ML050960051

From kanterella
Jump to navigation Jump to search
Final Precursor Analysis - IP-3 Grid Loop
ML050960051
Person / Time
Site: Indian Point Entergy icon.png
Issue date: 12/17/2004
From: Christopher Hunter
NRC/RES/DRAA/OERAB
To:
Shared Package
ML060030075 List:
References
LER 03-005
Download: ML050960051 (18)
v  d  e


Text

Enclosure Final Precursor Analysis Accident Sequence Precursor Program --- Office of Nuclear Regulatory Research Indian Point 3 Automatic Reactor Trip and Loss of Offsite Power Due to the August 14, 2003, Transmission Grid Blackout Event Date 8/14/2003 LER: 286/03-005 CCDP1 = 7x10-6 December 17, 2004 Event Summary At 1611 hours0.0186 days <br />0.448 hours <br />0.00266 weeks <br />6.129855e-4 months <br /> on August 14, 2003, Indian Point 3 experienced grid instability and a subsequent reactor trip while operating at 100% power. Loss of offsite power (LOOP) occurred at 1611 hours0.0186 days <br />0.448 hours <br />0.00266 weeks <br />6.129855e-4 months <br />.

Plant emergency diesel generators (EDGs) started and supplied power to safety-related plant loads until offsite power was restored. Attachment A is a timeline of significant events. (Refs. 1 and 2).

Cause. The reactor trip and LOOP were caused by grid instability associated with the regional transmission system blackout that occurred on August 14, 2003.

Other conditions, failures, and unavailable equipment. The auxiliary feedwater (AFW) flow control valves lost pneumatic control; however, the valves fail open on loss of instrument air so that flow was not lost to the steam generators. Therefore, this condition was not modeled in the assessment.

Recovery opportunities. Offsite power was first available at 1749 hours0.0202 days <br />0.486 hours <br />0.00289 weeks <br />6.654945e-4 months <br />. Power from offsite was first restored to an emergency bus at 2012 hours0.0233 days <br />0.559 hours <br />0.00333 weeks <br />7.65566e-4 months <br />.

Analysis Results

! Conditional Core Damage Probability (CCDP)

The CCDP for this event is 7x10-6. The acceptance threshold for the Accident Sequence Precursor Program is a CCDP of 1x10-6. This event is a precursor.

Mean 5% 95%

Best estimate 7x10-6 8x10-7 2x10-5

! Dominant Sequences The dominant core damage sequences for this assessment are LOOP sequence 02-02-03 (31.9% of the total CCDP) and LOOP/Station Blackout (SBO) 18-03 (30.6% of the total CCDP). The LOOP, SBO, and Loss of Reactor Coolant Pump Seal Cooling event trees are shown in Figures 1, 2, 3.

1 For the initiating event assessment, the parameter of interest is the measure of the CCDP. This is the value obtained when calculating the probability of core damage for an initiating event with subsequent failure of one or more components following the initiating event. The reported value is the estimated mean CCDP.

1

LER 286/03-005 The events and important component failures in LOOP Sequence 02-02-03 are:

S loss of offsite power occurs, S reactor shutdown succeeds, S emergency power is available, S auxiliary feedwater is successful, S power operated relief valves close, S loss of RCP seal cooling occurs, S rapid secondary depressurization is successful, S RCP seal stage 1 integrity succeeds, S RCP seal stage 2 integrity fails, S operators restore offsite power in 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, S high pressure injection succeeds, S reactor coolant system depressurization for low pressure injection succeeds, and S low pressure recirculation fails.

The events and important component failures in LOOP/SBO Sequence 18-03 are:

S loss of offsite power occurs, S reactor shutdown succeeds, S emergency power is unavailable, S auxiliary feedwater is successful, S power operated relief valves close, S rapid secondary depressurization is successful, S RCP seal stage 1 integrity succeeds, S RCP seal stage 2 integrity succeeds, S operators fail to restore offsite power in 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, and S operators fail to restore an EDG in 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.

! Results Tables S The CCDP values for the dominant sequences are shown in Table 1.

S The event tree sequence logic for the dominant sequences are presented in Table 2a.

S Table 2b defines the nomenclature used in Table 2a.

S The most important cut sets for the dominant sequences are listed in Table 3.

S Table 4 presents names, definitions, and probabilities of (1) basic events whose probabilities were changed to update the referenced SPAR model, (2) basic events whose probabilities were changed to model this event, and (3) basic events that are important to the CCDP result.

2

LER 286/03-005 Modeling Assumptions

! Assessment Summary This event was modeled as a LOOP initiating event. Rev. 3.10 (SAPHIRE 7) of the Indian Point 3 SPAR model (Ref. 3) was used for this assessment. The specific model version used as a starting point for this analysis is dated December 10, 2004.

Since this event involves a LOOP of significant duration (within 30 minutes before battery depletion), probabilities of nonrecovery of offsite power at different times following the LOOP are important factors in the estimation of the CCDP.

Best estimate: Stable and useable offsite power was available in the switchyard at 1749 hours0.0202 days <br />0.486 hours <br />0.00289 weeks <br />6.654945e-4 months <br />, about 1.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> following LOOP, in this event. Failure to recover offsite power to plant safety-related loads (if needed because EDGs fail to supply the loads), given recovery of power to the switchyard, could result from (1) operators failing to restore proper breaker line-ups, (2) breakers failing to close on demand, or (3) a combination of operator and breaker failures. The dominant contributor to failure to recover offsite power to plant safety-related loads in this situation is operators failing to restore proper breaker line-ups. This analysis assumed that at least 30 minutes are necessary to restore power to an emergency bus given that offsite power is available in the switchyard. The time available for operators to restore proper breaker line-ups to prevent core damage is dependent on specific accident sequences and is modeled as such using the SPAR human reliability model (Ref.

4). Assumptions described below, combined with the assumption of off-site power restoration described above, form the bases for the LOOP nonrecovery probabilities.

! Important Assumptions Important assumptions regarding power recovery modeling include the following:

S No opportunity for the recovery of offsite power to safety-related loads is considered for any time prior to power being available in the switchyard.

S At least 30 minutes are required to restore power to emergency loads after power is available in the switchyard.

S SPAR models do not credit offsite power recovery following battery depletion.

The GEM program used to determine the CCDP for this analysis will calculate probabilities of recovering offsite power at various time points of importance to the analysis based on historical data for grid-related LOOPs. In this analysis, this feature was overridden; offsite power recovery probabilities were based on (1) known information about when power was restored to the switchyard and (2) use of the SPAR human error model to estimate probabilities of failing to realign power to emergency buses for times after power was restored to the switchyard.

Attachment B is a general description of analysis of LOOP events in the Accident Sequence Precursor Program. It includes a description of the approach to estimating offsite power recovery probabilities.

3

LER 286/03-005

! Basic Event Probability Changes Table 4 includes basic events whose probabilities were changed to reflect the event being analyzed. The bases for these changes are as follows:

S Probability of failure to recover offsite power in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (OEP-XHE-XL-NR01H).

During the event, offsite power was not available in the switchyard until 1.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> after the LOOP. Therefore, there was no opportunity to recover offsite power in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and OEP-XHE-XL-NR01H was set to TRUE.

S Probability of failure to recover offsite power in 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> (OEP-XHE-XL-NR02H). During the event, offsite power was not available in the switchyard until 1.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> after the LOOP. Therefore, the operators had 30 minutes to recover offsite power to the vital safety buses. Using the SPAR human error model to determine the value (see Attachment C), OEP-XHE-XL-NR02H was set to 1.0x10-1.

S Probability of failure to recover offsite power in 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (OEP-XHE-XL-NR06H). During the event, offsite power was available in the switchyard 1.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> after the LOOP. Therefore, the operators had 4.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> to recover offsite power to the vital safety buses. Using the SPAR human error model to determine the value (see Attachment C), OEP-XHE-XL-NR06H was set to 1.0x10-3.

S Probability of diesel generators failing to run (ZT-DGN-FR-L). The overall diesel generator default mission time (24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />) was changed to reflect the actual time offsite power was restored to the first vital bus (approximately 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />). Since the overall fail-to-run is made up of two separate factors, the mission times for the factors were set to the following: ZT-DGN-FR-E = 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (base case value) and ZT-DGN-FR-L = 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />.

S Probability of auxiliary feedwater turbine-driven pump failing to run (ZT-TDP-FR-L). Since the AFW TDP is the only ac-power-independent pump in the AFW system, the AFW TDP mission time was set to the actual time that offsite power was restored to the second vital bus (approximately 4.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />). Since the overall fail-to-run is made up of two separate factors, the mission times for the factors were set to the following: ZT-TDP-FR-E = 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (base case value) and ZT-TDP-FR-L =

3.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />.

References

1. Licensee Event Report 286/03-005, Revision 0, Automatic Reactor Trip due to Reactor Coolant Pump Trip on Under-Frequency Caused by a Degraded Off-Site Grid, event date August 14, 2003, (ADAMS Accession No. ML0328902210).
2. NRC Region 1 Grid Special Report, October 15, 2003 (ADAMS Accession No. ML0324102160).
3. R.F. Buell and J. K. Knudsen, Standardized Plant Analysis Risk Model for Indian Point 3 (ASP PWR B), Revision 3.10, December 2004.

4

LER 286/03-005

4. D. Gertman, et al., SPAR-H Method, INEEL/EXT-02-10307, Draft for Comment, November 2002 (ADAMS Accession No. ML0315400840).

5

LER 286/03-005 Table 1. Conditional probabilities associated with the highest probability sequences.

Conditional core damage Percentage Event tree Sequence no. probability (CCDP)1 contribution name LOOP 02-02-03 2.3 x 10-6 31.9%

-6 LOOP/SBO 18-03 2.2 x 10 30.6%

2 -6 Total (all sequences) 7.2 x 10

1. Values are point estimates. (File name: GEM 286-03-005 12-13-2004.wpd)
2. Total CCDP includes all sequences (including those not shown in this table).

Table 2a. Event tree sequence logic for the dominant sequences.

Event tree Sequence Logic name no. (/ denotes success; see Table 2b for top event names)

LOOP 02-02-03 /RPS, /EPS, /AFW-L, /PORV-L, LOSC-L, /RSD, /BP1, BP2, /OPR-02H,

/FW, /HPI, /SSC, /PZR, RHR, LPR LOOP 18-03 /RPS, EPS, /AFW-B, /PORV-B, /RSD, /BP1, /BP2, OPR-02H, DGR-02H Table 2b. Definitions of fault trees listed in Table 2a.

AFW-B NO OR INSUFFICIENT AFW FLOW (SBO)

AFW-L NO OR INSUFFICIENT AFW FLOW (LOOP)

BP1 RCP SEAL STAGE 1 INTEGRITY FAILS BP2 RCP SEAL STAGE 2 INTEGRITY FAILS DGR-02H AN EDG IS NOT RECOVERED IN 2 HOURS EPS EMERGENCY POWER SYSTEM FAILS FW FEEDWATER IS UNAVAILABLE HPI HIGH PRESSURE INJECTION FAILS LOSC-L RCP SEAL COOLING FAILS DURING LOOP LPR LOW PRESSURE RECIRCULATION FAILS OPR-02H OFFSITE POWER IS NOT RECOVERED IN 2 HOURS PORV-B PORVs AND SRVs RECLOSE DURING SBO PORV-L PORVs AND SRVs RECLOSE DURING LOOP PZR RCS DEPRESSURIZATION FOR LPI/RHR FAILS RHR RESIDUAL HEAT REMOVAL FAILS RPS REACTOR FAILS TO TRIP DURING LOOP RSD RAPID SECONDARY DEPRESSURIZATION FAILS SSC SECONDARY SIDE COOLDOWN FAILS 6

LER 286/03-005 Table 3. Conditional cut sets for dominant sequences.

Percent CCDP1 contribution Minimal cut sets2 Event Tree: LOOP, Sequence 02-02-03 SWS-XHE-XL-1PUMP /RCS-MDP-LK-BP1 2.6x10-8 1.11 EPS-DGN-FR-33 RCS-MDP-LK-BP2 EPS-DGN-TM-31 /OEP-XHE-XL-NR02H EPS-DGN-TM-33 /RCS-MDP-LK-BP1 2.6x10-8 1.11 SWS-XHE-XL-1PUMP RCS-MDP-LK-BP2 EPS-DGN-FR-31 /OEP-XHE-XL-NR02H EPS-DGN-TM-33 /RCS-MDP-LK-BP1 2.6x10-8 1.11 SWS-XHE-XL-1PUMP RCS-MDP-LK-BP2 EPS-DGN-FR-32 /OEP-XHE-XL-NR02H SWS-XHE-XL-1PUMP /RCS-MDP-LK-BP1 2.6x10-8 1.11 EPS-DGN-FR-33 RCS-MDP-LK-BP2 EPS-DGN-TM-32 /OEP-XHE-XL-NR02H SWS-XHE-XL-1PUMP /RCS-MDP-LK-BP1 2.6x10-8 1.11 EPS-DGN-FR-31 RCS-MDP-LK-BP2 EPS-DGN-TM-32 /OEP-XHE-XL-NR02H SWS-XHE-XL-1PUMP /RCS-MDP-LK-BP1 2.6x10-8 1.11 EPS-DGN-TM-31 RCS-MDP-LK-BP2 EPS-DGN-FR-32 /OEP-XHE-XL-NR02H 2.3x10-6 Total (all cut sets)3 Event Tree: LOOP, Sequence 18-03 SWS-XHE-XL-29-30 EPS-XHE-XL-NR02H 5.7x10-7 26.6 /RCS-MDP-LK-BP1 OEP-XHE-XL-NR02H

/RCS-MDP-LK-BP2 CTG-XHE-XL-NR02H EPS-DGN-CF-RUN EPS-XHE-XL-NR02H 5.6x10-7 26.1 /RCS-MDP-LK-BP1 OEP-XHE-XL-NR02H

/RCS-MDP-LK-BP2 CTG-XHE-XL-NR02H SWS-AOV-CF-DGS EPS-XHE-XL-NR02H 3.8x10-7 17.8 /RCS-MDP-LK-BP1 OEP-XHE-XL-NR02H

/RCS-MDP-LK-BP2 CTG-XHE-XL-NR02H EPS-DGN-CF-STRT EPS-XHE-XL-NR02H 3.8x10-7 12.4 /RCS-MDP-LK-BP1 OEP-XHE-XL-NR02H

/RCS-MDP-LK-BP2 CTG-XHE-XL-NR02H 2.2x10-6 Total (all cut sets)3

1. Values are point estimates.
2. See Table 4 for definitions and probabilities for the basic events.
3. Totals include all cut sets (including those not shown in this table).

7

LER 286/03-005 Table 4. Definitions and probabilities for modified or dominant basic events.

Probability/

Event name Description Modified frequency OPEARTOR FAILS TO START/ALIGN CTG IN 2 CTG-XHE-XL-NR02H 2.5x10-1 No HOURS CVC-XHE-XM- OPERATOR FAILS TO ALIGN CITY WATER 2.7x10-2 Yes1 BCKCW FOR SEAL COOLING EPS-DGN-FR-31 EDG 31 FAILS TO RUN 5.4x10-3 No EPS-DGN-FR-32 EDG 32 FAILS TO RUN 5.4x10-3 No EPS-DGN-FR-33 EDG 33 FAILS TO RUN 5.4x10-3 No EPS-DGN-TM-31 EDG 31 UNAVAILABLE DUE TO T&M 9.0x10-3 No EPS-DGN-TM-32 EDG 32 UNAVAILABLE DUE TO T&M 9.0x10-3 No EPS-DGN-TM-33 EDG 33 UNAVAILABLE DUE TO T&M 9.0x10-3 No COMMON-CAUSE FAILURE OF DIESEL EPS-DGN-CF-RUN 4.0x10-5 No GENERATORS TO RUN COMMON-CAUSE FAILURE OF DIESEL EPS-DGN-CF-STRT 1.9x10-5 No GENERATORS TO START OPERATOR FAILS TO RECOVER AN EDG IN EPS-XHE-XL-NR02H 7.0x10-1 No 2HOURS IE-LOOP LOSS OF OFFSITE POWER INITIATING EVENT 1.0 Yes2 OPERATOR FAILS TO RECOVER OFFSITE OEP-XHE-XL-NR01H TRUE Yes3 POWER IN 2 HOURS OPERATOR FAILS TO RECOVER OFFSITE OEP-XHE-XL-NR02H 1.0x10-1 Yes3 POWER IN 2 HOURS OPERATOR FAILS TO RECOVER OFFSITE OEP-XHE-XL-NR06H 1.0x10-3 Yes3 POWER IN 6 HOURS RCP SEAL STAGE 1 INTEGRITY RCS-MDP-LK-BP1 1.3x10-2 No (BINDING/POPPING OF O-RING)

RCP SEAL STAGE 2 INTEGRITY RCS-MDP-LK-BP2 2.0x10-1 No (BINDING/POPPING OF O-RING)

CCF OF SWS OUTLET AOVs 1178/1178A SWS-AOV-CF-DGS 2.7x10-5 No FROM DG COOLERS SWS-MDP-TM-33 SWS MDP 33 UNAVAILABLE DUE TO T&M FALSE Yes4 SWS-MDP-TM-36 SWS MDP 36 UNAVAILABLE DUE TO T&M FALSE Yes4 OPERATOR FAILS TO ALIGN FOR SINGLE SWS-XHE-XL-1PUMP 3.0x10-3 No PUMP OPERATION OPERATOR MISALIGNS ESS & NON ESS SWS-XHE-XL-29-30 4.1x10-5 No HEADERS VALVES ZT-DGN-FR-L DIESEL GENERATOR FAILS TO RUN (LATE) 2.4x10-3 Yes5 8

LER 286/03-005 Probability/

Event name Description Modified frequency TURBINE-DRIVEN PUMP FAILS TO RUN ZT-TDP-FR-L 1.8x10-4 Yes5 (LATE)

1. INEEL probability update.
2. Initiating event assessment- all other initiating event frequencies set zero.
3. Evaluated per the SPAR-H method (Ref. 4). See report and Attachment C for further details.
4. Change due to evaluation of Licensee comment. See Attachment D for details.
5. Changed mission times to correspond to the time offsite power was restored to the first and second vital busses. See report and Basic Event Probability Changes for further details.

9

LER 286/03-005 Attachment A Event Timeline Table A.1 Timeline of significant events.

Time1 Event 1611 Reactor trips due to grid instability 1611 Offsite power is lost to emergency buses; emergency diesel generators automatically start and load to power the emergency buses 1731 Blackout power source (Gas Turbine 1) is started and loaded 1749 Offsite power is restored to the switchyard 2012 First emergency bus is switched to offsite power source 2034 Second emergency bus is switched to offsite power source 2103 Third emergency bus is switched to offsite power source

1. All times are on August 14, 2003.

10 SENSITIVE - NOT FOR PUBLIC DISCLOSURE

LER 286/03-005 Attachment B LOOP Analysis Procedure This procedure is not intended to stand alone; instead it is intended to augment ASP Guideline A:

Detailed Analysis2. LOOP event analyses are a type of initiating event assessment as described in ASP Guideline A. Specific analysis steps that are unique to ASP analysis of LOOP events are included here.

1. Determine significant facts associated with the event.

1.1 Determine when the LOOP occurred.

1.2 Determine when stable offsite power was first available in the switchyard.

1.3 Determine when offsite power was first restored to an emergency bus.

1.4 Determine when offsite power was fully restored (all emergency buses powered from offsite, EDGs secured).

1.5 Identify any other significant conditions, failures, or unavailabilities that coincided with the LOOP.

2. Model power recovery factors associated with the best estimate case and any defined sensitivity cases.

2.1 For the best estimate case, the LOOP duration is the time between the occurrence of the LOOP and the time when stable power was available in the switchyard plus the assumed time required to restore power from the switchyard to emergency buses. Attachment C documents the probabilistic analysis of power recovery factors for the best estimate case analysis.

2.2 If EDGs successfully start and supply emergency loads, plant operators do not typically rush to restore offsite power to emergency buses, preferring to wait until grid stability is more certain. Therefore, a typical upper bound sensitivity case considers the LOOP duration as the time between the occurrence of the LOOP and the time when offsite power was first restored to an emergency bus. Attachment C documents the probabilistic analysis of power recovery factors for the sensitivity case analysis.

3. Model event-specific mission durations for critical equipment for the best estimate case and any defined sensitivity cases. (For most equipment, SPAR model failure probabilities are not functions of defined mission durations and are therefore not affected by this analysis step. Notable exceptions include EDGs and, for PWRs, turbine-driven auxiliary feedwater pumps.)

3.1 For the best estimate case, mission durations are set equal to the assumed LOOP duration as defined in Step 2.1 above.

3.2 For a typical upper bound sensitivity case, mission durations are set equal to the time between the occurrence of the LOOP and the time when offsite power was fully restored to all emergency buses. (Note these mission durations are longer than the assumed LOOP duration defined in Step 2.2 above; they are intended to represent the longest possible mission duration for any critical equipment item.)

2 ASP Guideline A: Detailed Analysis, U.S. Nuclear Regulatory Commission.

11 SENSITIVE - NOT FOR PUBLIC DISCLOSURE

LER 286/03-005 Attachment C Power Recovery Modeling

! Background The time required to restore offsite power to plant emergency equipment is a significant factor in modeling the CCDP given a LOOP. SPAR LOOP/SBO models include various sequence-specific ac power recovery factors that are based on the time available to recover power to prevent core damage. For a sequence involving failure of all of the cooling sources, only about 30 minutes would be available to recover power to help avoid core damage. On the other hand, sequences involving successful early inventory control and decay heat removal, but failure of long-term decay heat removal, would accommodate several hours to recover ac power prior to core damage.

In this analysis, offsite power recovery probabilities are based on (1) known information about when power was restored to the switchyard and (2) estimated probabilities of failing to realign power to emergency buses for times after offsite power was restored to the switchyard. Power restoration times were reported by the licensee in the LER and in response to the questionnaire that was conducted by the NRC Regional Office. The time used is the time at which the grid operator informed the plant that power was available to the switchyard (with a load limit). Although the load limit was adequate to energize plant equipment and, if necessary, prevent the occurrence of an SBO sequence, plant operators did not immediately load safety buses onto the grid. This ASP analysis does not consider the possibility that grid power would have been unreliable if that power were immediately used.

Failure to recover offsite power to plant safety-related loads (if needed because EDGs fail to supply the loads), given recovery of power to the switchyard, could result from (1) operators failing to restore proper breaker line-ups, (2) breakers failing to close on demand, or (3) a combination of operator and breaker failures. The dominant contributor to failure to recover offsite power to plant safety-related loads in this situation is operators failing to restore proper breaker line-ups. The SPAR human error model (Ref. 4) was used to estimate nonrecovery probabilities as a function of time following restoration of offsite power to the switchyard. The best estimate analysis assumes that at least 30 minutes are necessary to restore offsite power to emergency buses given offsite power is available in the switchyard.

! Human Error Modeling The SPAR human error model generally considers the following three factors:

S Probability of failure to diagnose the need for action S Probability of failure to successfully perform the desired action S Dependency on other operator actions involved in the specific sequence of interest This analysis assumes no probability of failure to diagnose the need to recover ac power and no dependency between operator performance of the power recovery task and any other task the operators may need to perform. Thus, each estimated ac power nonrecovery probability is based solely on the probability of failure to successfully perform the desired action.

12 SENSITIVE - NOT FOR PUBLIC DISCLOSURE

LER 286/03-005 The probability of failure to perform an action is the product of a nominal failure probability (1.0x10-3) and the following eight performance shaping factors (PSFs):

S Available time S Stress S Complexity S Experience/training S Procedures S Ergonomics S Fitness for duty S Work processes For each ac power nonrecovery probability, the PSF for available time is assigned a value of 10 if the time available to perform the action is approximately equal to the time required to perform the action, 1.0 if the time available is between 2 and 4 times the time required, and 0.1 if the time available is greater than or equal to 5 times the time required. If the time available is inadequate (i.e., less than the time to restoration of power to the switchyard plus 30 minutes for the best estimate), the ac power nonrecovery probability is 1.0 (TRUE).

The PSF for stress is assigned a value of 5 (corresponding to extreme stress) for all ac power nonrecovery probabilities. Factors considered in assigning this PSF include the sudden onset of the LOOP initiating event, the duration of the event, the existence of compounding equipment failures (ac power recovery is needed only if one or more emergency buses are not powered by EDGs), and the existence of a direct threat to the plant.

For all of the ac power nonrecovery probabilities, the PSF for complexity is assigned a value of 2 (corresponding to moderately complex) based on the need for multiple breaker alignments and verifications.

For all of the ac power nonrecovery probabilities, the PSFs for experience/training, procedures, ergonomics, fitness for duty, and work processes are assumed to be nominal (i.e., are assigned values of 1.0).

! Results Table C.1 presents the calculated values for the ac power nonrecovery probabilities used in the best estimate analysis.

Table C.1 AC Power Nonrecovery Probabilities PSF Nominal Time Product of Nonrecovery Nonrecovery Factor Value Available All Others Probability OEP-XHE-XL-NR01H 1.0x10-3 Inadequate -- TRUE OEP-XHE-XL-NR02H 1.0x10-3 10 10 1.0x10-1 OEP-XHE-XL-NR06H 1.0x10-3 0.1 10 1.0x10-3 13 SENSITIVE - NOT FOR PUBLIC DISCLOSURE

LER 286/03-005 Attachment D Response to Comments Comments were provided by the licensee (Ref. 1).

1. Comment from Licensee - Appendix R EDG It is not clear how Indian Points Appendix R emergency diesel generator was modeled in the analysis. The dominant scenario in this analysis is a valid core damage scenario (i.e.,

failure of all emergency diesel generators [EDG] and subsequent failure to recover AC power). However, it was observed that AC power recovery takes credit for operator action to align the gas turbines, but no credit appears to be taken for use of the Appendix R diesel.

The 2nd cutset in Table 3 for Sequence 19-02 appears to include successful operation of the Appendix R diesel, yet the cutset still results in failure. In fact, all the cutsets in which the Appendix R event appears involve success (/EPS-XHE-XM-APPENDR), not failure, of the Appendix R diesel. Furthermore, the 1st and 2nd cutsets for Sequence 19-02 have the exact same failures (OEP-XHE-XM-GTBD, OEP-XHE-NOREC-BD and EPS-DGN-CF-RUN), and only the successes are different. Therefore, the cutsets are not minimal.

Response: The SPAR model credits the Appendix R EDG only for providing reactor blank/default

2. Comment from Licensee - Appendix R EDG, part 2 If the Appendix R diesel is in fact modeled, it doesnt appear that any credit is taken for its success. It should be noted that in typical station blackout scenarios, the Appendix R diesel can be aligned to the normal 480V AC safeguards buses (i.e., 2A/3A, 5A or 6A) and not just the Appendix R safe shutdown bus (i.e., MCC 312A).

Response: See above.

3. Comment from Licensee - Offsite power recovery following battery depletion The assumption that AC power must be recovered before battery depletion, in lieu of continued operation of the turbine-driven auxiliary feedwater pump and no reactor coolant pump seal LOCA (loss of coolant accident), is overly conservative. Restoring offsite power without DC power is more difficult, it is not improbable. In addition, procedures exist for manually closing breakers in the event of a loss of DC power.

Response: All SPAR station blackout models are built with the assumption that AC power must be recovered before battery depletion. The NRC and INEEL are aware of the concern that this is overly conservative, and are evaluating their position on this issue. For a later 14 SENSITIVE - NOT FOR PUBLIC DISCLOSURE

LER 286/03-005 recovery to be credited would require 1) the existence of a procedure for the recovery, 2) training on the recovery operations, and 3) demonstration that the required actions could be performed under the stated conditions (i.e., no DC power).

In the particular case of this analysis, allowing more time for recovery would not necessarily change the quantitative result. Without crediting extraordinary measures to continue operation of the turbine-driven auxiliary feedwater pump, core damage would occur about 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> after battery depletion. In this case the offsite power nonrecovery probability estimated using the SPAR Human Error model would be the same as it is at battery depletion.

4. Comment from Licensee - Unallowed maintenance combinations Some cutsets involve maintenance combinations that would not be permitted during plant operation. As an example, the 9th cutset in Sequence 19-02 (2.8E-7) includes maintenance unavailability of 31 EDG simultaneously with maintenance of 36 service water pump (supplied by 32 EDG). The normal work planning process at IP3 would not schedule maintenance on these components simultaneously.

Response: If you send INEEL your mutually exclusive maintenance list, they will factor it into future updates to the SPAR model. The cut set listed above is not significant in the current analysis.

5. Comment from Licensee - Service water system maintenance unavailability A more specific comment with respect to maintenance unavailability regards the inclusion of basic events representing service water (SW) pump maintenance. Test and maintenance activities are not normally done on SW pumps when they are aligned to the essential service water header. When pumps on the essential header require maintenance, the normal process is to re-align them to the nonessential header and then perform the maintenance. As a result, it is inappropriate to assign an average maintenance unavailability value to a cutset where the SW pump is intended to represent a pump aligned to the essential header. If any unavailability is assigned to SW pumps when they are aligned to the essential header, it would only be for the brief period when a failure has occurred prior to realigning the headers. This would be at least an order of magnitude lower than the values used.

Response: Since the preliminary precursor analysis was performed, INEEL has issued an updated model for Indian Point 3. One of the main changes in this new model is a more accurate treatment of the service water system. While this particular issue was not addressed, INEEL has been made aware of the problem, and will address it in future updates. Meanwhile, for the revised analysis of this LER, the two remaining service water pump maintenance events were set to FALSE so they make no contribution to the quantitative result.

References:

1. Entergy Nuclear Operations, Inc. Comments on Preliminary Accident Sequence Precursor Analysis of August 14, 2003 Operational Event, Letter from Michael R. Kansler to U.S.

Nuclear Regulatory Commission, May 17, 2004 (ML041460505).

15 SENSITIVE - NOT FOR PUBLIC DISCLOSURE

LER 286/03-005 OS S OF OFFSITE POWER REA CTO R EMERGENCY AUXILIARY PORVs RCP S EAL HIGH FEED OFFSITE OFFS ITE SECO NDARY RCS RE SIDUAL HIGH S HUTDOWN PO WER FEEDWATER ARE COO LING PRES SURE AND POWER PO WER SIDE DE PRESS HE AT PRE SSURE CLOSE D MAINTAINE D INJECTIO N BLEED RE CO VERY RECOV ERY COOLDO WN FOR LPI/RHR RE MOV AL RECIRC IN 2 HRS IN 6 HRS IE-LO OP RPS EP S AFW PORV LOSC HPI FAB OPR-02H OPR-06H SSC PZR RHR HPR # END-STA TE 1 OK LOS C-L 16 T2 LOO P-1 3 OK 4 OK 5 CD 6 OK 7 CD 8 OK SENSITIVE - NOT FOR PUBLIC DISCLOSURE 9 CD 10 OK PO RV-L HP R-L 11 CD HPI -L 12 CD 13 OK 14 CD 15 OK A FW-L HP R-L 16 CD FAB -L 17 CD T18 SBO T19 ATWS Figure 1: Indian Point 3 LOOP event tree.

LER 286/03-005 EMERGENCY AUXILIARY PORVs RAPID RCP RCP RCP RCP OF FSITE DIESEL POWER FEEDW ATER ARE SECONDARY SEAL SEAL SEAL SEAL POWER GENERAT OR CLOSED DEPRESS ST AGE 1 STAGE 1 STAGE 2 STAGE 2 RECOVERY RECOVERY INTEGRIT Y INT EGRITY INTEGRITY INTEGRITY (IN 2 HR) (IN 2 HR)

EPS AFW PORV RSD BP1 O1 BP2 O2 OPR-02H DGR-02H # END-STATE NOTES 21 gpm/rcp 1 OK 2 OK 17 3 CD 25-hour-Tcu 182 gpm/rcp T4 SBO-1 5 OK 6 CD 4-hour-Tcu 76 gpm/rcp T7 SBO-1 8 OK 9 CD 9-hour-Tcu 480 gpm/rcp T10 SBO-1 11 OK 12 CD 2-hour-Tcu 21 gpm/rcp T13 SBO-2 14 OK 15 CD 25-hour-Tcu 172 gpm/rcp T16 SBO-2 17 OK 18 CD 3-hour-Tcu SENSITIVE - NOT FOR PUBLIC DISCLOSURE 182 gpm/rcp T19 SBO-2 20 OK 21 CD 3-hour-Tcu 61 gpm/rcp T22 SBO-2 23 OK 24 CD 6-hour-Tcu 300 gpm/rcp T25 SBO-2 26 OK 27 CD 2-hour-Tcu 480 gpm/rcp T28 SBO-2 29 OK 30 CD 2-hour-Tcu 76 gpm/rcp T31 SBO-2 32 OK 33 CD 6-hour-Tcu 300 gpm/rcp T34 SBO-2 35 OK 36 CD 2-hour-Tcu 480 gpm/rcp T37 SBO-2 38 OK 39 CD 2-hour-Tcu PORV-B T40 SBO-2 OP R-01 H 41 OK DGR-01H 42 CD 30-min-Tcu AFW-B T43 SBO-3 OP R-01 H 44 OK DGR-01H 45 CD 30-min-Tcu Figure 2: Indian Point 3 SBO event tree with dominant sequence highlighted.

LER 286/03-005 LOSS OF ALL REACTOR RAPID RCP RCP RCP RCP SEAL COOLING COOLANT SECONDARY SEAL SEAL SEAL SEAL PUMPS DEPRESS STAGE 1 STAGE 1 STAGE 2 STAGE 2 TRIPPED INTEGRITY INTEGRITY INTEGRITY INTEGRITY LOSC RCPT RSD BP1 O1 BP2 O2 # END-STATE NOTES 18 1 OK 21-gpm/rcp 0.200 T2 SLOCA 182-gpm/rcp T3 SLOCA 76-gpm/rcp 0.0125 0.200 T4 MLOCA 480-gpm/rcp 5 OK 21-gpm/rcp SENSITIVE - NOT FOR PUBLIC DISCLOSURE 0.500 T6 SLOCA 172-gpm/rcp 0.200 T7 SLOCA 182-gpm/rcp T8 SLOCA 61-gpm/rcp 0.500 0.500 T9 SLOCA 300-gpm/rcp 0.200 T10 SLOCA 300-gpm/rcp T11 SLOCA 76-gpm/rcp 0.500 0.0125 T12 SLOCA 300-gpm/rcp 0.200 T13 MLOCA 480-gpm/rcp T14 MLOCA 480-gpm/rcp Figure 3: Indian Point 3 LOSC event tree with dominant sequence highlighted.

Retrieved from "https://kanterella.com/w/index.php?title=ML050960051&oldid=2594434"