ML050960252

Final Precursor Analysis - NMP-2 Grid Loop
Site: Nine Mile Point
Issue date: 12/17/2004
From: Christopher Hunter, NRC/RES/DRAA/OERAB
Shared package: ML060030075
References: LER 03-002



Enclosure

Final Precursor Analysis
Accident Sequence Precursor Program --- Office of Nuclear Regulatory Research

Nine Mile Point 2
Automatic Reactor Trip and Loss of Offsite Power Due to the August 14, 2003, Transmission Grid Blackout

Event Date: 8/14/2003
LER: 410/03-002
CCDP¹ = 2×10⁻⁵

December 17, 2004

Event Summary

At 1611 hours on August 14, 2003, Nine Mile Point 2 experienced a disturbance on the electrical grid and a subsequent turbine trip followed by reactor trip while operating at 100% power. Undervoltage conditions occurred on each of the three emergency buses at 1612 hours. Plant emergency diesel generators (EDGs) started and supplied power to safety-related plant loads until offsite power was restored. Attachment A is a timeline of significant events (Refs. 1 and 2).

Cause. The reactor trip and loss of offsite power (LOOP) were caused by grid instability associated with the regional transmission system blackout that occurred on August 14, 2003.

Other conditions, failures, and unavailable equipment. No other significant conditions, failures, or unavailable equipment occurred during the event.

Recovery opportunities. Offsite power was available and within normal voltage and frequency limits at approximately 1756 hours.² Offsite power was restored to the Division 1 emergency bus at 0122 hours on August 15, to the Division 3 emergency bus at 0356 hours, and to the Division 2 emergency bus at 0708 hours.

Analysis Results

Conditional Core Damage Probability (CCDP)

The CCDP for this event is 2×10⁻⁵. The acceptance threshold for the Accident Sequence Precursor Program is a CCDP of 1×10⁻⁶. This event is a precursor.

                 Mean      5%        95%
Best estimate    2×10⁻⁵    3×10⁻⁶    7×10⁻⁵

¹ For the initiating event assessment, the parameter of interest is the measure of the CCDP. This is the value obtained when calculating the probability of core damage for an initiating event with subsequent failure of one or more components following the initiating event. The reported value is the estimated mean CCDP.

² Time that offsite power was first available was changed from preliminary analysis after discussion with licensee and senior resident inspector.

LER 410/03-002

Dominant Sequences

The dominant core damage sequences for this assessment are LOOP sequence 05 (47.8% of the total CCDP) and LOOP/Station Blackout (SBO) sequence 46-59 (34.3% of the total CCDP). The LOOP and station blackout event trees are shown in Figures 1 and 2.

The events and important component failures in LOOP Sequence 05 are:

- loss of offsite power occurs,
- reactor shutdown succeeds,
- emergency power is available,
- high pressure core spray succeeds,
- suppression pool cooling fails,
- manual reactor depressurization succeeds,
- shutdown cooling fails,
- containment spray fails, and
- containment venting fails.

The events and important component failures in LOOP Sequence 46-59 are:

- loss of offsite power occurs,
- reactor shutdown succeeds,
- emergency power is unavailable,
- Division 3 power is unavailable,
- safety relief valves (SRVs) reclose,
- reactor core isolation cooling fails, and
- ac power is not recovered in 30 minutes.

Results Tables

- The CCDP values for the dominant sequences are shown in Table 1.
- The event tree sequence logic for the dominant sequences is presented in Table 2a.
- Table 2b defines the nomenclature used in Table 2a.
- The most important cut sets for the dominant sequences are listed in Table 3.
- Table 4 presents names, definitions, and probabilities of (1) basic events whose probabilities were changed to update the referenced SPAR model, (2) basic events whose probabilities were changed to model this event, and (3) basic events that are important to the CCDP result.

Modeling Assumptions

Assessment Summary

This event was modeled as a loss of offsite power initiating event. Rev. 3.10 (SAPHIRE 7) of the Nine Mile Point 2 SPAR model (Ref. 3) was used for this assessment. The specific model version used as a starting point for this analysis is dated December 31, 2004.

Since this event involves a LOOP of significant duration (potentially longer than the battery depletion time), probabilities of nonrecovery of offsite power at different times following the LOOP are important factors in the estimation of the CCDP.

Best estimate: Offsite power was available and within normal voltage and frequency limits at approximately 1756 hours. Failure to recover offsite power to plant safety-related loads (if needed because EDGs fail to supply the loads), given recovery of power to the switchyard, could result from (1) operators failing to restore proper breaker line-ups, (2) breakers failing to close on demand, or (3) a combination of operator and breaker failures.

The dominant contributor to failure to recover offsite power to plant safety-related loads in this situation is operators failing to restore proper breaker line-ups. This analysis assumed that at least 30 minutes are necessary to restore power to an emergency bus given that offsite power is available in the switchyard. The time available for operators to restore proper breaker line-ups to prevent core damage is dependent on specific accident sequences and is modeled as such using the SPAR human reliability model (Ref. 4).

Assumptions described below, combined with the assumption of offsite power restoration described above, form the bases for the LOOP nonrecovery probabilities.

Important Assumptions

Important assumptions regarding power recovery modeling include the following:

- No opportunity for the recovery of offsite power to safety-related loads is considered for any time prior to power being available in the switchyard.
- At least 30 minutes are required to restore power to emergency loads after power is available in the switchyard.
- SPAR models do not credit offsite power recovery following battery depletion.

The GEM program used to determine the CCDP for this analysis will calculate probabilities of recovering offsite power at various time points of importance to the analysis based on historical data for grid-related LOOPs. In this analysis, this feature was overridden; offsite power recovery probabilities were based on (1) known information about when power was restored to the switchyard and (2) use of the SPAR human error model to estimate probabilities of failing to realign power to emergency buses for times after power was restored to the switchyard.

Attachment B is a general description of analysis of loss of offsite power events in the Accident Sequence Precursor Program. It includes a description of the approach to estimating offsite power recovery probabilities.

Basic event probability changes

Table 4 includes basic events whose probabilities were changed to reflect the event being analyzed. The bases for these changes are as follows:

- Probability of failure to recover offsite power in 30 minutes (OEP-XHE-XL-NR30M). During the event, offsite power of sufficient quality was not available in the switchyard until approximately 1.5 hours after the LOOP. Therefore, there was no opportunity to recover offsite power in 30 minutes and OEP-XHE-XL-NR30M was set to TRUE.

- Probability of failure to recover offsite power in 1 hour (OEP-XHE-XL-NR01H). During the event, offsite power of sufficient quality was not available in the switchyard until approximately 1.5 hours after the LOOP. Therefore, there was no opportunity to recover offsite power in 1 hour and OEP-XHE-XL-NR01H was set to TRUE.

- Probability of failure to recover offsite power in 2 hours (OEP-XHE-XL-NR02H). During the event, offsite power of sufficient quality was not available in the switchyard until approximately 1.5 hours after the LOOP. Therefore, the operators had approximately 30 minutes to recover offsite power to the vital safety buses. Using the SPAR human error model to determine the value (see Attachment C), OEP-XHE-XL-NR02H was set to 1.0×10⁻¹.

- Probability of failure to recover offsite power in 4 hours (OEP-XHE-XL-NR04H). During the event, offsite power of sufficient quality was not available in the switchyard until approximately 1.5 hours after the LOOP. Therefore, the operators had approximately 2.5 hours to recover offsite power to the vital safety buses. Using the SPAR human error model to determine the value (see Attachment C), OEP-XHE-XL-NR04H was set to 1.0×10⁻².

- Probability of failure to recover offsite power in 8 hours (OEP-XHE-XL-NR08H). During the event, offsite power of sufficient quality was not available in the switchyard until approximately 1.5 hours after the LOOP. Therefore, the operators had approximately 6.5 hours to recover offsite power to the vital safety buses. Using the SPAR human error model to determine the value (see Attachment C), OEP-XHE-XL-NR08H was set to 1.0×10⁻³.

- Probability of failure to recover offsite power in 10 hours (OEP-XHE-XL-NR10H). During the event, offsite power of sufficient quality was not available in the switchyard until approximately 1.5 hours after the LOOP. Therefore, the operators had approximately 8.5 hours to recover offsite power to the vital safety buses. Using the SPAR human error model to determine the value (see Attachment C), OEP-XHE-XL-NR10H was set to 1.0×10⁻³.

- Probability of failure to recover offsite power in 12 hours (OEP-XHE-XL-NR12H). During the event, offsite power of sufficient quality was not available in the switchyard until approximately 1.5 hours after the LOOP. Therefore, the operators had approximately 10.5 hours to recover offsite power to the vital safety buses. Using the SPAR human error model to determine the value (see Attachment C), OEP-XHE-XL-NR12H was set to 1.0×10⁻³.

- Probability of diesel generators failing to run (ZT-DGN-FR-L). The default diesel generator mission times were changed to reflect the actual time to recover power to the first safety bus (9.25 hours). Since the overall fail-to-run is made up of two separate factors, the mission times for the factors were set to the following: ZT-DGN-FR-E = 1 hour (base case value) and ZT-DGN-FR-L = 8.25 hours.

References

1. Licensee Event Report 410/03-002, Revision 0, Reactor Scram Due to Electric Grid Disturbance, event date August 14, 2003 (ADAMS Accession No. ML0329701090).
2. NRC Region 1 Grid Special Report, October 15, 2003 (ADAMS Accession No. ML0324102160).
3. J. A. Schroeder, Standardized Plant Analysis Risk Model for Nine Mile Point 2 (ASP BWR C), Revision 3.11, December 2004.
4. D. Gertman, et al., SPAR-H Method, INEEL/EXT-02-10307, Draft for Comment, November 2002 (ADAMS Accession No. ML0315400840).

Table 1. Conditional probabilities associated with the highest probability sequences.

Event tree name          Sequence no.    Conditional core damage probability (CCDP)¹    Percentage contribution
LOOP                     05              1.1×10⁻⁵                                        47.8%
LOOP/SBO                 46-59           7.9×10⁻⁶                                        34.3%
Total (all sequences)²                   2.3×10⁻⁵

1. Values are point estimates. (File name: GEM 410-03-002 03-21-2005.wpd)
2. Total CCDP includes all sequences (including those not shown in this table).

Table 2a. Event tree sequence logic for the dominant sequences.

Event tree name    Sequence no.    Logic (/ denotes success; see Table 2b for top event names)
LOOP               05              /RPS, EPS, /SRV, /HCS, SPC, /DEP, SDC, CSS, CVS
LOOP/SBO           46-59           /RPS, EPS, B1, /SRV, RCI, AC-30MIN

Table 2b. Definitions of fault trees listed in Table 2a.

B1     DIVISION III AC POWER IS UNAVAILABLE
CSS    CONTAINMENT SPRAY FAILS
CVS    CONTAINMENT VENTING FAILS
DEP    MANUAL DEPRESSURIZATION FAILS
EPS    EMERGENCY POWER IS UNAVAILABLE
HCS    HPCS FAILS TO PROVIDE SUFFICIENT FLOW TO REACTOR VESSEL
RCI    RCIC FAILS TO PROVIDE SUFFICIENT FLOW TO REACTOR VESSEL
RPS    REACTOR SHUTDOWN FAILS
SDC    SHUTDOWN COOLING FAILS
SPC    SUPPRESSION POOL COOLING FAILS
SRV    OPEN SRVS FAIL TO CLOSE

Table 3. Conditional cut sets for dominant sequences.

CCDP¹       Percent contribution    Minimal cut sets²

Event Tree: LOOP, Sequence 05
6.0×10⁻⁶    54.2                    RHR-XHE-XM-ERROR  CVS-XHE-XM-VENT
9.0×10⁻⁷    8.1                     RHR-XHE-XM-ERROR  CVS-AOV-CC-AV101
9.0×10⁻⁷    8.1                     RHR-XHE-XM-ERROR  CVS-AOV-CC-AV109
9.0×10⁻⁷    8.1                     RHR-XHE-XM-ERROR  CVS-AOV-CC-AV111
1.1×10⁻⁵    Total (all cut sets)³

Event Tree: LOOP, Sequence 46-59
2.9×10⁻⁶    36.7                    EPS-DGN-CF-RUN  EPS-XHE-XL-NR30MIN  RCI-TDP-TM-TRAIN
9.2×10⁻⁷    11.6                    EPS-DGN-CF-START  EPS-XHE-XL-NR30MIN  RCI-TDP-TM-TRAIN
8.2×10⁻⁷    10.3                    EPS-DGN-CF-RUN  EPS-XHE-XL-NR30MIN  RCI-TDP-FS-TRAIN  RCI-XHE-XL-START
7.9×10⁻⁶    Total (all cut sets)³

1. Values are point estimates.
2. See Table 4 for definitions and probabilities for the basic events.
3. Totals include all cut sets (including those not shown in this table).

Table 4. Definitions and probabilities for modified or dominant basic events.

Event name          Description                                             Probability/frequency    Modified
CVS-AOV-CC-AV101    ISOLATION VALVE AOV101 FAILS TO OPEN                    9.0×10⁻⁴                 No
CVS-AOV-CC-AV109    ISOLATION VALVE AOV109 FAILS TO OPEN                    9.0×10⁻⁴                 No
CVS-AOV-CC-AV111    ISOLATION VALVE AOV111 FAILS TO OPEN                    9.0×10⁻⁴                 No
CVS-XHE-XM-VENT     OPERATOR FAILS TO VENT CONTAINMENT                      6.0×10⁻³                 No
EPS-DGN-CF-RUN      COMMON CAUSE FAILURE OF DIESEL GENERATORS TO RUN        2.7×10⁻⁴                 No
EPS-DGN-CF-START    COMMON CAUSE FAILURE OF DIESEL GENERATORS TO START      8.4×10⁻⁵                 No
EPS-XHE-XL-NR30M    OPERATOR FAILS TO RECOVER EDG IN 30 MINUTES             9.2×10⁻¹                 No
IE-LOOP             LOSS OF OFFSITE POWER INITIATING EVENT                  1.0                      Yes¹
OEP-XHE-XL-NR30M    OFFSITE POWER NOT RECOVERED IN 30 MINUTES               TRUE                     Yes²
OEP-XHE-XL-NR01H    OFFSITE POWER NOT RECOVERED IN 1 HOUR                   TRUE                     Yes²
OEP-XHE-XL-NR02H    OFFSITE POWER NOT RECOVERED IN 2 HOURS                  1.0×10⁻¹                 Yes²
OEP-XHE-XL-NR04H    OFFSITE POWER NOT RECOVERED IN 4 HOURS                  1.0×10⁻²                 Yes²
OEP-XHE-XL-NR08H    OFFSITE POWER NOT RECOVERED IN 8 HOURS                  1.0×10⁻³                 Yes²
OEP-XHE-XL-NR10H    OFFSITE POWER NOT RECOVERED IN 10 HOURS                 1.0×10⁻³                 Yes²
OEP-XHE-XL-NR12H    OFFSITE POWER NOT RECOVERED IN 12 HOURS                 1.0×10⁻³                 Yes²
RCI-TDP-FS-TRAIN    RCIC PUMP FAILS TO START                                6.0×10⁻³                 No
RCI-TDP-TM-TRAIN    RCIC PUMP IS UNAVAILABLE DUE TO TEST AND MAINTENANCE    1.2×10⁻²                 No
RCI-XHE-XL-START    OPERATOR FAILS TO RECOVER RCIC FAILURE TO START         5.6×10⁻¹                 No
RHR-XHE-XM-ERROR    OPERATOR FAILS TO START/CONTROL RHR                     1.0×10⁻³                 No
ZT-DGN-FR-L         DIESEL GENERATOR FAILS TO RUN (LATE)                    6.6×10⁻³                 Yes³

1. Initiating event assessment; all other initiating event frequencies set to zero.
2. Evaluated per the SPAR-H method (Ref. 4). See report and Attachment C for further details.
3. Changed mission times to correspond to the time offsite power was restored to the first vital bus. See report and Basic Event Probability Changes for further details.
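
The point estimates in Table 3 can be cross-checked against the basic-event probabilities in Table 4. The following is an added example, not part of the NRC analysis or of the SAPHIRE/GEM software. It assumes each cut-set probability is the plain product of its basic events (IE-LOOP = 1.0) and that Table 3's EPS-XHE-XL-NR30MIN is the event Table 4 lists as EPS-XHE-XL-NR30M; the function names are hypothetical.

```python
from math import prod

# Basic-event probabilities copied from Table 4. IE-LOOP is 1.0 for an
# initiating event assessment, so it drops out of every product.
BASIC_EVENTS = {
    "CVS-AOV-CC-AV101": 9.0e-4,
    "CVS-AOV-CC-AV109": 9.0e-4,
    "CVS-AOV-CC-AV111": 9.0e-4,
    "CVS-XHE-XM-VENT": 6.0e-3,
    "EPS-DGN-CF-RUN": 2.7e-4,
    "EPS-DGN-CF-START": 8.4e-5,
    "EPS-XHE-XL-NR30M": 9.2e-1,
    "RCI-TDP-FS-TRAIN": 6.0e-3,
    "RCI-TDP-TM-TRAIN": 1.2e-2,
    "RCI-XHE-XL-START": 5.6e-1,
    "RHR-XHE-XM-ERROR": 1.0e-3,
}

# Assumption: Table 3 writes the EDG recovery event as "...NR30MIN" while
# Table 4 lists "...NR30M"; this example treats them as the same event.
ALIASES = {"EPS-XHE-XL-NR30MIN": "EPS-XHE-XL-NR30M"}

# Reported point estimates and cut sets copied from Table 3.
TABLE_3 = {
    "LOOP 05": {
        "total": 1.1e-5,
        "cut_sets": [
            (6.0e-6, ("RHR-XHE-XM-ERROR", "CVS-XHE-XM-VENT")),
            (9.0e-7, ("RHR-XHE-XM-ERROR", "CVS-AOV-CC-AV101")),
            (9.0e-7, ("RHR-XHE-XM-ERROR", "CVS-AOV-CC-AV109")),
            (9.0e-7, ("RHR-XHE-XM-ERROR", "CVS-AOV-CC-AV111")),
        ],
    },
    "LOOP/SBO 46-59": {
        "total": 7.9e-6,
        "cut_sets": [
            (2.9e-6, ("EPS-DGN-CF-RUN", "EPS-XHE-XL-NR30MIN",
                      "RCI-TDP-TM-TRAIN")),
            (9.2e-7, ("EPS-DGN-CF-START", "EPS-XHE-XL-NR30MIN",
                      "RCI-TDP-TM-TRAIN")),
            (8.2e-7, ("EPS-DGN-CF-RUN", "EPS-XHE-XL-NR30MIN",
                      "RCI-TDP-FS-TRAIN", "RCI-XHE-XL-START")),
        ],
    },
}


def cut_set_probability(events):
    """Probability of one minimal cut set: the product of its basic events."""
    probs = []
    for name in events:
        key = ALIASES.get(name, name)
        if key not in BASIC_EVENTS:
            raise KeyError(f"basic event {name!r} has no Table 4 probability")
        probs.append(BASIC_EVENTS[key])
    return prod(probs)


def requantify(sequence):
    """Recompute each listed cut set and compare it with the reported value."""
    entry = TABLE_3[sequence]
    rows = []
    for reported, events in entry["cut_sets"]:
        computed = cut_set_probability(events)
        rows.append({
            "events": events,
            "reported": reported,
            "computed": computed,
            "rel_diff": abs(computed - reported) / reported,
            "percent_of_sequence": 100.0 * computed / entry["total"],
        })
    return rows


def unlisted_fraction(sequence):
    """Share of the sequence total carried by cut sets Table 3 does not list."""
    entry = TABLE_3[sequence]
    listed = sum(row["computed"] for row in requantify(sequence))
    return 1.0 - listed / entry["total"]


if __name__ == "__main__":
    for seq in TABLE_3:
        print(seq)
        for row in requantify(seq):
            print(f"  {row['computed']:.2e} (reported {row['reported']:.1e}, "
                  f"diff {row['rel_diff']:.1%}, "
                  f"{row['percent_of_sequence']:.1f}%)  "
                  + " * ".join(row["events"]))
        print(f"  unlisted cut sets: {unlisted_fraction(seq):.1%}")
```

The recomputed products agree with Table 3 to within a few percent; the residual differences are consistent with the tables showing rounded two-digit values.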

Attachment A
Event Timeline

Table A.1 Timeline of significant events.

Date       Time    Event
8/14/03    1611    Turbine trip and reactor trip due to grid instability
8/14/03    1612    Offsite power is lost to emergency buses; emergency diesel generators automatically start and load to power the emergency buses
8/14/03    2235    Offsite power is restored to the switchyard
8/15/03    0122    Division 1 emergency bus is switched to offsite power source
8/15/03    0356    Division 3 emergency bus is switched to offsite power source
8/15/03    0708    Division 2 emergency bus is switched to offsite power source

Attachment B
LOOP Analysis Procedure

This procedure is not intended to stand alone; instead it is intended to augment ASP Guideline A: Detailed Analysis.³ LOOP event analyses are a type of initiating event assessment as described in ASP Guideline A. Specific analysis steps that are unique to ASP analysis of LOOP events are included here.

1. Determine significant facts associated with the event.

1.1 Determine when the LOOP occurred.

1.2 Determine when stable offsite power was first available in the switchyard.

1.3 Determine when offsite power was first restored to an emergency bus.

1.4 Determine when offsite power was fully restored (all emergency buses powered from offsite, EDGs secured).

1.5 Identify any other significant conditions, failures, or unavailabilities that coincided with the LOOP.

2. Model power recovery factors associated with the best estimate case and any defined sensitivity cases.

2.1 For the best estimate case, the LOOP duration is the time between the occurrence of the LOOP and the time when stable power was available in the switchyard plus the assumed time required to restore power from the switchyard to emergency buses. Attachment C documents the probabilistic analysis of power recovery factors for the best estimate case analysis.

2.2 If EDGs successfully start and supply emergency loads, plant operators do not typically rush to restore offsite power to emergency buses, preferring to wait until grid stability is more certain. Therefore, a typical upper bound sensitivity case considers the LOOP duration as the time between the occurrence of the LOOP and the time when offsite power was first restored to an emergency bus. Attachment C documents the probabilistic analysis of power recovery factors for the sensitivity case analysis.

3. Model event-specific mission durations for critical equipment for the best estimate case and any defined sensitivity cases. (For most equipment, SPAR model failure probabilities are not functions of defined mission durations and are therefore not affected by this analysis step. Notable exceptions include EDGs and, for PWRs, turbine-driven auxiliary feedwater pumps.)

3.1 For the best estimate case, mission durations are set equal to the assumed LOOP duration as defined in Step 2.1 above.

3.2 For a typical upper bound sensitivity case, mission durations are set equal to the time between the occurrence of the LOOP and the time when offsite power was fully restored to all emergency buses. (Note these mission durations are longer than the assumed LOOP duration defined in Step 2.2 above; they are intended to represent the longest possible mission duration for any critical equipment item.)

³ ASP Guideline A: Detailed Analysis, U.S. Nuclear Regulatory Commission.

Attachment C
Power Recovery Modeling

Background

The time required to restore offsite power to plant emergency equipment is a significant factor in modeling the CCDP given a LOOP. SPAR LOOP/SBO models include various sequence-specific ac power recovery factors that are based on the time available to recover power to prevent core damage. For a sequence involving failure of all of the cooling sources, only about 30 minutes would be available to recover power to help avoid core damage. On the other hand, sequences involving successful early inventory control and decay heat removal, but failure of long-term decay heat removal, would accommodate several hours to recover ac power prior to core damage.

In this analysis, offsite power recovery probabilities are based on (1) known information about when power was restored to the switchyard and (2) estimated probabilities of failing to realign power to emergency buses for times after offsite power was restored to the switchyard. Power restoration times were reported by the licensee in the LER and in response to the questionnaire that was conducted by the NRC Regional Office. The time used is the time at which the grid operator informed the plant that power was available to the switchyard (with a load limit). Although the load limit was adequate to energize plant equipment and, if necessary, prevent the occurrence of an SBO sequence, plant operators did not immediately load safety buses onto the grid. This ASP analysis does not consider the possibility that grid power would have been unreliable if that power were immediately used.

Failure to recover offsite power to plant safety-related loads (if needed because EDGs fail to supply the loads), given recovery of power to the switchyard, could result from (1) operators failing to restore proper breaker line-ups, (2) breakers failing to close on demand, or (3) a combination of operator and breaker failures. The dominant contributor to failure to recover offsite power to plant safety-related loads in this situation is operators failing to restore proper breaker line-ups. The SPAR human error model (ref.) was used to estimate nonrecovery probabilities as a function of time following restoration of offsite power to the switchyard. The best estimate analysis assumes that at least 30 minutes are necessary to restore offsite power to emergency buses given offsite power is available in the switchyard.

Human Error Modeling

The SPAR human error model generally considers the following three factors:

- Probability of failure to diagnose the need for action
- Probability of failure to successfully perform the desired action
- Dependency on other operator actions involved in the specific sequence of interest

This analysis assumes no probability of failure to diagnose the need to recover ac power and no dependency between operator performance of the power recovery task and any other task the operators may need to perform. Thus, each estimated ac power nonrecovery probability is based solely on the probability of failure to successfully perform the desired action.

The probability of failure to perform an action is the product of a nominal failure probability (1.0×10⁻³) and the following eight performance shaping factors (PSFs):

- Available time
- Stress
- Complexity
- Experience/training
- Procedures
- Ergonomics
- Fitness for duty
- Work processes

For each ac power nonrecovery probability, the PSF for available time is assigned a value of 10 if the time available to perform the action is approximately equal to the time required to perform the action, 1.0 if the time available is between 2 and 4 times the time required, and 0.1 if the time available is greater than or equal to 5 times the time required. If the time available is inadequate (i.e., less than the time to restoration of power to the switchyard plus 15 minutes for the best estimate), the ac power nonrecovery probability is 1.0 (TRUE).

The PSF for stress is assigned a value of 5 (corresponding to extreme stress) for all ac power nonrecovery probabilities. Factors considered in assigning this PSF include the sudden onset of the LOOP initiating event, the duration of the event, the existence of compounding equipment failures (ac power recovery is needed only if one or more emergency buses are not powered by EDGs), and the existence of a direct threat to the plant.

For all of the ac power nonrecovery probabilities, the PSF for complexity is assigned a value of 2 (corresponding to moderately complex) based on the need for multiple breaker alignments and verifications.

For all of the ac power nonrecovery probabilities, the PSFs for experience/training, procedures, ergonomics, fitness for duty, and work processes are assumed to be nominal (i.e., are assigned values of 1.0).

Results

Table C.1 presents the calculated values for the ac power nonrecovery probabilities used in the best estimate analysis.

Table C.1 AC Power Nonrecovery Probabilities

Nonrecovery factor    Nominal value    PSF: time available    PSF: product of all others    Nonrecovery probability
OEP-XHE-XL-NR30M      1.0×10⁻³         Inadequate             --                            TRUE
OEP-XHE-XL-NR01H      1.0×10⁻³         Inadequate             --                            TRUE
OEP-XHE-XL-NR02H      1.0×10⁻³         10                     10                            1.0×10⁻¹
OEP-XHE-XL-NR04H      1.0×10⁻³         1                      10                            1.0×10⁻²
OEP-XHE-XL-NR08H      1.0×10⁻³         0.1                    10                            1.0×10⁻³
OEP-XHE-XL-NR10H      1.0×10⁻³         0.1                    10                            1.0×10⁻³
OEP-XHE-XL-NR12H      1.0×10⁻³         0.1                    10                            1.0×10⁻³
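
Table C.1 follows from the PSF assignments described above. This is an added example, not code from the NRC analysis or any SPAR-H tool. The available-time PSFs are taken as tabulated in Table C.1, the 1.5-hour switchyard delay is the figure used in the basic event probability changes, and all function and variable names are hypothetical.

```python
from math import prod

NOMINAL_HEP = 1.0e-3        # nominal failure probability for the action
SWITCHYARD_DELAY_H = 1.5    # hours from the LOOP until switchyard power,
                            # as stated in the basic event probability changes

# PSFs other than available time, with the values assigned in Attachment C.
OTHER_PSFS = {
    "stress": 5,                # extreme stress
    "complexity": 2,            # moderately complex
    "experience_training": 1,   # nominal
    "procedures": 1,            # nominal
    "ergonomics": 1,            # nominal
    "fitness_for_duty": 1,      # nominal
    "work_processes": 1,        # nominal
}

# Recovery window (hours after the LOOP) for each basic event.
EVENT_WINDOWS_H = {
    "OEP-XHE-XL-NR30M": 0.5,
    "OEP-XHE-XL-NR01H": 1.0,
    "OEP-XHE-XL-NR02H": 2.0,
    "OEP-XHE-XL-NR04H": 4.0,
    "OEP-XHE-XL-NR08H": 8.0,
    "OEP-XHE-XL-NR10H": 10.0,
    "OEP-XHE-XL-NR12H": 12.0,
}

# Available-time PSF per window, copied from Table C.1. Windows that close
# before switchyard power returns have no PSF ("Inadequate" in the table).
TIME_PSF_BY_WINDOW_H = {2.0: 10, 4.0: 1, 8.0: 0.1, 10.0: 0.1, 12.0: 0.1}


def available_hours(window_h, delay_h=SWITCHYARD_DELAY_H):
    """Time operators have to realign breakers inside a recovery window."""
    return window_h - delay_h


def nonrecovery_probability(window_h, other_psfs=None):
    """Nominal probability times all PSFs; 1.0 (TRUE) if time is inadequate."""
    psfs = OTHER_PSFS if other_psfs is None else other_psfs
    if any(value <= 0 for value in psfs.values()):
        raise ValueError("PSF multipliers must be positive")
    if available_hours(window_h) <= 0:
        return 1.0  # no switchyard power inside the window: recovery impossible
    if window_h not in TIME_PSF_BY_WINDOW_H:
        raise ValueError(f"no tabulated time PSF for a {window_h} h window")
    hep = NOMINAL_HEP * TIME_PSF_BY_WINDOW_H[window_h] * prod(psfs.values())
    return min(1.0, hep)  # a probability cannot exceed 1.0


def table_c1():
    """Nonrecovery probability for every OEP-XHE-XL-* event in Table C.1."""
    return {name: nonrecovery_probability(window)
            for name, window in EVENT_WINDOWS_H.items()}


if __name__ == "__main__":
    for name, p in table_c1().items():
        window = EVENT_WINDOWS_H[name]
        label = "TRUE" if p == 1.0 else f"{p:.1e}"
        print(f"{name}  available {available_hours(window):+5.1f} h  ->  {label}")
```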

Attachment D
Response to Comments

Comments were provided by the licensee (Ref. 1).

1. Comment from Licensee - EDG failure data The NRC PPA uses older data for EDG failure probability. Also, as can be seen from Tables DATA-2 and DATA-3, NMP2 EDG performance has improved substantially over time. Therefore, it is recommended that the NRC consider using lower values for EDG failure rate. It is also recommended that NRC delete the statement that NMP2 EDG failure rate is "... higher than industry average..." or at least modify the statement to clarify that the data used is over 11 years old and not reflective of current reliability.

Response: The EDG data used in the final analysis has been updated.

2. Comment from Licensee - EDG recovery No basis for the assumption that Emergency Diesel Generators (EDGs) cannot be recovered is provided in the PPA. The NMP2 PRA model includes credit for EDG recovery based on NUREG-1032. It is recommended that the PPA consider crediting EDG recovery.

Response: Credit is given for EDG recovery in the final analysis.

3. Comment from Licensee - Offsite power recovery The assumption that offsite power failed and was not recoverable for over 6 hours is overly conservative. The PPA assumes that offsite power was unavailable until reported stable by load dispatchers but this assumption unduly penalizes the plant for appropriate conservative operational decision-making...

Response: After examination of the plant information provided by the licensee, and after conversation with the SRI, this analysis credits that power was available to the switchyard 1 hour and 45 minutes after the loss of offsite power occurred. This is consistent with the NMP-1 final analysis.

4. Comment from Licensee - Sequence specific comments Sequence 46-02: The PPA summarizes a set of dominant accident cutsets wherein a LOSP initiator occurs followed by Division 1 EDG failure, Division 2 EDG failure, Division 3/High Pressure Core Spray (HPCS) success, and failure to recover AC power in 8 hours.

Given this sequence, operators have procedural direction to cross-tie the HPCS EDG to the Division 1 or 2 switchgear. This alignment allows the HPCS EDG to maintain Safety-Related Direct Current (DC) power over the long term, as well as providing for Low Pressure Coolant Injection (LPCI)/Residual Heat Removal (RHR) with low pressure ECCS.

This capability is modeled in the NMP2 PRA as redundant to AC power recovery and should be credited in the PPA as well. The alignment is fairly time-consuming and the NMP2 PRA does not credit the action before 2 hours after the initiating event occurs.

14

LER 410/03-002 Response: In the final analysis Sequence 46-02 has lower CCDP and therefore the changes proposed by the licensee would have a negligible effect on the quantitative result.

Therefore, the change was not made.

Sequence 46-49: The PPA summarizes a set of dominant accident cutsets wherein a LOSP initiator occurs followed by Div 1 EDG failure, Div 2 EDG failure, Div 3 EDG Failure, and failure of RCIC to start. For this event, condensate-feedwater would have been available and redundant to RCIC. Condensate-feedwater is supplied by the non-safety AC system which remained available from offsite power. With loss of 115 kV to the emergency switchgear and no EDGs operating, service water pumps would be idle. This would eliminate the heat sink for Turbine Building Closed Loop Cooling (TBCLC), which is required for pump cooling. Therefore, condensate-feedwater could not be credited with RPV level control over the long term but it would support success throughout the first phases of Station Blackout (SBO) response. It is recommended that the PPA analysis model this case using an "AND" gate for feedwater and early RCIC operation such that these sequences would be recoverable up to 2 to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. When combined with fire pump or Control Rod Drive (CRD) operation, see below, AC recovery for up to 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> may also be justifiable in the PPA model. Note that CRD has a similar support requirement to feedwater in that reactor building closed loop cooling (RBCLC) is required for long term component cooling.

Response: We agree with the licensee that some credit should be given for condensate and feed in Sequence 46-49 (Sequence 46-59 in new model). However, the change was not made due to model and time constraints. In addition, the change would not have affected the overall CCDP greatly.

Sequence 46-41: The PPA summarizes a set of dominant accident cutsets wherein a LOSP initiator occurs followed by Div 1 EDG failure, Div 2 EDG failure, Div 3 EDG failure, and failure of the diesel fire pump (DFP). The SBO event tree included in the analysis appears to require fire water for long-term RPV injection following RCIC success. Fire water is required for the 8 hour AC recovery case but not the 4 hour case. However, RCIC can support RPV control for at least 8 hours independent of Diesel Fuel Pump (DFP) operation. The NMP2 PRA requires the DFP only if RCIC operates for 2 hours and then fails prior to 8 hours. If RCIC operates successfully for 8 hours, the 8 hour AC recovery case is applied independent of DFP status. It is recommended that the PPA model success criteria be reconsidered. Also, independent of the 4 hours versus 8 hour success criteria, in the 8/2003 event, the electric fire pump was available from powerboard 2NNS-SWG012. Also, CRD was available from powerboards 2NNS-SWG014 and 2NNS-SWG015. For the evaluation of this event, these sources should be considered redundant to the DFP.

Response: In the final analysis Sequence 46-41 has lower CCDP and therefore the changes proposed by the licensee would have a negligible effect on the quantitative result. Therefore, the change was not made.

8-hour Offsite Power Recovery: In the PPA analysis, the value for failure to recover AC power in 8 hours was increased from 1E-3 to 1E-2. This appears to be due to the time window available between when load dispatchers declared the grid stable and the expiration of the 8 hour time window. Even if it were assumed that operators would have waited for the load dispatchers before trying to recover offsite power given EDG failures, it is highly doubtful that they would also wait for the load dispatchers before staging their actions. In this regard, the reduction from 1E-3 to 1E-2 is overly conservative. Operator focus regarding offsite power recovery would have been keen throughout the event. Given failure of EDGs, elapse of 6 hours, and staffing of the emergency response facilities, it is difficult to believe the PPA's 2 hour recovery window (i.e., from hour 6 to hour 8) is reflective of the non-response probability related to the conditions encountered in this event. It is therefore recommended that NRC reconsider the penalty applied to the 8-hour AC power recovery basic event.

Response: Due to the change explained in the response to Comment 3, this comment is no longer applicable.

References:

1. Constellation Energy Nuclear Operations, Inc. Review and Comment: Nine Mile Point Unit 2 Preliminary Accident Sequence Precursor Analysis of the August 14, 2003 Operational Event, Letter from William C. Holston to U.S. Nuclear Regulatory Commission, May 17, 2004 (ML041480354).


Figure 1: Nine Mile Point 2 LOOP event tree with dominant sequence highlighted. Top events: IE-LOOP, RPS, EPS, SRV, HCS, RCI, DEP, CRD, LCS, LCI, VA, SPC, DEP, SDC, CSS, CVS, CR1, VA2. End states: OK or CD. Transfers: LOOP-1, LOOP-2, SBO, ATWS.

Figure 2: Nine Mile Point 2 SBO event tree with dominant sequence highlighted. Top events: EPS, B1, DGX, HCS, SRV, RCI, HCS, DEP, FW2, DE3, DCL, AC. End states: OK or CD. Transfer: SBO-1.