ML060030080
| ML060030080 | |
|---|---|
| Site: | Nine Mile Point, Perry, Indian Point, Fermi, Ginna, FitzPatrick |
| Issue date: | 02/17/2006 |
| From: | Ader C NRC/RES/DRAA |
| To: | Catherine Haney Plant Licensing Branch III-2 |
| Shared Package: | ML060030075 |
February 17, 2006
MEMORANDUM TO: Catherine Haney, Director, Division of Operating Reactor Licensing, Office of Nuclear Reactor Regulation
FROM: Charles E. Ader, Director /RA/, Division of Risk Analysis and Applications, Office of Nuclear Regulatory Research
SUBJECT: TRANSMITTAL OF FINAL ASP ANALYSES (AUGUST 14, 2003 GRID DISTURBANCE EVENTS)
This memorandum provides the results of eight Accident Sequence Precursor (ASP) analyses of plants that lost offsite power and tripped as a result of the grid event of August 14, 2003.
These final analyses have been prepared based on our review and evaluation of the licensees' and NRC staff's comments on the preliminary analyses. Preliminary analyses were transmitted to NRR in February 2004 (ML040580690). The transmittal of these final ASP analyses was delayed pending resolution of peer review comments on NUREG/CR-6890, "Reevaluation of Station Blackout Risk at Nuclear Power Plants." This NUREG/CR was made publicly available on the NRC web site in December 2005.
Nine plants lost offsite power due to an electrical disturbance on the grid. Eight plants (Fermi, Fitzpatrick, Nine Mile Point 1 and 2, Perry, Ginna, Indian Point 2 and 3) were at power, while Davis-Besse was in cold shutdown. Oyster Creek tripped, but did not lose offsite power to the vital buses. The eight analyses are summarized in Enclosure 1 to this memorandum.
Transmittal to licensees requested. Please transmit the final ASP analyses to the appropriate licensee for information. The ADAMS accession number for each analysis is provided in Enclosure 1.
Results of analyses. The conditional core damage probabilities (CCDPs) of these eight events range from 4×10⁻⁶ to 3×10⁻⁵, with five analyses with CCDPs greater than 1×10⁻⁵.
The final analyses' CCDPs are significantly lower as compared to the preliminary analyses' results (with the exception of Nine Mile Point 1) largely due to the SAPHIRE 7 standardized plant analysis risk (SPAR) model equipment/hardware data update (SAPHIRE 6 SPAR models were used in the preliminary ASP analyses). Table 1 summarizes the risk at each plant (preliminary and final results) and the duration of the loss of offsite power. Note that these CCDPs are mean estimates.
Comment Response. Many of the comments dealt with SPAR modeling issues and were useful in improving these models. Other comments required clarification of technical approaches to specific analyses or to ASP analyses in general. Enclosure 2 contains the detailed comments and responses.
Table 1: ASP Analysis Summary

| Plant | Preliminary CCDP (1) (SAPHIRE 6) | Final CCDP | Time without power (2) |
|---|---|---|---|
| Fermi 2 | 2×10⁻⁴ | 2×10⁻⁵ | 6 hours, 19 minutes |
| Fitzpatrick | 9×10⁻⁵ | 4×10⁻⁶ | 2 hours, 49 minutes |
| Ginna | 1×10⁻⁴ | 3×10⁻⁵ | 49 minutes |
| Indian Point 2 | 9×10⁻⁵ | 6×10⁻⁶ | 1 hour, 37 minutes |
| Indian Point 3 | 5×10⁻⁵ | 7×10⁻⁶ | 1 hour, 37 minutes |
| Nine Mile Point 1 | 2×10⁻⁵ | 2×10⁻⁵ | 1 hour, 45 minutes |
| Nine Mile Point 2 | 5×10⁻⁴ | 2×10⁻⁵ | 1 hour, 45 minutes |
| Perry | 5×10⁻⁴ | 3×10⁻⁵ | 1 hour, 27 minutes |

(1) Revised preliminary CCDPs after incorporation of licensee and NRC comments (SAPHIRE 6 models were used).
(2) Length of time until power was available to the switchyard.
Public Disclosure. These ASP analyses were determined to be suitable for public disclosure per SECY-04-0191. The eight analyses are posted in ADAMS for public access (see Summaries in for applicable report accession numbers). The availability of future ASP analysis reports will be evaluated per the applicable guidance to determine the level of public availability.
If you have any questions about the individual analyses, please contact Christopher Hunter (415-4127).
Enclosures:
As stated
ML060030080
Template No. RES-006
Package Accession No: ML060030075
Enclosure 1: ML050950555
Enclosure 2: ML050950565
Enclosure 3: ML050960036
Enclosure 4: ML050960041
Enclosure 5: ML050960051
Enclosure 6: ML050960242
Enclosure 7: ML050960252
Enclosure 8: ML050960263
Publicly Available? (Y or N): Y
Date of Release to Public: 01/20/2006
Sensitive? N
See previous concurrence
To receive a copy of this document, indicate in the box: C = Copy wo/encl, E = Copy w/encl, N = No copy

| OFFICE | Box | NAME | DATE |
|---|---|---|---|
| OERAB | E | CHunter | 01/03/06 |
| OERAB | E | GDeMoss | 01/03/06 |
| OERAB | C | MCheok | 02/10/06 |
| OERAB | C | NChokshi | 02/14/06 |
| SISP REVIEW | N | GDeMoss | 01/03/06 |
| SISP REVIEW | N | NChokshi | 02/14/06 |
| DRAA | C | CAder | 02/17/06 |

MEMORANDUM DATED: 02/17/06
SUBJECT: TRANSMITTAL OF FINAL ASP ANALYSES (AUGUST 14, 2003 GRID DISTURBANCE EVENTS)
Distribution:
OERAB RF JLyons, NRR PMilano, NRR (PM)
DRAA RF MTschiltz, NRR WCook, RI (SRA)
EThornsbury, ACRS MFranovich, NRR CCahill, RI (SRA)
JWiggins/CPaperiello, RES MMelnicoff, NRR WSchmidt, RI (SRA)
JMonniger, RES RJenkins, RES SBurgess, RIII (SRA)
RBarrett, RES GMorris, NRR LKozak, RIII (SRA)
FEltawila, RES RGibbs, NRR DPassehl, RIII (SRA)
WRaughley, RES DJaffe, NRR (PM)
LCline, (SRI)
DRrasmuson, RES JBoska, NRR (PM)
THipschman, (SRI)
EGoldfeiz, RES TBolburn, NRR (PM)
MCox, (SRI)
MCunningham, RES WMacon, NRR (PM)
GHunegs, (SRI)
KKolacyzk, (SRI)
MMorris, (SRI)
RPowell, (SRI)
DOCUMENT NAME: G:\\DRAA\\MEMO-FINAL GRID LOOP TRANSMITTAL JAN 2006.WPD
Enclosure 1
Summary of Final ASP Results
This attachment summarizes the assumptions, approach, and results of eight ASP analyses of the plants affected by the grid disturbance of August 14, 2003.
LOOP Analysis Approach and Assumptions
The following is a brief summary of the approach to analyzing these events. The general approach is relatively standard for ASP events. LOOP event analyses are a type of initiating event assessment frequency performed in the ASP program. Specific analysis steps that are unique to ASP analysis of LOOP events are included here.
- 1. Determine significant facts associated with the event.
1.1 Determine when the LOOP occurred.
1.2 Determine when stable offsite power was first available in the switchyard.
1.3 Determine when offsite power was first restored to an emergency bus.
1.4 Determine when offsite power was fully restored (all emergency buses powered from offsite, EDGs secured).
1.5 Identify any other significant conditions, failures, or unavailabilities that coincided with the LOOP.
- 2. Model power recovery factors associated with the best estimate case and any defined sensitivity cases.
2.1 For the best estimate case, the LOOP duration is the time between the occurrence of the LOOP and the time when stable power was available in the switchyard plus the assumed time required to restore power from the switchyard to emergency buses.
Attachment C documents the probabilistic analysis of power recovery factors for the best estimate case analysis.
2.2 If EDGs successfully start and supply emergency loads, plant operators do not typically rush to restore offsite power to emergency buses, preferring to wait until grid stability is more certain. Therefore, a typical upper bound sensitivity case considers the LOOP duration as the time between the occurrence of the LOOP and the time when offsite power was first restored to an emergency bus. Attachment C documents the probabilistic analysis of power recovery factors for the sensitivity case analysis.
- 3. Model event-specific mission durations for critical equipment for the best estimate case and any defined sensitivity cases. (For most equipment, SPAR model failure probabilities are not functions of defined mission durations and are therefore not affected by this analysis step. Notable exceptions include EDGs and, for PWRs, turbine-driven auxiliary feedwater pumps.)
3.1 For the best estimate case, mission durations are set equal to the assumed LOOP duration as defined in Step 2.1 above.
3.2 For a typical upper bound sensitivity case, mission durations are set equal to the time between the occurrence of the LOOP and the time when offsite power was fully restored to all emergency buses. (Note these mission durations are longer than the assumed LOOP duration defined in Step 2.2 above; they are intended to represent the longest possible mission duration for any critical equipment item.)
Assumptions
The following major assumptions could significantly affect the quantitative risk estimates:
- 1. Offsite power recovery:
- a. Information source. Used inputs from the regions (Blackout Plant Data provided to the Grid Concerns Group-ML0324102160 and ML0324102370) and licensee comments.
- b. Best estimate. Time when the regional reports indicated that power was first available to restore power to the safety bus.
Offsite power recovery time assumptions and information were evaluated in individual analyses using sensitivity analysis.
- 2. About 30 minutes is required to restore power to emergency loads after power is available in the switchyard (used SPAR Human Reliability Assessment method). In the final analyses, this assumption was adjusted on an analysis-by-analysis basis to account for operator work load early in the event. Sensitivity analysis was used to show that the results were not sensitive to this assumption.
- 3. SPAR models do not credit offsite power recovery following battery depletion in station blackout sequences. This is a common approach used in PRAs, and a standard assumption used in the development of SPAR models and in previous ASP analyses.
Plant Summaries
Fermi
At 1610 hours on August 14, 2003, Fermi experienced grid instability and a subsequent reactor trip while operating at 100 percent power. Loss of offsite power (LOOP) occurred at 1611 hours. Plant emergency diesel generators (EDGs) started and supplied power to safety-related plant loads until offsite power was restored (Refs. 1 and 10).
Other conditions, failures, and unavailable equipment. The combustion gas turbine generator (CTG) failed to start from the control room due to the failure of a battery-powered inverter. The CTG was manually started 3 hours into the event using a portable generator as an alternate source of starting power.
Recovery opportunities. Offsite power was first available at 2230 hours. Power from offsite was restored to the first emergency bus at 0153 hours on August 15.
Analysis Results. The mean CCDP for this event is 2×10⁻⁵. The complete ASP analysis can be found at ML050950555.
Fitzpatrick
At 1611 hours on August 14, 2003, Fitzpatrick experienced grid instability and a subsequent reactor trip while operating at 100% power. Loss of offsite power (LOOP) occurred at 1613 hours. Plant EDGs started and supplied power to safety-related plant loads until offsite power was restored (Refs. 2 and 9).
Other conditions, failures, and unavailable equipment. No other conditions, failures, or unavailable equipment occurred during the event.
Recovery opportunities. Offsite power was recovered over a period of time, commencing at 1900 hours on August 14, 2003 with restoration of the 115 kV transmission system with an imposed load limit and ending at 2400 hours on August 14, 2003 with restoration of 115 kV transmission system to full capacity. Offsite power was restored to the first emergency bus at 2307 hours and to the second emergency bus at 2328 hours.
Analysis Results. The mean CCDP for this event is 4×10⁻⁶. The complete ASP analysis can be found at ML05095065.
Ginna
At 1611 hours on August 14, 2003, Ginna experienced grid instability and a subsequent reactor trip while operating at approximately 100% power. Offsite power was never completely lost to the buses supplying the power block area; however, the operators determined that the offsite power supply was unreliable and manually started and loaded the plant EDGs onto the emergency busses. The EDGs supplied power to safety-related plant loads until offsite power was deemed stable (Refs. 3 and 9).
Other conditions, failures, and unavailable equipment. One of the auxiliary feedwater motor-driven pumps (Pump B) was inoperable due to damage sustained because of an error in pump alignment on startup of the pump. Both pressurizer power operated relief valves (PORVs) lifted and re-closed to limit the pressure transient.
Recovery opportunities. Offsite power was considered stable at 1700 hours. Power from offsite was first restored to an emergency bus at 2108 hours.
Analysis Results. The mean CCDP for this event is 3×10⁻⁵. The complete ASP analysis can be found at ML050960036.
Indian Point 2
At 1611 hours on August 14, 2003, Indian Point 2 experienced grid instability, a reactor coolant pump trip on under-frequency, and a subsequent reactor trip while operating at 100% power.
Plant EDGs started and supplied power to safety-related plant loads until offsite power was restored (Refs. 4 and 9).
Other conditions, failures, and unavailable equipment. No other significant conditions, failures, or unavailable equipment occurred during the event.
Recovery opportunities. Con Edison System Operators informed the control room that power was restored to the 138kV Buchanan yard feeder at 1749 hours. Offsite power was restored to the first emergency bus at 1945 hours, to the second emergency bus at 2002 hours, and to the third emergency bus at 2021 hours.
Analysis Results. The mean CCDP for this event is 6×10⁻⁶. The complete ASP analysis can be found at ML050960041.
Indian Point 3
At 1611 hours on August 14, 2003, Indian Point 3 experienced grid instability and a subsequent reactor trip while operating at 100% power. Loss of offsite power occurred at 1611 hours.
Plant EDGs started and supplied power to safety-related plant loads until offsite power was restored (Refs. 5 and 9).
Other conditions, failures, and unavailable equipment. The auxiliary feedwater (AFW) flow control valves lost pneumatic control; however, the valves fail open on loss of instrument air so that flow was not lost to the steam generators. Therefore, this condition was not modeled in the assessment.
Recovery opportunities. Offsite power was first available at 1749 hours. Power from offsite was first restored to an emergency bus at 2012 hours.
Analysis Results. The mean CCDP for this event is 7×10⁻⁶. The complete ASP analysis can be found at ML050960051.
Nine Mile Point 1
At 1611 hours on August 14, 2003, Nine Mile Point 1 experienced grid instability and a subsequent turbine trip followed by reactor trip while operating at 100% power. Loss of offsite power occurred at 1613 hours. Plant EDGs started and supplied power to safety-related plant loads until offsite power was restored (Refs. 6 and 9).
Other conditions, failures, and unavailable equipment. No other significant conditions, failures, or unavailable equipment occurred during the event.
Recovery opportunities. Offsite power was available and within normal voltage and frequency limits at approximately 1746 hours. Offsite power was restored to the first emergency bus at 2339 hours and to the second emergency bus at 0018 hours on August 15.
Analysis Results. The mean CCDP for this event is 2×10⁻⁵. The complete ASP analysis can be found at ML050960242.
Nine Mile Point 2
At 1611 hours on August 14, 2003, Nine Mile Point 2 experienced a disturbance on the electrical grid and a subsequent turbine trip followed by reactor trip while operating at 100% power. Undervoltage conditions occurred on each of the three emergency buses at 1612 hours.
Plant EDGs started and supplied power to safety-related plant loads until offsite power was restored (Refs. 7 and 9).
Other conditions, failures, and unavailable equipment. No other significant conditions, failures, or unavailable equipment occurred during the event.
Recovery opportunities. Offsite power was available and within normal voltage and frequency limits at approximately 1746 hours. Offsite power was restored to the Division 1 emergency bus at 0122 hours on August 15, to the Division 3 emergency bus at 0356 hours, and to the Division 2 emergency bus at 0708 hours.
Analysis Results. The mean CCDP for this event is 2×10⁻⁵. The complete ASP analysis can be found at ML050960252.
Perry
At 1610 hours on August 14, 2003, Perry experienced a disturbance on the electrical grid and a subsequent main generator trip followed by a turbine trip and a reactor trip while operating at 100% power. Plant EDGs started and supplied power to safety-related plant loads until offsite power was restored (Refs. 8 and 10).
Other conditions, failures, and unavailable equipment. The A train of Residual heat removal (RHR) was inoperable for approximately 6 hours because of air binding in the keep-fill system pump. The low-pressure core spray (LCS) system was also affected by the air binding in the keep-fill system, but the LCS system was recoverable from the start of the LOOP.
Approximately 3 hours into the event, the reactor core isolation cooling (RCIC) turbine-driven pump was manually secured to prevent an automatic shutdown because of high steam tunnel temperature. The high steam tunnel temperature was caused by a loss of ventilation, and the RCIC system was recoverable. The Division 1 EDG tripped on reverse power while being removed from service. This had no effect on the CCDP for this event.
Recovery opportunities. Offsite power was first available at 1737 hours when one transmission yard breaker was closed. Offsite power was restored to the Division 1 emergency bus at 1813 hours on August 14, to the Division 3 emergency bus at 1214 hours on August 15, and to the Division 2 emergency bus at 1548 hours on August 15.
Analysis Results. The mean CCDP for this event is 3×10⁻⁵. The complete ASP analysis can be found at ML050960263.
References
1. Licensee Event Report 341/03-002, Revision 1, Automatic Reactor Shutdown Due to Electric Grid Disturbance and Loss of Offsite Power, event date August 14, 2003 (ADAMS Accession No. ML033570189).
2. Licensee Event Report 333/03-001, Revision 0, Automatic Reactor Shutdown Due to Grid Instability Associated With the August 14th, 2003 Transmission Grid Blackout and Related Plant MODE Change with the A EDG Subsystem Inoperable, event date August 14, 2003 (ADAMS Accession No. ML0329601250).
3. Licensee Event Report 244/03-002, Revision 0, Major Power Grid Disturbance Causes Loss of Electrical Load and Reactor Trip, event date August 14, 2003 (ADAMS Accession No. ML0328904410).
4. Licensee Event Report 247/03-005, Revision 0, Automatic Reactor Trip due to Reactor Coolant Pump Trip on Under-Frequency Caused by a Degraded Off-Site Grid, event date August 14, 2003 (ADAMS Accession No. ML0328902230).
5. Licensee Event Report 286/03-005, Revision 0, Automatic Reactor Trip due to Reactor Coolant Pump Trip on Under-Frequency Caused by a Degraded Off-Site Grid, event date August 14, 2003 (ADAMS Accession No. ML0328902210).
6. Licensee Event Report 220/03-002, Revision 0, Reactor Scram Due to Grid Disturbance, event date August 14, 2003 (ADAMS Accession No. ML0329701050).
7. Licensee Event Report 410/03-002, Revision 0, Reactor Scram Due to Electric Grid Disturbance, event date August 14, 2003 (ADAMS Accession No. ML0329701090).
8. Licensee Event Report 440/03-002, Revision 1, Reactor Scram Due to Electric Grid Disturbance, event date August 14, 2003 (ADAMS Accession No. ML033530117).
9. NRC Region 1 Grid Special Report, October 15, 2003 (ADAMS Accession No. ML0324102160).
10. NRC Region 3 Grid Special Report, August 28, 2003 (ADAMS Accession No. ML0324102370).
Enclosure 2
COMMENT RESPONSE
Comments on Preliminary ASP analyses were received on all plants from NRR/DSSA/SPSB, on Ginna from Region 1 and NRR/DLPM and from four licensees covering six of the eight plants.
The SPSB comments can be found at ML041280168, and licensee comments can be found at ML041480357 (Nine Mile Point 1), ML041480354 (Nine Mile Point 2), and ML041460505 (Indian Point 2 & 3 and Fitzpatrick).
2.A. NRC COMMENTS AND RESPONSES
SPSB Comments on Preliminary Precursor Analysis of Fitzpatrick Grid Blackout Event
- 1. Prior to review of the assumptions and methodologies used in the analysis, an attempt was made to duplicate the quantitative result using the basic event change set information provided in Table 4. The result of this effort is presented below:
The reviewer used the latest Fitzpatrick SPAR model, Revision 3i, December 4, 2003, in the GEM software mode (Version 6.79), initiating event analysis, designating a grid-related LOOP, and using a truncation of E-11. (Monte Carlo simulation, 3000 samples).

| | Point Value | Mean | 5% | 95% |
|---|---|---|---|---|
| Best Estimate Case | 7.1E-5 | 8.6E-5 | 1.5E-5 | 2.4E-4 |
| Review Result | 7.7E-5 | 8.1E-5 | 5.9E-6 | 2.7E-4 |

To address the differences noted, the reviewer checked the basic event probability log at the back of the report and noted only the following two differences:

| | Best Estimate Case | Review Case |
|---|---|---|
| CVS-MOV-CF-14AB | 1.0E-4 | 1.9E-4 |
| CVS-MOV-CF-VENTS | 1.0E-4 | 1.9E-4 |

The reviewer considered the difference in these two basic event values to be insufficient to reflect the overall difference in the point values noted in the table above.
- 2. Since this analysis was performed to predict the probability of core damage at the instant in time when the grid instability occurred, actual plant conditions and equipment status should be used as opposed to averaged conditions. This implies that test and maintenance basic events for the four diesel generators, the two ESW pumps, and the turbine-driven RCIC and HPCI pumps should be set to FALSE. The reviewer added these change sets to the assessment and generated the following results:

| | Point Value | Mean | 5% | 95% |
|---|---|---|---|---|
| Review Result Removing T&M | 6.3E-5 | 6.4E-5 | 4.4E-6 | 2.1E-4 |

- 3. There exists a typographical error on Page 5 under the topic Probability of failure to recover offsite power in 10 hours. The figure of 4.0E-4 is listed, but should be 1.0E-3.
- 4. In the human error modeling of the offsite power recovery, the PSF value used for stress was 5, corresponding to extreme stress. The reviewer contends that a value of 2 for high stress should have instead been used.
In Section 2.4.4.4, of the draft SPAR-H Method, INEEL/EXT-02-10307, extreme stress is defined as being a case where one is threatened by a potential for radioactive release. In this case, although radioactive release is a possibility, the operators would be confident that a stable, offsite power source was available and that there was ample time to connect it to the vital buses. Their immediate physical well-being would not be at stake such as working next to a tank about to explode. High stress is defined as a situation where the consequences of the task represent a threat to plant safety, and would appear to be more applicable to this situation.
Since recovery of offsite power to a single emergency bus would generally be sufficient for a successful recovery, it is doubtful that a full hour would be needed, especially when the evolution is being expedited in response to an emergency situation.
It also does not make intuitive sense that given an hour of time to connect offsite power to one of two vital buses, operators would fail 10 percent of the time, given that mistakes would generally be detectable and recoverable, and, if not, a redundant bus would be available.
The reviewer changed the following basic events to account for this recommended change to the HRA classification of the event.
The reviewer consulted with officials at a nuclear plant, who stated that offsite power could easily be brought on during an SBO within 15 minutes, given adequate emergency lighting or flashlights. The process would be relatively simple given that no synchronization with the EDGs would be needed. The reviewer considered that a bounding time of 30 minutes to restore offsite power to one vital bus should be used as the nominal value in this analysis.
The reviewer made the following changes:

| Basic Event | Previous Value | Revised Value |
|---|---|---|
| OEP-XHE-NOREC-4H | 1E-1 | 4E-3 (nominal time, high stress) |
| OEP-XHE-NOREC-10H | 1E-3 | 4E-4 (time>5 times required, high stress) |

The following result was obtained in GEM:

| | Point Value | Mean | 5% | 95% |
|---|---|---|---|---|
| Review Result Removing T&M and Adjusting HRA for Recovery of Offsite Power | 3.7E-5 | 3.9E-5 | 3.6E-6 | 1.2E-4 |

- 5. In the analysis, it was assumed that offsite power was restored within 14 hours; therefore, the mission time for the basic event EPS-DGN-FR-FTRL (Diesel Generator Fails to Run 14-24 hours) was set to 0 hours. The SAPHIRE model has a defect and defaults to a mission time of 24 hours when a 0 is placed in the mission time for the EPS-DGN-FR-FTRL term.
Therefore, a contribution from the FTRL term is undesirably included in the overall FTR compound event calculation in this situation, as was the case in this ASP analysis. To outwit the program to comply with the correct scenario, the reviewer used 1E-4 hrs. as the mission time. This resulted in a drop in the diesel generator fail-to-run terms, resulting in the following results:

| | Point Value | Mean | 5% | 95% |
|---|---|---|---|---|
| Review Result Removing T&M and Adjusting HRA for Recovery of Offsite Power and Correcting the FTRL term | 3.7E-5 | 3.8E-5 | 3.5E-6 | 1.2E-4 |

SPSB Comments on Preliminary Precursor Analysis of Ginna Grid Blackout Event
- 1. Prior to review of the assumptions and methodologies used in the analysis, an attempt was made to duplicate the quantitative result using the basic event change set information provided in Table 4. The result of this effort is presented below:
The reviewer used the latest Ginna SPAR model, Revision 3i, October 2, 2003, in the GEM software mode, initiating event analysis, designating a grid-related LOOP, and using a truncation of E-11. (Monte Carlo simulation, 3000 samples).

| | Point Value | Mean | 5% | 95% |
|---|---|---|---|---|
| Best Estimate Case | 1.6E-4 | 1.9E-4 | 1.6E-5 | 6.8E-4 |
| Review Result | 2.0E-4 | 2.4E-4 | 1.2E-5 | 8.7E-4 |

The differences were not qualitatively significant.
- 2. Since this analysis was performed to predict the probability of core damage at the instant in time when the grid instability occurred, actual plant conditions and equipment status should be used as opposed to averaged conditions. This implies that test and maintenance basic events for the two diesel generators and the turbine-driven AFW pump should be set to FALSE. The reviewer added these change sets to the assessment and generated the following results:

| | Point Value | Mean | 5% | 95% |
|---|---|---|---|---|
| Review Result Removing T&M | 9.1E-5 | 1.2E-4 | 5.8E-6 | 4.5E-4 |

- 3. Table C.1, there is a typographical error, in that the columns for ACP-XHE-NOREC-BD and OEP-XHE-NOREC-2H are interchanged.
- 4. In Table 4, the frequency for EPS-DGN-CF-FRAB (CCF of Diesel Generators A and B to run) is listed as 6.1E-4. In the review run, this frequency was 8.4E-4. The mission times were the same on both runs. By contrast, the values of EPS-DGN-CF-FSAB (start failures) were consistent at 3.8E-4.
- 5. In the human error modeling of the offsite power recovery, the PSF value used for stress was 5, corresponding to extreme stress. The reviewer contends that a value of 2 for high stress should have instead been used. Operators would be dispatched to the switchyard and would be standing by waiting for instructions to reconnect to the grid. During this time they would be mentally preparing for the steps that would need to take place. They would not be particularly concerned about any immediate threat to their well-being and most likely would not be overly concerned about the status of the plant, given that offsite power was available in the yard. The reviewer considered that the HRA under this assumption would still be greater than the value from equipment failure. The reviewer changed the following basic events to account for this recommended change to the HRA classification of the event.
Since recovery of offsite power to a single emergency bus would generally be sufficient for a successful recovery, it is doubtful that a full hour would be needed, especially when the evolution is being expedited in response to an emergency situation.
The reviewer consulted with officials at a nuclear plant, who stated that offsite power could easily be brought on during an SBO within 15 minutes, given adequate emergency lighting or flashlights. The process would be relatively simple given that no synchronization with the EDGs would be needed. The reviewer considered that a bounding time of 30 minutes to restore offsite power to one vital bus should be used as the nominal value in this analysis.
| Basic Event | Previous Value | Revised Value |
|---|---|---|
| OEP-XHE-NOREC-2H | 1E-1 | 4E-3 (nominal time, high stress) |
| OEP-XHE-NOREC-SL | 1E-2 | 4E-4 (>5X, high stress) |
| OEP-XHE-NOREC-6H | 1E-2 | 4E-4 (>5X, high stress) |
| ACP-XHE-NOREC-BD | 1E-2 | 4E-4 (>5X, high stress) |
The following result was obtained in GEM:
| | Point Value | Mean | 5% | 95% |
|---|---|---|---|---|
| Review Result Removing T&M and Adjusting HRA for Recovery of Offsite Power | 6.7E-5 | 9.0E-5 | 4.4E-6 | 3.3E-4 |
- 6. In the discussion of basic event probability changes, mention was not made to adjustments indicated in Table 4 concerning alpha factors for standby service water pumps. The reviewer used the adjusted alpha factors in GEM, but also noted that the effect was negligible in the final result.
- 7. The analyst adjusted the mission time of the turbine-driven AFW pump to equal 2 hours, because offsite power could have been expected to have been recovered in this time frame.
This caused a change in the value for the basic event AFW-TDP-FR-TDP. However, the reviewer noted that this had no impact on the final result because the SPAR substituted a different basic event (AFW-TDP-FR-TDP1H- (TD Pump Fails to Run for One Hour)) in all sequences associated with the LOOP event tree.
INEEL was consulted on the recovery rule. They stated that the recovery rule that imparted this substitution was not accompanied by explanatory text. The reviewer commented out the recovery rule, which then re-instated the 2-hour run for the AFW turbine-driven pump.
The following results were obtained:
| | Point Value | Mean | 5% | 95% |
|---|---|---|---|---|
| Review Result Removing T&M, Adjusting HRA for Recovery of Offsite Power, and Enabling a 2 Hour Run for the AFW TDP | 7.0E-5 | 8.6E-5 | 4.8E-6 | 3.1E-4 |
- 8. In the analysis, it was assumed that offsite power was restored within 14 hours; therefore, the mission time for the basic event EPS-DGN-FR-FTRL (Diesel Generator Fails to Run 14-24 hours) was set to 0 hours. The SAPHIRE model has a defect and defaults to a mission time of 24 hours when a 0 is placed in the mission time for the EPS-DGN-FR-FTRL term.
Therefore, a contribution from the FTRL term is undesirably included in the overall FTR compound event calculation in this situation, as was the case in this ASP analysis. To outwit the program to comply with the subject scenario, the reviewer used 1E-4 hrs. as the mission time. This resulted in a drop in the diesel generator fail-to-run terms, resulting in the following results:
| | Point Value | Mean | 5% | 95% |
|---|---|---|---|---|
| Review Result Removing T&M, Adjusting HRA for Recovery of Offsite Power, and Enabling a 2 Hour Run for the AFW TDP and Correcting for EDG FTR Anomaly | 5.4E-5 | 7.0E-5 | 2.7E-6 | 2.7E-4 |

SPSB Comments on Preliminary Precursor Analysis of Nine Mile Point 1 Grid Blackout Event
- 1. Prior to review of the assumptions and methodologies used in the analysis, an attempt was made to duplicate the quantitative result using the basic event change set information provided in Table 4. The result of this effort is presented below:
The reviewer used the latest Nine Mile Point 1 SPAR model, Revision 3i, February 10, 2004, in the GEM software mode (Version 6.79), initiating event analysis, designating a grid-related LOOP, and using a truncation of E-11. (Monte Carlo simulation, 3000 samples). The reviewer modified the isolation condenser fault tree as described in the report.
| | Point Value | Mean | 5% | 95% |
|---|---|---|---|---|
| Best Estimate Case | 3.1E-5 | 3.4E-5 | 3.8E-6 | 1.2E-4 |
| Review Result | 3.7E-5 | 3.8E-5 | 2.5E-6 | 1.3E-4 |

The reviewer considered that the difference in the result may be attributable to the reviewer's use of a newer version of the Nine Mile Point, Unit 1 SPAR model (February 10, 2004). An older version, March 6, 2003, was used in the precursor analysis.
- 2. Since this analysis was performed to predict the probability of core damage at the instant in time when the grid instability occurred, actual plant conditions and equipment status should be used as opposed to averaged conditions. The report did not mention that any relevant equipment was in test or maintenance at the time of the event. This implies that test and maintenance basic events for all modeled equipment should be set to FALSE. The reviewer added these change sets to the assessment and generated the following results:
| | Point Value | Mean | 5% | 95% |
|---|---|---|---|---|
| Review Result Removing T&M | 1.7E-5 | 2.1E-5 | 1.0E-6 | 6.7E-5 |
- 3. In the human error modeling of the offsite power recovery, the PSF value used for stress was 5, corresponding to extreme stress. The reviewer contends that a value of 2 for high stress should have instead been used.
In Section 2.4.4.4, of the draft SPAR-H Method, INEEL/EXT-02-10307, extreme stress is defined as being a case where one is threatened by a potential for radioactive release. In this case, although radioactive release is a possibility, the operators would be confident that a stable, offsite power source was available and that there was ample time to connect it to the vital buses. Their immediate physical well-being would not be at stake such as working next to a tank about to explode. High stress is defined as a situation where the consequences of the task represent a threat to plant safety, and would appear to be more applicable to this situation.
Since recovery of offsite power to a single emergency bus would generally be sufficient for a successful recovery, it is doubtful that a full hour would be needed, especially when the evolution is being expedited in response to an emergency situation.
It also does not make intuitive sense that given an hour of time to connect offsite power to one of two vital buses, operators would fail 10 percent of the time, given that mistakes would generally be detectable and recoverable, and, if not, a redundant bus would be available.
The reviewer consulted with officials at a nuclear plant, who stated that offsite power could easily be brought on during an SBO within 15 minutes, given adequate emergency lighting or flashlights. The process would be relatively simple given that no synchronization with the EDGs would be needed. The reviewer considered that a bounding time of 30 minutes to restore offsite power to one vital bus should be used as the nominal value in this analysis.
The reviewer changed the following nonrecovery probabilities as follows:
| Nonrecovery Factor | Nominal Value | Time Available | Product of All Others | Non-recovery Probability |
|---|---|---|---|---|
| OEP-XHE-NOREC-1H | 1E-3 | Inadequate | 4 | TRUE |
| ACP-XHE-NOREC-2H | 1E-3 | 1.0 | 4 | 4E-3 |
| OEP-XHE-NOREC-2H | 1E-3 | 1.0 | 4 | 4E-3 |
| OEP-XHE-NOREC-4H | 1E-3 | 0.1 (>5X) | 4 | 4E-4 |
| ACP-XHE-NOREC-8H | 1E-3 | 0.1 | 4 | 4E-4 |
| OEP-XHE-NOREC-10H | 1E-3 | 0.1 | 4 | 4E-4 |

The reviewer added these change sets to the assessment and generated the following results:
| | Point Value | Mean | 5% | 95% |
|---|---|---|---|---|
| Review Result Removing T&M and Adjusting HRA for Offsite Recovery | 1.1E-5 | 1.3E-5 | 7.5E-7 | 4.0E-5 |
- 4. In the analysis, it was assumed that offsite power was restored within 14 hours; therefore, the mission time for the basic event EPS-DGN-FR-FTRL (Diesel Generator Fails to Run 14-24 hours) was set to 0 hours. The SAPHIRE model has a defect and defaults to a mission time of 24 hours when a 0 is placed in the mission time for the EPS-DGN-FR-FTRL term.
Therefore, a contribution from the FTRL term is undesirably included in the overall FTR compound event calculation in this situation, as was the case in this ASP analysis. To outwit the program to comply with the correct scenario, the reviewer used 1E-4 hrs. as the mission time. This resulted in a drop in the diesel generator fail-to-run terms, resulting in the following results:
| | Point Value | Mean | 5% | 95% |
|---|---|---|---|---|
| Review Result Removing T&M and Adjusting HRA for Offsite Recovery and Correcting the FTRL term | 9.5E-6 | 1.2E-5 | 5.5E-7 | 3.4E-5 |

SPSB Comments on Preliminary Precursor Analysis of Nine Mile Point 2 Grid Blackout Event
- 1. It was not clear why offsite power was restored within one hour at Nine Mile Point 1, but not for over 6 hours to Nine Mile Point 2, and whether power could have been restored much sooner to Nine Mile Point 2 had an emergency situation existed. If that is the case, then the analysis has significantly overstated the risk of the event.
- 2. Prior to review of the assumptions and methodologies used in the analysis, an attempt was made to duplicate the quantitative result using the basic event change set information provided in Table 4. The result of this effort is presented below:
The reviewer used the latest Nine Mile Point 1 SPAR model, Revision 3i, January 3, 2003, in the GEM software mode (Version 6.79), initiating event analysis, designating a grid-related LOOP, and using a truncation of E-11. (Monte Carlo simulation, 3000 samples).
| | Point Value | Mean | 5% | 95% |
|---|---|---|---|---|
| Best Estimate Case | 3.8E-4 | 4.7E-4 | 6.2E-5 | 1.5E-3 |
| Review Result | 4.1E-4 | 5.1E-4 | 3.0E-5 | 1.8E-3 |

The reviewer considered the difference in the results to be nominal.
- 3. Since this analysis was performed to predict the probability of core damage at the instant in time when the grid instability occurred (along with a precise foreknowledge of how long the outage would last), actual plant conditions and equipment status should be used as opposed to averaged conditions. The report did not mention that any relevant equipment was in test or maintenance at the time of the event; if this had been the case, this equipment would have been assumed unavailable in the analysis. This implies that test and maintenance basic events for all modeled equipment should be set to FALSE. The reviewer added these change sets to the assessment and generated the following results:
| | Point Value | Mean | 5% | 95% |
|---|---|---|---|---|
| Review Result Removing T&M | 2.1E-4 | 2.7E-4 | 1.9E-5 | 9.5E-4 |
- 4. In the human error modeling of the offsite power recovery, the PSF value used for stress was 5, corresponding to extreme stress. The reviewer contends that a value of 2 for high stress should have instead been used.
In Section 2.4.4.4, of the draft SPAR-H Method, INEEL/EXT-02-10307, extreme stress is defined as being a case where one is threatened by a potential for radioactive release. In this case, although radioactive release is a possibility, the operators would be confident that a stable, offsite power source was available and that there was ample time to connect it to the vital buses. Their immediate physical well-being would not be at stake such as working next to a tank about to explode. The high level of stress experienced during the blackout would be relieved by the realization that reliable power had been restored to the site. High stress is defined as a situation where the consequences of the task represent a threat to plant safety, and would appear to be more applicable to this situation. As an aside, it can be argued that the stress in this situation would cause operators to become more focused and actually less likely to make an error.
Since recovery of offsite power to a single emergency bus would generally be sufficient for a successful recovery, it is doubtful that a full hour would be needed, especially when the evolution is being expedited in response to an emergency situation, and given that mistakes would generally be detectable and recoverable, and, if not, a redundant bus would be available.
The reviewer consulted with officials at the Columbia Generating Station, who stated that offsite power could easily be brought on during an SBO within 15 minutes, given adequate emergency lighting or flashlights. The process would be relatively simple given that no synchronization with the EDGs would be needed. The reviewer considered that a bounding time of 30 minutes to restore offsite power to one vital bus should be used as the nominal value in this analysis. For this case, that would mean that greater than 5 times the nominal time would be available for the 10- and 12-hour recovery basic events.
The reviewer changed the following nonrecovery probabilities to account for the two underlined points as follows:
| Nonrecovery Factor | Nominal Value | Time Available | Product of All Others | Non-recovery Probability |
|---|---|---|---|---|
| ACP-XHE-NOREC-30M | 1E-3 | Inadequate | | TRUE |
| OEP-XHE-NOREC-1H | 1E-3 | Inadequate | | TRUE |
| OEP-XHE-NOREC-2H | 1E-3 | Inadequate | | TRUE |
| ACP-XHE-NOREC-2H | 1E-3 | Inadequate | | TRUE |
| OEP-XHE-NOREC-4H | 1E-3 | Inadequate | | TRUE |
| ACP-XHE-NOREC-4H | 1E-3 | Inadequate | | TRUE |
| OEP-XHE-NOREC-8H | 1E-3 | 1 | 4 | 4E-3 |
| ACP-XHE-NOREC-8H | 1E-3 | 1 | 4 | 4E-3 |
| OEP-XHE-NOREC-10H | 1E-3 | 0.1 | 4 | 4E-4 |
| OEP-XHE-NOREC-12H | 1E-3 | 0.1 | 4 | 4E-4 |

The reviewer added these change sets to the assessment and generated the following results:
| | Point Value | Mean | 5% | 95% |
|---|---|---|---|---|
| Review Result Removing T&M and Adjusting HRA for Offsite Recovery | 1.5E-4 | 2.0E-4 | 1.4E-5 | 7.3E-4 |
- 5. In the analysis, it was assumed that offsite power was restored within 14 hours; therefore, the mission time for the basic event EPS-DGN-FR-FTRL (Diesel Generator Fails to Run 14-24 hours) was set to 0 hours. The SAPHIRE model has a defect and defaults to a mission time of 24 hours when a 0 is placed in the mission time for the EPS-DGN-FR-FTRL term.
Therefore, a contribution from the FTRL term is undesirably included in the overall FTR compound event calculation in this situation, as was the case in this ASP analysis. To outwit the program to comply with the correct scenario, the reviewer used 1E-4 hrs. as the mission time. This resulted in a drop in the diesel generator fail-to-run terms, resulting in the following results:
| | Point Value | Mean | 5% | 95% |
|---|---|---|---|---|
| Review Result Removing T&M and Adjusting HRA for Offsite Recovery and Correcting FTRL term | 1.3E-4 | 1.8E-4 | 1.2E-5 | 6.7E-4 |

SPSB Comments on Preliminary Precursor Analysis of Fermi/Perry/IP2/IP3 Grid Blackout Events

Issue No. | Page No. | Description

Issue 1. Page No.: (Summary) 2.
Claim that the reason for CCDP variation is primarily due to different LOOP durations. It doesn't exactly seem that way, looking at Table 1.
The chart at the end of this table shows the scatter of the CCDPs of the eight plants, relative to LOOP durations. A second plot showing the average short duration LOOP and its CCDP, and the average long duration LOOP with its CCDP indicates that while LOOP duration seems to influence CCDP, it is not that well coupled to LOOP duration. Note that the slope from a hypothetical LOOP-caused CCDP of zero given zero LOOP duration to the average short duration LOOP point is considerably different from the slope between the average short duration LOOP point to the average long duration LOOP point.
Issue 2. Page No.: Fermi 3, Perry 4, IP2 3, IP3 3.
3rd paragraph discusses how GEM calculates EDG mission time, which is based on a generic period of time that derives from when it is 95% probable that OSP has been restored to all safety busses, based on historic data. This is in conflict with the discussion on mission times in the summary document, on the first page of Attachment 1, where it describes mission time as extending from LOOP initiation until power is restored to all safety busses as provided in that particular event report.
Need to consistently define EDG mission time.
Page 4 of the Fermi writeup seems to clarify by explaining that the mission time for the EDG is being treated by adjusting the individual mission times of the three-part EDG fail-to-run Basic Event. Perhaps all we need is some clarification in the summary document.
Issue 3. Page No.: Fermi Event Tree LOOP-2.
Noted that event (node) SRV has 3 branches; success, 1 SRV stuck open, 2 or more SRVs stuck open. The latter path, P2, leads to transfer subtree LOOP-2. The LOOP-2 subtree's first event, with a description "SRVs CLOSE" is event P3. I am not 100% sure, but this may lead to problems with having SAPHIRE/GEM quantify the LOOP event tree in total. Please evaluate and correct as needed (including updating the event subtree to reflect path P2).
Issue 4. Page No.: Fermi 4 & 6.
The treatment of the CTG overall makes sense. But, instead of setting the new CTG FTS Basic Event to 1.0, and all of the other OR-gated inputs to 0, why didn't you just TRUE the FTS Basic Event, period?
Issue 5. Page No.: Fermi 4.
The 2 sequences, 5 & 17, have a number of brothers that are also long-term, that did not receive the adjustment for aligning the DG to a dead bus.
Shouldn't the other brother sequences get the same treatment?
Issue 6. Page No.: Fermi 4 & 6.
Along this line, if these are, in fact, long-term sequences, and it is felt that the value for failure to align the DG to a dead bus (EPS-XHE-XM-ALTDG) was too conservative for this case, then it is probably too conservative, period.
i.e. - The base case for Fermi and all other similar SPAR models should be revised to allow for different HEPs for failure to align a DG to a dead bus, based on time available. There is nothing unique about this event that justifies the adjustment only for this case.
Issue 7.
Noticed that there are no inputs into EDG failures for the failure of EDG autostart or Safety Bus stripping circuits or of EDG output breakers.
Issue 8. Page No.: Fermi 5, Perry 5, IP2 4, IP3 4.
Noted that there are two sets of Basic Events representing the same event (or very similar events) mentioned on this page. They are listed below:

OEP-XHE-NOREC-01H OEP-XHE-NOREC-02H OEP-XHE-NOREC-04H AND ACP-XHE-NOREC-04H OEP-XHE-NOREC-10H

There were also the following events:

ACP-XHE-NOREC-30 ACP-XHE-NOREC-90 ACP-XHE-NOREC-BD

The existence of all these events is confusing, and leads to the below questions:
- 1. The ACP non-recoveries appear to make sense in that they address late recovery once officially in an SBO. The OEP non-recoveries apparently are inputs to a gate called ROOP, which is an input into the EPS tree.
However, the EPS tree is evaluated immediately following the LOOP event to determine if we need to transfer to the SBO event tree or not. So why are such long durations (1, 2, 4, or 10 hours) to allow for recoveries? The SBO Event Tree already declares victory at the very end of the day should the ACP... events be successful.
To make it even more confusing, the ROOP gate contains each one of the OEP... events, all OR-gated to the ROOP gate. But each one of these individual OEP... events is itself AND gated to a process flag, defaulted to be marked FALSE. This would prevent ROOP from ever being TRUE, hence suggesting that OSP is always available. ROOP then inputs into each of the Safety-Related Electrical Division gates. If ROOP isn't TRUE, then the electrical divisions would have power regardless of whether or not the EDGs are successful, which does not make sense. (There are some event tree linking rules (or process flagsets) which may explain the confusion, but I don't understand them.)
Response: The new SAPHIRE 7 models have standardized names for power non-recovery events for all plants. For LOOP initiating event assessments, the process flags in the ROOP tree are set to TRUE.
Issue 9. Page No.: Fermi 5, 19.
For Basic Event OEP-XHE-NOREC-10H it was noted that the adjustment to the HEP value was made using the SPAR-H method. This analysis was summarized on p. 19, w/o the use of the worksheets. There is a column, "Product of All Others" in which a factor of 10 was inserted for this Basic Event. Pls explain where the "10" came from.
Issue 10. Page No.: Fermi 5, Perry 6.
Suggest clarification of the last statement on the page. Instead of saying "Since RCI restart occurred...", I would recommend "Since RCI was shutdown and needed to be restarted...". This wording better correlates with the RCI-RESTART Basic Event.
Also, there seems to be a logic error in the RCIC Restart Gate RCI-8. It is an AND gate that combines the requirement for restarting the pump with a pump FTS and the operator failing to restart it. It seems to me that the operator action should be OR gated to the FTS basic event, not AND gated. I agree that the need to restart basic event should remain AND gated to the other two.
Issue 11. Page No.: Fermi 6.
Discussion on Sensitivity needs to be clarified. I thought the mean values were always the quoted values. For a short while it appeared that the sensitivity case was going to yield a lower CCDP than the best estimate case (1.6E-04 sensitivity; 1.9E04 best estimate). I finally concluded that you were referring to point values, not means.
Issue 12. Page No.: Fermi 6.
Noting that the dominant sequence is 60-04 was confusing at first. It is identical to sequence 60-02, except that sequence 60-02 has successful firewater injection (following depressurization and consequential loss of RCIC & HPCI). The remaining event (AC-BD and AC-4HR) should be identical, since the batteries are assumed to last 4 hours at Fermi. One would normally figure that any system, even last resort system still have a better than even chance of working, and your discussion on firewater injection (event VA3 in the Fermi Event Tree Documentation suggested that firewater is an alternate source at Fermi). It wasn't until I noticed that event VA3 is treated as a basic event with probability of 1.0, that I realized that there must be no firewater injection source at Fermi. This discussion should be clarified, both here and in the Event Tree documentation.
Issue 13. Page No.: Fermi 8.
Table 3 suggests that Sequence 22-23 is the dominant sequence. This is not consistent with Table 2a and previous statements made that Sequence 60-04 is dominant.
Response
Issue 14. Page No.: Fermi 9.
No explanation given as to why the basic event for operator fails to depressurize the reactor needed adjustment.
Issue 15. Page No.: Fermi 8 (This comment applies to all plants).
Insights from the numerical results are lacking. For example, according to the Fermi SPAR model results documentation, LOOP-related CCDP (mean value) appears to be about 1.04E-04. In this event we have a mean value best estimate of 1.9E-4, which is an approximate doubling of LOOP-related CCDP as represented by this particular event, which was, for Fermi, a rather innocuous LOOP event. This amount of increase in LOOP CCDP doesn't seem justified on the basis of the very few and minor adverse issues that arose after the initiating event:
- 1) A delay in getting the CTG started. 4 out of 4 EDGs need to fail (per the EPS fault tree) before the CTG is even needed. Even at that point, one EDG can be used to energize two safety busses.
- 2) Power restoration took longer than the credited battery life. Granted that this would increase sequence 60-04 (actually all SBO sequences) by the inverse of their (late) AC power recovery probabilities, still with 4 EDGs and a CTG (which did come back before the battery would have failed) all having to fail, SBO should be a very small portion of the overall contribution to LOOP-related CDF.
- 3) The RCIC pump had to be restarted. This should contribute virtually nothing to the risk associated with this event. In fact, the FTS value should be reduced on the basis that the pump had just had a test in the past hour or so. The constant failure rate notion is not appropriate here.
The Fermi SPAR model results documentation also provide an industry SBO CCDP of 3.2E-04, which is not much more than Fermi's LOOP CCDP from this event. This seems hard to believe, given the number of alternate power sources available on-site.
A comparison to Fermi's base case, in particular highlighting those sequences showing the greatest change in CCDP with an explanation as to why, would provide the kind of insights that may be useful to an outside audience, including the licensee.
Issue 16. Page No.: Fermi 14, 17; Perry 17.
Giving the plant only 30 minutes post-SBO (e.g. - in Fermi sequence 60-14) seems extremely restrictive. Since the SRVs all successfully re-closed, there is no LOCA in progress. Doesn't a BWR develop some sort of thermal driving head and start a natural circ process to keep the upper portion of the fuel rods cooled?
Issue 17. Page No.: Fermi 14.
Don't understand, from the viewpoint of the reactor, the difference between sequences 60-10 and 60-22, that survival time drops from 4 hours to 90 minutes. The only obvious difference is a stuck open SRV. Does the impact of that add that much heat load to the suppression pool that HCTL is reached that much quicker, forcing depressurization and the termination of HPCI?
Issue 18. Page No.: Fermi 6, 24.
The explanation for Basic Event EPS-XHE-XM-CTG should be greatly clarified by noting that this basic event is being changed from a simple procedurally driven starting operation to an unproceduralized operation to 1) diagnose why it failed to start, and then 2) make arrangements for a workaround (in this case to procure a portable generator to provide field flash for the exciter).
Issue 19. Page No.: Fermi 24, 25.
I question whether the stress was Extreme for the situation with the CTG.
The definitions of this categorization in the INEEL/EXT-02-10307 are as follows:
Extreme - a level of disruptive stress in which the performance of most people will deteriorate drastically. This is likely to occur when the onset of the stressor is sudden and the stressing situation persists for long periods. This level is also associated with the feeling of threat to one's physical well being or to one's self-esteem or professional status, and is considered to be qualitatively different from lesser degrees of high stress (e.g., catastrophic failures can result in extreme stress for operating personnel because of the potential for radioactive release).
High - a level of stress higher than the nominal level (e.g., multiple instruments and annunciators alarm, unexpectedly, at the same time; loud, continuous noise impacts ability to focus attention on the task, the consequences of the task represent a threat to plant safety.
Even, in the postulated blackout condition when the CTG would be needed, a PSF for available time already evaluates the issue of time. Unless it is anticipated that the building in which the CTG is housed will go dark in the event of an SBO (probably unlikely, given the reason for having an alternate power source designed for blackout conditions), there seems to be no logical reason for selecting extreme stress. One should presume that plant electricians were dispatched to assist with this - that it wasn't up to operators to do this on their own. However, the PSF for low experience/training appears reasonable.
Issue 20. Page No.: Fermi 25.
The assigned PSF for procedures, seems to be excessively pessimistic, also. I would think that available, but poor, would be a closer fit. First, I would bet that there is a user manual for the portable generator. Secondly, I would bet that they broke out a wiring diagram and/or schematics to make sure that they connected the generator output to the proper terminals for field flash. Plus I would bet that they had a supervisor, as well as one of the plant engineers, along for support. Their presence would supplement somewhat for the lack of official procedures.
Issue 21. Page No.: Perry Event Trees.
It seems that the ability to operate RCIC changes from one subtree to the other, but not for consistent reasons. If EPS is successful but 1 SRV is stuck open, the plant is slowly depressurizing (subtree LOOP-1). HPCS is allowed to operate as long as SPC is available. Why not RCIC?? This same question could be asked about the 2 SRVs stuck open case (subtree LOOP-2).
In the SBO tree, HPCS is allowed to run even without SPC cooling for up to 8 hours, and the number of stuck open SRVs isn't even considered (unless, perhaps, they are in a special HPCS fault for this case). Yet, RCIC isn't even considered to be an eligible source for inventory control if there is >1 SRV stuck open. Why the distinction between these two turbine-driven pumps?
Issue 22. Page No.: Perry Event Trees.
A similar question could be asked re: CRD pumps. If HPCS & RCIC both fail, the initial LOOP event tree credits CRD with successful inventory control, provided SPC remains successful. (Am not sure why that is so critical, unless the CRD pumps need to draw from the SPC.) (Apparently this is less preferred than to depressurize and go on the low pressure injection sources, based on the event tree structure.) However, if one SRV is stuck open, no credit is given to CRD pumps, even though one of the overall assumptions for the event trees is to give credit to CRD if no more than one SRV is open.
Issue 23. Page No.: Perry Event Trees.
Linking rule 7 on p.2-66 of the event tree documentation says that if EPS fails and either DEP or FW2 fails, then replace the fault tree AC with fault tree AC-4HR. Yet the SBO event subtree labels each of these event tree node branches AC-3HR. Please make the documentation consistent with the event tree.
Issue 24. Page No.: Perry 1.
With regard to the keepfill system air binding, was there a Significance Determination Process evaluation run on this situation? Do we have an idea as to how long these systems have been unavailable due to this condition?
Also, was there a condition assessment ASP run on this?
Issue 25. Page No.: Fermi 3, Perry 3, IP2 2, IP3 3.
For Perry & IP3's best estimate cases, 30 minutes was used as the time to energize the first safety bus following restoration of OSP to the switchyard.
The rationale used was because this is what actually happened. Yet for Fermi & IP2, an assumed time of 1 hour was used for this operation, because the actual time was much longer (presumably because the site was more wary of bringing on undependable power). Here we have an example of a (probably) unhurried realignment of power to a safety bus. It seems inconsistent, then, to saddle Fermi and IP2 with the 1 hour assumptions (particularly IP2 & 3 which, from the writeups, appeared to be working together for OSP restoration. Making these distinctions makes little sense.).
In fact, this distinction between IP2 and IP3 results in different mission times for the 0.5 to 14 hour portions of the EDG runs, which results in different failure probabilities for IP2 and IP3's EDGs (basic event EPS-DGN-FR-FTRM) and turbine-driven AFW pumps (basic event AFW-TDP-FR-22 (32)).
This seems to be a completely artificial distinction between the two plants.
Issue 26. Page No.: Perry 4, 7.
Given that the Keepfill system has contributed to the unavailability of both LPCS and RHR-A, then this system should be considered for permanent incorporation into the Perry SPAR model (and those SPAR models of plants with similar Keepfill system layouts and dependencies upon it) as a pre-initiator.
Issue 27. Page No.: Perry 4, 7.
I noticed that the basic events for the Keepfill system for the LPCS fault tree and the RHR fault tree were not the same basic event. It seems that they should be, given that it is apparently the same system that is necessary to maintain the availability of both LPCS and RHR systems. Granted that these new basic events might have had different recovery values (in this case they did not - both at 0.21), but recovery could be handled as a separate AND-gated basic event.
In addition, the full impact of the Keepfill system failure does not appear to have been fully reflected. It appears that the impact was reflected in the model by adding this basic event into the RHR-A system fault tree. As you know, the RHR pumps have a variety of different uses, and are modeled as such in a number of different fault trees. Inspection of these trees indicated that most of them do use RHR-A fault tree as an input, which would capture the impact of the Keepfill system failure. However, it was observed that the LCI-1 and the SP2 fault tree, while using input from failures associated with RHR Train A, do not use the RHR-A fault tree. Instead, the RHR Train A component failure inputs are individually developed within these fault trees.
Hence, the impact of the Keepfill system failure was not captured in these trees, which are used in the SBO-1 event subtree.
28 Perry 6 Given that a high steam tunnel temperature can lead to the unavailability of RCIC, this should be investigated as a separate failure mode for the Perry SPAR model (and those SPAR models of plants with similar RCIC layouts).
It doesn't, offhand, seem appropriate to consider it as an example of a random fail-to-run event, similar to a bearing wipe, a shaft failure, a turbine blade failure, random closure of the governor valve due to a problem with the governor oil system, etc.
29 Perry 6 The mathematical treatment for handling the high steam tunnel temperature-caused unavailability of RCIC doesn't seem quite correct. To establish this formally, the FTR gate (which logically ANDs a fail-to-run and a recovery from fail-to-run) should be broken up into two such pairs: 1) a mechanical FTR (using existing data) and 2) an environmental FTR (using a value of 1.0 for the failure, and the calculated HEP of 5.5E-3 for the recovery). Let's say that the mechanical FTR pair is represented by events A and B respectively, and the environmental FTR pair are called events C and D respectively, except we already know that C = 1.0. Hence, the input to the overall FTR gate would be A*B+C*D. Since there was no mechanical failure of RCIC, we would leave the value of A at its nominal value. Hence, given this plus substituting 1.0 for C, would result in an overall FTR input of (A*B)+D.
Because you didn't establish a separate environmental FTR, but simply set the FTR term to TRUE, your writeup suggests that the overall input is simply B+D, which is overly conservative.
30 Perry 6 In addition, you gave no credit for RCIC's services which lasted for 5 hours.
SPAR models seem to make special efforts to recover equipment on long-term sequences. It seems to me that we could also make an effort to derive the benefit of equipment that performs until later in the sequence. Shouldn't we identify those sequences where RCIC is successful, but ultimately has to be shut down because of SPC considerations, and use the nominal environmental FTR value in those cases, rather than just TRUING that basic event?
31 Perry 22,24 The assignment of "Not available" for procedures for filling and venting the RHR and LPCS systems doesn't seem appropriate. All safety-related systems should have a fill and vent procedure. They were needed for initial station startup. There was very little description of this issue in the writeup.
Unfortunately, searching for the referenced documents on ADAMS (LERs and Inspection Report) (using the given ML numbers) yielded nothing.
32 Perry (general)
Despite all this, given the unavailability treatment for RCIC and the substantial unavailability of RHR and LPCS, a CCDP of 5E-04, as compared to the nominal LOOP CCDP of about 2.5E-04, may not be all that unreasonable. This equipment was unavailable, regardless of EDG status.
Nonetheless, similar to Issue No. 15 for Fermi, insights to explain the change from a standard LOOP CCDP should be included.
33 IP2 5, IP3 5
In the discussion about the model update it is noted in the IP2 writeup that the SPAR model fault tree for the EDG building ventilation system was modified, turning gate EP-DG-VENT-1 into a 5 out of 6 gate, rather than a 4 out of 6. No mention of this was made in the writeup for Unit 3. Please explain any differences in this section of the IP3 writeup, or replicate the information in the IP2 writeup as appropriate.
34 IP2 5, IP3 5
In the section under Sensitivity, you summarized the assumptions for the best estimate case, but didn't give the results. For the sensitivity case(s) you gave both a summary of assumptions and the key results. For completeness, please add in the key results for the best-estimate case into this section, also.
35 IP3 In investigating how the two IP units could be so far apart in their results (given the similarity of the plants and of the progression of the same event at each plant), it is noted that one of the characteristics that should have driven IP3's CCDP higher than IP2's (actually, the reverse is true, although, the relative increase from the base SPAR CCDP to the best-estimate CCDP for the 8/14/03 loop was a little more for Unit 3 than for Unit 2) is the apparently very low battery capacity (amp-hours). It would seem worthwhile to investigate this unusually low capacity with the licensee, and revise this value if appropriate.
Beyond that, it appears that a thorough examination of the LOOP models between the two units would be needed to explain the difference in LOOP-related CCDP. It is observed that there are substantial differences in the base SPAR model CCDPs, not only for LOOPs, but for other initiators. It is reiterated that the above relative increase in LOOP-related CCDP, from the base SPAR model results to the 8/14/03 LOOP evaluation, is consistent between the two units. Hence, it is reasonably likely that the LOOP-related risk between the two units is real.
SRI Comment on Preliminary Precursor Analysis of Ginna Grid Blackout Event
1. Comment from Kenneth Kolaczyk, Ginna SRI - Feedwater control system failure
The description of the Ginna event as outlined on page two of the forwarding memo, and page five of attachment one, seems to indicate that the B Motor Driven Auxiliary Feedwater (MDAFW) pump did not start and operate as designed following the trip.
This is incorrect, as the pump did operate as designed. It was damaged only after the operators failed to correctly align the AFW system when they were restoring it to a more "normal" lineup following the trip.
I am not sure if this fact will affect the results of your analysis. If you want additional information regarding the particulars of the error, see NRC inspection report 50-244/2003-006.
Response: Even though the B motor-driven AFW pump failed due to operator error, it did fail to complete its mission time, and therefore it is modeled as failed to run. This had a negligible effect on the quantitative result.
2.B. Grid LOOP ASP Analyses - Licensee Comments and Responses
Fitzpatrick
1. Comment from Licensee - Reactor coolant boil-off time
The ASP analysis did not include the three-hour reactor coolant boil-off time, which would take place in a site blackout sequence after battery depletion with initially successful HPCI/RCIC. Crediting this time in the analysis would increase the maximum offsite power recovery time to 7 hours and reduce the CCDP. The NRC analysis permitted a maximum recovery time of only 4 hours, i.e. 3 hours (when the 115kV system was first adequately energized), plus one hour to realign the safety buses, 10500 and 10600.
Response: The SPAR model does not credit recovery of offsite power in a station blackout following depletion of station batteries. Breakers in the switchyard and in the plant would have to be closed, and that may not be possible or feasible without any ac or dc power available. The SPAR model would be revised only if (1) a procedure exists to recover offsite power following battery depletion, (2) the procedure has been demonstrated to work, and (3) operators are trained on the procedure. Furthermore, thermal-hydraulic models do not show a three hour boil-off time in this scenario; the time would be closer to one hour.
2. Comment from Licensee - Firewater backup for EDG jacket cooling
The crosstie between the firewater system and EDG jacket coolers can be credited in accident sequence cutsets which involve failures of components in the ESW system with successful closure of 46MOV-102A/B. As an example, for the dominant core damage sequence LOOP/SBO sequence 47-02, fire water cross-tie recovery can be credited for cutsets of CCDP 6.5E-7 and below.
Response: The firewater backup is included for EDG cooling. For sequence 47-02, each cut set in the GEM report with CCDP below 6.5E-7 contains the event FWS-XHE-ERROR. FWS-XHE-ERROR is defined as operator fails to start/control firewater injection/cooling, which is used for alternate injection and for EDG jacket cooling. The probability of FWS-XHE-ERROR is 6.0E-2.
References:
1. Entergy Nuclear Operations, Inc. Comments on Preliminary Accident Sequence Precursor Analysis of August 14, 2003 Operational Event, Letter from Michael R. Kansler to U.S. Nuclear Regulatory Commission, May 17, 2004 (ML041460505).
Ginna
1. Comment from Bob Clark, Licensing Project Manager for Ginna - Feedwater control system failure (Ref. D.1)
There was a failure in the digital feedwater control system at Ginna during the grid event that you may want to consider in the SPAR model. Westinghouse plants have a control signal to close the main feedwater regulating valves (MFRVs) after a reactor trip when the RCS average temperature drops several degrees below the normal value.
This MFRV closure failed at Ginna due to voltage fluctuations which caused the digital feedwater control system to switch to manual. Both SGs filled up to the high-high level setpoint. At that point a safety-related signal closed the MFRVs. This is described in the Ginna LER. AFW was available to both SGs. The primary concern would be an overfill of the SGs, increasing the probability of a steam line break (for example, a SG safety valve opens on high SG pressure, and a slug of water gets accelerated through it, causing it to fail open). However, since the high-high level terminated the overfill, and the setpoint is designed to protect against overfill, it may not be that significant in the risk model.
Response: The analysis gave no credit for MFW working (i.e., it was slightly conservative). Overfilling a steam generator is not addressed by the SPAR model. It is probably not risk significant, as stated above in the comment.
References:
2. Ginna feed reg valve failure during 8/14/03 event, e-mail from John P. Boska, Licensing Project Manager (Hope Creek), U.S. Nuclear Regulatory Commission, to Gary Demoss, U.S. Nuclear Regulatory Commission, March 11, 2004.
Indian Point 2
1. Comment from Licensee - Maintenance unavailability
The analysis includes cutsets that include equipment in maintenance. Moreover, many of the cutsets involve having more than one major component in maintenance simultaneously. The normal work planning process at IP2 would not schedule maintenance on these components during the same workweek.
A more specific comment with respect to maintenance unavailability regards the inclusion of basic events representing service water pump maintenance. A significant number of the cutsets in the dominant sequence contain such events. The cooling of the emergency diesel generators (EDGs) is not unitized to the service water pumps.
That is, failure (or maintenance) of a specific service water pump (in these cases SWS Pump 26) does not fail the EDG that powers it. Thus, for example, in the cutset in Table 3 that contains AFW-TDP-TM-22, EPS-DGN-FR-22 and SWS-MDP-TM-26, emergency diesel generator EDG 23 (and EDG 21) would continue to receive cooling water and therefore motor driven AFW Pump 23 (which is powered from EDG 23) will continue to be powered.
In addition, test and maintenance activities are not normally done on service water pumps when they are aligned to the essential service water header. When pumps on the essential header require maintenance, the normal process is to re-align them to the nonessential header and then perform the maintenance. As a result, it is inappropriate to assign an average maintenance unavailability value to a cutset where the service water pump is intended to represent a pump aligned to the essential header. If any unavailability is assigned to service water pumps when they are aligned to the essential header it would only be for the brief period when a failure has occurred prior to realigning the headers. This would be at least an order of magnitude lower. (Service water system pump unavailability in the ASP is higher than the current plant specific unavailability for any of the service water pumps.)
Response: ABS Consulting changed the project rules to remove combinations of maintenance of the AFW turbine-driven pump and maintenance on either of the EDGs (22 and 23) that provide emergency power for the motor-driven AFW pumps. If you send INEEL your mutually exclusive maintenance list, they will factor all of it into future updates to the SPAR model.
Since the preliminary precursor analysis was performed, INEEL has issued an updated model for Indian Point 3. One of the main changes in this new model is a more accurate treatment of the service water system. While this particular issue was not addressed, INEEL has been made aware of the problem, and will address it in future updates. Meanwhile, for the revised analysis of this LER, the two remaining service water pump maintenance events were set to FALSE so they make no contribution to the quantitative result.
2. Comment from Licensee - EDG mission time for feed and bleed
In a number of the cutsets, it appears that the bleed and feed failure is a result of an emergency diesel generator that powers one of the block valves failing to run. Since the block valve will receive an open signal on rising primary system pressure almost immediately after the LOOP event, the mission time for the EDGs for those cutsets should be very short (no more than a few minutes). If such a mission time were applied, the frequency associated with those cutsets would be much lower.
Response: There is no certainty that the primary system pressure will rise to the set point at which the PORV block valve would receive an open signal until steam generator level is lost. In scenarios involving loss of AFW caused in part by an EDG failing to run, the EDG would fail to run before the PORV block valve would get a signal to open.
3. Comment from Licensee - EDG maintenance unavailability
Emergency diesel generator maintenance unavailability is high by a factor of two compared to recent plant-specific information.
Response: The value of EDG unavailability due to test and maintenance, along with other basic event probabilities, has been updated in the revised SAPHIRE 7 SPAR models.
4. Comment from Licensee - Offsite power recovery following battery depletion
The assumption that AC power must be recovered before battery depletion, in lieu of continued operation of the turbine-driven AFW pump and no RCP seal LOCA, also seems overly conservative. While the restoration of offsite power without DC power is more difficult, it is not improbable. In addition, procedures exist for manually closing breakers in the event of a loss of DC power.
Response: All SPAR station blackout models are built with the assumption that AC power must be recovered before battery depletion. The NRC and INEEL are aware of the concern that this is overly conservative, and are evaluating their position on this issue. For a later recovery to be credited would require 1) the existence of a procedure for the recovery, 2) training on the recovery operations, and 3) demonstration that the required actions could be performed under the stated conditions (i.e., no DC power).
In the particular case of this analysis, allowing more time for recovery would not necessarily change the quantitative result. Without crediting extraordinary measures to continue operation of the turbine-driven auxiliary feedwater pump, core damage would occur about 1 hour after battery depletion. In this case the offsite power nonrecovery probability estimated using the SPAR Human Error model would be the same as it is at battery depletion.
References:
1. Entergy Nuclear Operations, Inc. Comments on Preliminary Accident Sequence Precursor Analysis of August 14, 2003 Operational Event, Letter from Michael R. Kansler to U.S. Nuclear Regulatory Commission, May 17, 2004 (ML041460505).
Indian Point 3
1. Comment from Licensee - Appendix R EDG
It is not clear how Indian Point's Appendix R emergency diesel generator was modeled in the analysis. The dominant scenario in this analysis is a valid core damage scenario (i.e., failure of all emergency diesel generators [EDG] and subsequent failure to recover AC power). However, it was observed that AC power recovery takes credit for operator action to align the gas turbines, but no credit appears to be taken for use of the Appendix R diesel. The 2nd cutset in Table 3 for Sequence 19-02 appears to include successful operation of the Appendix R diesel, yet the cutset still results in failure. In fact, all the cutsets in which the Appendix R event appears involve success (/EPS-XHE-XM-APPENDR), not failure, of the Appendix R diesel. Furthermore, the 1st and 2nd cutsets for Sequence 19-02 have the exact same failures (OEP-XHE-XM-GTBD, OEP-XHE-NOREC-BD and EPS-DGN-CF-RUN), and only the successes are different.
Therefore, the cutsets are not minimal.
Response: The SPAR model credits the Appendix R EDG only for providing reactor blank/default
2. Comment from Licensee - Appendix R EDG, part 2
If the Appendix R diesel is in fact modeled, it doesn't appear that any credit is taken for its success. It should be noted that in typical station blackout scenarios, the Appendix R diesel can be aligned to the normal 480V AC safeguards buses (i.e., 2A/3A, 5A or 6A) and not just the Appendix R safe shutdown bus (i.e., MCC 312A).
Response: See above.
3. Comment from Licensee - Offsite power recovery following battery depletion
The assumption that AC power must be recovered before battery depletion, in lieu of continued operation of the turbine-driven auxiliary feedwater pump and no reactor coolant pump seal LOCA (loss of coolant accident), is overly conservative. While restoring offsite power without DC power is more difficult, it is not improbable. In addition, procedures exist for manually closing breakers in the event of a loss of DC power.
Response: All SPAR station blackout models are built with the assumption that AC power must be recovered before battery depletion. The NRC and INEEL are aware of the concern that this is overly conservative, and are evaluating their position on this issue. For a later recovery to be credited would require 1) the existence of a procedure for the recovery, 2) training on the recovery operations, and 3) demonstration that the required actions could be performed under the stated conditions (i.e., no DC power).
In the particular case of this analysis, allowing more time for recovery would not necessarily change the quantitative result. Without crediting extraordinary measures to continue operation of the turbine-driven auxiliary feedwater pump, core damage would occur about 1 hour after battery depletion. In this case the offsite power nonrecovery probability estimated using the SPAR Human Error model would be the same as it is at battery depletion.
4. Comment from Licensee - Unallowed maintenance combinations
Some cutsets involve maintenance combinations that would not be permitted during plant operation. As an example, the 9th cutset in Sequence 19-02 (2.8E-7) includes maintenance unavailability of 31 EDG simultaneously with maintenance of 36 service water pump (supplied by 32 EDG). The normal work planning process at IP3 would not schedule maintenance on these components simultaneously.
Response: If you send INEEL your mutually exclusive maintenance list, they will factor it into future updates to the SPAR model. The cut set listed above is not significant in the current analysis.
5. Comment from Licensee - Service water system maintenance unavailability
A more specific comment with respect to maintenance unavailability regards the inclusion of basic events representing service water (SW) pump maintenance. Test and maintenance activities are not normally done on SW pumps when they are aligned to the essential service water header. When pumps on the essential header require maintenance, the normal process is to re-align them to the nonessential header and then perform the maintenance. As a result, it is inappropriate to assign an average maintenance unavailability value to a cutset where the SW pump is intended to represent a pump aligned to the essential header. If any unavailability is assigned to SW pumps when they are aligned to the essential header, it would only be for the brief period when a failure has occurred prior to realigning the headers. This would be at least an order of magnitude lower than the values used.
Response: Since the preliminary precursor analysis was performed, INEEL has issued an updated model for Indian Point 3. One of the main changes in this new model is a more accurate treatment of the service water system. While this particular issue was not addressed, INEEL has been made aware of the problem, and will address it in future updates. Meanwhile, for the revised analysis of this LER, the two remaining service water pump maintenance events were set to FALSE so they make no contribution to the quantitative result.
References:
2. Entergy Nuclear Operations, Inc. Comments on Preliminary Accident Sequence Precursor Analysis of August 14, 2003 Operational Event, Letter from Michael R. Kansler to U.S. Nuclear Regulatory Commission, May 17, 2004 (ML041460505).
Nine Mile Point 1
1. Comment from Licensee - EDG recovery
No basis for the assumption that Emergency Diesel Generators (EDGs) cannot be recovered is provided in the PPA. The NMP1 PRA model includes credit for EDG recovery based on NUREG-1032. It is recommended that the PPA consider crediting EDG recovery.
Response: Credit for EDG recovery is given in the final analysis.
2. Comment from Licensee - DC load shedding
The model used for the PPA includes a basic event for DC Load Shedding under Station Blackout (SBO) conditions. Basic event OEP-XHE-XM-LSHED models operators beginning to shed DC loads within 15 minutes. The value of 2E-2 and associated logic is similar to the O15 Top Event used in the NMP 1 PRA. In the model used for the PPA, failure of the load shed action leads to a 2 hour Alternating Current (AC) power recovery requirement. However, given failure of this action, the NMP1 model asks, conditionally, if operators begin load shedding within 30 minutes. This is treated with top event O30 which has a value of 0.5. The combined time-dependent DC Load shedding criteria allows an 8 hour AC power recovery if O15 is successful, 4 hours for AC recovery if O15 is failed and O30 is successful, and 2 hours if both O15 and O30 fail.
Please consider the following options to more closely match the NMP1 model as the DC Load Shedding basic event shows up in the most dominant cutsets reported in the PPA analysis:
- 1) Multiply the OEP-XHE-XM-LSHED basic event by the O30 conditional value (0.5) to allow the PPA Event tree node DCL to represent the conditions that lead to a 2 hour AC power recovery requirement.
- 2) Add an additional event tree node for the 30 minute conditional action so that the 2, 4, and 8 hour recovery windows are applied, as appropriate.
Response: This proposed approach to modeling load shedding appears sound. Based on discussions with INEEL SPAR modeling personnel, changing the SPAR model in this regard would have a minimal impact on the base model results. Thus, there is no need to change the base model. However, as pointed out, the results of this precursor analysis are sensitive to the probability of not successfully shedding DC loads. If the logic leading to sequences 22-02 and 22-03 were changed to credit the factor of 0.5 following failure to shed DC loads in 15 minutes, two new sequences between 22-01 and 22-02 would be created, one resulting in OK where AC power is recovered in 4 hours and the other resulting in CD where AC power is not recovered in 4 hours.
Furthermore, the SPAR human error model would credit a factor of 0.1 between failing to shed DC loads in 15 minutes versus 30 minutes. Therefore applying the additional factor of 0.5 to DC load shedding across the board (i.e., setting the probability of OEP-XHE-XM-LSHED to 0.01 instead of 0.02) makes the precursor analysis more consistent with the NMP 1 PRA, and is conservative with respect to SPAR modeling guidelines.
This change was made, but had a negligible effect on the quantitative result.
3. Comment from Licensee - Offsite power recovery
In the PPA analysis, the values for failing to recover AC power were increased significantly. This appears to be due to the time window available between when load dispatchers declared the grid stable and the expiration of the various time windows.
Even if it were assumed that operators would have waited for the load dispatchers before trying to recover offsite power given EDG failures, it is highly doubtful that they would also wait for the load dispatchers before staging their actions. In this regard, the reductions are overly conservative. Operator focus regarding offsite power recovery would have been keen throughout the event. If EDGs had failed, operators would have aggressively staged offsite power recovery actions, per procedures, and would not have been significantly slowed by interactions with the load dispatchers.
It should be noted that Electrical Design Data has shown that offsite power voltage and frequency were within normal limits at 1 hr and 45 minutes following event initiation. This is consistent with the PPA assumptions wherein the 30 minute and 60 minute offsite power basic events are set to failed. However, the 2, 4, 8, and 10 hour values should not be penalized to the degree specified in the PPA.
Response: The assumed time to restore power to plant loads following recovery of power to the switchyard has been changed from 1 hour to 0.5 hour. This changes the probabilities of failing to recover power for times greater than or equal to 2 hours.
References:
1. Constellation Energy Nuclear Operations, Inc. Review and Comment: Nine Mile Point Unit 1 Preliminary Accident Sequence Precursor Analysis of the August 14, 2003 Operational Event, Letter from William C. Holston to U.S. Nuclear Regulatory Commission, May 17, 2004 (ML041480357).
Nine Mile Point 2
1. Comment from Licensee - EDG failure data
The NRC PPA uses older data for EDG failure probability. Also, as can be seen from Tables DATA-2 and DATA-3, NMP2 EDG performance has improved substantially over time. Therefore, it is recommended that the NRC consider using lower values for EDG failure rate. It is also recommended that NRC delete the statement that NMP2 EDG failure rate is "... higher than industry average..." or at least modify the statement to clarify that the data used is over 11 years old and not reflective of current reliability.
Response: The EDG data used in the final analysis has been updated.
2. Comment from Licensee - EDG recovery
No basis for the assumption that Emergency Diesel Generators (EDGs) cannot be recovered is provided in the PPA. The NMP2 PRA model includes credit for EDG recovery based on NUREG-1032. It is recommended that the PPA consider crediting EDG recovery.
Response: Credit is given for EDG recovery in the final analysis.
3. Comment from Licensee - Offsite power recovery
The assumption that offsite power failed and was not recoverable for over 6 hours is overly conservative. The PPA assumes that offsite power was unavailable until reported stable by load dispatchers but this assumption unduly penalizes the plant for appropriate conservative operational decision-making...
Response: After examination of the plant information provided by the licensee, and after conversation with the SRI, this analysis credits that power was available to the switchyard 1 hour and 45 minutes after the loss of offsite power occurred. This is consistent with the NMP-1 final analysis.
4. Comment from Licensee - Sequence specific comments
Sequence 46-02: The PPA summarizes a set of dominant accident cutsets wherein a LOSP initiator occurs followed by Division 1 EDG failure, Division 2 EDG failure, Division 3/High Pressure Core Spray (HPCS) success, and failure to recover AC power in 8 hours. Given this sequence, operators have procedural direction to cross-tie the HPCS EDG to the Division 1 or 2 switchgear. This alignment allows the HPCS EDG to maintain Safety-Related Direct Current (DC) power over the long term, as well as providing for Low Pressure Coolant Injection (LPCI)/Residual Heat Removal (RHR) with low pressure ECCS. This capability is modeled in the NMP2 PRA as redundant to AC power recovery and should be credited in the PPA as well. The alignment is fairly time-consuming and the NMP2 PRA does not credit the action before 2 hours after the initiating event occurs.
Response: In the final analysis Sequence 46-02 has lower CCDP and therefore the changes proposed by the licensee would have a negligible effect on the quantitative result. Therefore, the change was not made.
Sequence 46-49: The PPA summarizes a set of dominant accident cutsets wherein a LOSP initiator occurs followed by Div 1 EDG failure, Div 2 EDG failure, Div 3 EDG Failure, and failure of RCIC to start. For this event, condensate-feedwater would have been available and redundant to RCIC. Condensate-feedwater is supplied by the non-safety AC system which remained available from offsite power. With loss of 115 kV to the emergency switchgear and no EDGs operating, service water pumps would be idle. This would eliminate the heat sink for Turbine Building Closed Loop Cooling (TBCLC), which is required for pump cooling. Therefore, condensate-feedwater could not be credited with RPV level control over the long term but it would support success throughout the first phases of Station Blackout (SBO) response. It is recommended that the PPA analysis model this case using an "AND" gate for feedwater and early RCIC operation such that these sequences would be recoverable up to 2 to 4 hours. When combined with fire pump or Control Rod Drive (CRD) operation, see below, AC recovery for up to 8 hours may also be justifiable in the PPA model. Note that CRD has a similar support requirement to feedwater in that reactor building closed loop cooling (RBCLC) is required for long term component cooling.
Response: We agree with the licensee that some credit should be given for condensate and feed in Sequence 46-49 (Sequence 46-59 in new model). However, the change was not made due to model and time constraints. In addition, the change would not have affected the overall CCDP greatly.
Sequence 46-41: The PPA summarizes a set of dominant accident cutsets wherein a LOSP initiator occurs followed by Div 1 EDG failure, Div 2 EDG failure, Div 3 EDG failure, and failure of the diesel fire pump (DFP). The SBO event tree included in the analysis appears to require fire water for long-term RPV injection following RCIC success. Fire water is required for the 8 hour AC recovery case but not the 4 hour case.
However, RCIC can support RPV control for at least 8 hours independent of Diesel Fuel Pump (DFP) operation. The NMP2 PRA requires the DFP only if RCIC operates for 2 hours and then fails prior to 8 hours. If RCIC operates successfully for 8 hours, the 8 hour AC recovery case is applied independent of DFP status. It is recommended that the PPA model success criteria be reconsidered. Also, independent of the 4 hours versus 8 hour success criteria, in the 8/2003 event, the electric fire pump was available from powerboard 2NNS-SWG012. Also, CRD was available from powerboards 2NNS-SWG014 and 2NNS-SWG015. For the evaluation of this event, these sources should be considered redundant to the DFP.
Response: In the final analysis Sequence 46-41 has lower CCDP and therefore the changes proposed by the licensee would have a negligible effect on the quantitative result. Therefore, the change was not made.
8-hour Offsite Power Recovery: In the PPA analysis, the value for failure to recover AC power in 8 hours was increased from 1E-3 to 1E-2. This appears to be due to the time window available between when load dispatchers declared the grid stable and the expiration of the 8 hour time window. Even if it were assumed that operators would have waited for the load dispatchers before trying to recover offsite power given EDG failures, it is highly doubtful that they would also wait for the load dispatchers before staging their actions. In this regard, the reduction from 1E-3 to 1E-2 is overly conservative. Operator focus regarding offsite power recovery would have been keen throughout the event. Given failure of EDGs, elapse of 6 hours, and staffing of the emergency response facilities, it is difficult to believe the PPA's 2 hour recovery window (i.e., from hour 6 to hour 8) is reflective of the non-response probability related to the conditions encountered in this event. It is therefore recommended that NRC reconsider the penalty applied to the 8-hour AC power recovery basic event.
Response: Due to the change explained in the response to Comment 3, this comment is no longer applicable.
References:
3.
Constellation Energy Nuclear Operations, Inc. Review and Comment: Nine Mile Point Unit 2 Preliminary Accident Sequence Precursor Analysis of the August 14, 2003 Operational Event, Letter from William C. Holston to U.S. Nuclear Regulatory Commission, May 17, 2004 (ML041480354).