ML052850263
| ML052850263 | |
|---|---|
| Site: | Palo Verde |
| Issue date: | 10/11/2005 |
| From: | Fields M, NRC/NRR/DLPM/LPD4 |
| To: | Overbeck G, Arizona Public Service Co |
| Contact: | Fields M B, NRR/DLPM, 415-3062 |
| References: | IR-04-012 |
Text
October 11, 2005

Mr. Gregg R. Overbeck
Senior Vice President, Nuclear
Arizona Public Service Company
P. O. Box 52034
Phoenix, AZ 85072-2034

SUBJECT: PALO VERDE NUCLEAR GENERATING STATION, UNITS 1, 2, AND 3 - FINAL ACCIDENT SEQUENCE PRECURSOR ANALYSIS OF JUNE 14, 2004, OPERATIONAL EVENT

Dear Mr. Overbeck:

Enclosed for your information is the Final Accident Sequence Precursor (ASP) analysis of an operational event which occurred at the Palo Verde Nuclear Generating Station, Units 1, 2, and 3, on June 14, 2004. The event was a loss-of-offsite power to all three units and failure of a Unit 2 emergency diesel generator. The ASP analyses calculated conditional core damage probabilities for this event were 4×10⁻⁵ for Unit 2 and 9×10⁻⁶ for Units 1 and 3.

The details of the operational event were documented in U.S. Nuclear Regulatory Commission Inspection Report No. 50-528/2004-012, dated July 16, 2004. This is being issued as a final analysis since the internal and external peer review comments have been incorporated.

Please contact me at 301-415-3062, if you have any questions regarding the enclosure.

Sincerely,

/RA/

Mel B. Fields, Senior Project Manager, Section 2
Project Directorate IV
Division of Licensing Project Management
Office of Nuclear Reactor Regulation

Docket Nos. STN 50-528, STN 50-529, and STN 50-530

Enclosure: As stated

cc w/encl: See next page
DISTRIBUTION:
PUBLIC
RidsNrrDlpmDpr
PDIV-2 r/f
RidsNrrDlpmLpdiv (HBerkow)
RidsNrrDlpmLpdiv2 (DCollins)
GHill (6)
RidsNrrPMMFields
RidsNrrLADBaxley
RidsOgcRp
RidsAcrsAcnwMailCenter
RidsRgn4MailCenter (TPruett)
DWilliams
GDeMoss

ACCESSION NO: ML052850263 NRR-106

\* review of letter only

| OFFICE | PDIV-2/PM | PDIV-1/LA* | PDIV-2/(A)SC |
|---|---|---|---|
| NAME | MFields | DBaxley | DCollins |
| DATE | 9-21-05 | 9/22/05 | 10/12/05 |

OFFICIAL RECORD COPY
1 For an initiating event assessment, the parameter of interest is the measure of the conditional core damage probability (CCDP). This value is obtained when calculating the probability of core damage for an initiating event with subsequent failure of one or more components following the initiating event.
Enclosure

Final Precursor Analysis
Accident Sequence Precursor Program -- Office of Nuclear Regulatory Research

Palo Verde Nuclear Generating Station, Units 1, 2, & 3
Loss of Offsite Power to All Three Units and Failure of a Unit 2 Emergency Diesel Generator.

Event Date 6/14/2004
IR 50-528/04-012
CCDP¹ = 4×10⁻⁵ (Unit 2), 9×10⁻⁶ (Units 1 & 3)

March 05, 2005

Event Summary

On June 14, 2004, at approximately 7:41 a.m. MST, a ground-fault occurred on Phase C of a 230 kV transmission line in northwest Phoenix, Arizona, between the West Wing and Liberty substations located approximately 47 miles from the Palo Verde Nuclear Generating Station (PVNGS). A failure in the protective relaying resulted in the ground fault not isolating from the local grid for approximately 38 seconds. This uninterrupted fault cascaded into the protective tripping of a number of 230 kV and 500 kV transmission lines, a nearly concurrent trip of all three PVNGS units and the loss of six additional generation units nearby within approximately 30 seconds of fault initiation.
Offsite power was restored to the East Switchyard Bus at 0813, 32 minutes after power was lost. Licensed operators declared the grid stable at 0830, and at 0838 and 0844, power was restored to the Startup Transformers X01 and X03 respectively. All three units were shut down and stabilized under hot shutdown conditions.
Important conditions and complications experienced during the event include:
- Unit 2 Emergency Diesel Generator (EDG) A failed to load after receiving the start signal due to undervoltage on the Train A 4.16 kV bus. The EDG could not maintain voltage with applied loads and was tripped by control room operators. The cause of the failure was a failed diode in Phase B of the voltage regulator exciter circuit. The failed diode was not diagnosed until several hours after offsite power was restored to the first vital bus, and therefore would not have been recoverable prior to core damage during a postulated core uncovery sequence, such as a station blackout event (SBO).
- Unit 2 Train A engineered safeguards (ESF) busses were de-energized due to loss of the Train A EDG. Offsite power was restored, supplying Train A 4.16 kV bus at 0927.
- Units 1 and 3 had a failure of two 13.8 kV circuit breakers (one for each unit) to close during the recovery of offsite power. If needed, alternate breakers were available to supply offsite power to another train of vital busses.
In addition to the equipment malfunctions, two operator performance weaknesses were displayed during the event:
- Unit 2 charging pump E tripped on low suction pressure due to operator error. An operator failed to align the pump to the refueling water storage tank (RWST) and the pump became air bound, and therefore it could not have been recovered prior to postulated core damage (Ref. 1). The pump was recovered 9.5 hours later.
- Operators failed to drain the steam drain piping for the turbine-driven auxiliary feedwater (AFW) pumps until 11 hours after the event started.
Other complications that occurred during the event were:
- Unit 1 experienced an automatic letdown isolation failure.
- Unit 1 atmospheric dump valve (ADV) failed in the manual position.
- Unit 3 underwent an unexpected, automatic main steam isolation.
Further information about the event can be found in References 1 and 2.
Analysis Results

Conditional Core Damage Probability (CCDP)

This event was modeled as an initiating event loss of offsite power (LOOP) with complications resulting from component failures and operator actions. The CCDP for this event is 4×10⁻⁵ (mean value) for Unit 2, and 9×10⁻⁶ for Units 1 and 3. The acceptance threshold for the Accident Sequence Precursor Program is a CCDP ≥ 1×10⁻⁶. Therefore, these events are precursors.

| CCDP | 5% | Mean | 95% |
|---|---|---|---|
| Unit 1 | 4×10⁻⁷ | 9×10⁻⁶ | 3×10⁻⁵ |
| Unit 2 | 3×10⁻⁶ | 4×10⁻⁵ | 1×10⁻⁴ |
| Unit 3 | 4×10⁻⁷ | 9×10⁻⁶ | 3×10⁻⁵ |

2 Palo Verde Units do not have the capability to feed and bleed. See Unique Design Features for more information.
Dominant Sequences

Unit 2. The dominant core damage sequences for the Unit 2 analysis are Loss of Offsite Power (LOOP), Station Blackout (SBO) Sequence 15-30 (53.8% of the total CCDP) and LOOP Sequence 14 (22.5% of the total CCDP). The LOOP and SBO event trees with the dominant sequences highlighted are shown in Figure 1 and Figure 2.

The events and important component failures in LOOP/SBO Sequence 15-30 are:
LOOP occurs, Reactor trip succeeds, Emergency power fails, Auxiliary feedwater fails, Operators fail to recover offsite power in 1 hour, and Operators fail to recover an EDG in 1 hour.

The events and important component failures in LOOP Sequence 14 are:
LOOP occurs, Reactor trip succeeds, Emergency power succeeds, and Auxiliary feedwater fails.²

Units 1 and 3. The dominant core damage sequence for the Units 1 and 3 analysis is LOOP Sequence 14 (66.3% of the total CCDP). The LOOP event tree with the dominant sequence highlighted is shown in Figure 2.
Results Tables

The conditional probabilities for the dominant sequences are shown in Tables 1a and 1b.
The event tree sequence logic for the dominant sequences is presented in Table 2a.
Table 2b defines the nomenclature used in Table 2a.
The most important cut sets for the dominant sequences are listed in Tables 3a and 3b.
Definitions and probabilities for modified or dominant basic events are provided in Table 4.
Modeling Assumptions

Analysis Type

This event was modeled as a loss of offsite power initiating event (IE-LOOP) using the Palo Verde 1, 2, & 3 Revision 3.11 Standardized Plant Analysis Risk (SPAR) model (Ref. 3). The subsequent reactor trip experienced by all three units is represented by this initiating event. The probability of IE-LOOP was set to 1.0. The probabilities of the other initiating events were set to 0.0 in the GEM code. Other changes to model the event are described below.

Unique Design Features

Lack of feed and bleed capability. Palo Verde Units 1, 2, and 3 do not have reactor coolant system power operated relief valves (PORVs). Thus Palo Verde does not have the capability to feed and bleed, because the head provided by the high pressure safety injection pumps is insufficient to lift the safety relief valves.

Two SBO gas turbine generator sets. A non-safety alternate AC power source consisting of two gas turbine generators (GTGs) is available to provide power to cope with a SBO event. Each GTG can supply emergency power to any single unit; however, Units 2 and 3 cannot be supplied simultaneously. Therefore both GTGs can supply power to Units 1 and 2 or to Units 1 and 3 simultaneously.

Modeling Assumptions Summary

Key modeling assumptions. The key modeling assumptions are listed below and discussed in detail in the following sections. These assumptions are important contributors to the overall risk.

Offsite power to first vital bus recoverable within 1 hour. Offsite power was restored to the Unit 2 Train A vital bus 1 hour and 46 minutes after the LOOP occurred. However, offsite power was available 32 minutes after the event occurred. Therefore, in the event of a postulated core uncovery sequence (i.e., a SBO condition), operators had approximately 30 minutes to close the three breakers required to restore offsite power to a vital bus. See Attachment B for further details.
Unit 2 EDG A failed to start and was not recoverable within the time frame to prevent core uncovery. See Event Description for further details.
Other assumptions. Other assumptions that have a negligible impact on the results due to relatively low importance include the following:
Unit 2 charging pump E tripped on low suction pressure due to operator error. See Event Description for further details.
Fault Tree Modifications

4160V AC power bus PBA and PBB fails (ACP-PBA-AC and ACP-PBB-AC). The gates ACP-PBA-AC-3 and ACP-PBB-AC-3 in fault trees ACP-PBA-AC and ACP-PBB-AC provide the branches for supplying the vital AC power via the GTGs. The gate was replaced with the basic event OEP-XHE-XL-NR01H (operator fails to recover AC power in 1 hour), which eliminates the ability of the GTGs to supply a single unit vital bus. This change was made because offsite power was available approximately the same time as the GTGs were available. When offsite power is available, it is the preferred power source. Therefore, operators will attempt to supply the vital busses with offsite power first. The modification was made to prevent crediting AC power recovery twice for certain SBO cutsets where the non-recovery probability of offsite power is multiplied by the probability of operators failing to align the GTGs to the safety buses. The modified fault trees are shown in Figure 3 and Figure 4.

Basic Event Probability Changes

Table 4 provides all the basic events that were modified to reflect the best estimate of the conditions during the event. The basis for these changes is provided below.

ALL UNITS

Operators fail to recover offsite power in 2 hours (OEP-XHE-XL-NR02H). Basic event probability was changed to 4×10⁻³. See Attachment B for further details.

Operators fail to recover offsite power in 3 hours (OEP-XHE-XL-NR03H). Basic event probability was changed to 4×10⁻³. See Attachment B for further details.

Operators fail to recover offsite power in 4 hours (OEP-XHE-XL-NR04H). Basic event probability was changed to 4×10⁻⁴. See Attachment B for further details.

Operators fail to recover offsite power in 6 hours (OEP-XHE-XL-NR06H). Basic event probability was changed to 4×10⁻⁴. See Attachment B for further details.

Operators fail to recover offsite power in 8 hours (OEP-XHE-XL-NR08H). Basic event probability was changed to 4×10⁻⁴. See Attachment B for further details.

Operators fail to recover offsite power in 10 hours (OEP-XHE-XL-NR10). Basic event probability was changed to 4×10⁻⁴. See Attachment B for further details.

Operators fail to recover offsite power in 24 hours (OEP-XHE-XL-NR24H). Basic event probability was changed to 4×10⁻⁴. See Attachment B for further details.

Diesel generator fails to run in the long term (ZT-DGN-FR-L). The mission time was changed to 0.75 hours to reflect the actual time when offsite power was recovered to the first vital bus and an additional 30 minutes.³

Turbine-driven pump fails to run in the long term (ZT-TDP-FR-L). The mission time was changed to 1.25 hours to reflect the 95 percentile that offsite power was actually recovered to the first vital bus (1.75 hours) and an additional 30 minutes to align alternate sources of feeding the steam generators (SGs).⁴

3 The total EDG mission time is 1.75 hours. The first hour of mission time is accounted for with the basic event ZT-DGN-FR-E.

4 The total AFW TDP mission time is 2.25 hours. The first hour of mission time is accounted for with the basic event ZT-TDP-FR-E.

UNIT 2

Charging pump E fails to start (CVC-MDP-FS-CHE). The event was set to TRUE based on actual plant conditions.

Diesel generator A fails to start (EPS-DGN-FS-A). The event was set to TRUE based on actual plant conditions.

Operators fail to recover offsite power in 1 hour (OEP-XHE-XL-NR01H). Basic event probability was changed to 4×10⁻². See Attachment B for further details.

UNITS 1 & 3

Operators fail to recover offsite power in 1 hour (OEP-XHE-XL-NR01H). Basic event probability was changed to 0.1. See Attachment B for further details.

5 The time to close the remaining breakers, energize the vital busses, and align and start high pressure injection and AFW within 1 hour is highly unlikely.
Other Items of Interest

During the event there were a number of other equipment and/or operator issues noted in Reference 1. These issues, which did not result in changes in the SPAR model, are listed below.

Units 1 and 3 had two 13.8 kV circuit breakers fail to close during the recovery of offsite power. The two breakers (1ENANS06K and 3ENANS05D) were manually cycled closed 51 minutes after the event initiated. This analysis does not credit the recovery of offsite power using a recovered breaker in the short term (within 1 hour) SBO sequence.⁵ Alternate breakers (1ENANS06K and 3ENANS05B) were available to supply offsite power to the other vital busses in the short term. Both the recovered and alternate breakers were available to supply the vital busses for the longer term blackout sequences.

The two breaker failures appear to be from common cause. The switchyard is not modeled in the SPAR model, and therefore the CCDP contribution of the common cause failure is not present in the analysis results. However, the probability of the other breakers (i.e., breakers of the same type that could supply the vital busses) failing from the common cause is more than one order of magnitude less than the failure probability of operators to recover offsite power with no breaker failures. Thus, the total CCDP would not change if the common cause failure contribution was included in the analysis.

Unit 1 ADV valve failed in the manual position. The operators were able to operate the valve by increasing the demand to the failed valve; however, the valve would not maintain the desired position. The inspection team determined that operators had been sufficiently trained to use the other three ADVs for decay heat removal (Ref. 1), and therefore this failure was not modeled.

Unit 1 letdown failed to isolate. The ion exchanger bypass valves opened to prevent overheating the resin and to remove high temperature water from the ion exchanger. No damage occurred due to the malfunction. The failure to isolate did not affect any mitigating system or reactor coolant pump seal cooling.

Unit 3 experienced an unexpected main steam line isolation. An automatic isolation occurred due to a fault causing the steam bypass control system to be re-energized in automatic. During a LOOP event, the main condenser is unavailable as a heat sink (loss of circulating water), and decay heat removal is provided by the steam generator (SG) ADVs. Emergency operating procedures (EOPs) direct operators to manually initiate a main steam isolation signal. Therefore, regardless of the fault, the main steam isolation valves will be closed during a LOOP event.

Operator delay to drain the steam drain piping of the turbine-driven AFW pumps. A potential turbine overspeed trip during startup is possible if sufficient water accumulates in the steam piping supplying the turbine. Operators delayed draining the piping for 11 hours after the reactor tripped. This was not modeled in the analysis for two reasons. First, the turbine-driven pump ran without problems during the event. Second, the turbine-driven AFW pump mission time during the event was approximately 2.25 hours and procedure requires operators to drain the AFW steam piping every 2 hours during a main steam isolation. Therefore it is believed that there was insufficient time for enough water to accumulate (prior to expiration of the mission time) that could potentially cause an overspeed trip of the pump.
References

1. NRC Augmented Inspection Team (AIT) Report 50-528/04-012-00, dated July 16, 2004.
2. LER 528/04-006-00, Loss of Offsite Power-Three Unit Trip, dated August 13, 2004.
3. Idaho National Engineering and Environmental Laboratory, Standardized Plant Analysis Risk Model for Palo Verde 1, 2, & 3, Revision 3.11, December 31, 2004.
4. Idaho National Engineering and Environmental Laboratory, The SPAR-H Human Reliability Analysis Method, INEEL/EXT-02-01307, May 2004.
Table 1a. Conditional core damage probabilities of dominating sequences (Unit 2).

| Event tree name | Sequence no. | CCDP¹ | Contribution (%) |
|---|---|---|---|
| SBO | 15-30 | 2.1E-005 | 53.8 |
| LOOP | 14 | 8.8E-006 | 22.5 |
| Total (all sequences)² | | 3.9E-005 | 100 |

- 1. Values are point estimates. (File name: GEM (528-04-006) Unit 2 LOOP.wpd)
- 2. Total CCDP includes all sequences (including those not shown in this table).

Table 1b. Conditional core damage probabilities of dominating sequences (Units 1 & 3).

| Event tree name | Sequence no. | CCDP¹ | Contribution (%) |
|---|---|---|---|
| LOOP | 14 | 6.1E-006 | 66.3 |
| Total (all sequences)² | | 9.2E-006 | 100 |

- 1. Values are point estimates. (File name: GEM (528-04-006) Units 1&3 LOOP.wpd)
- 2. Total CCDP includes all sequences (including those not shown in this table).
Table 2a. Event tree sequence logic for dominating sequences.

| Event tree name | Sequence no. | Logic (/ denotes success; see Table 2b for top event names) |
|---|---|---|
| SBO | 15-30 | /RPS EPS AFW-B OPR-01H DGR-01H |
| LOOP | 14 | /RPS /EPS AFW-L |

Table 2b. Definitions of top events listed in Table 2a.

| Top Event | Definition |
|---|---|
| AFW-B | Auxiliary feedwater fails during SBO |
| AFW-L | Auxiliary feedwater fails during LOOP |
| DGR-01H | Operator fails to recover EDG in 1 hour |
| EPS | Emergency power system fails |
| OPR-01H | Operator fails to recover offsite power in 1 hour |
| RPS | Reactor fails to trip |

Table 3a. Conditional cut sets for the dominant sequences (Unit 2).
Event Tree: SBO, Sequence 15-30

| CCDP | Percent Contribution | Minimum Cut Sets (of basic events) |
|---|---|---|
| 4.2E-006 | 20.5 | EPS-XHE-XL-NR01H, OEP-XHE-XL-NR01H, EPS-DGN-CF-STRT, AFW-TDP-FS-A |
| 3.5E-006 | 17.1 | EPS-XHE-XL-NR01H, OEP-XHE-XL-NR01H, EPS-DGN-CF-STRT, AFW-TDP-TM-A |
| 2.2E-006 | 10.4 | EPS-XHE-XL-NR01H, OEP-XHE-XL-NR01H, EPS-DGN-CF-STRT, AFW-TDP-FR-A |
| 1.8E-006 | 8.8 | EPS-XHE-XL-NR01H, OEP-XHE-XL-NR01H, EPS-DGN-TM-DGB, AFW-TDP-FS-A |
| 2.1E-005 | 100 | Total (all cutsets)¹ |

Event Tree: LOOP, Sequence 14

| CCDP | Percent Contribution | Minimum Cut Sets (of basic events) |
|---|---|---|
| 1.2E-006 | 13.7 | OEP-XHE-XL-NR01H, AFW-MDP-TM-B, AFW-TDP-FS-A |
| 8.0E-007 | 9.1 | OEP-XHE-XL-NR01H, OEP-XHE-XL-NR03H, AFW-MDP-TM-B |
| 6.6E-007 | 7.5 | AFW-PMP-CF-RUN |
| 6.1E-007 | 7.0 | OEP-XHE-XL-NR01H, AFW-MDP-TM-B, AFW-TDP-FR-A |
| 6.0E-007 | 6.8 | AFW-XHE-XM-TRAINN, AFW-MDP-TM-B, AFW-TDP-FS-A |
| 8.8E-006 | 100 | Total (all cutsets)¹ |

- 1. Total CCDP includes all cutsets (including those not shown in this table).
Table 3b. Conditional cut sets for the dominant sequences (Units 1 & 3).

Event Tree: LOOP, Sequence 14

| CCDP | Percent Contribution | Minimum Cut Sets (of basic events) |
|---|---|---|
| 6.6E-007 | 10.9 | AFW-PMP-CF-RUN |
| 6.0E-007 | 9.9 | AFW-XHE-XM-TRAINN, AFW-MDP-TM-B, AFW-TDP-FS-A |
| 4.8E-007 | 7.8 | AFW-MDP-CF-START, AFW-TDP-FS-A |
| 4.0E-007 | 6.5 | AFW-MDP-CF-START, AFW-TDP-TM-A |
| 3.1E-007 | 5.0 | AFW-XHE-XM-TRAINN, AFW-MDP-TM-B, AFW-TDP-FR-A |
| 6.1E-006 | 100 | Total (all cutsets)¹ |

- 1. Total CCDP includes all cutsets (including those not shown in this table).
Table 4. Definitions and probabilities for modified and dominant basic events.

| Event Name | Description | Probability/Frequency (per hour) | Modified |
|---|---|---|---|
| AFW-MDP-CF-START | CCF OF EFW MDPS B & N TO START | 7.9E-005 | No |
| AFW-MDP-TM-B | AFW MDP B UNAVAILABLE DUE TO T&M | 5.0E-003 | No |
| AFW-PMP-CF-RUN | COMMON CAUSE FAILURE OF ALL AFW PUMPS | 6.6E-007 | No |
| AFW-TDP-FR-A | AFW TDP A FAILS TO RUN | 3.1E-003 | No |
| AFW-TDP-FS-A | AFW TDP A FAILS TO START | 6.0E-003 | No |
| AFW-TDP-TM-A | AFW TDP A UNAVAILABLE DUE TO T&M | 5.0E-003 | No |
| AFW-XHE-XM-TRAINN | OPERATOR FAILS TO ALIGN AND START AFW TRAIN | 2.0E-002 | No |
| CVC-MDP-FR-CHE | CHARGING PUMP CHE FAILS TO RUN | IGNORE | Yes¹ |
| CVC-MDP-FS-CHE | CHARGING PUMP CHE FAILS TO START | TRUE | Yes² |
| EPS-DGN-CF-STRT | COMMON CAUSE FAILURE OF EDGS TO START | 8.4E-005 | No |
| EPS-DGN-FR-DGA | DIESEL GENERATOR A FAILS TO RUN | IGNORE | Yes¹ |
| EPS-DGN-FS-DGA | DIESEL GENERATOR A FAILS TO START | TRUE | Yes² |
| EPS-DGN-TM-DGB | DG B UNAVAILABLE DUE TO T&M | 9.0E-003 | No |
| EPS-XHE-XL-NR01H | OPERATOR FAILS TO RECOVER EDG IN 1 HR | 8.4E-001 | No |
| IE-LOOP | LOOP INITIATING EVENT OCCURS | 1.0 | Yes³ |
| OEP-XHE-XL-NR01H | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 1 HR | 1.0E-001 | Yes⁴ |
| OEP-XHE-XL-NR02H | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 1 HR | 4.0E-003 | Yes⁵ |
| OEP-XHE-XL-NR03H | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 1 HR | 4.0E-003 | Yes⁵ |
| OEP-XHE-XL-NR04H | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 1 HR | 4.0E-004 | Yes⁵ |
| OEP-XHE-XL-NR06H | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 1 HR | 4.0E-004 | Yes⁵ |
| OEP-XHE-XL-NR08H | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 1 HR | 4.0E-004 | Yes⁵ |
| OEP-XHE-XL-NR10H | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 1 HR | 4.0E-004 | Yes⁵ |
| OEP-XHE-XL-NR24H | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 1 HR | 4.0E-004 | Yes⁵ |
| ZT-DGN-FR-L | TURBINE DRIVEN PUMP FAILS TO RUN IN THE LONG TERM | 6.0E-004 | Yes⁶ |
| ZT-TDP-FR-L | EDG FAILS TO RUN IN THE LONG TERM | 6.3E-005 | Yes⁶ |

- 1. Unit 2 only-changed to correctly model the common cause failure probability to run.
- 2. Unit 2 only-changed to reflect actual plant conditions during the event.
- 3. All other initiating event frequencies set to zero.
- 4. Non-recovery probabilities are different between the Unit 2 analysis and the Units 1 & 3 analysis (see Attachment B for further details).
- 5. Non-recovery probabilities the same for all three units (see Attachment B for further details).
- 6. Changed mission times (see Basic Event Probability Changes for further details).
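As a cross-check of Tables 3a, 3b and 4, the following Python sketch (an added example, not part of the NRC analysis or of the SPAR/GEM code) multiplies the Table 4 point estimates for each LOOP Sequence 14 cut set and compares the product with the tabulated CCDP. It assumes independent basic events, the cut-set groupings as read from Tables 3a and 3b, and the unit-specific OEP-XHE-XL-NR01H values given under Basic Event Probability Changes; all function names are illustrative.

```python
from math import prod

# Point estimates as printed in Table 4 (rounded there to two significant figures).
TABLE_4 = {
    "AFW-MDP-CF-START": 7.9e-5,
    "AFW-MDP-TM-B": 5.0e-3,
    "AFW-PMP-CF-RUN": 6.6e-7,
    "AFW-TDP-FR-A": 3.1e-3,
    "AFW-TDP-FS-A": 6.0e-3,
    "AFW-TDP-TM-A": 5.0e-3,
    "AFW-XHE-XM-TRAINN": 2.0e-2,
    "OEP-XHE-XL-NR03H": 4.0e-3,
}

# One-hour offsite power non-recovery differs by unit (4x10-2 vs 0.1 in the text).
OEP_NR01H = {"Unit 2": 4.0e-2, "Units 1 & 3": 1.0e-1}

# Events the analysis set to TRUE for Unit 2 (failed during the actual event).
UNIT_2_HOUSE_EVENTS = {"EPS-DGN-FS-DGA": "TRUE", "CVC-MDP-FS-CHE": "TRUE"}

# LOOP Sequence 14: sequence total from Table 1a/1b, then
# (cut set, tabulated CCDP, tabulated percent contribution) from Table 3a/3b.
LOOP_14 = {
    "Unit 2": {
        "sequence_total": 8.8e-6,
        "cut_sets": [
            (("OEP-XHE-XL-NR01H", "AFW-MDP-TM-B", "AFW-TDP-FS-A"), 1.2e-6, 13.7),
            (("OEP-XHE-XL-NR01H", "OEP-XHE-XL-NR03H", "AFW-MDP-TM-B"), 8.0e-7, 9.1),
            (("AFW-PMP-CF-RUN",), 6.6e-7, 7.5),
            (("OEP-XHE-XL-NR01H", "AFW-MDP-TM-B", "AFW-TDP-FR-A"), 6.1e-7, 7.0),
            (("AFW-XHE-XM-TRAINN", "AFW-MDP-TM-B", "AFW-TDP-FS-A"), 6.0e-7, 6.8),
        ],
    },
    "Units 1 & 3": {
        "sequence_total": 6.1e-6,
        "cut_sets": [
            (("AFW-PMP-CF-RUN",), 6.6e-7, 10.9),
            (("AFW-XHE-XM-TRAINN", "AFW-MDP-TM-B", "AFW-TDP-FS-A"), 6.0e-7, 9.9),
            (("AFW-MDP-CF-START", "AFW-TDP-FS-A"), 4.8e-7, 7.8),
            (("AFW-MDP-CF-START", "AFW-TDP-TM-A"), 4.0e-7, 6.5),
            (("AFW-XHE-XM-TRAINN", "AFW-MDP-TM-B", "AFW-TDP-FR-A"), 3.1e-7, 5.0),
        ],
    },
}


def probabilities_for(unit):
    """Basic event values for one unit's analysis."""
    probs = dict(TABLE_4)
    probs["OEP-XHE-XL-NR01H"] = OEP_NR01H[unit]
    if unit == "Unit 2":
        probs.update(UNIT_2_HOUSE_EVENTS)
    return probs


def event_probability(name, probs):
    """Numeric value of a basic event; an event set to TRUE counts as 1.0."""
    value = probs[name]  # KeyError for an event that was never defined
    if value == "TRUE":
        return 1.0
    if not isinstance(value, float) or not 0.0 <= value <= 1.0:
        raise ValueError(f"{name}: not a probability: {value!r}")
    return value


def cut_set_probability(cut_set, probs):
    """Product of the basic event probabilities (independence assumed)."""
    return prod(event_probability(name, probs) for name in cut_set)


def check_unit(unit):
    """Recompute every listed cut set and pair it with the tabulated figures."""
    probs = probabilities_for(unit)
    total = LOOP_14[unit]["sequence_total"]
    rows = []
    for cut_set, tabulated, tabulated_percent in LOOP_14[unit]["cut_sets"]:
        computed = cut_set_probability(cut_set, probs)
        rows.append({
            "cut_set": cut_set,
            "computed": computed,
            "tabulated": tabulated,
            "percent": 100.0 * computed / total,
            "tabulated_percent": tabulated_percent,
        })
    return rows


def listed_coverage(unit):
    """Fraction of the sequence CCDP carried by the cut sets the table lists."""
    total = LOOP_14[unit]["sequence_total"]
    return sum(row["computed"] for row in check_unit(unit)) / total


if __name__ == "__main__":
    for unit in LOOP_14:
        print(unit, f"(listed cut sets cover {listed_coverage(unit):.0%})")
        for row in check_unit(unit):
            print(f"  {row['computed']:.1e} vs {row['tabulated']:.1e}  "
                  f"{row['percent']:.1f}%  {' * '.join(row['cut_set'])}")
```

Small differences between computed and tabulated values come from Table 4 printing rounded inputs. The SBO Sequence 15-30 cut sets are left out because the EPS-DGN-CF-STRT value printed in Table 4 does not reproduce them.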
Attachment A

Sequences of Key Events

Unit 1 Sequence of Key Events

6/14/04
0741 Startup Transformer# 2 Breaker 945 Open Excessive Main Generator and Field Currents Noted Engineered Safeguards Features Bus Undervoltage Loss of Offsite Power Load Shed Train "A" and "B" Emergency Diesel Generator Train "A" and "B" Start Signal Low Departure from Nucleate Boiling Ratio Reactor Trip Master Turbine Trip Main Turbine Mechanical Over Speed Trip Emergency Diesel Generator A Operating (10 Second Start Time) Emergency Diesel Generator B Operating (13 Second Start Time*)
0751 Manual Main Steam Isolation System Actuation
0758 Declared Notice of Unusual Event (loss of essential power for greater than 15 minutes)
0810 Both Gas Turbine Generator Sets Started, #1 GTG is supplying power to NAN S07
0813 Closed 500 k 552-942. The East bus is powered from Hass #1
0838 Restored power to Startup Transformer X01
0844 Restored power to Startup Transformer X03
0855 Fire reported in 120 ft Aux building. Fire brigade confirmed that no fire existed but paint was heated causing fumes. Later it was confirmed that fumes were caused by the elevated temperature of the letdown heat exchanger when it failed to isolate.
0900 HI Temp Abnormal Operation Procedure entered for Letdown heat exchanger outlet temperature off scale high.
1002 Reset Generator Protective Trips (volts/hertz; Backup under-frequency) Palo Verde Switchyard Ring Bus restored
1159 Paralleled DG B with bus and cooled down engine restoring the in house buses
1207 Emergency Coordinator terminated NUE for all three units
1248 Paralleled DG A with bus and cooled down
2209 Noted grid voltage greater than 535.5 volts Shift Manager Coordinated with ECC

6/15/04
0005 Restored CVCS letdown per Std Attachment 12 started Chg Pump A
0155 Established RCP seal injection and controlled bleed off
0241 Started 2A RCP, had to secure due to low running amps other two units had RCPs running (what were the amps at the time) exiting of EOP delayed due to switchyard conditions
0305 Exited Loss of Letdown AOP after restoration of letdown per Standard App. 12 of EOPs
0345 Palo Verde Switchyard E-W voltage at approx. 530.7 kV
0818 Started RCPs 2A and 1A
0920 Started RCPs 2B and 1B
0930 Exited EOP 40EP-9E007 Loss of Offsite Power/Loss of Forced Circulation

Unit 2 Sequence of Key Events

6/14/04
0740 4.16 kV Switchgear 3 Bus Trouble Alarm Generator Negative Sequence Alarm 4.16 kV Switchgear 4 Bus Trouble Alarm
0741 Main Transformer B Status Trouble Alarm Main Transformer A Status Trouble Alarm ESF Bus Undervoltage Channel A-2 ESF Bus Undervoltage Channel B-2 LOP/Load Shed B ESF Bus Undervoltage Channel B-3 DG Start Signal B LOP/Load Shed A ESF Bus Undervoltage Channel A-4 DG Start Signal A LO DNBR Channels A, B, C, & D Trip RPS Channels A, B, C, & D Trip Main Generator 500 kV Breaker 935 Open Mechanical Overspeed Trip of Main Turbine
0751 Manually initiated Main Steam Isolation Signal
0755 Declared an Alert for Loss of All Offsite Power to Essential Busses for Greater than 15 minutes
0901 Energized 13.8 kV Busses 2E-NAN-S03 and 2E-NAN-S05
0927 Energized 4.16 kV Bus 2E-PBA-S03
0951 Exited Alert
1001 Energized 13.8 kV Bus 2E-NAN-S01
1024 Energized 13.8 kV Bus 2E-NAN-S02
1132 Started Charging Pump A
1618 Engineering and Maintenance review concluded that Charging Pump E was available for service after fill and vent
1714 Started Charging Pump E
1716 Started RCP 1A
1722 Started RCP 2A
1806 Stopped RCPs 1A and 2A on low motor amperage. ECC contacted to adjust grid voltage as-low-as-possible
2040 Started RCPs 1A and 2A
2051 Stopped RCPs 1A and 2A on low running amperage

6/15/04
0400 Started RCPs 1A and 2A
0610 Exited Emergency Operating Procedures

Unit 3 Sequence of Key Events

6/14/04
0740 Generator Under Voltage Negative Sequence Trip Master Turbine Trip 3ENANS01 Bus Under Voltage Reactor Trip Circuit Breakers Open
0741 Exciter Voltage Regulator Mode Change Unit 3 Main Generator 500 kV Breaker 985 Opens Engineered Safeguards Features Bus Undervoltage Loss of Offsite Power Load Shed A and B Emergency Diesel Generator A and B Start Signal Main Turbine Overspeed Mechanical Trip Turbine Bypass Valves Quick Open
0742 Low Steam Generator Pressure Alarm Unit 3 Main Generator 500 kV Breaker 988 Opens
0743 Automatic Main Steam Isolation on Low Steam Generator Pressure
2341 Started Reactor Coolant Pump 1A
2345 Started Reactor Coolant Pump 2A

6/15/04
0040 Exited Emergency Operating Procedures
1637 Started Reactor Coolant Pump 1B

6/16/04
0207 Started Reactor Coolant Pump 2B
Attachment B Offsite Power Recovery Modeling
Background and Modeling Details of Offsite Power Recovery [6]
The time required to restore offsite power to plant emergency equipment is a significant factor in modeling the conditional core damage probability (CCDP) given a loss of offsite power (LOOP). Standardized Plant Analysis Risk (SPAR) LOOP/Station Blackout (SBO) models include various sequence-specific AC power recovery factors that are based on the time available to recover power to prevent core damage. For a sequence involving failure of all of the cooling sources, approximately 1 hour would be available to recover power to help avoid core damage. On the other hand, sequences involving successful early inventory control and decay heat removal, but failure of long-term decay heat removal, would accommodate several hours to recover AC power prior to core damage.
In this analysis, offsite power recovery probabilities are based on (1) known information about when power was restored to the switchyard and (2) estimated probabilities of failing to realign power to emergency buses for times after offsite power was restored to the switchyard. Power restoration times were reported by the licensee to the Augmented Inspection Team (AIT). The east switchyard bus was energized from offsite power (Hass-1) in 32 minutes. After the power was restored to the switchyard bus, operators would need to close three Unit 2 breakers (2ENANS05D, 2ENANS03A, and 2EPBAS03L) to supply offsite power to the Unit 2 Train A vital bus. In the event of a blackout condition, operators would have sufficient time (approximately 30 minutes) to shut the three breakers to restore AC power to a vital bus. [7]
Failure to recover offsite power to plant safety-related loads (if needed because emergency diesel generators (EDGs) fail to supply the loads), given recovery of power to the switchyard, could result from (1) operators failing to restore proper breaker line-ups, (2) breakers failing to close on demand, or (3) a combination of operator and breaker failures. The dominant contributor to failure to recover offsite power to plant safety-related loads in this situation is operators failing to restore proper breaker line-ups. The SPAR-H Human Reliability Analysis Method (Ref. 4) was used to estimate non-recovery probabilities as a function of time following restoration of offsite power to the switchyard.
[6] This section provides background information and details involving recovery of offsite power for this event. In an ASP analysis, offsite power recovery constitutes the recovery of power to the unit vital busses once power has been restored to the switchyard. ASP analyses do not deal with offsite recovery actions outside the switchyard.
[7] The grid was declared stable per Technical Specifications (TS) 49 minutes after the LOOP occurred. During a postulated SBO event, if operators waited until the grid was stable (per TS) they would have approximately 11 minutes to restore power to a vital bus. However, operators would shut two of three breakers as soon as the switchyard was re-energized. Therefore, operators would have sufficient time (approx. 11 minutes) to shut one breaker.
Diagnosis and Dependency
The SPAR Human Reliability Analysis Method considers the following three factors:
- Probability of failure to diagnose the need for action,
- Probability of failure to successfully perform the desired action, and
- Dependency on other operator actions involved in the specific sequence of interest.
This analysis does not consider the probability of failure to diagnose the need to recover AC power because a loss of offsite power diagnosis is obvious. Operators have an overwhelming amount of plant signals which tell them that a LOOP has occurred. Dependency between operator power recovery tasks and any other operator tasks is also not considered. Dependency is considered when multiple operator actions are present in the same cutset. This analysis does not have any cutsets containing multiple human error basic events. Thus, each estimated AC power non-recovery probability is based solely on the probability of failure to successfully perform the desired action.
[8] In addition, the gas turbine generators (GTGs) could have been aligned to a single unit vital bus within 30 minutes. The GTGs were running 29 minutes after the LOOP occurred.
Performance Shaping Factors
The probability of failure to perform an action is the product of a nominal failure probability (1x10^-3) and the following eight performance shaping factors (PSFs):
- Available time
- Stress
- Complexity
- Experience/training
- Procedures
- Ergonomics
- Fitness for duty
- Work processes
Time
For each AC power non-recovery probability, the PSF for Available Time is assigned a value of 10 if the time available to perform the action is approximately equal to the time required to perform the action (i.e., 1 hour), 1.0 if the time available is between 2 and 4 times the time required, and 0.1 if the time available is greater than 5 times the time required. This analysis credits 1 hour as the minimum time that offsite power can be recovered to the first vital bus.
Stress
The PSF for Stress is assigned a value of 2 (corresponding to High Stress) for all AC power non-recovery probabilities. Factors considered in assigning this PSF level "higher than nominal level" include sudden onset of the LOOP initiating event, actual and/or postulated compounding equipment failures, and resulting core uncovery and imminent core damage. Extreme Stress is not appropriate because offsite power to the East bus in the switchyard was actually recovered in about 30 minutes. [8] The operators knew early that a success path to re-energize a vital bus was viable within the time frame associated with the postulated short-term core uncovery sequence (1 hour given failure of auxiliary feedwater). Therefore, this event did not present "a level of disruptive stress in which the performance of most people will deteriorate drastically."
Complexity
The PSF for Complexity is assigned a value of 2 (corresponding to Moderately Complex) for all non-recovery probabilities except OEP-XHE-XL-NR01H for Units 1 and 3. Factors considered in assigning this PSF level "involved concurrent actions" such as communications and coordination of three organizations outside the control room: the other two control rooms and utility switchyard operators. "Highly Complex" is not appropriate because the task of closing three breakers is a routine task performed periodically during plant normal operations.
The PSF for Complexity is assigned a value of 5 (corresponding to Highly Complex) for probability OEP-XHE-XL-NR01H for Units 1 and 3. Factors considered in assigning this PSF level involved additional variables and actions due to the failure of two 13.8 kV breakers to close; one in each unit. The actual recovery of the breaker took over 1 hour to complete (Ref. 1). Therefore, recovery of the breaker is not an option for short-term offsite power recovery. The operators would have to determine that recovery of the failed breaker is not viable within the short time frame and an alternate success path to energize the other vital bus is required for success.
All Other PSFs
For all of the AC power non-recovery probabilities, the PSFs for experience/training, procedures, ergonomics, fitness for duty, and work processes are set to be nominal (i.e., are assigned values of 1.0). Details of the event, plant response, and crew performance did not warrant a change from nominal for these PSFs.
Table C.1. AC power non-recovery probabilities.
| Non-recovery Factor | Units | Nominal Value | PSF: Time Available | PSF: Stress | PSF: Complexity | Non-recovery Probability |
|---|---|---|---|---|---|---|
| OEP-XHE-XL-NR01H | 1 & 3 | 1x10^-3 | 10 | 2 | 5 | 0.1 |
| OEP-XHE-XL-NR01H | 2 | 1x10^-3 | 10 | 2 | 2 | 4x10^-2 |
| OEP-XHE-XL-NR02H | All | 1x10^-3 | 1 | 2 | 2 | 4x10^-3 |
| OEP-XHE-XL-NR03H | All | 1x10^-3 | 1 | 2 | 2 | 4x10^-3 |
| OEP-XHE-XL-NR04H | All | 1x10^-3 | 0.1 | 2 | 2 | 4x10^-4 |
| OEP-XHE-XL-NR06H | All | 1x10^-3 | 0.1 | 2 | 2 | 4x10^-4 |
| OEP-XHE-XL-NR08H | All | 1x10^-3 | 0.1 | 2 | 2 | 4x10^-4 |
| OEP-XHE-XL-NR10H | All | 1x10^-3 | 0.1 | 2 | 2 | 4x10^-4 |
| OEP-XHE-XL-NR24H | All | 1x10^-3 | 0.1 | 2 | 2 | 4x10^-4 |

1. From the SPAR model.
Attachment C Event Tree and Fault Tree Figures
[Figure 1: Palo Verde LOOP event tree (with dominant sequence highlighted). Column headings recoverable from the figure: IE-LOOP Loss of Offsite Power; RPS Reactor Trip; EPS Emergency Power; AFW Auxiliary Feedwater; SRV SRVs Are Closed; LOSC RCP Seal Cooling Maintained; HPI High Pressure Injection; OPR Offsite Power Recovery; SSC RCS Cooldown Using ADVs; SDC Shutdown Cooling; HPR High Pressure Recirc; CSR Containment Cooling; End-State.]
IR 50-528/04-012
[Figure 2: Palo Verde SBO event tree (with dominant sequence highlighted). Column headings recoverable from the figure: EPS Emergency Power; AFW Auxiliary Feedwater System; SRV SRVs Are Closed; CBO Controlled Bleedoff Isolated; RSUB Reactor Coolant Subcooling Maintained; RCPSI RCP Seal Integrity Maintained; OPR-02H Offsite Power Recovery in 2 Hrs; DGR-02H Diesel Generator Recovery in 2 Hours; End-State.]
[Figure 3: Modified fault tree ACP-PBA-AC (4160V AC bus PBA power fails). Labels recoverable from the figure: ACP-PBA-AC, ACP-BAC-LP-PBA, ACP-PBA-AC-1, LOOP-A, ACP-PBA-AC-SOURCES, OEP-XHE-NOREC-ST, EPS-DGA.]
[Figure 4: Modified fault tree ACP-PBB-AC (4160V AC bus PBB power fails). Labels recoverable from the figure: ACP-PBB-AC, ACP-BAC-LP-PBB, ACP-PBB-AC-1, LOOP-B, ACP-PBB-AC-SOURCES, OEP-XHE-NOREC-ST, EPS-DGB.]
Palo Verde Generating Station, Units 1, 2, and 3 cc:
Mr. Steve Olea Arizona Corporation Commission 1200 W. Washington Street Phoenix, AZ 85007
Douglas Kent Porter Senior Counsel Southern California Edison Company Law Department, Generation Resources P.O. Box 800 Rosemead, CA 91770
Senior Resident Inspector U.S. Nuclear Regulatory Commission P. O. Box 40 Buckeye, AZ 85326
Regional Administrator, Region IV U.S. Nuclear Regulatory Commission Harris Tower & Pavillion 611 Ryan Plaza Drive, Suite 400 Arlington, TX 76011-8064
Chairman Maricopa County Board of Supervisors 301 W. Jefferson, 10th Floor Phoenix, AZ 85003
Mr. Aubrey V. Godwin, Director Arizona Radiation Regulatory Agency 4814 South 40 Street Phoenix, AZ 85040
Mr. Craig K. Seaman, Director Regulatory Affairs/Nuclear Assurance Palo Verde Nuclear Generating Station Mail Station 7636 Phoenix, AZ 85072-2034
Mr. Hector R. Puente Vice President, Power Generation El Paso Electric Company 310 E. Palm Lane, Suite 310 Phoenix, AZ 85004
Mr. John Taylor Public Service Company of New Mexico 2401 Aztec NE, MS Z110 Albuquerque, NM 87107-4224
Ms. Cheryl Adams Southern California Edison Company 5000 Pacific Coast Hwy Bldg DIN San Clemente, CA 92672
Mr. Robert Henry Salt River Project 6504 East Thomas Road Scottsdale, AZ 85251
Mr. Jeffrey T. Weikert Assistant General Counsel El Paso Electric Company Mail Location 167 123 W. Mills El Paso, TX 79901
Mr. John Schumann Los Angeles Department of Water & Power Southern California Public Power Authority P.O. Box 51111, Room 1255-C Los Angeles, CA 90051-0100
Brian Almon Public Utility Commission William B. Travis Building P. O. Box 13326 1701 North Congress Avenue Austin, TX 78701-3326