ML050950555

From kanterella
Jump to navigation Jump to search
Final Precursor Analysis - Fermi Grid Loop
ML050950555
Person / Time
Site: Fermi DTE Energy icon.png
Issue date: 12/17/2004
From:
NRC/RES/DRAA/OERAB
To:
Shared Package
ML060030075 List:
References
LER 03-002
Download: ML050950555 (16)


Text

Enclosure Final Precursor Analysis Accident Sequence Precursor Program --- Office of Nuclear Regulatory Research Fermi Automatic Reactor Trip and Loss of Offsite Power Due to the August 14, 2003, Transmission Grid Blackout Event Date 8/14/2003 LER: 341/03-002 CCDP1 = 2x10-5 December 17, 2004 Event Summary At 1610 hours0.0186 days <br />0.447 hours <br />0.00266 weeks <br />6.12605e-4 months <br /> on August 14, 2003, Fermi experienced grid instability and a subsequent reactor trip while operating at 100% power. Loss of offsite power (LOOP) occurred at 1611 hours0.0186 days <br />0.448 hours <br />0.00266 weeks <br />6.129855e-4 months <br />. Plant emergency diesel generators (EDGs) started and supplied power to safety-related plant loads until offsite power was restored. Attachment A is a timeline of significant events. (Refs. 1, 2, and 3).

Cause. The reactor trip and LOOP were caused by grid instability associated with the regional transmission system blackout that occurred on August 14, 2003.

Other conditions, failures, and unavailable equipment. The combustion gas turbine generator (CTG) failed to start from the control room due to the failure of a battery-powered inverter. The CTG was manually started 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> into the event using a portable generator as an alternate source of starting power.

Recovery opportunities. Offsite power was first available at 2230 hours0.0258 days <br />0.619 hours <br />0.00369 weeks <br />8.48515e-4 months <br /> (Ref 3). Power from offsite was restored to the first emergency bus at 0153 hours0.00177 days <br />0.0425 hours <br />2.529762e-4 weeks <br />5.82165e-5 months <br /> on August 15 (Ref. 2).

Analysis Results

! Conditional Core Damage Probability (CCDP)

The CCDP for this event is 2x10-5. The acceptance threshold for the Accident Sequence Precursor Program is a CCDP of 1x10-6. This event is a precursor.

Mean 5% 95%

Best estimate 2x10-5 1x10-6 8x10-5 1

For the initiating event assessment, the parameter of interest is the measure of the CCDP. This is the value obtained when calculating the probability of core damage for an initiating event with subsequent failure of one or more components following the initiating event.

1

LER 341/03-002

! Dominant Sequences The dominant core damage sequences for this assessment are LOOP sequence 05 (38.3%

of the total CCDP) and LOOP/station blackout (SBO) sequence 60-04 (38.3% of the total CCDP). The LOOP and SBO event trees are shown in Figures 1 and 2.

The events and important component failures in LOOP Sequence 05 are:

S loss of offsite power occurs, S reactor shutdown succeeds, S emergency power is available, S safety relief valves successfully reclose, S standby feedwater succeeds, S suppression pool cooling fails, S manual depressurization succeeds, S shutdown cooling fails, S containment spray fails, and S containment venting fails.

The events and important component failures in LOOP/SBO Sequence 60-04 are:

S loss of offsite power occurs, S reactor shutdown succeeds, S emergency power is unavailable, S safety relief valves successfully reclose, S reactor core isolation cooling (RCIC) provides sufficient flow to the reactor vessel, S manual depressurization succeeds, S firewater injection is unavailable, and S ac power is not recovered in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.

! Results Tables S The CCDP value for the dominant sequence is shown in Table 1.

S The event tree sequence logic for the dominant sequence is presented in Table 2a.

S Table 2b defines the nomenclature used in Table 2a.

S The most important cut sets for the dominant sequence are listed in Table 3.

S Table 4 presents names, definitions, and probabilities of (1) basic events whose probabilities were changed to update the referenced SPAR model, (2) basic events whose probabilities were changed to model this event, and (3) basic events that are important to the CCDP result.

Modeling Assumptions

! Assessment Summary This event was modeled as a loss of offsite power initiating event. Rev. 3.10 (SAPHIRE

7) of the Fermi SPAR model (Ref. 4) was used for this assessment. The specific model version used as a starting point for this analysis is dated December 10, 2004.

2

LER 341/03-002 Since this event involves a LOOP of significant duration (longer than the battery depletion time), probabilities of nonrecovery of offsite power at different times following the LOOP are important factors in the estimation of the CCDP.

Best estimate: Detroit Edison was able to isolate an offsite power restoration path between the Monroe Power Plant, Brownstown Station, Fermi nuclear plant, and Trenton Channel plant. This occurred at 2230 hours0.0258 days <br />0.619 hours <br />0.00369 weeks <br />8.48515e-4 months <br />, about 6.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> following LOOP, in this event.

Failure to recover offsite power to plant safety-related loads (if needed because EDGs fail to supply the loads), given recovery of power to the switchyard, could result from (1) operators failing to restore proper breaker line-ups, (2) breakers failing to close on demand, or (3) a combination of operator and breaker failures. The dominant contributor to failure to recover offsite power to plant safety-related loads in this situation is operators failing to restore proper breaker line-ups. This analysis assumed that at least 30 minutes is necessary to restore power to an emergency bus given that offsite power is available in the switchyard2. The time available for operators to restore proper breaker line-ups to prevent core damage is dependent on specific accident sequences and is modeled as such using the SPAR human reliability model (Ref. 5). Assumptions described below, combined with the assumption of offsite power restoration described above, form the bases for the LOOP nonrecovery probabilities.

! Important Assumptions Important assumptions regarding power recovery modeling include the following:

S No opportunity for the recovery of offsite power to safety-related loads is considered for any time prior to power being available in the switchyard.

S At least 30 minutes are required to restore power to emergency loads after power is available in the switchyard.

S SPAR models do not credit offsite power recovery following battery depletion.

The GEM program used to determine the CCDP for this analysis will calculate probabilities of recovering offsite power at various time points of importance to the analysis based on historical data for grid-related LOOPs. In this analysis, this feature was overridden; offsite power recovery probabilities were based on (1) known information about when power was restored to the switchyard and (2) use of the SPAR human error model to estimate probabilities of failing to realign power to emergency buses for times after power was restored to the switchyard.

Attachment B is a general description of analysis of loss of offsite power events in the Accident Sequence Precursor Program. It includes a description of the approach to estimating offsite power recovery probabilities.

! Event Tree and Fault Tree Modifications The CTG failed to start from the control room due to the failure of a battery-powered inverter. The CTG was manually started 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> into the event using a portable generator as an alternate source of starting power. For this analysis, the CTG was modeled as (1) failed for sequences leading to early core damage and (2) recoverable for long-term core 2

Sensitivity analysis has shown that the difference between 30 and 60 minutes restoration time has minimal effect on the results.

3

LER 341/03-002 damage sequences. The following rules were applied to LOOP sequences 56, 57, 58-37, 58-38, 59-11, 60-14, 60-23, 60-25, 60-27 and 60-28 (sequences leading to early core damage):

if EPS-CTG-FS-BLKST then DeleteEvent = EPS-CTG-FS-BLKST; AddEvent = EPS-CTG-FS-BLKST1; elsif (EPS-CTG-TM-CTG + EPS-CTG-FR-BLKST + EPS-XHE-XM-CTG) then DeleteRoot; endif EPS-CTG-FS-BLKST1 is an event whose probability is set to 1.0 to model the early unavailability of the CTG.

Additionally, two long-term LOOP sequences appeared to be very important contributors to the overall CCDP. In the dominant cut sets for these sequences, one operator recovery value, which concerned the operator aligning a dead bus to a functioning EDG (EPS-XHE-XM-ALTDG), was particularly important. While its default value might be appropriate for short-term realignment, the value is too high for these important long-term sequences.

Therefore, the following recovery rule was implemented for LOOP sequences 5 and 17:

if EPS-XHE-XM-ALTDG then DeleteEvent = EPS-XHE-XM-ALTDG; AddEvent = EPS-XHE-XM-ALTDG10; endif The four basic events involved in the these two changes are included in the basic event probability changes section.

! Basic Event Probability Changes Table 4 includes basic events whose probabilities were changed to reflect the event being analyzed. The bases for these changes are as follows:

S Probability of blackstart CTG failing to start before 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> (EPS-CTG-FS-BLKST1). This event represents the short-term failure to start (< 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />) of the blackstart CTG. Since the CTG was unavailable for the first 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />, EPS-CTG-FS-BLKST1 was set to 1.0.

S Probability of operator failing to align dead bus to alternate diesel generator after 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />(EPS-XHE-XM-ALTDG10). This event represents the long-term failure of the operator to realign a dead bus to an alternate diesel generator (> 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />). This value is used in long-term sequence. Using the SPAR human error model to determine the value (see Attachment D), EPS-XHE-XM-ALTDG10 was set to 1.0x10-3.

S Probability of operators failing to recover blackstart CTG (EPS-XHE-XM-CTG).

This event represents the probability of operators failing to recover the blackstart CTG. Using the SPAR human error model to determine the value (see Attachment D), EPS-XHE-XM-CTG was set to 2.5x10-1.

4

LER 341/03-002 S Probability of failure to recover offsite power in 30 minutes (OEP-XHE-XL-NR30M). During the event, offsite power was not available in the switchyard until 6.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> after the LOOP. Therefore, there was no opportunity to recover offsite power in 30 minutes and OEP-XHE-XL-NR30M was set to TRUE.

S Probability of failure to recover offsite power in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (OEP-XHE-XL-NR01H).

During the event, offsite power was not available in the switchyard until 6.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> after the LOOP. Therefore, there was no opportunity to recover offsite power in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and OEP-XHE-XL-NR01H was set to TRUE.

S Probability of failure to recover offsite power in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> (OEP-XHE-XL-NR04H). During the event, offsite power was not available in the switchyard until 6.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> after the LOOP. Therefore, there was no opportunity to recover offsite power in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> and OEP-XHE-XL-NR04H was set to TRUE.

S Probability of failure to recover offsite power in 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> (OEP-XHE-XL-NR10H). During the event, offsite power was not available in the switchyard until 6.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> after the LOOP. Therefore, the operators had approximately 3.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> to recover offsite power to the vital safety buses. Using the SPAR human error model to determine the value (see Attachment C), OEP-XHE-XL-NR10H was set to 1.0x10-3.

S Probability that restart of RCI is required (RCI-RESTART). During the event, RCI and high-pressure coolant injection (HPCI) automatically started to provide flow to the reactor vessel. Upon reaching level 8 in the reactor, both systems were isolated. RCIC was later manually started and used for reactor level control. Since RCI restart occurred, RCI-RESTART was set to TRUE.

S Probability of diesel generators failing to run (ZT-DGN-FR-L). The default diesel generator mission times were changed to reflect the actual time to recover power to the first safety bus (approximately 9.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />). Since the overall fail-to-run is made up of two separate factors, the mission times for the factors were set to the following: ZT-DGN-FR-E = 1.0 hours0 days <br />0 hours <br />0 weeks <br />0 months <br /> (base case value) and ZT-DGN-FR-L = 8.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />.

References

1. Licensee Event Report 341/03-002, Revision 1, Automatic Reactor Shutdown Due to Electric Grid Disturbance and Loss of Offsite Power, event date August 14, 2003 (ADAMS Accession No. ML033570189).
2. NRC Region 3 Grid Special Report, August 28, 2003 (ADAMS Accession No. ML0324102370).
3. Michigan Public Service Commission Report on August 14th Blackout, November 2003.
4. R. F. Buell and J. A. Schroeder, Standardized Plant Analysis Risk Model for Fermi 2 (ASP BWR C), Revision 3.10, December 2004.

5

LER 341/03-002

5. D. Gertman, et al., SPAR-H Method, INEEL/EXT-02-10307, Draft for Comment, November 2002 (ADAMS Accession No. ML0315400840).

6

LER 341/03-002 Table 1. Conditional probabilities associated with the highest probability sequences.

Conditional core damage Percent Event tree Sequence no. probability (CCDP)1 contribution name LOOP 05 6.9x10-6 38.3%

-6 LOOP/SBO 60-04 6.9x10 38.3%

2 -5 Total (all sequences) 1.8x10

1. Values are point estimates. (File name: GEM 341-03-002 12-13-2004.wpd)
2. Total CCDP includes all sequences (including those not shown in this table).

Table 2a. Event tree sequence logic for the dominant sequences.

Event tree Sequence Logic name no. (/ denotes success; see Table 2b for top event names)

LOOP 05 /RPS, /EPS, /SRV, /SFW, SPC, /DEP, SDC, CSS, CVS LOOP/SBO 60-04 /RPS, EPS, /SRV, /RCI, /DEP, VA3, AC-04H Table 2b. Definitions of fault trees listed in Table 2a.

AC-04H OPERATOR FAILS TO RECOVER AC POWER IN 4 HOURS CSS CONTAINMENT SPRAY FAILS CVS CONTAINMENT VENTING FAILS DEP MANUAL DEPRESSURIZATION FAILS EPS EMERGENCY POWER FAILS RCI RCIC FAILS TO PROVIDE SUFFICIENT FLOW TO REACTOR RPS REACTOR SHUTDOWN FAILS SDC SHUTDOWN COOLING FAILS SFW STANDBY FEEDWATER FAILS SPC SUPPRESSION POOL COOLING FAILS SRV ONE OR MORE SRVS FAIL TO RECLOSE VA3 FIREWATER INJECTION IS UNAVAILABLE 7

LER 341/03-002 Table 3. Conditional cut sets for dominant sequences.

Percent CCDP1 contribution Minimal cut sets2 Event Tree: LOOP, Sequence 05 5.0x10-6 72.0 RHR-XHE-XM-ERROR CVS-XHE-XM-VENT 7.4x10-6 Total (all cut sets)3 Event Tree: LOOP/SBO, Sequence 60-04 2.8x10-6 40.1 EPS-XHE-XM-CTG EPS-DGN-CF-RUN EPS-XHE-XL-NR04H 6.3x10-7 9.1 EPS-XHE-XM-CTG EPS-DGN-CF-START EPS-XHE-XL-NR04H 5.5x10-7 8.0 EPS-CTG-TM-CTG EPS-DGN-CF-RUN EPS-XHE-XL-NR04H 4.4x10-7 6.4 EPS-CTG-FS-BLKST EPS-DGN-CF-RUN EPS-XHE-XL-NR04H 6.3x10-6 Total (all cut sets)3

1. Values are point estimates.
2. See Table 4 for definitions and probabilities for the basic events.
3. Totals include all cut sets (including those not shown in this table).

8

LER 341/03-002 Table 4. Definitions and probabilities for modified or dominant basic events.

Probability/

Description Modified Event name frequency CVS-XHE-XM-VENT OPERATOR FAILS TO VENT CONTAINMENT 1.0x10-2 No

-2 EPS-CTG-FS-BLKST BLACKSTART CTG FAILS TO START 4.0x10 No BLACKSTART CTG FAILS TO START EPS-CTG-FS-BLKST1 1.0 Yes1 BEFORE 3 HOURS EPS-CTG-TM-CTG CTG OUT FOR TEST AND MAINTENANCE 5.0x10-2 No

-5 EPS-DGN-CF-RUN EDGs FAIL FROM COMMON CAUSE 2.2x10 No

-6 EPS-DGN-CF-START EDGs FAIL FROM COMMON CAUSE 5.0x10 No OPERATOR FAILS TO RECOVER EDG IN 4 EPS-XHE-XL-NR04H 5.0x10-1 No HOURS EPS-XHE-XM-ALTDG10 OPERATOR FAILS TO ALIGN ALT EDG TO 1.0x10-3 Yes2 DEAD BUS AFTER 10 HOURS EPS-XHE-XM-CTG OPERATOR FAILS TO START CTG 2.5x10-1 Yes2 LOSS OF OFFSITE POWER INITIATING IE-LOOP 1.0 Yes3 EVENT OPERATOR FAILS TO RECOVER OFFSITE OEP-XHE-XL-NR30M TRUE Yes2 POWER IN 30 MINUTES OPERATOR FAILS TO RECOVER OFFSITE OEP-XHE-XL-NR01H TRUE Yes2 POWER IN 1 HOUR OPERATOR FAILS TO RECOVER OFFSITE OEP-XHE-XL-NR04H TRUE Yes2 POWER IN 4 HOURS OPERATOR FAILS TO RECOVER OFFSITE OEP-XHE-XL-NR10H 1.0x10-3 Yes2 POWER IN 10 HOURS RCI-RESTART RESTART OF RCIC IS REQUIRED TRUE Yes1 OPERATOR FAILS TO START/CONTROL RHR-XHE-XM-ERROR 5.0x10-4 No RHR ZT-DGN-FR-L EDG FAILS TO RUN (LONG TERM) 6.8x10-3 Yes4

1. Events changed to reflect the condition being analyzed. See report and Basic Event Probability Changes for further details.
2. Evaluated per SPAR-H method (Ref. 5). See Attachments C and D for further details.
3. Initiating event assessment- all other initiating event frequencies set to zero.
4. Changed mission time to correspond to the time that offsite power was restored to the first vital bus. See report and Basic Event Probability Changes for further details.

9

LER 341/03-002 Attachment A Event Timeline Table A.1 Timeline of significant events.

Date Time Event 1610 Reactor trips due to grid instability 1611 Offsite power is lost to emergency buses; emergency diesel generators 8/14/03 automatically start and load to power the emergency buses 1622 Unusual Event is declared 2230 Offsite power is restored to the switchyard 0153 First emergency bus (10600) is switched to offsite power source and EDG 14 is shutdown 0412 Second emergency bus (10500) is switched to offsite power source and EDG 13 is 8/15/03 shutdown 1332 Emergency diesel generators are shut down 1348 Unusual Event is terminated 10

LER 341/03-002 Attachment B LOOP Analysis Procedure This procedure is not intended to stand alone; instead it is intended to augment ASP Guideline A:

Detailed Analysis3. LOOP event analyses are a type of initiating event assessment as described in ASP Guideline A. Specific analysis steps that are unique to ASP analysis of LOOP events are included here.

1. Determine significant facts associated with the event.

1.1 Determine when the LOOP occurred.

1.2 Determine when stable offsite power was first available in the switchyard.

1.3 Determine when offsite power was first restored to an emergency bus.

1.4 Determine when offsite power was fully restored (all emergency buses powered from offsite, EDGs secured).

1.5 Identify any other significant conditions, failures, or unavailabilities that coincided with the LOOP.

2. Model power recovery factors associated with the best estimate case and any defined sensitivity cases.

2.1 For the best estimate case, the LOOP duration is the time between the occurrence of the LOOP and the time when stable power was available in the switchyard plus the assumed time required to restore power from the switchyard to emergency buses. Attachment C documents the probabilistic analysis of power recovery factors for the best estimate case analysis.

2.2 If EDGs successfully start and supply emergency loads, plant operators do not typically rush to restore offsite power to emergency buses, preferring to wait until grid stability is more certain. Therefore, a typical upper bound sensitivity case considers the LOOP duration as the time between the occurrence of the LOOP and the time when offsite power was first restored to an emergency bus. Attachment C documents the probabilistic analysis of power recovery factors for the sensitivity case analysis.

3. Model event-specific mission durations for critical equipment for the best estimate case and any defined sensitivity cases. (For most equipment, SPAR model failure probabilities are not functions of defined mission durations and are therefore not affected by this analysis step. Notable exceptions include EDGs and, for PWRs, turbine-driven auxiliary feedwater pumps.)

3.1 For the best estimate case, mission durations are set equal to the assumed LOOP duration as defined in Step 2.1 above.

3.2 For a typical upper bound sensitivity case, mission durations are set equal to the time between the occurrence of the LOOP and the time when offsite power was fully restored to all emergency buses. (Note these mission durations are longer than the assumed LOOP duration defined in Step 2.2 above; they are intended to represent the longest possible mission duration for any critical equipment item.)

3 ASP Guideline A: Detailed Analysis, U.S. Nuclear Regulatory Commission.

11

LER 341/03-002 Attachment C Power Recovery Modeling

! Background The time required to restore offsite power to plant emergency equipment is a significant factor in modeling the CCDP given a LOOP. SPAR LOOP/SBO models include various sequence-specific ac power recovery factors that are based on the time available to recover power to prevent core damage. For a sequence involving failure of all of the cooling sources, only about 30 minutes would be available to recover power to help avoid core damage. On the other hand, sequences involving successful early inventory control and decay heat removal, but failure of long-term decay heat removal, would accommodate several hours to recover ac power prior to core damage.

In this analysis, offsite power recovery probabilities are based on (1) known information about when power was restored to the switchyard and (2) estimated probabilities of failing to realign power to emergency buses for times after offsite power was restored to the switchyard. Power restoration times were reported by the licensee in the LER and in response to the questionnaire that was conducted by the NRC Regional Office. The time used is the time at which the grid operator informed the plant that power was available to the switchyard (with a load limit). Although the load limit was adequate to energize plant equipment and, if necessary, prevent the occurrence of an SBO sequence, plant operators did not immediately load safety buses onto the grid. This ASP analysis does not consider the possibility that grid power would have been unreliable if that power were immediately used.

Failure to recover offsite power to plant safety-related loads (if needed because EDGs fail to supply the loads), given recovery of power to the switchyard, could result from (1) operators failing to restore proper breaker line-ups, (2) breakers failing to close on demand, or (3) a combination of operator and breaker failures. The dominant contributor to failure to recover offsite power to plant safety-related loads in this situation is operators failing to restore proper breaker line-ups. The SPAR human error model (ref.) was used to estimate nonrecovery probabilities as a function of time following restoration of offsite power to the switchyard. The best estimate analysis assumes that at least 30 minutes are necessary to restore offsite power to emergency buses given offsite power is available in the switchyard.

! Human Error Modeling The SPAR human error model generally considers the following three factors:

S Probability of failure to diagnose the need for action S Probability of failure to successfully perform the desired action S Dependency on other operator actions involved in the specific sequence of interest This analysis assumes no probability of failure to diagnose the need to recover ac power and no dependency between operator performance of the power recovery task and any other task the operators may need to perform. Thus, each estimated ac power nonrecovery probability is based solely on the probability of failure to successfully perform the desired action.

12

LER 341/03-002 The probability of failure to perform an action is the product of a nominal failure probability (1.0x10-3) and the following eight performance shaping factors (PSFs):

S Available time S Stress S Complexity S Experience/training S Procedures S Ergonomics S Fitness for duty S Work processes For each ac power nonrecovery probability, the PSF for available time is assigned a value of 10 if the time available to perform the action is approximately equal to the time required to perform the action, 1.0 if the time available is between 2 and 4 times the time required, and 0.1 if the time available is greater than or equal to 5 times the time required. If the time available is inadequate (i.e., less than the time to restoration of power to the switchyard plus 30 minutes for the best estimate), the ac power nonrecovery probability is 1.0.

The PSF for stress is assigned a value of 5 (corresponding to extreme stress) for all ac power nonrecovery probabilities. Factors considered in assigning this PSF include the sudden onset of the LOOP initiating event, the duration of the event, the existence of compounding equipment failures (ac power recovery is needed only if one or more emergency buses are not powered by EDGs), and the existence of a direct threat to the plant.

For all of the ac power nonrecovery probabilities, the PSF for complexity is assigned a value of 2 (corresponding to moderately complex) based on the need for multiple breaker alignments and verifications.

For all of the ac power nonrecovery probabilities, the PSFs for experience/training, procedures, ergonomics, fitness for duty, and work processes are assumed to be nominal (i.e., are assigned values of 1.0).

! Results Table C.1 presents the calculated values for the ac power nonrecovery probabilities used in the best estimate analysis.

Table C.1 AC Power Nonrecovery Probabilities PSF Nominal Time Product of Nonrecovery Nonrecovery Factor Value Available All Others Probability OEP-XHE-XL-NR30M 1.0x10-3 Inadequate - TRUE OEP-XHE-XL-NR01H 1.0x10-3 Inadequate - TRUE OEP-XHE-XL-NR04H 1.0x10-3 Inadequate - TRUE OEP-XHE-XL-NR10H 1.0x10-3 0.1 10 1.0x10-3 Attachment D 13

LER 341/03-002 Human Error Modeling For this analysis, the values of two operator recovery events, EPS-XHE-XM-ALTDG10 and EPS-XHE-XM-CTG, were updated using the standard SPAR Model Human Error Worksheet. A summary of the worksheet results is provided by Table D.1.

Table D.1 Human Error Basic Event Probabilities PSF Complexity Training Procedures Time Stress Nominal Nonrecovery Factor Value Nonrecovery Probability EPS-XHE-XM-ALTDG10 1.0x10-3 All PSFs are Nominal 1.0x10-3 (Action)

EPS-XHE-XM-CTG 1.0x10-2 0.1 5 1 1 20 1.0x10-1 (Diagnosis) 2.5x10-1 (Total)

EPS-XHE-XM-CTG 1.0x10-3 0.1 5 2 3 50 1.5x10-1 (Action) 14

LER 341/03-002 LOSS OF REACTOR EMERGENCY SRV'S STANDBY RCIC HPCI MANUAL CORE LOW PRESS ALTERNATE SUPPRESSION MANUAL SHUTDOWN CONTAINMENT CONTAINMENT CRD LONG-TERM OFFSITE SHUT DOWN POWER CLOSE FEEDWATER REACTOR SPRAY COOLANT LOW PRESS POOL REACTOR COOLING SPRAY VENTING INJECTION LOW PRESS POWER DEPRESS INJECTION INJECTION COOLING DEPRESS (1 PUMP) INJECTION IE-LOOP RPS EPS SRV SFW RCI HCI DEP LCS LCI VA SPC DEP SDC CSS CVS CR1 VA1 # STATE 1 OK 2 OK 3 OK 4 OK 5 CD 6 OK 7 OK 8 CD 9 OK 10 OK 11 OK 12 OK VA2 13 CD 14 OK 15 OK 16 CD 17 CD 18 OK 19 CD 20 OK 21 CD 22 CD 23 OK 24 OK 25 OK VA2 26 27 OK CD 15 28 OK 29 OK 30 CD 31 CD 32 OK 33 CD 34 OK 35 CD 36 CD 37 OK 38 OK 39 OK 40 OK 41 OK 42 CD 43 CD 44 OK 45 OK 46 OK 47 OK 48 OK 49 CD 50 CD 51 OK 52 OK SP1 53 OK SD1 CS1 54 OK 55 CD 56 CD 57 CD P1 T58 LOOP-1 P2 T59 LOOP-2 T60 SBO T61 ATWS Figure 1: Fermi LOOP event tree with dominant sequence highlighted.

LER 341/03-002 TR ANSFER SRV'S RCIC HPCI MANUAL FIREWATER AC BRANCH CLOSE REACTOR INJECT ION POW ER SBO DEPRESS RECOVERY EPS SRV RCI HC I DEP VA3 AC # STATE 1 OK AC-04H 2 CD 3 OK AC-04H 4 CD 5 OK AC-04H 6 CD 7 OK AC-04H 8 CD 9 OK AC-04H 10 CD 11 OK AC-04H 12 CD 13 OK 16 AC-30M 14 CD 15 OK AC-04H 16 CD 17 OK AC-04H 18 CD P1 19 OK AC-04H 20 CD 21 OK AC-04H 22 CD H C1 23 CD 24 OK AC-01H 25 CD P2 26 OK AC-01H 27 CD H C1 28 CD Figure 2: Fermi SBO event tree with dominant sequence highlighted.