump B/D Brg Wtr Low Flow)

CR annunciator B-3, Window E-6 (SW Gland Wtr Supply Sys B Trouble)

Indication(s)

Service Water Pump Room local alarm I B/A-3 (Gland Water System B Low Pressure)

SW-PI-394 (Seal Water to SW Pump B&D Seals) reading 0 psig SW-FIS-361B (Seal Water to SW Pump B Seals) reading 0 gpm SW-FIS-361D (Seal Water to SW Pump D Seals) reading 0 gpm Procedural Guidance.

Following a loss of Division I service water, control room annunciators B-3/D-6 (SERVICE WATER PUMP B/D BRG WTR LOW FLOW) and B-3/E-6 (SW GLAND WTR SUPPLY SYS B TROUBLE) will alarm. Step 2.2 of the alarm response procedure (2.3_B-3) directs an operator to be dispatched to the SW Pump Room to take action per procedure 2.3_SW-GLND-B, Annunciator IB/A-3, on SW Gland Water Panel B.

Procedure 2.3_SW-GLND-B references procedure 2.2.71 (Service Water System).

Section 10.3 of procedure 2.2.71 provides instructions for aligning the fire protection backup supply to gland water subsystem B, which involves opening valve SW-198.

Critical Operator Actions The critical action is proceduralized in procedure 2.2.71 (Section 10, Step 10.3.4.4) and involves opening valve SW-198.

PERFORMANCE SHAPING FACTORS

a. Time Available.

Based on plant analyses, the time available to restore gland water cooling prior to the SW pumps failing is 90 minutes. Based on discussions with plant operators, the time required to perform the required actions is 15 minutes, which includes time for an operator to travel to the SW pump room. Therefore, the time available for diagnosis is 75 minutes.

b.

Stress. Stress is considered high for diagnosis based on the occurrence of a loss of offsite power and subsequent failure of the Division I EDG; stress is considered nominal for execution.

B13 of B33

c.

Task Complexity. Since the operator must recognize the need to enter reference procedure 2.2.7 1, diagnosis is considered to be moderately complex. However, execution is considered to involve nominal complexity.

d.

Training/Experience. Training is considered to be nominal.

e.

Procedures. Procedure quality is considered to be nominal.

f Ergonomics. Ergonomics are considered to be nominal.

QUANTIFICATION Diagnosis Error Using the SPAR-H method and the above performance shaping factors results in a diagnosis HEP of 4.OE-3 (see Table B.5).

Execution Failure Using the SPAR-H method and the above performance shaping factors results in an execution HEP of 1.OE-4 (see Table B.5).

Result The total HEP for operator action FPS-2 is 4.1E-3, as shown in Table B.5.

B14 of B33

Table B.5 Human Error Probability for Operator Action FPS-2 Performanca Shanino Fac~torm IPSFq)*

lime Available Stress Gomplexty Training Procedures Ergonornics Recovery (DIEIR)

Basic Loc (VILJNSNS)

(N1H1E)

(OD/WMOHC (H/J (DSIN/APINC (GIN/P/PMM Steps Mean Critical Task HEP yp x

Level x Level x

Level x

R#

x HEP Diagnosis D

1.OE-2 C/L L

0.10 H

2 MC 2

N 1

4.OE-3 Execution E

1.OE-3 L

L 0.10 N

1 N

I N

1 N

1 1.OE-4 FPS-2 AA1E-ft F.

Performance Shaping Factors (PSFs) lime Available:

- VL (Very Long)

- L(Long)

- N (Nominal)

- S (Short)

- VS (Very Short)

Stress:

Complexity:

Training Procedures Ergonomics 75 minutes (90 minutes less 15 minutes for execution)

Diagnosis:>24 hours Execution: Time available >50x time required Diagnosis:>60 minutes Execution: Time available >5x time required Diagnosis:20cx<60 minutes Execution: Nominal time Diagnosis:<20 minutes Execution: Time available is about equal to the time required Diagnosis:lnadequate time Execution: Inadequate time N = Nominal; H = High; E = Extreme 00 = Obvious diagnosis (diagnosis only); N = Nominal; MC = Moderately complex; HC = Highly complex H = High; N = Nominal; L = Low DS = Diagnostic/symptom oriented (diagnosis only); N = Nominal; AP = Available, but poor; NC = Not complete G = Good; N = Nominal; P = Poor; MM = Missing or misleading

- Error TyDe: Diagnosis (D), Execution (E) or Recovery (R#)

- - Location of Action: Central Control Room (C) or Local (L)

B15 of B33

B.6 OPERATOR ACTION FPS-3 -- OPERATOR ALIGNS FIRE WATER TO THE GLAND WATER SYSTEM GIVEN LOSS OF DIN I EDG (SWITCHGEAR ROOM FIRE)

Summary Description This operator action models operator action to recover gland water cooling in the event of a fire in the Switchgear Room by aligning fire water to the gland water system.

Cue(s)

CR annunciator B-3, Window D-6 (Service Water Pump B/D Brg Wtr Low Flow)

CR annunciator B-3, Window E-6 (SW Gland Wtr Supply Sys B Trouble)

Indication(s)

Service Water Pump Room local alarm 1 B/A-3 (Gland Water System B Low Pressure)

SW-PI-394 (Seal Water to SW Pump B&D Seals) reading 0 psig SW-FIS-361 B (Seal Water to SW Pump B Seals) reading 0 gpm SW-FIS-361 D (Seal Water to SW Pump D Seals) reading 0 gpm Procedural Guidance.

Following a loss of Division I service water, control room annunciators B-3/D-6 (SERVICE WATER PUMP B/D BRG WTR LOW FLOW) and B-3/E-6 (SW GLAND WTR SUPPLY SYS B TROUBLE) will alarm. Step 2.2 of the alarm response procedure (2.3 B-3) directs an operator to be dispatched to the SW Pump Room to take action per procedure 2.3_SW-GLND-B, Annunciator lB/A-3, on SW Gland Water Panel B.

Procedure 2.3_SW-GLND-B references procedure 2.2.71 (Service Water System).

Section 10.3 of procedure 2.2.71 provides instructions for aligning the fire protection backup supply to gland water subsystem B, which involves opening valve SW-198.

Critical Operator Actions The critical action is proceduralized in procedure 2.2.71 (Section 10, Step 10.3.4.4) and involves opening valve SW-198.

PERFORMANCE SHAPING FACTORS

a. Time Available.

Based on plant analyses, the time available to restore gland water cooling prior to the SW pumps failing is 90 minutes. Based on discussions with plant operators, the time required to perform the required actions is 15 minutes, which includes time for an operator to travel to the SW pump room. Given the occurrence of a fire in the Switchgear Room, an additional 20 minutes was conservatively assumed for suppressing the fire prior to directing the action to align firewater to provide gland water-cooling. Therefore, the time available for diagnosis is 55 minutes.

b.

Stress. Stress is considered high for diagnosis based on the occurrence of a fire in the Switchgear Room; stress is considered nominal for execution.

B16 of B33

c.

Task Complexity. Since the operator must recognize the need to enter reference procedure 2.2.71, diagnosis is considered to be moderately complex. However, execution is considered to involve nominal complexity.

d.

Training/Experience. Training is considered to be nominal.

e.

Procedures. Procedure quality is considered to be nominal.

f.

Ergonomics. Ergonomics are considered to be nominal.

QUANTIFICATION Diagnosis Error Using the SPAR-H method and the above performance shaping factors results in a diagnosis HEP of 4.OE-3 (see Table B.6).

Execution Failure Using the SPAR-H method and the above performance shaping factors results in an execution HEP of 1.OE-4 (see Table B.6).

Result The total HEP for operator action FPS-3 is 4.1 E-3, as shown in Table B.6.

B17 of B33

Table B.6 Human Error Probability for Operator Action FPS-3 Pi~rffnrmantrA Shsninn Faentnrq IPSFsl*

w M

\\*

Time Available Stress Complexity Training Procedures Ergonomics Recovery (DIEIR)

Basic Loc (VULNISNS) (jH1E) (OD/IWMCIHC (HVWL)

(DS/NIAP/NC (GINPI MM)

Ste s Mean Critical Task HEP Type x

Level x Level x

Level x

R x

HEP Diagnosis D

1.OE-2 C/L N

1.00 H

2 MC 2

N 1

4.OE-2 Execution E

1.OE-3 L

N 1.00 N

1 N

1 1.OE-3

_L =- ==

FPS.3 4.1E-2

Performance ShaDing Factors (PSFs)

Time Available:

55 minutes (90 minutes less 15 minutes for execution less 20 minutes to suppress fire)

- VL (Very Long)

Diagnosis:>24 hours Execution: Time available >50x time required

- L (Long)

Diagnosis:>60 minutes Execution: Time available >5x time required

- N (Nominal)

Diagnosis:20<x<60 minutes Execution: Nominal time

- S (Short)

Diagnosis:<20 minutes Execution: Time available is about equal to the time required

- VS (Very Short)

Diagnosis:lnadequate time Execution: Inadequate time Stress:

N = Nominal; H = High; E = Extreme Complexity:

OD = Obvious diagnosis (diagnosis only); N = Nominal; MC = Moderately complex; HC = Highly complex Training H = High; N = Nominal; L = Low Procedures DS = Diagnostic/symptom oriented (diagnosis only); N = Nominal; AP = Available, but poor; NC = Not complete Ergonomics G = Good; N = Nominal; P = Poor; MM = Missing or misleading

- Error Tvye: Diagnosis (D), Execution (E) or Recovery (R#)

- - Location of Action: Central Control Room (C) or Local (L)

B18 of B33

B.7 OPERATOR ACTION DC OPERATOR TRANSFERS RCIC 125 VDC STARTER RACK FROM DIV I TO DIV II Summary Description This operator action models operator action to transfer the 125Vdc RCIC starter rack from normal (Div I) power to emergency (Div II) power following a loss of offsite power and depletion of the Division I battery.

Cue(s)/Indication(s)

Loss of Division I dc power and resulting loss of RCIC Procedural Guidance.

Following a loss of offsite power and unplanned loss of power on any 480V bus, the operator is directed to enter procedure 5.3AC480 (480 VAC Bus Failure). Attachment 8 of procedure 5.3AC480 directs actions to take for failures involving Bus IF. Step 1.17 of instructs the operator to transfer 125 Vdc Distribution Panel A and RCIC Starter Rack to emergency power per procedure 2.2.25.1 (125 VDC Electrical System -

Div 1). The actions required to perform the transfer are proceduralized in Section 34 of procedure 2.2.25.1. The transfer is made in Step 34.3 by unlocking and closing the 125 VDC switchgear I B breaker for the emergency feeder 125 VDC RCIC starter rack and in Step 34.4 by pressing the EMERG button at the transfer switch. To verify that the transfer was successful, Step 34.5 directs the control room operator to check that Annunciator C-2/B-5 (125V DC SYS TRANSFER) alarms.

Critical Operator Actions The critical actions are proceduralized in procedure 2.2.25.1 and involves unlocking and closing the 125 VDC switchgear IB breaker for the emergency feeder 125 VDC RCIC starter rack (Step 34.3) and pressing the EMERG button at the transfer switch (Step 34.4).

PERFORMANCE SHAPING FACTORS

a. Time Available.

The time available to transfer the RCIC 125 VDC Starter Rack from Division I to Division II is 90 minutes based on the time to uncover the core once RCIC is lost, which is assumed to occur at the time of battery depletion (4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months ). Based on discussions with plant operators, the time required to perform the required actions is 15. Therefore, the time available for diagnosis is 75 minutes.

b.

Stress. Stress is considered high for diagnosis based on the occurrence of a loss of offsite power and subsequent failure of the Division I EDG; stress is considered nominal for execution.

c.

Task Complexity. Since the operator must recognize the need to enter procedure 5.3AC480, diagnosis is considered to be moderately complex. However, execution is considered to involve nominal complexity.

B19 of B33

d.

Training/Experience. Training is considered to be nominal.

e.

Procedures. Procedure quality is considered to be nominal.

f.

Ergonomics. Ergonomics are considered to be nominal.

QUANTIFICATION Diagnosis Error Using the SPAR-H method and the above performance shaping factors results in a diagnosis HEP of 4.OE-3 (see Table B.7).

Execution Failure Using the SPAR-H method and the above performance shaping factors results in an execution HEP of 1.OE-4 (see Table B.7).

Result The total HEP for operator action DC-I is 4.1E-3, as shown in Table B.7.

B20 of B33

Table B.7 Human Error Probability for Operator Action DC-1 ParfnrwnnteP Ah~ninn Factnrs IPSqF@a*

Time Available Stress Complexdty Training Procedures Ergonorics Recovery (DIE/R)

Basic Loc (VUUSNS) (NIE) (OD/WMC/HC (FV (DS/NJAP/NC (G/NIP/MM1 Steps Mean Critical Task HEP py x

Level x Level x

Level x

R#

x HEP Diagnosis D

1.OE-2 C/L L

0.10 H

2 MC 2

N 1

4.OE-3 Execution E

1.OE-3 L

L 0.10 N

I N

1 N

1 1.OE-4 DC-1 4.1E-3

Performance Shapina Factors (PSFs)

Time Available:

- VL (Very Long)

- L (Long)

- N (Nominal)

- S(Short)

- VS (Very Short)

Stress:

Complexdty:

Training Procedures Ergonomics 75 minutes (90 minutes less 15 minutes for execution)

Diagnosis:>24 hours Execution: Time available >50x time required Diagnosis:>60 minutes Execution: Time available >5x time required Diagnosis:20<x<60 minutes Execution: Nominal time Diagnosis:<20 minutes Execution: Time available is about equal to the time required Diagnosis:lnadequate time Execution: Inadequate time N = Nominal; H = High; E = Extreme OD = Obvious diagnosis (diagnosis only); N = Nominal; MC = Moderately complex; HC = Highly complex H = High; N = Nominal; L = Low DS = Diagnostic/symptom oriented (diagnosis only); N = Nominal; AP = Available, but poor; NC = Not complete G = Good; N = Nominal; P = Poor; MM = Missing or misleading

- Error Tvge: Diagnosis (D), Execution (E) or Recovery (R#)

- - Location of Action: Central Control Room (C) or Local (L)

B21 of B33

B.8 OPERATOR ACTION NR-CSP-CST -- OPERATOR ALIGNS CORE SPRAY PUMP SUCTION TO CST Summary Description This operator action models operator action to re-align CS pump suction to the condensate storage tank.

Cue(s)/Indication(s)

Low RPV water level Procedural Guidance Step RC/L-3 of Emergency Procedure 5.8 (Attachment 1, Flowchart IA) directs the operator to restore and maintain RPV water level between +3 in. and +54 in. with one or more injection systems listed in Table 3 of the procedure. RCIC would be operating until it is challenged by high exhaust pressure (caution 2) or NPSH/vortex limits if suction is from the suppression pool (caution 3). Core Spray System operation (per procedure 2.2.9) is also listed on Table 3 with caution 3. Step 9.3 of procedure 2.2.9 provides the detailed steps for shifting Core Spray Pump B suction to the CST.

Critical Operator Actions The critical actions are proceduralized in Step 9.3 (and substeps) of procedure 2.2.9 and involve closing CS-MO-7B and opening CS-67.

PERFORMANCE SHAPING FACTORS

a. Time Available.

The time available is 2.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months (150 minutes), based on the time to boil down to TAF once RCIC is tripped, assuming RCIC was maintaining level at normal prior to being tripped. The execution time is 20 minutes for performing the action.

b.

Stress. Stress is considered high.

c.

Task Complexity. Task complexity is considered moderately complex for diagnosis and nominal for execution.

d.

Training/Experience. Training is considered to be nominal.

e.

Procedures. Procedure quality is considered to be nominal.

f.

Ergonomics. Ergonomics are considered to be nominal.

QUANTIFICATION B22 of B33

Diagnosis Error Using the SPAR-H method and the above performance shaping factors results in a diagnosis HEP of 4.OE-3 (see Table B.8).

Execution Failure Using the SPAR-H method and the above performance shaping factors results in a total execution HEP of 4.0E-4 (see Table B.8).

Result The total HEP for operator action NR-CSP-CST is 4.4E-3, as shown in Table B.8.

B23 of B33

Table B.8 Human Error Probability for Operator Action NR-CSP-CST Performance Shaoina Factors (PSFs)_

Time Available Stress Complewdty Training Procedures Ergonomics Recovery (D/E/R)

Basic Loc (VUUNIIS)

(NI/FE)

(OD/N MCIHC (UL)

(DS/N AP/NC (GINIP/MM)

Steps Mean Critical Task HEP Type x

Level x Level x

Level x

R#

x HEP Diagnosis D

1.OE-2 C

L 0.10 H

2 MC 2

N 1

4.OE-3 Close CS-MO-7B E

1.OE-3 C

L 0.10 H

2 N

1 N

1 2.OE-4 Open CS67 E

1.0E-3 L

L 0.10 H

2 N

1 N

1 2.OE-4 NR-CSP-CST 4.4E-3

Performance Shapina Factors (PSFs)

Time Available:

130 minutes: 2.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months (150 minutes) to reach TAF less 20 minutes for execution

- VL (Very Long)

Diagnosis:>24 hours Execution: Time available >50x time required

- L (Long)

Diagnosis:>60 minutes Execution: Time available >5x time required

- N (Nominal)

Diagnosis:20cxc60 minutes Execution: Nominal time

- S (Short)

Diagnosis:<20 minutes Execution: Time available is about equal to the time required

- VS (Very Short)

Diagnosis:lnadequate time Execution: Inadequate time Stress:

N = Nominal; H = High; E = Extreme Complexity:

OD = Obvious diagnosis (diagnosis only); N = Nominal; MC = Moderately complex; HC = Highly complex Training H = High; N = Nominal; L = Low Procedures DS = Diagnostic/symptom oriented (diagnosis only); N = Nominal; AP = Available, but poor; NC = Not complete Ergonomics G = Good; N = Nominal; P = Poor; MM = Missing or misleading

- Error Tvye: Diagnosis (D), Execution (E) or Recovery (R#)

- - Location of Action: Central Control Room (C) or Local (L)

B24 of B33

B.9 OPERATOR ACTION NR-CS-CLG -- OPERATOR PROVIDES ALTERNATE COOLING TO SE CORE SPRAY QUAD Summary Description This operator actions models establishment of alternate cooling to SE Core Spray Quad on a loss of cooling due to loss of SW.

Cue(s)/Indication(s)

Annunciator R-2/A-5, REACTOR BLDG PUMP ROOM HIGH TEMP RWCU-TS-l 17F (temperature switch in the SE Quad and SPDS 16 for plant information system)

Procedural Guidance.

In the event that SW System pressure is less than 38 psig in both loops and SW cooling cannot be restored to TEC, Step 4.2 of procedure 5.2SW directs the operator to perform following:

4.2.1 SCRAM and enter Procedure 2.1.5.

4.2.2 Trip main turbine.

4.2.3 Rapidly reduce reactor pressure to 500 to 600 psig using main turbine BPVs per Procedure 2.2.77.1.

4.2.4 Trip both reactor recirculation pumps.

4.2.5 Use RCIC, per Procedure 2.2.67.1, as primary means to maintain reactor vessel water inventory.

4.2.6 Enter following:

4.2.6.1 Attachment 1.

4.2.6.2 Procedure 5.2REC.

Step 4.10 of procedure 5.2REC directs the operator to concurrently enter procedure 2.4HVAC if CSCS Quad cooling cannot be established. Procedure 2.4HVAC, Step 4.1, directs the operator to enter Attachment I for Rx Building. Attachment 1, Step 2, states that if a CSCS FCU has failed, monitor CSCS Quad temperatures and perform following applicable steps to maintain Annunciator R-2/A-5, REACTOR BLDG PUMP ROOM HIGH TEMP, clear:

2.1 If temperature rises 500F above normal, shut down affected equipment, unless equipment is required to assure adequate core cooling or inject boron.

2.2 Establish Fire Watches and open following doors:

2.2.1 NE and SE Quads - Open 903 level door to quad.

2.2.2 NW Quad - Open stairwell doors on 859 level to RHR Pump Room and 958 NW stairwell door.

2.2.3 SW Quad - Open stairwell doors on 859 level to RHR Pump Room and 958 SW stairwell door. Do not open HPCI Room door.

2.3 If more air flow to quad is required, rig temporary ventilation as follows:

2.3.1 NE and SE Quads - Place fans on 903 level and rig portable ducting to 859 level of quad.

B25 of B33

2.3.2 NW Quad - Place fans in 859 NW stairwell and force air from stairwell into RHR Pump Room.

2.3.3 SW Quad - Place fans in 859 SW stairwell and force air from stairwell into RHR Pump Room.

Critical Operator Actions The critical actions are listed in procedure 2.4HVAC and consist of opening the door to quad on 903 level (Step 2.2.1 ) and, if necessary, establishing temporary ventilation to the SE quad (Step 2.3.1).

PERFORMANCE SHAPING FACTORS

a. Time Available.

The time available is 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months based on the time for quad heatup on a loss of cooling, given actual quad temperature is at or less than 827F during normal operating conditions. The time required to perform the action is assumed to be 20 minutes.

b.

Stress. Stress is considered high.

c.

Task Complexity. Task complexity is considered nominal.

d.

Training/Experience. Training is considered to be nominal.

e.

Procedures. Procedure quality is considered to be nominal.

f.

Ergonomics. Ergonomics are considered to be nominal.

QUANTIFICATION Diagnosis Error Using the SPAR-H method and the above performance shaping factors results in a diagnosis HEP of 2.OE-3 (see Table B.9).

Execution Failure Using the SPAR-H method and the above performance shaping factors results in an execution HEP of 2.OE-4 (see Table B.9).

Result The total HEP for operator action NR-CS-CLG is 2.2E-3, as shown in Table B.9.

B26 of B33

Table B.9 Human Error Probability for Operator Action NR-CS-CLG Performance Shapina Factors (PSFsl*

Time Available Stress Complexity Training Procedures Ergonomics Recovery (D/E/R)

Basic Loc (VULUN1 SS) (WH/jE) (ODIN/MC/HC (H/ LQ (DS/NA P/NC (G/N1P M)

StepS Mean Critical Task HEP Type ve x Levei x

Level x

R#

x HEP Diagnosis D

1.0E-2 C

L 0.10 H

2 N

1 N

1 2.OE-3 Execution E

1.OE-3 L

L 0.10 H

2 N

1 N

1 2.OE-4 NR.CS-CLG IZ.ZE-3

Performance Shaping Factors (PSFs)

Time Available:

- VL (Very Long)

- L (Long)

- N (Nominal)

- S (Short)

- VS (Very Short)

Stress:

Complexity:

Training Procedures Ergonomics 460 minutes: 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months (480 minutes) for room heatup less 20 minutes to perform action Diagnosis:>24 hours Execution: Time available >50x time required Diagnosis:>60 minutes Execution: Time available O5x time required Diagnosis:20<x<60 minutes Execution: Nominal time Diagnosis:<20 minutes Execution: Time available is about equal to the time required Diagnosis:lnadequate time Execution: Inadequate time N = Nominal; H = High; E = Extreme OD = Obvious diagnosis (diagnosis only); N = Nominal; MC = Moderately complex; HC = Highly complex H = High; N = Nominal; L = Low DS = Diagnostic/symptom oriented (diagnosis only); N = Nominal; AP = Available, but poor; NC = Not complete G = Good; N = Nominal; P = Poor; MM = Missing or misleading

- Error Tvoe: Diagnosis (D), Execution (E) or Recovery (Rf)

- - Location of Action: Central Control Room (C) or Local (L)

I B27 of B33

B.10 OPERATOR ACTION DEPENDENCY Sequences or cutsets which involve failure of multiple post-accident operator actions must be examined for human dependency. Such dependency can occur due to a common cue or short/limited time separation between different cues. In addition, performance of a previous action can decrease the time available to perform subsequent actions. The model used to address dependency between multiple operator actions generally follows the dependency model used in the SPAR-H method with two exceptions. First, if a different crew is involved in the performance of a separate action, zero dependency is assumed (versus low dependency assigned in the SPAR-H method). Second, if a successful action occurs in between failures, the dependency level between the failed operator actions is judged to be lower than if the intervening success were not present.

When applying the dependency model, the dependency was applied to the HEP with the higher HEP (versus assigning the dependency to the action which occurs later in time).

This is consistent with the probability theorem that states P(AB) = P(A)P(BIA) =

P(B)P(AIB). In other words, the joint probability should be the same regardless of which action is performed first or which action has the higher HEP. Modeling the dependency in this fashion is necessary, otherwise it is possible to calculate a combined HEP that is larger than one of the individual HEPs. For example, assume the first sequential action has an HEP of 0.01 and the second action has an HEP of IE-4. Further assume that the dependency model suggests moderate dependency between the two actions. If dependency is assigned to the HEP for the second action, the conditional HEP is 0. 15, resulting in a combined HEP of 1.5E-3. However, this is not logical given that the unconditional HEP for the second action is I E-4. The proper method for assessing the combined HEP is to apply the dependency to the Is' action, which results in a combined HEP of 1.5E-5.

The dependencies that were evaluated are shown in Tables B. 10 - B. 14.

B28 of B33

Table B.10 Dependency for Operator Actions GW-1 and FPS-1 1st Action 2nd Actinn 3rd Arcion I 4th Actinn Multiple Smor Time Between Same or Adtoa nevnn Human SDifferentCrew Events Close or Different Additional Intervening FPS-1 GW-1 Errors Difrn rw Not Close Location Ce?

Sces Same NUA INAComplete Complete Complete Close in time l

=

High Complete Complete Yes (related)

Low Moderate High No Yes (not related)

Moderate High Complete Same No High Complete Complete Yes (reted)o Low Moderate Yes (not reted)Low Moderate High Yes NoA Moderate High Complete Not close in time Yes (related)

Zero Low Moderate No Yes (not related)

Low Moderate High NoModerate High Complete Different Yes (related)

Zero Low Moderate Yes Yes (not related)

Zero Low Moderate Yes o

Low Moderate High Different Zero Low Moderate Comment Independent 2.1OE-03 3.OOE-03 Dependence Level HD FPS-GW-1 1.05E-03 B29 of B33

Table B.11 Dependency for Operator Actions GW-2 and FPS-2 1st Action 2nd Action 3rd Action I 4th Action Multiple S

eor Time Between Same or Adtoa nevnn uman SDifferent Crew Events Close or Different l

eAdditnal l

cIntereni FPS-2 GW-2 Errors Difrn rw Not Close Location Ce?

Sces S

N Complete Complete Complete if NA Hgh Complete Complete Yes (related)

Low Moderate High No Yes (not related)

Moderate High Complete Same No High Complete Complete Yes (reted)o Low Moderate Yes (not reated)Low Moderate High Yes No Moderate High Complete Not close in meYes (reted)Zero Low Moderate No Yes (not related)

Low Moderate High No Moderate High Complete Different Yes (related)

Zero Low Moderate Yes Yes (not related)

Zero Low Moderate Yes Low Moderate High Different Zero Low Moderate Comment Independent 4.1 OE-03 5.OOE-03 Dependence Level HD FPS-GW-2 2.06E-03 B30 of B33

Table B.12 Dependency for Operator Actions GW-1, FPS-1 & DC-1 1st Action 2nd Action 3rd Action 4th Action Multiple laeo ime Between Same or Adtoa nevnn Human SDifferentCrew Events Close or Different Additional cIntervenis FPS-1 GW-1 CH-1 Errors Not Cbose Location___________

Same NWA NA Complete Complete Complete DiffretHigh Complete Complete Yes (related)

Low Moderate High No Yes (not related)

Moderate High Complete Same No High Complete Complete Yes (related)

Zero Low Moderate Y

Yes (not related)

Low Moderate High NoA Moderate High Complete Not cbse in time Yes (related)

Zero Low Moderate No Yes (not related)

Low Moderate High No Moderate High Complete Different Yes (related)

Zero Low Moderate

_ es Yes (not related)

Zero Low Moderate Yes Low Moderate High Different Zero LOW Moderate Comment:

Independent 2.1OE-03 3.OOE-03 4.1OE-02 Dependence Level HD MD DC-FPS-GW-1 1.87E-04 B31 of B33

Table B.13 Dependency for Operator Actions GW-2, FPS-2 & DC-1 1st Action 2nd Action 3rd Action 4th Action Multiple Smor Time Between Same or Adfoa nevnn Human SDiffearenotCr Events Close or Different Additial ltecrensisn?

FPS-2 GW-2 CH-1 Errors Difrn rw Not Close Location Ce?

Sces lSame NA NAComplete Complete Complete High Complete Complete Yes (reted)ow Moderate High No Yes (not related)

Moderate High Complete Same No High Complete Complete Yes (reted)o Low Moderate Yes Yes (not relted)Low Moderate High Yes NoNA Moderate High Complete Not close in irneYes (reted)Zero Low Moderate No Yes (not related)

Low Moderate High No Moderate High Complete Different Yes (related)

Zero Low Moderate Yes (not related)

Zero Low Moderate Yes No Low Moderate High Zero Low Moderate Different Comment Independent 4.101E-03 5.OOE-03 4.1 OE-02 HEP Level MD Dependence Level HD MD DC-FPS-GW-2 3.67E-04 B32 of B33

Table B.14 Dependency for Operator Actions GW-3 & FPS-3 1stAction I 2ndAction 3rd Action I 4th Action Multiple Smor Time Between Same or Adtoa nevnn Saman DifferentCrew Events Close or Different eAdditonal Intersenin FPS-3 Gw-3 Errors ifretCe Not Close Location Ce?

Sces CloeSame NA NA Complete Complete High Complete Complete Yes (related)

Low Moderate High No Yes (not related)

Moderate High Complete Same No High Complete Complete Zero Low Moderate Yes (not reted)w Moderate High Yes NoNA Moderate High Complete Not close in meYes (reted)Zero Low Moderate No Yes (not related)

Low Moderate High No Moderate High Complete Different Yes (related)

Zero Low Moderate Yes (not related)

Zero Low Moderate No Low Moderate High Different Zero Low Moderate Comment Independent 4.20E-02 4.20E-02 Dependence Level HD FPS-GW-3 2.19E-02 B33 of B33

APPENDIX C DATA ANALYSIS The following section describes the process and results of the updated failure and CCF data for the CNS DGs.

The raw data used for this analysis is from January 2001 through June 2004 and was obtained from CNS DG system engineering. This data was concluded to represent the current as built, as operated, as maintained diesel generators. The data also reflects a string of improvements in all aspects of DG reliability such as maintenance, operation, and monitoring. In order to illustrate the magnitude of the recent efforts taken to improve diesel generator reliability and availability, the following improvement areas and some specific examples, are provided:

Improved Maintenance Strategies:

In 2002, CNS implemented the CNS Standby Diesel Generator Reliability Initiative. This initiative was founded on the basis that engine reliability and availability would increase by reducing the number of intrusive inspections. Frequent exposure to internal engine components for the purpose of visual inspections has contributed very little to increased reliability and availability and has in some instance had a negative effect. Technological advances on testing (analyzer) equipment and improved trending techniques, allow responsible personnel to more accurately assess engine health than arbitrary inspection intervals. As a result of this initiative, the CNS diesel generator mechanical inspection interval has been extended from every 18-months to every 6-years. The RE21 outage marked the first outage in CNS history that these inspections were not performed.

Improved Operating Strategies:

In order to insure optimum engine life and reliability, it is important to operate an engine in a manner that allows for gradual temperature increase and stabilization. This is especially of concern in nuclear standby applications where the ratio of engine starts to total operating hours is very high. In order to achieve that goal, in 2001 CNS implemented the Cooper Bessemer Owners Group recommended engine loading, operating, and unloading strategy during diesel generator routine surveillance runs.

Resolution of Long-Standing Issues:

Proper engine balancing is vital in order to reduce unnecessary engine wear. DG-2 had operated since the mid-80's with a cylinder-to-cylinder peak-fire-pressure delta in excess of the manufacturer limit. Several major steps were taken, which included camshaft timing adjustment and 4-left cylinder rebuild, including replacement of a bent articulated rod. These actions successfully restored DG-2 to a properly balanced condition in 2003.

Page Cl of C3

Improved use of Operating Experience:

CNS has demonstrated an increased responsiveness to industry OE relative to the diesel generators. The following examples are provided:

In June 2001, Engine Systems Incorporated issued a 1 OCFR21 notification alerting users of Woodward model 2301A electronic governors of three age-related failures. ESI attributed the failures to age related degradation of the 2301 A Governor's secondary power supply capacitors. In conjunction with the Cooper Bessemer Owners Group, a CNS specific capacitor life study was sanctioned. The study concluded that the capacitors in the CNS units were acceptable for continued use until there replacement during RE2 1. The DG-1 and DG-2 DRU and 2301A units were successfully replaced during RE21.

In December 2003 a catastrophic Cooper Bessemer KSV engine failure occurred at the South Texas Project. In April 2004, CNS performed phased array UT inspections on the DG-I and DG-2 master connecting rods. Inspection results concluded that the flaws responsible for the South Texas Project engine failure do not exist on the CNS engines.

Improved use of Training:

In September 2003, a 4-day Diesel Generator training course, conducted by recognized industry expert Allen Lambert, was provided to 19 personnel from Mechanical Maintenance, I&C, DED, and PED.

Improved Execution of On-line Maintenance:

Improvements in the CNS work control process (i.e. both planning and execution) have resulted in significant improvements in the performance of online diesel maintenance from both a quality and reduced out of service time standpoint. CNS is now performing more online diesel maintenance than at any time in its history, which affords the resolution of material condition concerns in a more timely fashion.

System Improvements:

In March 2004, CNS installed duplex strainers on the fuel oil transfer system and removed the day tank float valve inlet strainers. These changes eliminate the potential for strainer fouling induced interruptions in fuel transfer system flow.

The net result of these numerous improvements is illustrated by the fact CNS diesel generator reliability is at or near its highest level in history. As the following data shows, during this 3-1/2 year period, the CNS diesel generators were subjected to 149 demands with zero valid failures.

The data was used to develop the DG maintenance unavailability terms by dividing the maintenance hours by the total critical hours for the analysis period. The plant-specific failure to run and failure to start data was used to perform a Bayesian update of generic data obtain from Page C2 of C3

EGG-SSRE-8875 8 (Reference 1). This data was then used with the CCF Alpha Methodology for a CCCG of two DGs and using Alpha Factors from NUREG/CR-5497 9 to calculate the common-cause failure of the DGs to run and to start. The final results are presented in Table Cl below.

Table Cl Emergency Diesel Generator Updated Data (Jan 2001 to Jun 2004)

Unavailability Fail to Start Fail to Run Total EDG Common Common

(/HR)

Reliability Cause Cause Failure of Failure of Both to Start Both to Run 8.92E-03 2.95E-03 2.41 E-04 1.21E-02 9.20E-05 2.32E-04

1. 15E-02 1.47E-02

This failure rate is per hour and must be multiplied by the appropriate mission time.

DG#1 DG#2

' S. A. Eide, et al., 'Generic Component Failure Data Base for Light Water and Liquid Sodium Reactor PRAs," EG&G Idaho, Inc., Informal Report EGG-SSRE-8875, February 1990 9 U.S Nuclear Regulatory Commission, 'Common-Cause Failure Parameter Estimations," NUREGICR-5497, (INEEUEXT 01328), October 1998.

Page C3 of C3

APPENDIX D LOSS OF OFFSITE POWER INITIATING EVENT ANALYSIS The Loss of offsite Power (LOOP) frequency for CNS was also revised using the latest industry sources available. The frequency was derived using the latest EPRI LOSP reports EPRI-TR-100988910 and EPRI-100298711. The error factors were developed using Nureg-5750' 2.

The approach involved generating a generic frequency for TI by removing any CNS plant-specific data from the EPRI data. Once a generic frequency was obtained, a Bayesian update is performed using CNS plant-specific data from January 1978 to July 2004. The result of the calculation and the equations are found in Appendix D.

A sensitivity analysis was also performed utilizing NUREG-5750 data for both Initial Plant Fault (IPF) and Functional Impact (Fl) initiating events categories. Table DI below summarizes the results.

Table Dl Loss of Offsite Power Updated Frequency and Sensitivity Analysis Source Ti Generic Frequency (/ry)

Ti Plant-Specific Frequency (/ry)

EPRI LOSP Reports_

0.028 0.019 (Recommended)

NUREG-5750 IPF 0.024 0.017 NUREG-5750 FI 0.046 0.025 The following sections describe the calculation for each frequency described above and the method used.

0 Electric Power Research Institute, 'Losses of off-site Power at U.S. Nuclear Power Plants-Through 2003," EPRI TR-1009889, April 2004.

l"ElectricPower Research Institute, "Losses of off-site Power at U.S. Nuclear Power Plants-Through 2001," EPRI TR-1009889, April 2002.

12 Ja.P Poloski, D.G. Marksberry, C.L. Atwood and W.J. Galyean, "Rates of Initiating Events at U.S. Nuclear Power Plants:

1987-1995," U. S. Nuclear Regulatory Commission, NUREG/CR-5750, February 1999.

Page Dl of D7

Inilating Event Frequencies T I - LeGS of Off-Site Power (Reactor Power =25t)

Insert rnw Error Factor-LUing NURGE/CR-5750 bop 95 and 5 percentile numbers for each initiator Tl-, =4.110 T

Tl;l 5610 2 E ThJ EF = 3.696 m is fhe generic vahle calculated f7m EPRI-TR-1009889 minus CNS numbers from 1990-20D3 using CNS Cabndar Yeers and CNS trip data.

LCiWtJUR xzr..

t 1477.2 T-Cal.CNS,i

-14 TI. W New.-T rit TiPR11 c, '2w3 - T.Cal CtS9,.

Tfal.&Necw= 1.K1 x IC?

nTlEJPR~ljgW,2tr,. =41 n-T I CNS, I.

,:0 nTIV Nw _ nTI. EPRlp. 3aI nTI., C-N-S,,,

o nTlNLw = 41 rnTIJ{PWRINcw:= (nTI New +.5) rTlJEPRINew= a2t k is the number of Mioator everts (1978 - July 2004) from CNS trip data.

kTl-CNSTJI :0=O T is the amount of CNS critical years (1978 - Judy 2004) from CNS Critical hours.

TCNS := M 135 1.64 a=

ILI>

rnTl_ MPRIJN&e um is the updated frequency of initiator for CNS mN + kTLC-NSTOW urnTIfNS :

p + TfN9 uEF is the upd3ted Error Factor for the initiator at CNS Page D2 of D7

ininitisn Event Frequencies T1 - L0ss of Off-Site Pa~er (Reocbr Powerm=25%) -

continued

[.M a + I

-TLCNSToj

+ If i

a + kncNsrw )

Results:

a = 1.127 p = 3'9.722 wl l -CNS = D.Di9 urFFT ICNS = 3.696 Page D3 of D7

Cooper Nurlear Slstbn Update Loss of Offsite Power Frequency Using NUREG-5750 Inital Plant Fault Frequency.

Initiabng Event Frequencies T I - Loss of Off-Sie aPower (Reactor Power>-25% or - Rx Power

< 25% and storm related -)

Insert new Error Factor - Using NURGEICR-5750 bop 95 and 5 percentile numbers for each initiator EF:=

TIEF=1W6_

110,

_).-0

( -rl,5 m is fIe generic value calcubted tom NUREGICR-5750 minus CNS numbers from 1937-1995 using CNS Critical hours.ids and CNS Initiating Events.

T_.Cit.JV50

_,7

_995 _ 729 T-CrThCNSI9R7 _t9"-g 6.56 T-CnMN

-=1 TCrm. 7597ffO,;

-1T. 1IQ CNS,".!

TCriLNct = 72.44 nTL.5S75O,~,-jas:= 17 nTICNSS-1

,_s,:=O nTl_.Ncw-nT1-575Ow 199 - nTlCNSjgv 1995 nTl-Ncw = 17 Tl5750...New:= (nTlNew+.5)

TSCrituNew mnT1 5750.New = 0.024 kI lthe number of initatr events (1978 - August 2004) from CNS hitisting Events-ids kTlCNST,I0:=° T isthe amaunt of CNS clendar years (1978-August 20O4) from CNS Ctriical hours.

T_CNS.- 31135 a

m7Tl¶75OLNew um is the updated frequency of initistor for CNS a + kTLCNSrw umTI CNS:=

Page D4 of D7

Initiabir Event Frequencies Ti - Loss of Off-Site Power (Re3ctor Powepo=25% or - Rx Power c 25% and storm related - ) - 2001 years continued uEF is the updated Error Factor for the initiator at CNS uET...

TI'NS:

I.64 In u_+ kTl-XNSr + I 8 a + kMTCNSI 1,l )

Results:

a = 1.127 I = 46X51 unT I -CMS= 0.017 uPF.-I CNS = 3.6 Page D5 of D7

Cooper Nuclear Statbn Update Loss of Ofthit Power Frequency using NUREG-5750 Functional Impact Frequency. Please note MIat Iis frequency is ovedy coneervstive and best suited for PRA analyses where the occurence of a risk-significant event category is not specifically modeled in the accident sequence event tree as a conditionral failure' (Referenoe page

4. NUREG-5750).

Inibatirg Event Frequencies T1 - Lcss of Of-Site Pcwer (Reactor Powero=25% or - Rx Power c 25% and storm related -)

Insert new Error Factor-Using NURGEJCR-5Z7 top 95 and 5 percentile numbers for each initiator TIQ,4.1 107' TIy= 5.611r'

(*'=36T6 m is Ihe generic value calcubted ftcrn NUREGCR-5750 minus CNS numbers from 1987-1995 using CNS Critical hours amd CNS Initiating Events I.Ct-5.75019,7f99s-729 T_Crit, CNSjgts_95 := 6.5%

TiCrNcw:=ri C

Ne T_0 57L5_1gl l-TMltCNSI,

.r T..CrilNcw= 722.4-4 nTI 5 750Ire7 g95= 33 nTl 0CNS19%7

=

nilNew = nTI_5750Dj9Iteo3 - nTJXNSMj9-gs5 nTl New = 3 MiTI 5750 jW

= (Tfr.Ntw+ 5) mTI_575DM4w= 0.046 k is the number of iitator events (1 978 - August 2004) from CNS Initiating Events.

kTI _CNS <,, :=0 T is the amount of CNS critcal years (1978 - August 2004) from CNS Critical hours.

T_CNS -

M 135

[(1.64

]

a mTI.3750_N*%-

um Is the updated frequency of hniiator for CNS n - kTlCNSrcW

,ITl CNS--

P 4-T~CNS Page D6 of D7

Initiating Event Frequencies TI - Loew of Off-Site Power (Reactor Power>=25% or - Rx Power c 25% and stcrm related -

continued uEF is the updated Error Fector for the Initiatcr at CNS tiI+~iSNS it~

.64. In

[(rit

+ kTI~tNS1ou +1I) at + kTlCNSr.u1

)

Results:

a= 1.127 I= 24.291 umTlCN5%= 0.025 uTEFTl_-ENS = 3.696 Page D7 of D7

APPENDIX E RECOVERY OF LOSS OF OFFSITE POWER (OSP)

A transient initiated because of a LOSP can be recovered by the restoration of that power.

With offsite power restored, the power conversion system (PCS) is available for decay heat removal. Therefore, for those cut sets in which offsite power (OSP) restoration is applicable, a non-recovery term (OSP) is incorporated for failure to restore offsite power.

The values for the probability of non-recovery of offsite power for Cooper are given in Table El as a function of time. The updated OSP non-recovery probabilities are based on loss of offsite power data contained in NUREG/CR-5496' 3, "Evaluation of Loss of Offsite Power Events at Nuclear Power Plants: 1980 - 1996."

Because LOSP durations have been shown in previous studies (e.g. NUREG/CR-5032' 4) to have different recovery times depending on whether the LOSP is caused by a plant-centered, grid-related, or severe-weather event, separate probability distributions were developed for each category. The final OSP non-recovery distribution was obtained using the composite model described in Section 7 of NUREG/CR-5032, which combines the distributions for plant-centered, grid-related and weather-related losses using a weighted average. It should be noted that the offsite power non-recovery values in Table El only include loss of offsite power events with durations of 2 minutes or longer.

13 C. L. Atwood, et al, "Evaluation of Loss of Offsite Power Events at Nuclear Power Plants: 1980 - 1996",

NUREG/CR-5496 (INEEVIEXT-97-00887), prepared for the US NRC by INEEL, November 1998.

14 Iman and S. C. Hora, "Modeling Time to Recovery and Initiating Event Frequency for Loss of Off-Site Power Incidents at Nuclear Power Plants," NUREG/CR-5032, SAND87-2428, January 1988.

Page EI of E2

Table El Recovery of Loss of Offsite Power Time to Recover (HR) 0.5 1

2 3

4 5

6 7

8 9

10 11 12 13 14 15 16 17 18 19 20 23 24 Probability of Non-Recovery 0.565 0.399 0.255 0.182 0.138 0.110 0.091 0.079 0.069 0.062 0.056 0.051 0.047 0.043 0.040 0.038 0.036 0.034 0.032 0.030 0.029 0.025 0.024 Page E2 of E2

NLS2004 106 Page 1 of 5 ATTACHMENT 2 OPERATOR/STATION RESPONSE TO A LOSS OF SERVICE WATER (SW)/GLAND WATER (GW)

COOPER NUCLEAR STATION NRC DOCKET 50-298, DPR-46

OPS2004SW/GW NEBRSKA PUBLIC PowRDismTRicr Date:

August 9, 2004 To:

Todd Hottovy, Equipment Reliability Manager FOR INTRA-DISTRICT From:

Mark Holmes, Shift Manager BUSINESS ONLY

Subject:

Operator/Station Response to a Loss of Service Water (SW)/Gland Water (GW)

Initial conditions:

The plant was operating at 100% power over the 21-day period that the Service Water Gland Water subsystems were cross-connected'. One Service Water pump in each division was operating with the division I and division 2 SW subsystem cross-connect valves open, which is the normal configuration.

The "A" Reactor Equipment Cooling (REC) heat exchanger was in service.

Service Water from both divisions was aligned to each Emergency Diesel Generator, which is the normal system configuration.

Preface For the initial conditions stated, any event that results in the loss of the Division I SW pumps will result in a loss of gland water supply to the division 2 SW pumps. It is anticipated that operation of Service Water pumps without gland water could result in the generation of steam followed by products of combustion as a function of the packing overheating. Smoke detectors in the Service Water pump room would actuate fire alarms and possibly discharge the Halon system. Upon any Service Water pump room fire detection alarm the Operating Staff would enter Procedure 5.4FIRE. An operator would be dispatched to determine if there is a fire and it's extent. The Fire Brigade would be activated upon entry into 5.4FIRE. 5.4POST-FIRE would subsequently be entered due to the location of the fire and it's potential to adversely affect safe shutdown system operation.

In addition, the operating staff is procedurally reminded to monitor DG and SW operation throughout performance of the 5.4POST-FIRE.

The number, types and sequence of alarms that will annunciate in the control room will be a function of the event postulated. For the SW/GW configuration that existed, should a loss of the Division 1 SW pumps occur, then alarms would annunciate (Service Water Pump B/D Brg Wtr Low Flow and SW Gland WTR Supply System Trouble) in the control room indicating a degraded condition with SW/GW.

The loss of the division I SW pump would also result in an automatic closure of SW-MOV-37, and the associated annunciator (yellow bezel) alarm in the control room. The control room response to this alarm requires ensuring both Division 2 SW pumps are operating followed by opening SW-MO-37.

Upon completion of this action GW will be restored from the control room due to a flow path created by the SW cross-connect being reestablished.

Event #1: Loss of Off-Site Power (LOOP) with a Postulated Failure of Division I Emergency Diesel Generator (EDG)

A loss of offsite power results in an immediate reactor scram and turbine trip. The failure of #1 EDG would result in the loss of division 1 SW pumps. The loss of these pumps would result in the loss of

' Division I SW pumps were aligned to supply all of the gland water to all 4 SW pumps through the gland water cross-connect piping.

OPS2004SW/GW gland water flow to the division 2 SW pumps. Loss of the Division I SW pumps would result in a low SW header condition, which in turn would cause SW-MO-37 to close (isolating Division 1 essential loads and the non-essential loads) and the non-running, auto-select Division 2 SW pump to start. Since the Division I power was removed, SW-MO-36 will not close on low SW header pressure. The control room would restore SW to the non-essential loads by opening SW-MO-37. Control Room Operators would be alerted to these conditions by receipt of SW PUMP B/D BRG WTR LOW FLOW alarm and SW GLAND WTR SUPPLY SYS B TROUBLE alarm. Response to either of these two alarms directs dispatching an operator to the local alarm panel to determine cause of alarm.

The crew would enter Emergency Operating Procedures (EOPs) for responding to the reactor scram and turbine trip. Due to no off-site power, Emergency Procedure 5.3EMPWR would be entered with priority given to SW, REC, and Station Air system operations. An operator would be dispatched to the SW Pump room to return the division 2 SW Zurn strainer to service (wiper motor needs to be reset following loss and subsequent restoration of power) per Attachment 2, step 1.3 of 5.3EMPWR. Once on station the operator would observe the local alarm condition (Gland Water System B Low Pressure) that is in the immediate area as the Zurn strainer START button.

Upon receipt of alarms associated with a fire in the SW pump room, the crew will enter procedure 5.4FIRE and dispatch the Fire Brigade. In response to the fire announcement, the Turbine Building station operator would respond to the SW pump room to perform an initial assessment of the fire. The station operator would observe a dull haze in the room with no indications of a working fire. The dispatched operator and/or the fire brigade would observe the local gland water annunciator in an alarm condition, and would contact the Control Room for further instructions.

Restoration:

After validating that no active fire exists in the SW pump room, the alarming condition for the SW gland water will be addressed. Indications in the pump room include GW pressure and flow, and both would indicate zero. This indication is different from what was observed during the earlier GW debris condition in 2003 and the indications observed during the 21-day period when GW was cross-connected.

In these two cases both GW pressure and flow were not at zero. The operator would then contact the control room to feed back what was observed and that the annunciator response procedure did not directly provide enough guidance to restore GW flow or pressure. The control room would direct the station operator to check the valve alignment as a function of the operating procedure (2.2.71) being referenced in the alarm response procedure.

As a result of checking the valve alignment, the operator would identify that the Division 2 GW supply valve was closed and the cross-connect valves were open. Upon restoring GW, the dispatched operator would verify pressure and flow are nominal.

An alternate method that is available for restoration of SW gland water to the division 2 pumps would be by re-establishing the crosstie between the two SW systems. Based upon the system engineer's review of SW system loads, local operator actions must be performed in order for SW-MOV-37 to remain open.

According to this review, there are two methods available to accomplish this.

Directions for both methods are found in Procedure 5.2SW in Subsequent Operator action step 4. 10.

With the "A" REC heat exchanger in service, its SW flow will raise to approximately 6000 gpm.

Placing REC heat exchanger "B" into service and removing the "A" heat exchanger from service would restore adequate SW loop pressure (above 38 psig indicated in the control room) that would result in SW-MOV-37 being able to remain open.

The second option utilizes local closure and subsequent throttling of SW-V-1490 to maintain SW loop pressure above 38 psig indicated in the control room.

OPS2004SW/GW Event #2: Fire in the IF Switchgear For a postulated fire in the IF switchgear, the control room response includes tripping the reactor and turbine generator and de-energizing the affected switchgear. This would result in a consequential loss of Division I SW pumps and loss of GW to the running Division 2 SW pump. Loss of the Division I SW pumps would result in a low SW header condition, which in turn would cause SW-MO-37 to close (isolating Division I essential loads and the non-essential loads) and the non-running, auto-select Division 2 SW pump to start. Since the Division I power was removed, SW-MO-36 will not close on low SW header pressure. The control room would restore SW to the non-essential loads by opening SW-MO-37. When this action is taken, the Division 2 SW pumps would supply GW through the system cross-connect valves (SW-MO-36 and SW-MO-37), essentially establishing a back feed to the GW header through the Division 1.

The crew would enter Emergency Operating Procedures (EOPs) for responding to the reactor scram and turbine trip. By de-energizing 4160 VAC bus IF, the fire can be extinguished using the available C02 hose reel. Due to the loss of one critical bus, the control room crew will enter multiple abnormal and emergency procedures and take appropriate actions.

Upon receipt of alarms associated with a fire in the SW pump room, the crew will be required to re-enter procedure 5.4FIRE and dispatch the Fire Brigade. In response to the fire announcement, the Turbine Building station operator would respond to the SW pump room to perform an initial assessment of the fire. The station operator would observe a dull haze in the room with no indications of a working fire.

The operator may observe the local gland water annunciator in an alarm condition, and would contact the Control Room for further instructions. At this time, the Fire Brigade Leader would keep one fire team at the IF switchgear room and traverse with the second team to the SW pump room. The dispatched operator and/or the fire brigade would observe the local gland water annunciator in an alarm condition, and would contact the Control Room for further instructions.

Restoration After validating that no active fire exists in the SW pump room, the alarming condition for the SW gland water will be addressed. Indications in the pump room include GW pressure and flow, and both would indicate zero. This indication is different from what was observed during the earlier GW debris condition in 2003 and the indications observed during the 21-day period when GW was cross-connected.

In these two cases both GW pressure and flow were not at zero. The operator would then contact the control room to feed back what was observed and that the annunciator response procedure did not directly provide enough guidance to restore GW flow or pressure. The control room would direct the station operator to check the valve alignment as a function of the operating procedure (2.2.71) being referenced in the alarm response procedure.

As a result of checking the valve alignment, the operator would identify that the Division 2 GW supply valve was closed and the cross-connect valves were open. Upon restoring GW, the dispatched operator would verify pressure and flow are nominal.

An alternate method that is available for restoration of SW gland water to the division 2 pumps would be by re-establishing the crosstie between the two SW systems. Based upon the system engineer's review of SW system loads, local operator actions must be performed in order for SW-MOV-37 to remain open.

According to this review, there are two methods available to accomplish this. Directions for both methods are found in Procedure 5.2SW in Subsequent Operator action step 4. 10.

OPS2004SW/GW With the "A" REC heat exchanger in service, its SW flow will raise to approximately 6000 gpm.

Placing REC heat exchanger "B" into service and removing the "A" heat exchanger from service would restore adequate SW loop pressure (above 38 psig indicated in the control room) that would result in SW-MOV-37 being able to remain open. The second option utilizes local closure and subsequent throttling of SW-V-1490 to maintain SW loop pressure above 38 psig indicated in the control room.

Event #3: Assumed failure to restore Gland Water In the event that SW/GW was not recovered (low probability) or the Division I EDG, then the operating SW pump(s) would fail at some time into the event. An additional annunciator (SW Pumps B & D Disch Hdr Low Pressure) would alarm in the control room alerting the operators to a loss of all SW. If that occurred, then a station blackout would result from the shutdown of the division 2 EDG since no cooling water would be supplied and a site area emergency would be declared. HPCI and RCIC would continue to control reactor vessel level. Station blackout procedure (5.3SBO) would be entered and requires NPPD (Doniphan Control Center) to enter the Cooper Nuclear Station - Black Plant Procedure.

In addition, station personnel would be dispatched to recover an emergency diesel generator. The emergency response organization would establish plans to support recovery of power sources (normal and emergency) and SW/GW.

After 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months (assumed SBO coping time), it is assumed the station batteries would be lost. Reactor vessel level will begin to lower as a function of steaming. At or before reactor vessel level reached the top of active fuel (approximately 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months after the batteries fail), a general emergency would be declared. This action would result in a minimum protective action recommendation of evacuation of all sectors out to two miles and the affected sectors out to five miles. If needed all sectors can be evacuated out to ten miles with an average evacuation time of 62 minutes for adverse weather conditions.

Mark A. Holmes Preparer (Shift Manager)

Michael L. Tackett Operations Suervisor Mark D. Schaible Acting Operations Manager

NLS20041 06 Page I of 5 ATTACHMENT 3 ASSESSMENT OF THE SURVIVABILITY OF THE SERVICE WATER PUMPS IF GLAND WATER WERE LOST COOPER NUCLEAR STATION NRC DOCKET 50-298, DPR-46

August 9, 2004 Memornndum To:

Todd Hottovy, Equipment Reliability Manager CNS System Engineering Letter Log Number 04-7002 From:

Richard Fili, System Engineering Manager Date:

8/9/2004 Re:

Assessment of the Survivability of the Service Water Pumps if Gland Water were Lost Problem: Given conditions that existed at Cooper Nuclear Station during the period January 21,2004, to February 11, 2004, if gland water to a service water pump is inadvertently discontinued, can the pump operate for a minimum of 90 minutes? Further, if gland water is restored after 90 minutes, can the service water pump reasonably function for an additional 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months ?

==

Conclusion:==

A temporary loss of gland water for 90 minutes will not severely damage or incapacitate the pump. Upon restoration of gland water after 90 minutes, the pump will at least operate for 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months more.

Some damage to the guide bearing bushings may occur, especially those bushings near the center of the pump shaft above the water line, and some damage to the upper packing may occur. The damage in both cases will primarily result in moderately larger clearances in the affected components that become dry, and a corresponding moderate increase in lateral pump vibrations. Packing leakage will also increase when gland water is restored.

Damage will not be so severe, however, that vibrations will be excessive and destructive. The pump will be able to operate and function in a reasonable manner for at least another 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months afterwards when gland water is restored.

Discussion: The given conditions were as follows.

Time frame: January 21 to February 11, 2004.

River elevation: 875.5 to 877.5 feet MSL.

Service water temperature: <45 degrees F.

Pump running at 5500 gpm.

Average discharge pressure, 50 psig.

Gland water flow, 6 to 8 gpm to the enclosing tube at 16 to 24 psi.

The following material conditions existed as of March 2003: 1). New pump assembly, packing, coupling, shafts, cutlass bearings, and impeller. 2). Rebuilt outer column, discharge nozzle, registers, and spider bushing supports.

IST vibrations are normal; concentricity and mass eccentricity are all normal.

I of 4

August 9, 2004 The four service water pumps at Cooper Nuclear Station are Byron-Jackson 28KXL type, mixed flow, single stage, vertical pumps. They operate at 1180 rpm, have a rating of 8000 gpm, and are driven by a 300 hp electric motor. The pump impeller has balance holes.

The following components were considered and it was determined that they would not be impacted by the loss of gland water:

Loss of gland water does not directly affect the motor-driver. Its bearing system is lubricated by oil and is independent of gland water.

Loss of gland water does not directly affect the lower bronze bearing located below the impeller.

It is immersed in the "E" bay and will self lubricate sufficiently even if gland water is lost.

Loss of gland water does not directly affect the impeller and wear ring. They are also immersed in the "E" bay and will self lubricate even if gland water is lost.

Loss of gland water primarily affects the rubber, Cutless brand bushings that are spaced typically five feet apart along the length of the shaft from the bottom to the top. There are ten Cutless rubber bushings.

There is also one bronze bearing located below the impeller. Loss of gland water also affects the packing.

The packing box will not receive water and will dry out.

If gland water is removed while the pump is running, the following will occur. The water level in the enveloping tube will drop slightly below that of the "E" bay. Assuming that the river is at an elevation of 875.5', then three of the Cutless bushings will still have water for lubrication. Intermittent dry contact between the upper seven bushings and the pump shaft, and the packing and the pump shaft will then occur.

Bushings:

Loss of gland water in this scenario would deprive the upper seven Cutless bushings of lubrication water. The lower three bushings, like the lower bearing, will remain immersed in the "E" bay and will not be deprived of lubrication water.

At CNS, when the pumps are refurbished and re-installed, it is the practice to turn the pump by hand when checking the lift adjustment. This is a procedural quality control step in the assembly of the pump that is required to be witnessed and verified. This is important because it ensures that the pump has no significant points of binding or friction. Further, when the lift is reset, the rubber bushings are already wet. Gland water will have already been supplied to the pump when this check is made. Since the rubber is slightly hydrophilic, they will have already swelled to the size they will be in service.

Non-lubricated contact between the bushings and the smooth, polished pump shaft will eventually cause some bushing surfaces to heat up and form a hard glaze at the surface. Heating nitrile rubber causes it to first soften, and then as heating progresses further, it becomes brittle, hard and charred. As nitrile rubber heats up, it also volatilizes and outgases. The net result is that the heat-damaged rubber loses volume and shrinks.

Packing:

The packing box, located at the top of the pump, will not receive water for lubrication and cooling. Like the bushings, it will heat up on those surfaces where the packing directly contacts the shaft. This localized heating will damage the packing. It will cause heat-hardening, scorching, outgassing, and shrinkage due to outgassin& and the clearance will open up. This will allow higher leakage through the packing following restoration of gland water flow. The higher leakage will not adversely affect the function of the pump or motor.

2 of 4

August 9, 2004 Motor Overcurrent Trip Due to Seizure or Drag:

It may be hypothesized that the Cutless bushings will "grab" the shaft and cause it to seize. This is improbable unless there is significant misalignment that has occurred since the pump was re-installed. The pump shaft cannot contact all the rubber in the bushing, that is, the shaft cannot be grabbed on all sides by the rubber. At most, with a continuously applied lateral force, the shaft can only contact no more than half of a bushing's inside diameter, that is, about 180 degrees of the inside diameter, at one instant. If such a misalignment has occurred since re-installation, IST vibration measurements, electrical current measurements of the pump motor, or flow and discharge pressure measurements would detect the problem. Further, because the pump is vertical and the impeller is at the bottom of the shaft, the shaft is self-centering. The weight of the pump combined with the axial loads due to pumping water straight up through the column keeps the pump shaft directed downward and centered.

It is true that drag on the shaft will be increased if the upper bushings run dry. However, the pump motor-driver is rated for 300 hp continuous operation with 15% excess capacity. It has more than enough torque to overcome the increase in drag by intermittent contact with dry bushings. A check for potential harmonic vibration effects that might occur found nothing significant, although lateral vibrations will increase as bushing clearances open up.

As noted previously, the motor has a generous amount of torque available. The dry dynamic frictional coefficient of pump packing material is significantly less than that of dry nitrile rubber.

As the packing that is in direct contact with the shaft heats up, its material properties will degrade and the packing material will also readily be torn and sheared away by friction until the inside diameter "wallows out" to match the lateral movement of the shaft. This obviates the likelihood of seizing by the packing.

Shaft Failure:

It may be hypothesized that the shaft could fail due to increased frictional drag or vibration. As previously discussed, it is improbable that the bushing or the packing will develop enough drag to seize the shaft. It is concluded that a properly maintained pump will be able to withstand the additional drag caused by the dry bushings and packing with no impact to the shaft mechanical strength. Also, as discussed below, the Johnston Pump Company performed a study of the possible vibration problems that might result from the posited loss of gland water condition. A computer model study using XLRotor software was conducted and it was concluded that there were no significant vibration problems.

Operational Experience tOE):

Anecdotal information from various plants has been obtained by both CNS and Mr. Cugal from the Johnston Pump Company that indicates service water pumps of the type used by CNS have successfully operated for short periods of time without gland water. One of the difficulties with citing operational experience information (OE) is that when no direct failure occurs or when there is no regulatory reporting requirement, the event is not in an OE database. Non-anecdotal documentation of this type of success or non-failure is scarce.

Searches in the INPO Nuclear Network database, INPO Plant Events database, along with searches by the Johnston Pump Company and an independent consultant, have not yielded any OE experience that is in disagreement with our findings. Conversely, there is evidence that shows that pumps of our design, and in good operating condition, have not failed for short periods of time without gland water.

3 of 4

August 9, 2004 Corroborative Data:

Johnston Pump Company, an Appendix B certified pump company, was contacted and asked to assess the same condition: loss of gland water to a CNS service water pump. In a report, JP04-20 Rev.2, authored by Michael Cugal, P.E., and checked by Lanka Pannila, P.E., they conclude the following.

We believe that given the ample motor horsepower and the good existing maintenance practice in this case (alignment, good fits, and registers, etc.), the pump could have survived 90 minutes of "dry" operation. When the gland water supply was re-introduced, the pump could have operated (possibly with higher vibration and some damaged bearings [bushings]) for an additional 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months .

To further study the possible vibration problems that might result from the posited loss of gland water condition, a computer model study using XLRotor software was conducted by the Johnston Pump Company. The 54 page detailed report, JP04-18 Rev.0, concluded that there were no significant vibration problems.

A report, ESW Pump Operating Evaluation, by Michael C. Mancini Consulting Services compares the Cooper Service Water pumps with posited loss of gland water condition to similar designs in other plants. The report shows that a properly maintained pump will have minimal bearing wear compared to a poorly maintained pump under the same operating conditions. This report identifies that the CNS attention to tighter fit up tolerances, along with the conditions of assembly and operation, afford the same type of success as the best plants in the comparison with minimal wear to bearing surfaces.

Preparer:

,tGilL s

a c C;.A-'

Date:

fit

. c C4-Randall No6n a

Reviewer:

e God Date:

7/0_

Approved by:

G Date:

Ricky Fili 4 of 4

ML042250218

Contents

Text

1.2 Background

SUMMARY

1.0 INTRODUCTION

1.2 BACKGROUND

3.0 CONCLUSION

_L =- ==

Subject:

Navigation menu