ML051790379
| ML051790379 | |
| Person / Time | |
|---|---|
| Site: | Palo Verde |
| Issue date: | 06/14/2004 |
| From: | Eliezer Goldfeiz NRC/RES/DRAA/OERAB |
| To: | |
| References | |
| IR 2004012, LER 2004-006-00 | |
Final Precursor Analysis
Accident Sequence Precursor Program -- Office of Nuclear Regulatory Research

Palo Verde Nuclear Generating Station, Units 1, 2, & 3
Loss of Offsite Power to All Three Units and Failure of a Unit 2 Emergency Diesel Generator

Event Date: 6/14/2004
LER: 528/04-006
IR: 50-528/04-012
CCDP¹ = 4×10⁻⁵ (Unit 2), 9×10⁻⁶ (Units 1 & 3)

¹ For an initiating event assessment, the parameter of interest is the measure of the conditional core damage probability (CCDP). This value is obtained when calculating the probability of core damage for an initiating event with subsequent failure of one or more components following the initiating event.

March 05, 2005

Event Summary

On June 14, 2004, at approximately 7:41 a.m. MST, a ground fault occurred on Phase C of a 230 kV transmission line in northwest Phoenix, Arizona, between the West Wing and Liberty substations located approximately 47 miles from the Palo Verde Nuclear Generating Station (PVNGS). A failure in the protective relaying resulted in the ground fault not isolating from the local grid for approximately 38 seconds. This uninterrupted fault cascaded into the protective tripping of a number of 230 kV and 500 kV transmission lines, a nearly concurrent trip of all three PVNGS units and the loss of six additional generation units nearby within approximately 30 seconds of fault initiation.
Offsite power was restored to the East Switchyard Bus at 0813, 32 minutes after power was lost.
Licensed operators declared the grid stable at 0830, and at 0838 and 0844, power was restored to the Startup Transformers X01 and X03 respectively. All three units were shut down and stabilized under hot shutdown conditions.
Important conditions and complications experienced during the event include:
- Unit 2 Emergency Diesel Generator (EDG) A failed to load after receiving the start signal due to undervoltage on the Train A 4.16 kV bus. The EDG could not maintain voltage with applied loads and was tripped by control room operators. The cause of the failure was a failed diode in Phase B of the voltage regulator exciter circuit. The failed diode was not diagnosed until several hours after offsite power was restored to the first vital bus, and therefore would not have been recoverable prior to core damage during a postulated core uncovery sequence, such as a station blackout event (SBO).
- Unit 2 Train A engineered safeguards (ESF) busses were de-energized due to loss of the Train A EDG. Offsite power was restored, supplying Train A 4.16 kV bus at 0927.
- Units 1 and 3 had a failure of two 13.8 kV circuit breakers (one for each unit) to close during the recovery of offsite power. If needed, alternate breakers were available to supply offsite power to another train of vital busses.
In addition to the equipment malfunctions, two operator performance weaknesses were displayed during the event:
- Unit 2 charging pump E tripped on low suction pressure due to operator error. An operator failed to align the pump to the refueling water storage tank (RWST) and the pump became air bound, and therefore it could not have been recovered prior to postulated core damage (Ref. 1). The pump was recovered 9.5 hours later.
- Operators failed to drain the steam drain piping for the turbine-driven auxiliary feedwater (AFW) pumps until 11 hours after the event started.
Other complications that occurred during the event were:
- Unit 1 experienced an automatic letdown isolation failure.
- Unit 1 atmospheric dump valve (ADV) failed in the manual position.
- Unit 3 underwent an unexpected, automatic main steam isolation.
Further information about the event can be found in References 1 and 2.
Analysis Results

Conditional Core Damage Probability (CCDP)

This event was modeled as an initiating event loss of offsite power (LOOP) with complications resulting from component failures and operator actions. The CCDP for this event is 4×10⁻⁵ (mean value) for Unit 2, and 9×10⁻⁶ for Units 1 and 3. The acceptance threshold for the Accident Sequence Precursor Program is a CCDP ≥ 1×10⁻⁶. Therefore, these events are precursors.
| CCDP | 5% | Mean | 95% |
|---|---|---|---|
| Unit 1 | 4×10⁻⁷ | 9×10⁻⁶ | 3×10⁻⁵ |
| Unit 2 | 3×10⁻⁶ | 4×10⁻⁵ | 1×10⁻⁴ |
| Unit 3 | 4×10⁻⁷ | 9×10⁻⁶ | 3×10⁻⁵ |

Dominant Sequences

Unit 2. The dominant core damage sequences for the Unit 2 analysis are Loss of Offsite Power (LOOP), Station Blackout (SBO) Sequence 15-30 (53.8% of the total CCDP) and LOOP Sequence 14 (22.5% of the total CCDP). The LOOP and SBO event trees with the dominant sequences highlighted are shown in Figure 1 and Figure 2.

The events and important component failures in LOOP/SBO Sequence 15-30 are:
LOOP occurs, Reactor trip succeeds, Emergency power fails, Auxiliary feedwater fails, Operators fail to recover offsite power in 1 hour, and Operators fail to recover an EDG in 1 hour.

The events and important component failures in LOOP Sequence 14 are:
LOOP occurs, Reactor trip succeeds, Emergency power succeeds, and Auxiliary feedwater fails.²

² Palo Verde Units do not have the capability to feed and bleed. See Unique Design Features for more information.

Units 1 and 3. The dominant core damage sequence for the Units 1 and 3 analysis is LOOP Sequence 14 (66.3% of the total CCDP). The LOOP event tree with the dominant sequence highlighted is shown in Figure 2.
Results Tables

The conditional probabilities for the dominant sequences are shown in Tables 1a and 1b.
The event tree sequence logic for the dominant sequences is presented in Table 2a.
Table 2b defines the nomenclature used in Table 2a.
The most important cut sets for the dominant sequences are listed in Table 3a and 3b.
Definitions and probabilities for modified or dominant basic events are provided in Table 4.
Modeling Assumptions

Analysis Type

This event was modeled as a loss of offsite power initiating event (IE-LOOP) using the Palo Verde 1, 2, & 3 Revision 3.11 Standardized Plant Analysis Risk (SPAR) model (Ref. 3). The subsequent reactor trip experienced by all three units is represented by this initiating event.
The probability of IE-LOOP was set to 1.0. The probabilities of the other initiating events were set to 0.0 in the GEM code. Other changes to model the event are described below.
Unique Design Features

Lack of feed and bleed capability. Palo Verde Units 1, 2, and 3 do not have reactor coolant system power operated relief valves (PORVs). Thus Palo Verde does not have the capability to feed and bleed, because the head provided by the high pressure safety injection pumps is insufficient to lift the safety relief valves.
Two SBO gas turbine generator sets. A non-safety alternate AC power source consisting of two gas turbine generators (GTGs) is available to provide power to cope with a SBO event. Each GTG can supply emergency power to any single unit; however, Units 2 and 3 cannot be supplied simultaneously. Therefore both GTGs can supply power to Units 1 and 2 or to Units 1 and 3 simultaneously.
Modeling Assumptions Summary

Key modeling assumptions. The key modeling assumptions are listed below and discussed in detail in the following sections. These assumptions are important contributors to the overall risk.
Offsite power to first vital bus recoverable within 1 hour. Offsite power was restored to the Unit 2 Train A vital bus 1 hour and 46 minutes after the LOOP occurred. However, offsite power was available 32 minutes after the event occurred. Therefore, in the event of a postulated core uncovery sequence (i.e., a SBO condition), operators had approximately 30 minutes to close the three breakers required to restore offsite power to a vital bus. See Attachment B for further details.
Unit 2 EDG A failed to start and was not recoverable within the time frame to prevent core uncovery. See Event Description for further details.
Other assumptions. Other assumptions that have a negligible impact on the results due to relatively low importance include the following:
Unit 2 charging pump E tripped on low suction pressure due to operator error. See Event Description for further details.
Fault Tree Modifications

4160V AC power bus PBA and PBB fails (ACP-PBA-AC and ACP-PBB-AC). The gates ACP-PBA-AC-3 and ACP-PBB-AC-3 in fault trees ACP-PBA-AC and ACP-PBB-AC provide the branches for supplying the vital AC power via the GTGs. Each gate was replaced with the basic event OEP-XHE-XL-NR01H (operator fails to recover AC power in 1 hour), which eliminates the ability of the GTGs to supply a single unit vital bus. This change was made because offsite power was available at approximately the same time as the GTGs were available. When offsite power is available, it is the preferred power source. Therefore, operators will attempt to supply the vital busses with offsite power first. The modification was made to prevent crediting AC power recovery twice for certain SBO cutsets where the non-recovery probability of offsite power is multiplied by the probability of operators failing to align the GTGs to the safety buses. The modified fault trees are shown in Figure 3 and Figure 4.

³ The total EDG mission time is 1.75 hours. The first hour of mission time is accounted for with the basic event ZT-DGN-FR-E.
⁴ The total AFW TDP mission time is 2.25 hours. The first hour of mission time is accounted for with the basic event ZT-TDP-FR-E.
Basic Event Probability Changes

Table 4 provides all the basic events that were modified to reflect the best estimate of the conditions during the event. The basis for these changes is provided below.

ALL UNITS

Operators fail to recover offsite power in 2 hours (OEP-XHE-XL-NR02H). Basic event probability was changed to 4×10⁻³. See Attachment B for further details.
Operators fail to recover offsite power in 3 hours (OEP-XHE-XL-NR03H). Basic event probability was changed to 4×10⁻³. See Attachment B for further details.
Operators fail to recover offsite power in 4 hours (OEP-XHE-XL-NR04H). Basic event probability was changed to 4×10⁻⁴. See Attachment B for further details.
Operators fail to recover offsite power in 6 hours (OEP-XHE-XL-NR06H). Basic event probability was changed to 4×10⁻⁴. See Attachment B for further details.
Operators fail to recover offsite power in 8 hours (OEP-XHE-XL-NR08H). Basic event probability was changed to 4×10⁻⁴. See Attachment B for further details.
Operators fail to recover offsite power in 10 hours (OEP-XHE-XL-NR10). Basic event probability was changed to 4×10⁻⁴. See Attachment B for further details.
Operators fail to recover offsite power in 24 hours (OEP-XHE-XL-NR24H). Basic event probability was changed to 4×10⁻⁴. See Attachment B for further details.
Diesel generator fails to run in the long term (ZT-DGN-FR-L). The mission time was changed to 0.75 hours to reflect the actual time when offsite power was recovered to the first vital bus and an additional 30 minutes.³
Turbine-driven pump fails to run in the long term (ZT-TDP-FR-L). The mission time was changed to 1.25 hours to reflect the 95 percentile that offsite power was actually recovered to the first vital bus (1.75 hours) and an additional 30 minutes to align alternate sources of feeding the steam generators (SGs).⁴

UNIT 2

Charging pump E fails to start (CVC-MDP-FS-CHE). The event was set to TRUE based on actual plant conditions.
Diesel generator A fails to start (EPS-DGN-FS-A). The event was set to TRUE based on actual plant conditions.
Operators fail to recover offsite power in 1 hour (OEP-XHE-XL-NR01H). Basic event probability was changed to 4×10⁻². See Attachment B for further details.

UNITS 1 & 3

Operators fail to recover offsite power in 1 hour (OEP-XHE-XL-NR01H). Basic event probability was changed to 0.1. See Attachment B for further details.

⁵ The time to close the remaining breakers, energize the vital busses, and align and start high pressure injection and AFW within 1 hour is highly unlikely.
Other Items of Interest

During the event there were a number of other equipment and/or operator issues noted in Reference 1. These issues, which did not result in changes in the SPAR model, are listed below.
Units 1 and 3: two 13.8 kV circuit breakers failed to close during the recovery of offsite power. The two breakers (1ENANS06K and 3ENANS05D) were manually cycled closed 51 minutes after the event initiated. This analysis does not credit the recovery of offsite power using a recovered breaker in the short term (within 1 hour) SBO sequence.⁵ Alternate breakers (1ENANS06K and 3ENANS05B) were available to supply offsite power to the other vital busses in the short term. Both the recovered and alternate breakers were available to supply the vital busses for the longer term blackout sequences.
The two breaker failures appear to be from common cause. The switchyard is not modeled in the SPAR model, and therefore the CCDP contribution of the common cause failure is not present in the analysis results. However, the probability of the other breakers (i.e., breakers of the same type that could supply the vital busses) failing from the common cause is more than one order of magnitude less than the failure probability of operators to recover offsite power with no breaker failures. Thus, the total CCDP would not change if the common cause failure contribution was included in the analysis.
Unit 1 ADV valve failed in the manual position. The operators were able to operate the valve by increasing the demand to the failed valve; however, the valve would not maintain the desired position. The inspection team determined that operators had been sufficiently trained to use the other three ADVs for decay heat removal (Ref. 1), and therefore this failure was not modeled.
Unit 1 letdown failed to isolate. The ion exchanger bypass valves opened to prevent overheating the resin and to remove high temperature water from the ion exchanger. No damage occurred due to the malfunction. The failure to isolate did not affect any mitigating system or reactor coolant pump seal cooling.
Unit 3 experienced an unexpected main steam line isolation. An automatic isolation occurred due to a fault causing the steam bypass control system to be re-energized in automatic. During a LOOP event, the main condenser is unavailable as a heat sink (loss of circulating water), and decay heat removal is provided by the steam generator (SG) ADVs. Emergency operating procedures (EOPs) direct operators to manually initiate a main steam isolation signal. Therefore, regardless of the fault, the main steam isolation valves will be closed during a LOOP event.
Operator delay to drain the steam drain piping of the turbine-driven AFW pumps. A potential turbine overspeed trip during startup is possible if sufficient water accumulates in the steam piping supplying the turbine. Operators delayed draining the piping for 11 hours after the reactor tripped. This was not modeled in the analysis for two reasons. First, the turbine-driven pump ran without problems during the event. Second, the turbine-driven AFW pump mission time during the event was approximately 2.25 hours and procedure requires operators to drain the AFW steam piping every 2 hours during a main steam isolation. Therefore it is believed that there was insufficient time for enough water to accumulate (prior to expiration of the mission time) that could potentially cause an overspeed trip of the pump.
References

1. NRC Augmented Inspection Team (AIT) Report 50-528/04-012-00, dated July 16, 2004.
2. LER 528/04-006, Loss of Offsite Power-Three Unit Trip, dated August 13, 2004.
3. Idaho National Engineering and Environmental Laboratory, Standardized Plant Analysis Risk Model for Palo Verde 1, 2, & 3, Revision 3.11, December 31, 2004.
4. Idaho National Engineering and Environmental Laboratory, The SPAR-H Human Reliability Analysis Method, INEEL/EXT-02-01307, May 2004.
Table 1a. Conditional core damage probabilities of dominating sequences (Unit 2).

| Event tree name | Sequence no. | CCDP¹ | Contribution |
|---|---|---|---|
| SBO | 15-30 | 2.1E-005 | 53.8 |
| LOOP | 14 | 8.8E-006 | 22.5 |
| Total (all sequences)² | | 3.9E-005 | 100 |

- 1. Values are point estimates. (File name: GEM (528-04-006) Unit 2 LOOP.wpd)
- 2. Total CCDP includes all sequences (including those not shown in this table).
Table 1b. Conditional core damage probabilities of dominating sequences (Units 1 & 3).

| Event tree name | Sequence no. | CCDP¹ | Contribution |
|---|---|---|---|
| LOOP | 14 | 6.1E-006 | 66.3 |
| Total (all sequences)² | | 9.2E-006 | 100 |

- 1. Values are point estimates. (File name: GEM (528-04-006) Units 1&3 LOOP.wpd)
- 2. Total CCDP includes all sequences (including those not shown in this table).
Table 2a. Event tree sequence logic for dominating sequences.

| Event tree name | Sequence no. | Logic (/ denotes success; see Table 2b for top event names) |
|---|---|---|
| SBO | 15-30 | /RPS EPS AFW-B OPR-01H DGR-01H |
| LOOP | 14 | /RPS /EPS AFW-L |

Table 2b. Definitions of top events listed in Table 2a.

| Top Event | Definition |
|---|---|
| AFW-B | Auxiliary feedwater fails during SBO |
| AFW-L | Auxiliary feedwater fails during LOOP |
| DGR-01H | Operator fails to recover EDG in 1 hour |
| EPS | Emergency power system fails |
| OPR-01H | Operator fails to recover offsite power in 1 hour |
| RPS | Reactor fails to trip |

Table 3a. Conditional cut sets for the dominant sequences (Unit 2).

Event Tree: SBO, Sequence 15-30

| CCDP | Percent Contribution | Minimum Cut Sets (of basic events) |
|---|---|---|
| 4.2E-006 | 20.5 | EPS-XHE-XL-NR01H OEP-XHE-XL-NR01H EPS-DGN-CF-STRT AFW-TDP-FS-A |
| 3.5E-006 | 17.1 | EPS-XHE-XL-NR01H OEP-XHE-XL-NR01H EPS-DGN-CF-STRT AFW-TDP-TM-A |
| 2.2E-006 | 10.4 | EPS-XHE-XL-NR01H OEP-XHE-XL-NR01H EPS-DGN-CF-STRT AFW-TDP-FR-A |
| 1.8E-006 | 8.8 | EPS-XHE-XL-NR01H OEP-XHE-XL-NR01H EPS-DGN-TM-DGB AFW-TDP-FS-A |
| 2.1E-005 | 100 | Total (all cutsets)¹ |

Event Tree: LOOP, Sequence 14

| CCDP | Percent Contribution | Minimum Cut Sets (of basic events) |
|---|---|---|
| 1.2E-006 | 13.7 | OEP-XHE-XL-NR01H AFW-MDP-TM-B AFW-TDP-FS-A |
| 8.0E-007 | 9.1 | OEP-XHE-XL-NR01H OEP-XHE-XL-NR03H AFW-MDP-TM-B |
| 6.6E-007 | 7.5 | AFW-PMP-CF-RUN |
| 6.1E-007 | 7.0 | OEP-XHE-XL-NR01H AFW-MDP-TM-B AFW-TDP-FR-A |
| 6.0E-007 | 6.8 | AFW-XHE-XM-TRAINN AFW-MDP-TM-B AFW-TDP-FS-A |
| 8.8E-006 | 100 | Total (all cutsets)¹ |

- 1. Total CCDP includes all cutsets (including those not shown in this table).
Table 3b. Conditional cut sets for the dominant sequences (Units 1 & 3).

Event Tree: LOOP, Sequence 14

| CCDP | Percent Contribution | Minimum Cut Sets (of basic events) |
|---|---|---|
| 6.6E-007 | 10.9 | AFW-PMP-CF-RUN |
| 6.0E-007 | 9.9 | AFW-XHE-XM-TRAINN AFW-MDP-TM-B AFW-TDP-FS-A |
| 4.8E-007 | 7.8 | AFW-MDP-CF-START AFW-TDP-FS-A |
| 4.0E-007 | 6.5 | AFW-MDP-CF-START AFW-TDP-TM-A |
| 3.1E-007 | 5.0 | AFW-XHE-XM-TRAINN AFW-MDP-TM-B AFW-TDP-FR-A |
| 6.1E-006 | 100 | Total (all cutsets)¹ |

- 1. Total CCDP includes all cutsets (including those not shown in this table).
Table 4. Definitions and probabilities for modified and dominant basic events.

| Event Name | Description | Probability/Frequency (per hour) | Modified |
|---|---|---|---|
| AFW-MDP-CF-START | CCF OF EFW MDPS B & N TO START | 7.9E-005 | No |
| AFW-MDP-TM-B | AFW MDP B UNAVAILABLE DUE TO T&M | 5.0E-003 | No |
| AFW-PMP-CF-RUN | COMMON CAUSE FAILURE OF ALL AFW PUMPS | 6.6E-007 | No |
| AFW-TDP-FR-A | AFW TDP A FAILS TO RUN | 3.1E-003 | No |
| AFW-TDP-FS-A | AFW TDP A FAILS TO START | 6.0E-003 | No |
| AFW-TDP-TM-A | AFW TDP A UNAVAILABLE DUE TO T&M | 5.0E-003 | No |
| AFW-XHE-XM-TRAINN | OPERATOR FAILS TO ALIGN AND START AFW TRAIN | 2.0E-002 | No |
| CVC-MDP-FR-CHE | CHARGING PUMP CHE FAILS TO RUN | IGNORE | Yes¹ |
| CVC-MDP-FS-CHE | CHARGING PUMP CHE FAILS TO START | TRUE | Yes² |
| EPS-DGN-CF-STRT | COMMON CAUSE FAILURE OF EDGS TO START | 8.4E-005 | No |
| EPS-DGN-FR-DGA | DIESEL GENERATOR A FAILS TO RUN | IGNORE | Yes¹ |
| EPS-DGN-FS-DGA | DIESEL GENERATOR A FAILS TO START | TRUE | Yes² |
| EPS-DGN-TM-DGB | DG B UNAVAILABLE DUE TO T&M | 9.0E-003 | No |
| EPS-XHE-XL-NR01H | OPERATOR FAILS TO RECOVER EDG IN 1 HR | 8.4E-001 | No |
| IE-LOOP | LOOP INITIATING EVENT OCCURS | 1.0 | Yes³ |
| OEP-XHE-XL-NR01H | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 1 HR | 1.0E-001 | Yes⁴ |
| OEP-XHE-XL-NR02H | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 1 HR | 4.0E-003 | Yes⁵ |
| OEP-XHE-XL-NR03H | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 1 HR | 4.0E-003 | Yes⁵ |
| OEP-XHE-XL-NR04H | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 1 HR | 4.0E-004 | Yes⁵ |
| OEP-XHE-XL-NR06H | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 1 HR | 4.0E-004 | Yes⁵ |
| OEP-XHE-XL-NR08H | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 1 HR | 4.0E-004 | Yes⁵ |
| OEP-XHE-XL-NR10H | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 1 HR | 4.0E-004 | Yes⁵ |
| OEP-XHE-XL-NR24H | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 1 HR | 4.0E-004 | Yes⁵ |
| ZT-DGN-FR-L | TURBINE DRIVEN PUMP FAILS TO RUN IN THE LONG TERM | 6.0E-004 | Yes⁶ |
| ZT-TDP-FR-L | EDG FAILS TO RUN IN THE LONG TERM | 6.3E-005 | Yes⁶ |

- 1. Unit 2 only-changed to correctly model the common cause failure probability to run.
- 2. Unit 2 only-changed to reflect actual plant conditions during the event.
- 3. All other initiating event frequencies set to zero.
- 4. Non-recovery probabilities are different between the Unit 2 analysis and the Units 1 & 3 analysis (see Attachment B for further details).
- 5. Non-recovery probabilities the same for all three units (see Attachment B for further details).
- 6. Changed mission times (see Basic Event Probability Changes for further details).
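
The LOOP Sequence 14 cut set values in Tables 3a and 3b can be reproduced as products of the basic event probabilities in Table 4, with IE-LOOP set to 1.0. The Python check below is an added example and is not part of the NRC analysis or the GEM/SPAR tooling; it assumes the cut set groupings follow the row order of Tables 3a and 3b, and it takes the Unit 2 value of OEP-XHE-XL-NR01H (4E-2) from the Basic Event Probability Changes section, since Table 4 lists the Units 1 & 3 value.

```python
# Added example (not NRC code): recompute the LOOP Sequence 14 cut set values
# of Tables 3a/3b from the Table 4 basic event probabilities.
from math import prod

# Basic event probabilities copied from Table 4.
TABLE_4 = {
    "IE-LOOP": 1.0,
    "AFW-MDP-CF-START": 7.9e-5,
    "AFW-MDP-TM-B": 5.0e-3,
    "AFW-PMP-CF-RUN": 6.6e-7,
    "AFW-TDP-FR-A": 3.1e-3,
    "AFW-TDP-FS-A": 6.0e-3,
    "AFW-TDP-TM-A": 5.0e-3,
    "AFW-XHE-XM-TRAINN": 2.0e-2,
    "OEP-XHE-XL-NR01H": 1.0e-1,   # Units 1 & 3 value (Table 4, footnote 4)
    "OEP-XHE-XL-NR03H": 4.0e-3,
}

# Unit-specific overrides; the Unit 2 value comes from the text, not Table 4.
OVERRIDES = {
    "Unit 2": {"OEP-XHE-XL-NR01H": 4.0e-2},
    "Units 1 & 3": {},
}

# Rows of Table 3a (Unit 2) and Table 3b (Units 1 & 3) for LOOP Sequence 14:
# (reported CCDP, reported percent contribution, basic events in the cut set).
# Grouping of events into rows is an assumption read from the table order.
LOOP_14 = {
    "Unit 2": {
        "total": 8.8e-6,
        "rows": [
            (1.2e-6, 13.7, ["OEP-XHE-XL-NR01H", "AFW-MDP-TM-B", "AFW-TDP-FS-A"]),
            (8.0e-7, 9.1, ["OEP-XHE-XL-NR01H", "OEP-XHE-XL-NR03H", "AFW-MDP-TM-B"]),
            (6.6e-7, 7.5, ["AFW-PMP-CF-RUN"]),
            (6.1e-7, 7.0, ["OEP-XHE-XL-NR01H", "AFW-MDP-TM-B", "AFW-TDP-FR-A"]),
            (6.0e-7, 6.8, ["AFW-XHE-XM-TRAINN", "AFW-MDP-TM-B", "AFW-TDP-FS-A"]),
        ],
    },
    "Units 1 & 3": {
        "total": 6.1e-6,
        "rows": [
            (6.6e-7, 10.9, ["AFW-PMP-CF-RUN"]),
            (6.0e-7, 9.9, ["AFW-XHE-XM-TRAINN", "AFW-MDP-TM-B", "AFW-TDP-FS-A"]),
            (4.8e-7, 7.8, ["AFW-MDP-CF-START", "AFW-TDP-FS-A"]),
            (4.0e-7, 6.5, ["AFW-MDP-CF-START", "AFW-TDP-TM-A"]),
            (3.1e-7, 5.0, ["AFW-XHE-XM-TRAINN", "AFW-MDP-TM-B", "AFW-TDP-FR-A"]),
        ],
    },
}


def cut_set_probability(events, unit):
    """Conditional probability of one minimal cut set: IE-LOOP times the
    product of its basic event probabilities for the given unit."""
    probs = {**TABLE_4, **OVERRIDES[unit]}
    return probs["IE-LOOP"] * prod(probs[e] for e in events)


def check_unit(unit):
    """Compare each recomputed cut set with the value printed in the table."""
    seq = LOOP_14[unit]
    results = []
    for reported, reported_pct, events in seq["rows"]:
        p = cut_set_probability(events, unit)
        results.append({
            "events": events,
            "computed": p,
            "reported": reported,
            "rel_diff": abs(p - reported) / reported,
            "computed_pct": 100.0 * p / seq["total"],
            "reported_pct": reported_pct,
        })
    return results


def listed_fraction(unit):
    """Share of the sequence CCDP carried by the listed cut sets
    (rare-event approximation: sum of cut set probabilities)."""
    seq = LOOP_14[unit]
    listed = sum(cut_set_probability(ev, unit) for _, _, ev in seq["rows"])
    return listed / seq["total"]


if __name__ == "__main__":
    for unit in LOOP_14:
        print(unit, f"(listed cut sets carry {listed_fraction(unit):.0%})")
        for r in check_unit(unit):
            print(f"  {r['computed']:.2e} vs {r['reported']:.1e}  "
                  f"{r['computed_pct']:.1f}% vs {r['reported_pct']}%  "
                  + " * ".join(r["events"]))
```

The same cut set (OEP-XHE-XL-NR01H, AFW-MDP-TM-B, AFW-TDP-FS-A) evaluates differently per unit because only the offsite power non-recovery probability changes; small differences from the printed values come from rounding in the tables.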
Attachment A
Sequences of Key Events

Unit 1 Sequence of Key Events

6/14/04
0741 Startup Transformer# 2 Breaker 945 Open Excessive Main Generator and Field Currents Noted Engineered Safeguards Features Bus Undervoltage Loss of Offsite Power Load Shed Train "A" and "B" Emergency Diesel Generator Train "A" and "B" Start Signal Low Departure from Nucleate Boiling Ratio Reactor Trip Master Turbine Trip Main Turbine Mechanical Over Speed Trip Emergency Diesel Generator A Operating (10 Second Start Time) Emergency Diesel Generator B Operating (13 Second Start Time*)
0751 Manual Main Steam Isolation System Actuation
0758 Declared Notice of Unusual Event (loss of essential power for greater than 15 minutes)
0810 Both Gas Turbine Generator Sets Started, #1 GTG is supplying power to NAN S07
0813 Closed 500 k 552-942. The East bus is powered from Hass #1
0838 Restored power to Startup Transformer X01
0844 Restored power to Startup Transformer X03
0855 Fire reported in 120 ft Aux building. Fire brigade confirmed that no fire existed but paint was heated causing fumes. Later it was confirmed that fumes were caused by the elevated temperature of the letdown heat exchanger when it failed to isolate.
0900 HI Temp Abnormal Operation Procedure entered for Letdown heat exchanger outlet temperature off scale high.
1002 Reset Generator Protective Trips (volts/hertz; Backup under-frequency) Palo Verde Switchyard Ring Bus restored
1159 Paralleled DG B with bus and cooled down engine restoring the in house buses
1207 Emergency Coordinator terminated NUE for all three units
1248 Paralleled DG A with bus and cooled down
2209 Noted grid voltage greater than 535.5 volts Shift Manager Coordinated with ECC

6/15/04
0005 Restored CVCS letdown per Std Attachment 12 started Chg Pump A
0155 Established RCP seal injection and controlled bleed off
0241 Started 2A RCP, had to secure due to low running amps other two units had RCPs running (what were the amps at the time) exiting of EOP delayed due to switchyard conditions
0305 Exited Loss of Letdown AOP after restoration of letdown per Standard App. 12 of EOPs
0345 Palo Verde Switchyard E-W voltage at approx. 530.7 kV
0818 Started RCPs 2A and 1A
0920 Started RCPs 2B and 1B
0930 Exited EOP 40EP-9E007 Loss of Offsite Power/Loss of Forced Circulation

Unit 2 Sequence of Key Events

6/14/04
0740 4.16 kV Switchgear 3 Bus Trouble Alarm Generator Negative Sequence Alarm 4.16 kV Switchgear 4 Bus Trouble Alarm
0741 Main Transformer B Status Trouble Alarm Main Transformer A Status Trouble Alarm ESF Bus Undervoltage Channel A-2 ESF Bus Undervoltage Channel B-2 LOP/Load Shed B ESF Bus Undervoltage Channel B-3 DG Start Signal B LOP/Load Shed A ESF Bus Undervoltage Channel A-4 DG Start Signal A LO DNBR Channels A, B, C, & D Trip RPS Channels A, B, C, & D Trip Main Generator 500 kV Breaker 935 Open Mechanical Overspeed Trip of Main Turbine
0751 Manually initiated Main Steam Isolation Signal
0755 Declared an Alert for Loss of All Offsite Power to Essential Busses for Greater than 15 minutes
0901 Energized 13.8 kV Busses 2E-NAN-S03 and 2E-NAN-S05
0927 Energized 4.16 kV Bus 2E-PBA-S03
0951 Exited Alert
1001 Energized 13.8 kV Bus 2E-NAN-S01
1024 Energized 13.8 kV Bus 2E-NAN-S02
1132 Started Charging Pump A
1618 Engineering and Maintenance review concluded that Charging Pump E was available for service after fill and vent
1714 Started Charging Pump E
1716 Started RCP 1A
1722 Started RCP 2A
1806 Stopped RCPs 1A and 2A on low motor amperage. ECC contacted to adjust grid voltage as-low-as-possible
2040 Started RCPs 1A and 2A
2051 Stopped RCPs 1A and 2A on low running amperage

6/15/04
0400 Started RCPs 1A and 2A
0610 Exited Emergency Operating Procedures

Unit 3 Sequence of Key Events

6/14/04
0740 Generator Under Voltage Negative Sequence Trip Master Turbine Trip 3ENANS01 Bus Under Voltage Reactor Trip Circuit Breakers Open
0741 Exciter Voltage Regulator Mode Change Unit 3 Main Generator 500 kV Breaker 985 Opens Engineered Safeguards Features Bus Undervoltage Loss of Offsite Power Load Shed A and B Emergency Diesel Generator A and B Start Signal Main Turbine Overspeed Mechanical Trip Turbine Bypass Valves Quick Open
0742 Low Steam Generator Pressure Alarm Unit 3 Main Generator 500 kV Breaker 988 Opens
0743 Automatic Main Steam Isolation on Low Steam Generator Pressure
2341 Started Reactor Coolant Pump 1A
2345 Started Reactor Coolant Pump 2A

6/15/04
0040 Exited Emergency Operating Procedures
1637 Started Reactor Coolant Pump 1B

6/16/04
0207 Started Reactor Coolant Pump 2B
Attachment B
Offsite Power Recovery Modeling

Background and Modeling Details of Offsite Power Recovery⁶

The time required to restore offsite power to plant emergency equipment is a significant factor in modeling the conditional core damage probability (CCDP) given a loss of offsite power (LOOP).
Standardized Plant Analysis Risk (SPAR) LOOP/Station Blackout (SBO) models include various sequence-specific AC power recovery factors that are based on the time available to recover power to prevent core damage. For a sequence involving failure of all of the cooling sources, approximately 1 hour would be available to recover power to help avoid core damage. On the other hand, sequences involving successful early inventory control and decay heat removal, but failure of long-term decay heat removal, would accommodate several hours to recover AC power prior to core damage.
In this analysis, offsite power recovery probabilities are based on (1) known information about when power was restored to the switchyard and (2) estimated probabilities of failing to realign power to emergency buses for times after offsite power was restored to the switchyard. Power restoration times were reported by the licensee to the Augmented Inspection Team (AIT). The east switchyard bus was energized from offsite power (Hass-1) in 32 minutes. After the power was restored to the switchyard bus, operators would need to close three Unit 2 breakers (2ENANS05D, 2ENANS03A, and 2EPBAS03L) to supply offsite power to the Unit 2 Train A vital bus. In the event of a blackout condition, operators would have sufficient time (approximately 30 minutes) to shut the three breakers to restore AC power to a vital bus.⁷
Failure to recover offsite power to plant safety-related loads (if needed because emergency diesel generators (EDGs) fail to supply the loads), given recovery of power to the switchyard, could result from (1) operators failing to restore proper breaker line-ups, (2) breakers failing to close on demand, or (3) a combination of operator and breaker failures. The dominant contributor to failure to recover offsite power to plant safety-related loads in this situation is operators failing to restore proper breaker line-ups. The SPAR-H Human Reliability Analysis Method (Ref. 4) was used to estimate non-recovery probabilities as a function of time following restoration of offsite power to the switchyard.

⁶ This section provides background information and details involving recovery of offsite power for this event. In an ASP analysis, offsite power recovery constitutes the recovery of power to the unit vital busses once power has been restored to the switchyard. ASP analyses do not deal with offsite recovery actions outside the switchyard.
⁷ The grid was declared stable per Technical Specifications (TS) 49 minutes after the LOOP occurred. During a postulated SBO event, if operators waited until the grid was stable (per TS) they would have approximately 11 minutes to restore power to a vital bus. However, operators would shut two of three breakers as soon as the switchyard was re-energized. Therefore, operators would have sufficient time (approx. 11 minutes) to shut one breaker.
Diagnosis and Dependency The SPAR Human Reliability Analysis Method considers the following three factors:
! Probability of failure to diagnose the need for action,
! Probability of failure to successfully perform the desired action, and
! Dependency on other operator actions involved in the specific sequence of interest.
8 In addition, the gas turbine generators (GTGs) could have been aligned to a single unit vital bus within 30 minutes. The GTGs were running 29 minutes after the LOOP occurred.
This analysis does not consider the probability of failure to diagnose the need to recover AC power because a loss of offsite power diagnosis is obvious. Operators have an overwhelming number of plant signals that tell them that a LOOP has occurred. Dependency between operator power recovery tasks and any other operator tasks is also not considered. Dependency is considered when multiple operator actions are present in the same cutset. This analysis does not have any cutsets containing multiple human error basic events. Thus, each estimated AC power non-recovery probability is based solely on the probability of failure to successfully perform the desired action.
Performance Shaping Factors
The probability of failure to perform an action is the product of a nominal failure probability (1×10⁻³) and the following eight performance shaping factors (PSFs):
- Available time
- Stress
- Complexity
- Experience/training
- Procedures
- Ergonomics
- Fitness for duty
- Work processes

Time
For each AC power non-recovery probability, the PSF for Available Time is assigned a value of 10 if the time available to perform the action is approximately equal to the time required to perform the action (i.e., 1 hour), 1.0 if the time available is between 2 and 4 times the time required, and 0.1 if the time available is greater than 5 times the time required. This analysis credits 1 hour as the minimum time in which offsite power can be recovered to the first vital bus.
Stress
The PSF for Stress is assigned a value of 2 (corresponding to High Stress) for all AC power non-recovery probabilities. Factors considered in assigning this PSF level "higher than nominal level" include sudden onset of the LOOP initiating event, actual and/or postulated compounding equipment failures, and resulting core uncovery and imminent core damage. Extreme Stress is not appropriate because offsite power to the East bus in the switchyard was actually recovered in about 30 minutes.8 The operators knew early that a success path to re-energize a vital bus was viable within the time frame associated with the postulated short-term core uncovery sequence (1 hour given failure of auxiliary feedwater). Therefore, this event did not present "a level of disruptive stress in which the performance of most people will deteriorate drastically."
Complexity
The PSF for Complexity is assigned a value of 2 (corresponding to Moderately Complex) for all non-recovery probabilities except OEP-XHE-XL-NR01H for Units 1 and 3. Factors considered in assigning this PSF level "involved concurrent actions" such as communications and coordination of three organizations outside the control room: the other two control rooms and utility switchyard operators. "Highly Complex" is not appropriate because the task of closing three breakers is a routine task performed periodically during plant normal operations.
The PSF for Complexity is assigned a value of 5 (corresponding to Highly Complex) for probability OEP-XHE-XL-NR01H for Units 1 and 3. Factors considered in assigning this PSF level involved additional variables and actions due to the failure of two 13.8 kV breakers to close; one in each unit.
The actual recovery of the breaker took over 1 hour to complete (Ref. 1). Therefore, recovery of the breaker is not an option for short-term offsite power recovery. The operators would have to determine that recovery of the failed breaker is not viable within the short time frame and an alternate success path to energize the other vital bus is required for success.
All Other PSFs
For all of the AC power non-recovery probabilities, the PSFs for experience/training, procedures, ergonomics, fitness for duty, and work processes are set to be nominal (i.e., are assigned values of 1.0). Details of the event, plant response, and crew performance did not warrant a change from nominal for these PSFs.
Table C.1. AC power non-recovery probabilities.

| Non-recovery Factor | Units | Nominal Value | PSF: Time Available | PSF: Stress | PSF: Complexity | Non-recovery Probability |
|---|---|---|---|---|---|---|
| OEP-XHE-XL-NR01H | 1 & 3 | 1×10⁻³ | 10 | 2 | 5 | 0.1 |
| OEP-XHE-XL-NR01H | 2 | 1×10⁻³ | 10 | 2 | 2 | 4×10⁻² |
| OEP-XHE-XL-NR02H | All | 1×10⁻³ | 1 | 2 | 2 | 4×10⁻³ |
| OEP-XHE-XL-NR03H | All | 1×10⁻³ | 1 | 2 | 2 | 4×10⁻³ |
| OEP-XHE-XL-NR04H | All | 1×10⁻³ | 0.1 | 2 | 2 | 4×10⁻⁴ |
| OEP-XHE-XL-NR06H | All | 1×10⁻³ | 0.1 | 2 | 2 | 4×10⁻⁴ |
| OEP-XHE-XL-NR08H | All | 1×10⁻³ | 0.1 | 2 | 2 | 4×10⁻⁴ |
| OEP-XHE-XL-NR10H | All | 1×10⁻³ | 0.1 | 2 | 2 | 4×10⁻⁴ |
| OEP-XHE-XL-NR24H | All | 1×10⁻³ | 0.1 | 2 | 2 | 4×10⁻⁴ |

1. From the SPAR model.
Attachment C Event Tree and Fault Tree Figures

[Figure 1: Palo Verde LOOP event tree (with dominant sequence highlighted). Top events: IE-LOOP (loss of offsite power), RPS (reactor trip), EPS (emergency power), AFW (auxiliary feedwater), SRV (SRVs are closed), LOSC (RCP seal cooling maintained), HPI (high pressure injection), OPR (offsite power recovery), SSC (RCS cooldown using ADVs), SDC (shutdown cooling), HPR (high pressure recirc), CSR (containment cooling). Sequence end states: 1 OK; 2 T LOOP-1; 3 OK; 4 OK; 5 CD; 6 CD; 7 OK; 8 CD; 9 CD; 10 OK; 11 CD; 12 CD; 13 CD; 14 CD; 15 T SBO; 16 T ATWS.]
[Figure 2: Palo Verde SBO event tree (with dominant sequence highlighted). Top events: EPS (emergency power), AFW (auxiliary feedwater system), SRV (SRVs are closed), CBO (controlled bleedoff isolated), RSUB (reactor coolant subcooling maintained), RCPSI (RCP seal integrity maintained), OPR-02H (offsite power recovery in 2 hrs), DGR-02H (diesel generator recovery in 2 hours). Sequence end states: 1 OK; 2 OK; 3 CD; 4 T SBO-1; 5 OK; 6 CD; 7 OK; 8 OK; 9 CD; 10 T SBO-1; 11 OK; 12 CD; 13 OK; 14 OK; 15 CD; 16 T SBO-1; 17 OK; 18 CD; 19 OK; 20 OK; 21 CD; 22 T SBO-1; 23 OK; 24 CD; 25 T SBO-1; 26 OK; 27 CD; 28 OK; 29 OK; 30 CD.]
[Figure 3: Modified fault tree ACP-PBA-AC (4160V AC bus PBA power fails), dated 2004/07/26. Node identifiers: ACP-PBA-AC, ACP-BAC-LP-PBA, ACP-PBA-AC-1, LOOP-A, ACP-PBA-AC-SOURCES, OEP-XHE-NOREC-ST, EPS-DGA. Node labels: failure of diesel generator PEA-G01; failure of diesel generator A and gas turbines; loss of power to A 4160V AC bus PBA-S03; 4160V AC bus PBA power fails; operator fails to recover AC power in short term; 4160V AC bus PBA fails; loss of 4160V AC bus PBA; offsite power flag. Values shown: 9.0E-5, FALSE, 1.0E-1.]
[Figure 4: Modified fault tree ACP-PBB-AC (4160V AC bus PBB power fails), dated 2004/07/26. Node identifiers: ACP-PBB-AC, ACP-BAC-LP-PBB, ACP-PBB-AC-1, LOOP-B, ACP-PBB-AC-SOURCES, OEP-XHE-NOREC-ST, EPS-DGB. Node labels: failure of diesel generator PEB-G02; failure of diesel generator A and gas turbines; loss of power to 2B 4160V AC bus PBB-S04; 4160V AC bus PBB power fails; operator fails to recover AC power in short term; loss of 4160V AC bus PBB; offsite power flag; 4160V AC bus PBB fails. Values shown: 9.0E-5, FALSE, 1.0E-1.]