ML060240407
| ML060240407 | |
| Person / Time | |
|---|---|
| Site: | Dresden  |
| Issue date: | 05/05/2004 |
| From: | Office of Nuclear Regulatory Research |
| To: | |
| Shared Package | |
| ML060240240 | List: |
| References | |
| Download: ML060240407 (54) | |
Text
LER 249/04-003 1 For the initiating event assessment, the parameter of interest is the measure of the CCDP. This is the value obtained when calculating the probability of core damage for an initiating event with subsequent failure of one or more components following the initiating event. The value reported here is the mean.
1 Final Precursor Analysis Accident Sequence Precursor Program --- Office of Nuclear Regulatory Research Dresden Unit 3 Unit 3 Scram Due to Loss of Offsite Power and Subsequent Inoperability of the Standby Gas Treatment System for Units 2 and 3 Event Date 5/5/2004 LER 249/04-003 CCDP1 =2.8x10-6 June 30, 2005 Event Summary On May 5, 2004, Dresden Unit 3 was at full power and Dresden Unit 2 was shut down. Offsite power Line 1223 in the Unit 3 switchyard ring bus was out of service for scheduled maintenance. See Appendix D Drawing 1 for information on the switchyard configuration.
Operations personnel were implementing a switching order which cross-tied the Unit 2 and Unit 3 switchyard ring busses to provide an alternative source of power to the Unit 3 Reserve Auxiliary Transformer. Operations personnel manually opened Switchyard Breaker 8-15 in accordance with the switching order. However, when the A and B phases of Breaker 8-15 opened, the C phase of Breaker 8-15 failed to fully open within the required time frame. This failure caused current imbalances in both the Unit 2 and Unit 3 switchyard ring busses. The current imbalances in the switchyard first resulted in a Unit 3 automatic scram due to a turbine load reject. The continued current imbalances then caused a loss of power to the Unit 3 Reserve Auxiliary Transformer which resulted in a Unit 3 Loss of Offsite Power (LOOP) to the safety-related Emergency Core Cooling System (ECCS) Busses.
The licensee declared an Unusual Event in accordance with the Emergency Plan and exited the Unusual Event approximately two and a half hours later following the restoration of offsite power to one onsite safety-related electrical bus. During the event, the licensee also experienced several other anomalies which included the following: the inadvertent opening of a diesel generator output breaker upon unexpected restoration of offsite power to the first safety-related electrical bus; the inability of the standby gas treatment system to maintain the proper differential pressure in secondary containment; and the inability to initially close a bus cross tie breaker needed for the restoration of the condensate system.
The sequence of key events is included in Appendix A.
Analysis Results Conditional Core Damage Probability (CCDP)
The CCDP for this event is 2.8E-006. The acceptance threshold for the Accident Sequence Precursor Program is a CCDP of 1.0 x 10-6. This event is a precursor.
Point Estimate CCDP 2.8E-006 The unmodified Dresden SPAR models CCDP for a LOOP event is 3E-6. This reflects probabilistically-weighted contributions from scenarios having significantly longer durations than the present event, in which offsite power was available in the switchyard early in the event.
Correspondingly, most of the changes made to reflect the present event tend to drive CCDP down from the above value.
Uncertainty analysis was not performed because the CCDP differs minimally from that of the base model, and is reduced from the CCDP calculated for the Dresden model without the specific conditions obtaining in this event.
Dominant Sequences The dominant sequences are LOOP-40-05 (30% of the total CCDP), LOOP-40-27 (23%
of the total CCDP), LOOP-10 (20% of the total CCDP), LOOP-39 (15% of the total CCDP), LOOP-38 (2% of the total CCDP), LOOP-42-02 (2% of the total CCDP),
LOOP-40-14 (2% of the total CCDP), LOOP-41-06 (1% of the total CCDP), and LOOP-43-06-18 (1% of the total CCDP).
LOOP-40-05:
One SRV sticks open; containment heat removal fails. This sequence did not change significantly in frequency as a result of the current assessment.
LOOP-40-27:
One SRV sticks open; high-pressure makeup and depressurization fail. This sequence did not change significantly in frequency as a result of the current assessment.
LOOP-10:
The isolation condenser fails and containment heat removal fails.
This sequence did not change significantly in frequency as a result of the current assessment.
LOOP-39:
The isolation condenser fails, high-pressure makeup fails, and depressurization fails. This sequence did not change significantly in frequency as a result of the current assessment.
LOOP-38:
The isolation condenser fails, high-pressure makeup fails, and low-pressure makeup fails. This sequence increases in CCDP relative to the default model as a result of the way in which power recovery has been modeled (refer to the human error worksheets in Appendix B; as a result of issues mentioned in the event description above, increased values were assigned to human error probability in bus recovery). In the SPAR model, most crosstie possibilities are modeled but given probabilities of unity; this treatment was extended to crosstie of the SBO busses, which the default SPAR model credits. (Note that a more detailed model of this action would need to reflect dependence with other recovery actions modeled.)
LOOP-42-02:
In the current assessment, this sequence decreased in frequency relative to the frequency calculated in the default model.
Contributors to this outcome are the following. (1) The other unit did not suffer a LOOP, so the swing diesel did not need to align to the other unit. The default model conservatively assumes that the swing diesel ALWAYS aligns to the other unit. (2) Offsite power was available in the switchyard early in the event, and the present result is conditioned on that circumstance. The default model applies a more generic power recovery model.
LOOP-40-14:
One SRV sticks open; HPCI succeeds, but the safety-class low-pressure injection paths fail. Alternate low-pressure makeup succeeds but containment heat removal fails. This sequence increases in CCDP relative to the default model as a result of the way in which power recovery has been modeled (refer to the human error worksheets in Appendix B; as a result of issues mentioned in the event description above, increased values were assigned to human error probability in bus recovery). In the SPAR model, most crosstie possibilities are modeled but given probabilities of unity; this treatment was extended to crosstie of the SBO busses, which the default SPAR model credits. (Note that a more detailed model for this action would need to reflect dependence with other recovery actions modeled.)
LOOP-41-06:
Two or more SORVs stick open; low-pressure makeup succeeds, but containment heat removal fails (including venting). This sequence did not change significantly in frequency as a result of the current assessment.
LOOP-43-06-18:
Scram fails; the power conversion system is unavailable and manual depressurization fails. This sequence did not change significantly in frequency as a result of the current assessment.
Results tables S
The CCDP values for the dominant sequences are shown in Table 1.
S The event tree sequence logic for the dominant sequences is presented in Table 2a.
S Table 2b defines the nomenclature used in Table 2a.
S The most important cut sets for the major dominant sequences are listed in Table 3.
S Table 4 presents names, definitions, and probabilities of (1) basic events whose probabilities were changed to model this event, and (2) basic events that are important to the CCDP result.
Modeling Assumptions Analysis Type This analysis is an initiating event analysis.
Unique Design Features Features of Dresden affecting the assessment include:
Swing diesel shared between units Each unit has a SBO diesel generator, in addition to the diesel generators tied directly to safety busses Numerous crossties linking Unit 2 busses to Unit 3 busses Modeling Assumptions Summary This event was modeled as a loss of offsite power initiating event (IE-LOOP). The frequency of IE-LOOP was set to 1.0. The frequencies of the other initiating events were set to 0.0. The duration of the LOOP is taken to be that of the actual event. The LOOP initiating event and its duration are the key boundary conditions for this analysis.
Equipment and operator actions that were successful during the actual event are assigned their normal failure probabilities. Equipment and operator actions that failed during the event are failed (set to TRUE) in the analysis.
For this analysis, the statistically based non-recovery curves contained in the SPAR model are replaced with specific human actions in order to analyze a LOOP event of known duration. LOOP recovery basic events that are required to occur at a time before offsite power was actually available in the event are set to TRUE (failed). (Possible examples: recovery actions that need to succeed early because of a transient-induced LOCA). These events cannot be successful, because the known duration of the LOOP is greater than the time available for the recovery action. LOOP recovery basic events
that occur after offsite power is available are set consistent with the human error probabilities associated with re-energizing the ESF buses.
Since the LOOP duration is known, the status of power to the switchyard is known at any given time. However, the failure probabilities of the actions to re-energize the ESF buses, given that switchyard power is available, need to be determined. The human error likelihood is determined using the SPAR-H methodology (Ref. 5).
The EDG run mission times have been adjusted consistent with the time it took to re-energize the first ESF bus from offsite power following the event.
The other key modeling assumptions are listed below. Refer to Appendix A for a summary of the key events on which these assumptions are based.
Offsite power was available for recovery immediately following the initiating event.
In order to support testing on Line 1223, the Unit 2/3 Switchyard Tie Breaker 4-8 was closed to power Unit 3 ECCS buses from Unit 2's switchyard. Breaker 8-15 was then opened to complete the isolation of Line 1223. See Appendix D Drawings 1 and 2.
However, the C phase failed. This occurred at 13:27:31. Due to the resulting switchyard current imbalances, Line 1222's switchyard breakers open. Unit 3 scrammed at 13:27:40 due to turbine load reject since its output to the grid was only through Line 1222. The current imbalance continued until protective relaying isolated the Breaker 4-8 fault by opening the Unit 2/3 tie breaker at 13:27:54. This resulted in the loss of offsite power to Unit 3 ECCS and also isolated the Unit 3 fault from Unit 2. Power to Unit 2 remained available. A manual cross-tie was available during the entire event between Unit 2 and Unit 3, through the Unit 2 Reserve Auxiliary Transformer TR-22. The cross-tie was safety-related and capable of supplying offsite power to one Division of accident loads for Unit 3 and both Divisions of Safe-Shutdown loads for Unit 3. Therefore, power was available for recovery from Unit 2's switchyard immediately. (Reference 2)
The trip of the EDG 2/3 (a swing EDG) output breaker did not adversely impact the plants response to this event. Following the manual closure of Switchyard Breaker 4-8 which re-energized Reserve Auxiliary Transformer TR-32 with offsite power, EDG 2/3 output breaker opened on reverse power. This occurred at 15:38 ( Reference 2).
Although this resulted in an unanticipated EDG breaker trip, the associated ECCS buses, Bus 33-1 and Bus 33, remained energized.
The failure of cooling to Reserve Auxiliary Transformer (RAT) TR-32 did not adversely impact the plants response to this event. During the recovery, Unit 3 Station Blackout Diesel was manually started and Bus 34 was energized at 13:40.
Licensee personnel attempted to re-energize onsite Bus 36 from Bus 34 but the 4 kV cross-tie breaker tripped open. An important load on Bus 36 is power for cooling RAT TR-32. As a result, cooling was not available when RAT TR-32 was re-energized at 15:38. At 21:17 licensee personnel replaced the Bus 34 cross-tie breaker and energized Bus 36. This action restored the plants remaining internal loads including cooling to RAT TR-32 (Reference 2). As a result of the cross-tie breaker fault, power for RAT TR-
32 cooling was not available for some hours. However, no adverse consequences to the RAT TR-32 were noted during this event.
The inability to maintain secondary containment differential pressure does not contribute to the risk of core damage. Because Unit 2 was in a forced outage prior to the event, both Unit 2 drywell fans were running. The discharge from these fans goes into a common header shared with Unit 3 and contributed to the inability of Unit 3 to maintain secondary containment differential pressure (Reference 2). The secondary containment function is associated with barrier integrity in that it contributes to protection of the public from radionuclide releases caused by accidents or events. Since this analysis does not address radionuclide releases, this unit-to-unit interaction is not evaluated.
Modifications to event trees and fault trees Note: the SPAR model event nomenclature is for Unit 2. This nomenclature was preserved although the event occurred at Unit 3.
The existing SPAR model contains logic reflecting considerations relevant to a generic loss of offsite power event, namely, gate ROOP (Recovery of Offsite Power) within the EPS fault tree. This logic contains basic events corresponding to nonrecovery within 1 or 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />; sequence-specific flag sets toggle this logic so that the appropriate nonrecovery event appears in any given sequences cut sets. In order to reflect the specific characteristics of this event, this generic ROOP logic is replaced with event-specific, safety-bus-specific logic, as summarized in tabular form below and presented in Figures 3-8 (Appendix C).
Actions taken to reflect these considerations in the fault trees are the following.
Action Rationale Develop safety-bus-specific Recovery of Offsite Power (ROOP) tree logic Preferred restoration path different for different safety busses Change the operator failure event within ROOP logic to more complex, bus-specific events Condition the analysis on the characteristics of this specific event. Address diagnosis, execution, and breaker failures. Reflect inspection report observations on procedural issues in human error probability assessment (Appendix B).
Capture dependency between restoration of different busses by incorporating a common diagnosis event for all busses Some dependency is appropriate.
Basic Event Probability Changes
Table 4 includes existing basic events whose probabilities were changed to reflect the event being analyzed. Some of these events were created anew per the above discussion, and others (the initiating events) are changed as part of the initiating event assessment process.
Following is a summary of basic event probability changes made for this analysis.
Hardware Failure of Breakers Linking ESF Busses to Offsite or to SBO Bus (ACP-BKR-23-1-1, ACP-BKR-24-1-1H, ACP-BKR-61-23, ACP-BKR-61-24). Typically either 2 or 3 breakers are required to change state in order to align ESF Busses to other sources. Each breaker failure is assigned 5E-4 (Ref. 4).
Hardware Failure of Breakers Linking ESF Busses to Offsite or to SBO Bus, and failure to recover (ACP-BKR-24-1-10H, ACP-BKR-61010H, ACP-BKR-23-1-10).
Typically either 2 or 3 breakers are required to change state in order to align ESF Busses to other sources. Each breaker failure is assigned 5E-4 (Ref. 4). Within 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />, however, recovery of breaker hardware failure is possible (such a recovery took place within this event, though not on a safety bus), so a factor of 0.5 is applied to the hardware failure.
Event defined to toggle analysis between event analysis and unmodified model (ASP-ANAL-Case). This event switches on the fault tree modifications needed for this analysis, and is set to TRUE for the ASP case.
Operator Failures to Crosstie Busses (EPS-XHE-XM-S3XTIE, EPS-XHE-XM-U3D1X2, EPS-XHE-XM-U3D2X2). Two of these are set to 1" in the base model, and for this analysis, the other was set to 1" as well. In this analysis, all non-SBO bus recoveries for a given time frame (1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> or 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />) have been given a common basic event for failure to diagnose (OEP-XHE-NODIA-10H or OEP-XHE-NODIA-1H, as appropriate), reflecting a conservative assessment of dependence between recovery events for different busses. If these events were not set to 1", they would also include this logic, and the dominant contribution to the failure of recovery of all busses would continue to be this basic event.
Swing diesel aligns to other unit (FLAG-SWING-EDG-TO-U3). In the base model, this event is set to 1, conservatively assuming that the DG will always align to the other unit.
In this event, the other unit did not lose offsite power, so the event was set to FALSE.
(The DG can, of course, still fail.)
Initiating Event Frequencies (IE-....). For this analysis, all initiating event frequencies except IE-LOOP were set to 0. IE-LOOP was set to 1.0.
Operator Failure to Execute Bus-Specific, Time-Frame-Specific Recovery Actions (OEP-EX-23-1-10H, OEP-EX-23-1-1H, OEP-EX-24-1-10H, OEP-EX-24-1-1H, OEP-EX-
61-10H, OEP-EX-61-1H, OEP-EX-61-23-1H, OEP-EX-61-24-1H). These basic events model failure of the execution portion of the recovery actions. Refer to the worksheets in Appendix B.
Blackout-related recovery actions (OEP-XHE-ASP-NR01H, OEP-XHE-ASP-NR10H, OEP-XHE-ASP-NR30M). These actions have been specialized from the base model to reflect the point that offsite power was in principle available. Refer to Appendix B.
Operator Failure to diagnose need to recover power to safety busses in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> or 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> (OEP-XHE-NODIA-10H, OEP-XHE-NODIA-1H). These time-frame-specific basic events reflect the failure of the diagnosis portion of the operator action within the indicated time frame in non-SBO sequences. In this ASP analysis, these events are common to the ESF busses and the SBO bus, and are single-element cut sets for the joint recovery failure within the indicated time frame.
Diesel Generator Fails to Run (template event ZT-DGN-FR-L). The mission time for this event is set to 1.5, reflecting the present mission time of 2.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />. The first hour of the mission is reflected in another template event (ZT-DGN-FR-E).
Other basic event changes shown in the GEM file are applied to basic events that do not figure in the present analysis, and have correspondingly been eliminated from Table 4.
SPAR Model Corrections While this analysis was underway, a new version of the SPAR model became available (3.11). It has been confirmed that the results of the present analysis are not affected by the model changes resulting in the 3.11 version. First, the present analysis has been carried out in such a way that the event-specific modifications can be toggled off, so that the modified model can be driven as the original SPAR model. The results of such a run were obtained and compared with an unmodified version of the 3.11 model, yielding consistent results. Moreover, the Activity Log on the SAPHIRE web site indicates that the changes resulting in the 3.11 version "did not impact CDF," and would affect only uncertainty analysis or the modeling of large common cause groups, neither of which has been a factor in this analysis.
Analysts Lead analyst - Robert Youngblood Consultants - Gary Demoss Technical reviewer - Bruce Mrowca
References 1.
Licensee Event Report 249/04-003-01, Unit 3 Scram Due to Loss of Offsite Power and Subsequent inoperability of the Standby Gas Treatment System for Units 2 and 3, event date October 29, 2004 2.
NRC Special Inspection Report (IR) 05000249/2004009, and Preliminary White Finding -
Dresden Nuclear Power Plant Unit 3, June 21, 2004 (ADAMS Accession No. ML041730504).
3.
John A. Schroeder, Standardized Plant Analysis Risk Model for Dresden 2 and 3 (ASP BWR C), Revision 3.10, December 10, 2004.
4.
Steve Eide, Generic Component Failure Data Base for Light Water and Liquid Sodium Reactor PRAs, EGG-SSRE-8875, 1990.
5.
Idaho National Engineering and Environmental Laboratory, The SPAR-H Human Reliability Analysis Method INEEL/EXT-02-01307", May 2004.
LER 249/04-003 10 Table 1. Conditional probability associated with the highest probability sequences.
Event Tree Name Sequence Number CCDP1
% Contribution LOOP 40-05 8.4E-007 30 LOOP 40-27 6.3E-007 23 LOOP 10 5.6E-007 20 LOOP 39 4.1E-007 15 LOOP 38 5.1E-008 2
LOOP 42-02 4.9E-008 2
LOOP 40-14 4.7E-008 2
LOOP 41-06 3.5E-008 1
LOOP 43-06-18 3.3E-008 1
Total (all sequences)2 2.8E-006 100 1.
Values are point estimates 2.
Total CCDP includes all sequences (including those not shown in this table).
Table 2a. Event tree sequence logic for the dominant sequences.
Event Tree Name Sequence Number Logic
(/ denotes success; see Table 2b for top event names)
LOOP 40-05
/RPS /EPS P1 /HC1 /LCS SPC CSS CVS LOOP 40-27
/RPS /EPS P1 HC1 DE2 LOOP 10
/RPS /EPS /SRV ISO /HCI SPC /DEP SDC CSS CVS LOOP 39
/RPS /EPS /SRV ISO HCI DEP LOOP 38
/RPS /EPS /SRV ISO HCI /DEP LCS LCI LOOP 42-02
/RPS EPS /SRV /ISO /SEALS AC-04H LOOP 40-14
/RPS /EPS P1 /HC1 LCS LCI /VA SPC CSS CVS LOOP 41-06
/RPS /EPS P2 /LCS SPC CSS CVS LOOP 43-06-18 RPS /PPR /RRS PC2 /SLC /NX /TAF DE1
LER 249/04-003 11 Table 2b. Definitions of fault trees listed in Table 2a.
Top Event Definition AC-04H Developed Event CSS CONTAINMENT SPRAY CVS CONTAINMENT VENTING DE2 CONTAINMENT VENTING DEP MANUAL REACTOR DEPRESS EPS EMERGENCY POWER HC1 HPCI FAILS TO PROVIDE SUFFICIENT FLOW TO RX VESSEL HCI HPCI ISO ISOLATION CONDENSER LCI LOW PRESS COOLANT INJECTION LCS CORE SPRAY NX OPERATOR FAILS TO INHIBIT ADS P1 ONE SORV FAILS TO CLOSE P2 TWO SORVS FAIL TO CLOSE PC2 POWER CONVERSION SYSTEM IS UNAVAILABLE PPR SAFETY RELIEF VALVES FAIL TO OPEN RPS REACTOR SHUTDOWN RRS RECIRC PUMP TRIP FAILS SDC SHUTDOWN COOLING SEALS RECIRC PUMP SEALS SURVIVE SLC STANDBY LIQUID CONTROL FAILS SPC SUPPRESSION POOL COOLING SRV SRVS CLOSE TAF OPERATOR FAILS TO CONTROL LEVEL TO TAF VA LONG-TERM LOW PRESS INJECTION
LER 249/04-003 12 Table 3. Conditional cut sets for dominant sequences.
CCDP Percent Contribution Minimal Cut Set (of basic events)
Event Tree: LOOP, Sequence: 40-05 7.9E-007 94.24 PPR-SRV-OO-1VLV RHR-XHE-XM-ERROR CVS-XHE-XM-VENT2 1.6E-008 1.85 CVS-XHE-XM-LOOP PPR-SRV-OO-1VLV RHR-XHE-XM-ERROR 8.4E-007 100 Total (all cutsets)1 CCDP Percent Contribution Minimal Cut Set (of basic events)
Event Tree: LOOP, Sequence 40-27 3.70E-07 59.39 PPR-SRV-OO-1VLV ADS-XHE-XM-MDEP1 HCI-TDP-TM-TRAIN 8.10E-08 12.91 PPR-SRV-OO-1VLV ADS-XHE-XM-MDEP1 HCI-TDP-FR-TRAIN HCI-XHE-XL-RUN 3.10E-08 4.95 PPR-SRV-OO-1VLV ADS-XHE-XM-MDEP1 HCI-XHE-XO-ERROR 3.10E-08 4.95 PPR-SRV-OO-1VLV ADS-XHE-XM-MDEP1 HCI-MOV-CC-F035 3.10E-08 4.95 PPR-SRV-OO-1VLV ADS-XHE-XM-MDEP1 HCI-MOV-OO-F006 3.10E-08 4.95 PPR-SRV-OO-1VLV HCI-MOV-CC-F036 ADS-XHE-XM-MDEP1 1.60E-08 2.47 PPR-SRV-OO-1VLV ADS-XHE-XM-MDEP1 HCI-TDP-FS-TRAIN HCI-XHE-XL-START 7.10E-09 1.13 ADS-SRV-CF-VALV1 PPR-SRV-OO-1VLV HCI-TDP-TM-TRAIN 6.3E-007 100 Total (all cutsets)1 CCDP Percent Contribution Minimal Cut Set (of basic events)
Event Tree: LOOP, Sequence 10 2.8E-007 49.91 RHR-XHE-XM-ERROR ISO-VCF-FC-FTO ISO-XHE-XL-FRFTO CVS-XHE-XM-VENT2 2.6E-007 45.88 RHR-XHE-XM-ERROR ISO-VCF-FC-FMU ISO-XHE-XL-FRFMU CVS-XHE-XM-VENT2 5.6E-007 100 Total (all cutsets)1
LER 249/04-003 13 CCDP Percent Contribution Minimal Cut Set (of basic events)
Event Tree: LOOP, Sequence 39 1.30E-07 32.18 DCP-BAT-CF-ALL 7.70E-08 18.93 DCP-BCH-CF-ALL 6.50E-08 16.06 ADS-XHE-XM-MDEPR HCI-TDP-TM-TRAIN ISO-VCF-FC-FTO ISO-XHE-XL-FRFTO 6.00E-08 14.76 ADS-XHE-XM-MDEPR HCI-TDP-TM-TRAIN ISO-VCF-FC-FMU ISO-XHE-XL-FRFMU 1.40E-08 3.49 ADS-XHE-XM-MDEPR HCI-TDP-FR-TRAIN HCI-XHE-XL-RUN ISO-VCF-FC-FTO ISO-XHE-XL-FRFTO 1.30E-08 3.21 ADS-XHE-XM-MDEPR HCI-TDP-FR-TRAIN HCI-XHE-XL-RUN ISO-VCF-FC-FMU ISO-XHE-XL-FRFMU 6.00E-09 1.48 DCP-BAT-LP-UNIT3 ADS-XHE-XM-MDEPR 5.40E-09 1.34 ADS-XHE-XM-MDEPR HCI-XHE-XO-ERROR ISO-VCF-FC-FTO ISO-XHE-XL-FRFTO 5.40E-09 1.33 HCI-MULTIPLE-INJECT HCI-XHE-XL-INJECT ADS-XHE-XM-MDEPR HCI-MOV-CC-IVFRO ISO-VCF-FC-FTO ISO-XHE-XL-FRFTO 5.00E-09 1.23 ADS-XHE-XM-MDEPR HCI-XHE-XO-ERROR ISO-VCF-FC-FMU ISO-XHE-XL-FRFMU 5.00E-09 1.23 HCI-MULTIPLE-INJECT HCI-XHE-XL-INJECT ADS-XHE-XM-MDEPR HCI-MOV-CC-IVFRO ISO-VCF-FC-FMU ISO-XHE-XL-FRFMU 4.1E-007 100 Total (all cutsets)1 1.
Total includes all cutsets (including those not shown in this table).
LER 249/04-003 14 Table 4. Definitions and probabilities for modified or dominant basic events.
Event Name Description Probability/
Frequency (per hour)
Modified ACP-BKR-23-1-1 FAILURE OF BKRS OFFSITE =>23 1.5E-003 Yes1 ACP-BKR-23-1-10 FAILURE OF BKRS OFFSITE=>23-1.5E-004 Yes1 ACP-BKR-24-1-10H FAILURE OF BKRS OFFSITE => 2 1.5E-004 Yes1 ACP-BKR-24-1-1H FAILURE OF BKRS OFFSITE =>24 1.5E-003 Yes1 ACP-BKR-61-10H FAILURE OF BKRS OFFSITE=> 61 1.0E-004 Yes1 ACP-BKR-61-1H FAILURE OF BKRS OFFSITE=>61 1.0E-003 Yes1 ACP-BKR-61-23 FAILURE OF BREAKERS LINKING 2.0E-003 Yes1 ACP-BKR-61-24 FAILURE OF BKRS LINKING 61 TO 24 AND NO REC 2.0E-003 Yes1 ADS-SRV-CC-ERV3B ELECTROMATIC RELIEF VALVE 203-3B FAILS TO OPE 2.5E-003 No ADS-SRV-CC-ERV3C ELECTROMATIC RELIEF VALVE 203-3C FAILS TO OPE 2.5E-003 No ADS-SRV-CC-ERV3D ELECTROMATIC RELIEF VALVE 203-3D FAILS TO OPE 2.5E-003 No ADS-SRV-CC-ERV3E ELECTROMATIC RELIEF VALVE 203-3E FAILS TO OPE 2.5E-003 No ADS-SRV-CC-TRV3A TARGET ROCK RELIEF VALVE 203-3A FAIL TO OPEN 2.5E-003 No ADS-SRV-CF-VALV1 ADS VALVES FAIL FROM COMMON CAUSE 1.90E-05 No ADS-XHE-XM-MDEP1 OPERATOR FAILS TO DEPRESSURIZE THE REACTOR 1.00E-03 No ADS-XHE-XM-MDEPR OPERATOR FAILS TO DEPRESSURIZE THE REACTOR 5.00E-04 No ASP-ANAL-CASE TRUE IF DOING THE ASP EVENT, 1.0E+000 TRUE Yes1 CVS-XHE-XM-LOOP FAILURE TO RESTART IA FOLLOWING LOOP (REQUIRE 1.00E-03 No CVS-XHE-XM-VENT2 DEPENDENT OPERATOR ACTION TO VENT CONTAINMENT 5.10E-02 No DCP-BAT-CF-ALL STATION BATTERIES FAIL FROM COMMON CAUSE 1.30E-07 No
LER 249/04-003 Event Name Description Probability/
Frequency (per hour)
Modified 15 DCP-BAT-LP-UNIT3 UNIT 3 250 VDC BATTERY IS UNAVAILABLE 1.20E-05 No DCP-BCH-CF-ALL CONTROL POWER BATTERY CHARGERS FAIL FROM COMM 7.70E-08 No DCP-BCH-LP-UNIT2A UNIT 2 STANDBY BATTERY CHARGER 2A IS UNAVAILA 1.20E-04 No DCP-BDC-LP-BUS3 DIVISION II (BATT BUS 3) 125 VDC BUS IS UNAVA 4.80E-06 No DCP-XHE-XM-BCHGR OPERATOR FAILS TO ALIGN STANDBY BATTERY CHARG 1.00E-03 No EPS-DGN-CF-RUN COMMON CAUSE FAILURE OF DIESEL GENERATORS TO 3.10E-05 No EPS-DGN-FR-DG2 DIESEL GENERATOR 2 FAILS TO RUN 4.20E-03 Yes2 EPS-DGN-FR-DG23 DIESEL GENERATOR 2/3 FAILS TO RUN 4.20E-03 Yes2 EPS-DGN-FR-SBODG2 SBO DG-2 FAILS TO RUN 4.20E-03 Yes2 EPS-DGN-FS-DG2 DIESEL GENERATOR 2 FAILS TO START 4.00E-03 No EPS-DGN-FS-DG23 DIESEL GENERATOR 2/3 FAILS TO START 4.00E-03 No EPS-DGN-FS-SBODG2 SBO DG-2 FAILS TO START 4.00E-03 No EPS-DGN-TM-DG2 DG 2 IS UNAVAILABLE BECAUSE OF MAINTENANCE 9.00E-03 No EPS-DGN-TM-DG23 DIESEL GENERATOR 2/3 UNAVAILABLE DUE TO TEST 9.00E-03 No EPS-DGN-TM-SBODG2 SBO DG-2 UNAVAILABLE DUE TO TEST AND MAINTENANCE 9.00E-03 No EPS-XHE-XL-NR04H OPERATOR FAILS TO RECOVER EMERGENCY DIESEL IN 4H 5.00E-01 No EPS-XHE-XM-S3XTIE OPERATOR FAILS TO CROSSTIE SBO DG-3 TO BUS 61 1.0E+000 Yes1 EPS-XHE-XM-U3D1X2 OPERATOR FAILS TO CROSSTIE U3 DIVISION 1 1.0E+000 No EPS-XHE-XM-U3D2X2 OPERATOR FAILS TO CROSSTIE U3 DIVISION 2 1.0E+000 No
LER 249/04-003 Event Name Description Probability/
Frequency (per hour)
Modified 16 ESW-MDP-FS-23 DIESEL GENERATOR SERVICE WATER MDP 23 FAILS TO START 1.50E-03 No ESW-MDP-FS-2B DIESEL GENERATOR SERVICE WATER MDP 2B FAILS TO START 1.50E-03 No ESW-MDP-TM-23 DG SERVICE WATER MDP 2/3 UNAVAILABLE DUE TO TEST AND MAINTENANCE 2.00E-02 No ESW-MDP-TM-2B DG SERVICE WATER MDP 2B UNAVAILABLE DUE TO TEST AND MAINTENANCE 2.00E-02 No FLAG-SWING-EDG-TO-U3 SWING EDG 2/3 IS ALIGNED TO
+0.0E+000 FALSE Yes1 HCI-MOV-CC-F035 TORUS SUCTION VALVE 2-2301-35 FAILS TO OPEN 1.00E-03 No HCI-MOV-CC-F036 TORUS SUCTION VALVE 2-2301-36 FAILS TO OPEN 1.00E-03 No HCI-MOV-CC-IVFRO HPCI INJECTION VALVE FAILS TO REOPEN 2.0E-002 No HCI-MOV-OO-F006 CST ISOLATION VALVE 2-2301-6 FAILS TO CLOSE 1.00E-03 No HCI-MULTIPLE-INJECT MULTIPLE HPCI INJECTIONS REQUIRED 6.0E-002 No HCI-TDP-FR-TRAIN HPCI PUMP TRAIN FAILS TO RUN 4.1E-003 No HCI-TDP-FS-TRAIN HPCI PUMP FAILS TO START 6.0E-003 No HCI-TDP-TM-TRAIN HPCI TRAIN IS UNAVAILABLE BECAUSE OF MAINTENANCE 1.20E-02 No HCI-XHE-XL-RUN OPERATOR FAILS TO RECOVER HPCI FAILURE TO RUN 6.30E-01 No HCI-XHE-XL-START OPERATOR FAILS TO RECOVER HPCI FAILURE TO START 8.30E-02 No HCI-XHE-XO-ERROR OPERATOR FAILS TO START/
CONTROL HPCI INJECTION 1.00E-03 No IE-LOOP LOSS OF OFFSITE POWER 1.0E+000 Yes3 ISO-VCF-FC-FMU MAKEUP TO THE ISOLATION CONDENSER FAILS 4.00E-02 No ISO-VCF-FC-FTO ISOLATION CONDENSER FAILS TO 6.40E-02 No
LER 249/04-003 Event Name Description Probability/
Frequency (per hour)
Modified 17 OPERATE ISO-XHE-XL-FRFMU FAILURE TO RECOVER FROM FAILURE OF MAKEUP 2.50E-01 No ISO-XHE-XL-FRFTO FAILURE TO RECOVER FROM FAILURE TO OPERATE 1.70E-01 No OEP-EX-23-1-10H OPERATOR FAILURE TO EXECUTE 1.0E-003 Yes1 OEP-EX-23-1-1H FAILURE TO EXECUTE RESTORATI 1.0E-002 Yes1 OEP-EX-24-1-10H FAILURE TO EXECUTE PROC TO R 1.0E-003 Yes1 OEP-EX-24-1-1H FAILURE TO EXEQ PROC TO RECO 1.0E-002 Yes1 OEP-EX-61-10H OPERATOR FAILURE TO EXEQ REC 1.0E-003 Yes1 OEP-EX-61-1H FAILURE TO EXEQ RESTORATION 1.0E-002 Yes1 OEP-EX-61-23-1H FAILURE TO EXEQ ALIGNMENT OF 61 TO 23 IN 1 H 1.0E-002 Yes1 OEP-EX-61-24-1H FAILURE TO EXEQ ALIGNMENT OF 61 TO 24 IN 1 H 1.0E-002 Yes1 OEP-EX-SBO-23-1-1H FAILURE TO EXECUTE ALIGNMENT 1.0E-002 Yes1 OEP-XHE-ASP-NR01H OPERATOR FAILS TO RECOVER AC 4.0E-002 Yes1 OEP-XHE-ASP-NR04H OPERATOR FAILS TO RECOVER OFFSITE IN 4H 4.0E-003 Yes1 OEP-XHE-ASP-NR30M OPERATOR FAILS TO RECOVER OFFSITE IN 30M 2.2E-001 Yes1 OEP-XHE-NODIA-10H FAILURE TO DIAGNOSE NEED TO RECOVER OFFSITE IN 10H 5.0E-004 Yes1 OEP-XHE-NODIA-1H FAILURE TO DIAGNOSE NEED TO RECOVER OFFSITE IN 1H 5.0E-003 Yes1 PPR-SRV-OO-1VLV ONE SRV FAILS TO CLOSE 3.10E-02 No PPR-SRV-OO-2VLVS TWO OR MORE SRVS FAIL TO CLOSE 1.3E-003 No RHR-XHE-XM-ERROR OPERATOR FAILS TO START/
CONTROL RHR 5.00E-04 No RPS-SYS-FC-CRD CONTROL ROD DRIVE MECHANICAL FAILURE 2.5E-007 No RPS-SYS-FC-PSOVS HCU SCRAM PILOT SOVS FAIL 1.7E-006 No
LER 249/04-003 Event Name Description Probability/
Frequency (per hour)
Modified 18 RPS-SYS-FC-RELAY TRIP SYSTEM RELAYS FAIL 3.8E-007 No ZT-DGN-FR-L DIESEL GENERATOR FAILS TO RU 1.2E-003 Yes2 Notes:
- 1. Changed to reflect actual plant conditions during the event.
- 2. Changed total mission time to 2.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> to reflect time of restoration of offsite power to safety bus.
- 3. All other initiating event frequencies set to 0.0.
LER 249/04-003 19 Appendix A Sequence of Key Events
LER 249/04-003 20 Key Events (Excerpted, Summarized, and Paraphrased From Inspection Report)
Note: The event description reflects the Unit 3 nomenclature (Bus designations, etc.) (the event occurred at Unit 3). The models nomenclature is based on Unit 2.
Time Event Significance 13:27:
31-54
- Failure of C phase of breaker 8-15 leads to a series of events culminating in LOOP to safety buses of Unit 3
- U-3 DG starts & energizes Bus 34-1
- DG 2/3 starts and energizes Bus 33-1 Initiating LOOP, successful diesel starts on both safety busses 13:29 HPCI, Isolation condenser, LPCI for torus cooling Successful inventory control and DHR 13:40 SBO diesel started, Bus 34 energized Successful SBO diesel start 14:03 Licensee personnel attempted to energize onsite Bus 36 from Bus 34, and the 4kV crosstie breaker tripped open.
This obliged the operators to remain on HPCI rather than restoring condensate. Restoring condensate, though preferred by the operators, is not credited in the SPAR LOOP model anyhow, so this impact is not considered significant.
However, lack of power to Bus 36 also meant that Reserve Auxiliary Transformer (RAT) had no cooling.
See 19:44 entry.
15:38 Reserve Auxiliary Transformer (RAT) TR-32 Reenergized Ultimately, offsite was restored from this source. But it could have been recovered earlier.
15:58 RAT automatically energized the 4kV Busses 33-1 and 33 unexpectedly. Emergency Diesel Generator 2/3 output breaker tripped open on reverse power.
Bus 33-1 and 33 remained energized via offsite power through RAT TR-32.
Offsite power was recovered to safety bus 33-1 from this time forward. By convention, this defines the end of the mission time for the diesel generators.
This recovery sequence was abnormal, but culminated in no equipment damage and left offsite power on the bus. Increased conditional CDP associated with this abnormality would be associated with conjunctions of failures, such as:
losing power to the bus AND failure to restore (as a result of newly damaged components, independent component failures, or operator error) AND failures in the other division. These
LER 249/04-003 Time Event Significance 21 contributors appear to be higher-order than those already modeled.
17:29 RAT paralleled with U3 SBO diesel 17:31 Bus 34 energized via offsite 18:59 Bus 34-1 separated from DG U-3 and connected to Bus 34 The other safety bus (34-1) is now also on offsite power.
19:44 The RAT was identified as having no cooling because Bus 36 remained de-energized.
See next entry. This related to a breaker failure preventing recovery of power to Bus 36. Staff replaced a breaker.
21:37 Licensee personnel noted that all RAT TR-32 auxiliary systems, including cooling, were restored and normal.
Lack of RAT cooling had not caused failure up to this time in the sequence.
Conditional CDP associated with a postulated failure of the RAT at some later time would entail a chain of additional failures, since many options were available by then, so this possibility is not considered risk-significant.
LER 249/04-003 22 Appendix B Human Error Modeling
LER 249/04-003 23 For this analysis, the failure probability of recovery of offsite power to selected busses during non-SBO, non-SORV sequences was estimated using the standard SPAR Model Human Error Worksheet. The worksheet used to determine the value is included below.
Although this action for a single bus would be considered primarily action, this recovery action is modeled as having both a diagnosis contribution and an action contribution, and the first two pages of the worksheet are filled out correspondingly. The diagnosis contribution is then applied as a common basic event to each of the three busses to which this class of recovery events applies. The dependency between different busses recoveries is deemed to have been captured in this way. Separate basic events then reflect the action contributions and the hardware (breaker) contributions.
LER 249/04-003 24 SPAR Model Human Error Worksheet (Page 1 of 3)
Plant: Dresden 3 Event Name: OEP-XHE-NODIA-10H (sheet 1),
OEP-EX-23-1-10H,OEP-EX-24-1-10H, OEP-EX-61-10H (sheet 2)
Task Error
Description:
Failure to recover power to 4160 kV busses in 10 hr Does this task contain a significant amount of diagnosis activity ? YES T NO If Yes, Use Table 1 below to evaluate the PSFs for the Diagnosis portion of the task before going to Table 2. If No, go directly to Table 2.
Table 1. Diagnosis worksheet.
PSFs PSF Levels Multiplier for Diagnosis If non-nominal PSF levels are selected, please note specific reasons in this column
- 1. Available Time Inadequate 1.0a Significant time available in Non-SBO, non-SORV scenarios to which this action applies (the SPAR model event is failure to recover in 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />)
Barely adequate < 20 m 10 Nominal. 30 m 1
Extra > 60 m 0.1 T Expansive > 24 h 0.01
- 2. Stress Extreme 5
High 2
Nominal 1 T
- 3. Complexity Highly 5
Moderately 2
Nominal 1 T
- 4. Experience/
Training Low 10 Nominal 1 T High 0.5
- 5. Procedures Not available 50 This factor has been assessed because symptoms of loss of power are considered straightforward.
Available, but poor 5
Nominal 1
Diagnostic/symptom oriented 0.5 T
- 6. Ergonomics Missing/Misleading 50 Poor 10 Nominal 1 T Good 0.5
- 7. Fitness for Duty Unfit 1.0a Degraded Fitness 5
Nominal 1 T
- 8. Work Processes Poor 2
Nominal 1 T Good 0.8
- a. Task failure probability is 1.0 regardless of other PSFs.
LER 249/04-003 25 SPAR Model Human Error Worksheet (Page 2 of 3)
Table 2. Action worksheet.
PSFs PSF Levels Multiplier for Action If non-nominal PSF levels are selected, please note specific reasons in this column
- 1. Available Time Inadequate 1.0a Significant time available in Non-SBO, non-SORV scenarios to which this action applies (the SPAR model event is failure to recover in 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />)
Time available. time required 10 Nominal 1
Available > 5x time required 0.1 T Available > 50x time required 0.01
- 2. Stress Extreme 5
High 2
Nominal 1 T
- 3. Complexity Highly 5
Power recovery is moderately complex.
Moderately 2 T Nominal 1
- 4. Experience/
Training Low 3
Nominal 1 T High 0.5
- 5. Procedures Not available 50 Procedure issues were cited in the inspection report related to breaker manipulation specifically in the context of switchyard breakers.
Available, but poor 5 T Nominal 1
- 6. Ergonomics Missing/Misleading 50 Poor 10 Nominal 1 T Good 0.5
- 7. Fitness for Duty Unfit 1.0a Degraded Fitness 5
Nominal 1 T
- 8. Work Processes Poor 2
Nominal 1 T Good 0.8
- a. Task failure probability is 1.0 regardless of other PSFs.
Table 3. Task failure probability without formal dependence worksheet.
Task Portion Nom.
Prob.
Time Stress Compl.
Exper./
Train.
Proced.
Ergon.
Fitness Work Process Prob.
Diag.
1.0E-2 x 0.1 x 1.0 x 1.0 x 1.0 x 0.5 x 1.0 x 1.0 x 1.0 5.0E-4 Action 1.0E-3 x 0.1 x 1.0 x 2 x 1.0 x 5 x 1.0 x 1.0 x 1.0 1.0E-3 Total Note: diagnosis contribution and execution contributions applied in separate BEs 1.5E-3 SPAR Model Human Error Worksheet (Page 3 of 3)
For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence.
LER 249/04-003 26 Table 4. Dependency condition worksheet.
Condition Number Crew (same or different)
Location (same or different)
Time (close in time or not close in time)
Cues (additional or not additional)
Dependency Number of Human Action Failures Rule 1
s s
c complete If this error is the 3rd error in the sequence, then the dependency is at least moderate.
If this error is the 4th error in the sequence, then the dependency is at least high.
This rule may be ignored only if there is compelling evidence for less dependence with the previous tasks.
2 s
s nc na high 3
s s
nc a
moderate 4
s d
c high 5
s d
nc na moderate 6 T s
d nc a
low 7
d s
c moderate 8
d s
nc na low 9
d s
nc a
low 10 d
d c
moderate 11 d
d nc na low 12 d
d nc a
low 13 zero Using P = Task Failure Probability Without Formal Dependence (calculated on page 2):
For Complete Dependence the probability of failure = 1.0 For High Dependence the probability of failure = (1 + P)/2 For Moderate Dependence the probability of failure = (1 +6P)/7 For Low Dependence the probability of failure = (1 + 19P)/20 For Zero Dependence the probability of failure = P Task Failure Probability With Formal Dependence = (1 + ( * )) / =
Additional Notes:
LER 249/04-003 27 SPAR Model Human Error Worksheet (Page 1 of 3)
Plant: Dresden 3 Event Name: OEP-XHE-NODIA-1H (sheet 1),
OEP-EX-23-1-1H,OEP-EX-24-1-1H, OEP-EX-61-1H (sheet 2)
Task Error
Description:
Failure to recover power to 4160 kV busses Does this task contain a significant amount of diagnosis activity ? YES T NO If Yes, Use Table 1 below to evaluate the PSFs for the Diagnosis portion of the task before going to Table 2. If No, go directly to Table 2.
Table 1. Diagnosis worksheet.
PSFs PSF Levels Multiplier for Diagnosis If non-nominal PSF levels are selected, please note specific reasons in this column
- 1. Available Time Inadequate 1.0a Barely adequate < 20 m 10 Nominal. 30 m 1 T Extra > 60 m 0.1 Expansive > 24 h 0.01
- 2. Stress Extreme 5
High 2
Nominal 1 T
- 3. Complexity Highly 5
Moderately 2
Nominal 1 T
- 4. Experience/
Training Low 10 Nominal 1 T High 0.5
- 5. Procedures Not available 50 This factor has been assessed because symptoms of loss of power are considered straightforward.
Available, but poor 5
Nominal 1
Diagnostic/symptom oriented 0.5 T
- 6. Ergonomics Missing/Misleading 50 Poor 10 Nominal 1 T Good 0.5
- 7. Fitness for Duty Unfit 1.0a Degraded Fitness 5
Nominal 1 T
- 8. Work Processes Poor 2
Nominal 1 T Good 0.8
- a. Task failure probability is 1.0 regardless of other PSFs.
LER 249/04-003 28 SPAR Model Human Error Worksheet (Page 2 of 3)
Table 2. Action worksheet.
PSFs PSF Levels Multiplier for Action If non-nominal PSF levels are selected, please note specific reasons in this column
- 1. Available Time Inadequate 1.0a Time available. time required 10 Nominal 1 T Available > 5x time required 0.1 Available > 50x time required 0.01
- 2. Stress Extreme 5
High 2
Nominal 1 T
- 3. Complexity Highly 5
Power recovery is moderately complex.
Moderately 2 T Nominal 1
- 4. Experience/
Training Low 3
Nominal 1 T High 0.5
- 5. Procedures Not available 50 Procedure issues were cited in the inspection report related to breaker manipulation specifically in the context of switchyard breakers.
Available, but poor 5 T Nominal 1
- 6. Ergonomics Missing/Misleading 50 Poor 10 Nominal 1 T Good 0.5
- 7. Fitness for Duty Unfit 1.0a Degraded Fitness 5
Nominal 1 T
- 8. Work Processes Poor 2
Nominal 1 T Good 0.8
- a. Task failure probability is 1.0 regardless of other PSFs.
Table 3. Task failure probability without formal dependence worksheet.
Task Portion Nom.
Prob.
Time Stress Compl.
Exper./
Train.
Proced.
Ergon.
Fitness Work Process Prob.
Diag.
1.0E-2 x 1.0 x 1.0 x 1.0 x 1.0 x 0.5 x 1.0 x 1.0 x 1.0 5.0E-3 Action 1.0E-3 x 1.0 x 1.0 x 2 x 1.0 x 5 x 1.0 x 1.0 x 1.0 1.0E-2 Total Note: diagnosis contribution and execution contributions applied in separate BEs 1.5E-2 SPAR Model Human Error Worksheet (Page 3 of 3)
For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence.
LER 249/04-003 29 Table 4. Dependency condition worksheet.
Condition Number Crew (same or different)
Location (same or different)
Time (close in time or not close in time)
Cues (additional or not additional)
Dependency Number of Human Action Failures Rule 1
s s
c complete If this error is the 3rd error in the sequence, then the dependency is at least moderate.
If this error is the 4th error in the sequence, then the dependency is at least high.
This rule may be ignored only if there is compelling evidence for less dependence with the previous tasks.
2 s
s nc na high 3
s s
nc a
moderate 4
s d
c high 5
s d
nc na moderate 6 T s
d nc a
low 7
d s
c moderate 8
d s
nc na low 9
d s
nc a
low 10 d
d c
moderate 11 d
d nc na low 12 d
d nc a
low 13 zero Using P = Task Failure Probability Without Formal Dependence (calculated on page 2):
For Complete Dependence the probability of failure = 1.0 For High Dependence the probability of failure = (1 + P)/2 For Moderate Dependence the probability of failure = (1 +6P)/7 For Low Dependence the probability of failure = (1 + 19P)/20 For Zero Dependence the probability of failure = P Task Failure Probability With Formal Dependence = (1 + ( * )) / =
LER 249/04-003 30 SPAR Model Human Error Worksheet (Page 1 of 3)
Plant: Dresden 3 Event Name: OEP-XHE-ASP-NR01H (SBO Recovery)
Task Error
Description:
Failure to recover power to 4160 kV busses Does this task contain a significant amount of diagnosis activity ? YES T NO If Yes, Use Table 1 below to evaluate the PSFs for the Diagnosis portion of the task before going to Table 2. If No, go directly to Table 2.
Table 1. Diagnosis worksheet.
PSFs PSF Levels Multiplier for Diagnosis If non-nominal PSF levels are selected, please note specific reasons in this column
- 1. Available Time Inadequate 1.0a Barely adequate < 20 m 10 Nominal. 30 m 1 T Extra > 60 m 0.1 Expansive > 24 h 0.01
- 2. Stress Extreme 5
SBO scenarios; power available offsite but multiple failures in plant, including the ones (SRV) that drive 1-hr time scale High 2 T Nominal 1
- 3. Complexity Highly 5
SBO scenarios; power available offsite but multiple failures in plant, including the ones (SRV) that drive 1-hr time scale Moderately 2 T Nominal 1
- 4. Experience/
Training Low 10 Nominal 1 T High 0.5
- 5. Procedures Not available 50 This factor has been assessed because symptoms of loss of power are considered straightforward.
Available, but poor 5
Nominal 1
Diagnostic/symptom oriented 0.5 T
- 6. Ergonomics Missing/Misleading 50 Poor 10 Nominal 1 T Good 0.5
- 7. Fitness for Duty Unfit 1.0a Degraded Fitness 5
Nominal 1 T
- 8. Work Processes Poor 2
Nominal 1 T Good 0.8
- a. Task failure probability is 1.0 regardless of other PSFs.
LER 249/04-003 31 SPAR Model Human Error Worksheet (Page 2 of 3)
Table 2. Action worksheet.
PSFs PSF Levels Multiplier for Action If non-nominal PSF levels are selected, please note specific reasons in this column
- 1. Available Time Inadequate 1.0a Time available. time required 10 Nominal 1 T Available > 5x time required 0.1 Available > 50x time required 0.01
- 2. Stress Extreme 5
SBO with multiple failures High 2 T Nominal 1
- 3. Complexity Highly 5
Power recovery is moderately complex (note there were issues in this event).
Moderately 2 T Nominal 1
- 4. Experience/
Training Low 3
Nominal 1 T High 0.5
- 5. Procedures Not available 50 Procedure issues were cited in the inspection report related to breaker manipulation specifically in the context of switchyard breakers.
Available, but poor 5 T Nominal 1
- 6. Ergonomics Missing/Misleading 50 Poor 10 Nominal 1 T Good 0.5
- 7. Fitness for Duty Unfit 1.0a Degraded Fitness 5
Nominal 1 T
- 8. Work Processes Poor 2
Nominal 1 T Good 0.8
- a. Task failure probability is 1.0 regardless of other PSFs.
Table 3. Task failure probability without formal dependence worksheet.
Task Portion Nom.
Prob.
Time Stress Compl.
Exper./
Train.
Proced.
Ergon.
Fitness Work Process Prob.
Diag.
1.0E-2 x 1 x 2.0 x 2.0 x 1.0 x 0.5 x 1.0 x 1.0 x 1.0 2E-2 Action 1.0E-3 x 1 x 2.0 x 2.0 x 1.0 x 5 x 1.0 x 1.0 x 1.0 2E-2 Total 4E-2 SPAR Model Human Error Worksheet (Page 3 of 3)
For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence.
LER 249/04-003 32 Table 4. Dependency condition worksheet.
Condition Number Crew (same or different)
Location (same or different)
Time (close in time or not close in time)
Cues (additional or not additional)
Dependency Number of Human Action Failures Rule 1
s s
c complete If this error is the 3rd error in the sequence, then the dependency is at least moderate.
If this error is the 4th error in the sequence, then the dependency is at least high.
This rule may be ignored only if there is compelling evidence for less dependence with the previous tasks.
2 s
s nc na high 3
s s
nc a
moderate 4
s d
c high 5
s d
nc na moderate 6 T s
d nc a
low 7
d s
c moderate 8
d s
nc na low 9
d s
nc a
low 10 d
d c
moderate 11 d
d nc na low 12 d
d nc a
low 13 zero Using P = Task Failure Probability Without Formal Dependence (calculated on page 2):
For Complete Dependence the probability of failure = 1.0 For High Dependence the probability of failure = (1 + P)/2 For Moderate Dependence the probability of failure = (1 +6P)/7 For Low Dependence the probability of failure = (1 + 19P)/20 For Zero Dependence the probability of failure = P Task Failure Probability With Formal Dependence = (1 + ( * )) / =
Additional Notes:
LER 249/04-003 33 SPAR Model Human Error Worksheet (Page 1 of 3)
Plant: Dresden 3 Event Name: OEP-XHE-ASP-NR30M (SBO Recovery)
Task Error
Description:
Failure to recover power to 4160 kV busses in 30 min Does this task contain a significant amount of diagnosis activity ? YES T NO If Yes, Use Table 1 below to evaluate the PSFs for the Diagnosis portion of the task before going to Table 2. If No, go directly to Table 2.
Table 1. Diagnosis worksheet.
PSFs PSF Levels Multiplier for Diagnosis If non-nominal PSF levels are selected, please note specific reasons in this column
- 1. Available Time Inadequate 1.0a Barely adequate < 20 m 10 Nominal. 30 m 1 T Extra > 60 m 0.1 Expansive > 24 h 0.01
- 2. Stress Extreme 5
SBO scenarios; power available offsite but multiple failures in plant, including the ones (SRV) that drive 1-hr time scale High 2 T Nominal 1
- 3. Complexity Highly 5
SBO scenarios; power available offsite but multiple failures in plant Moderately 2 T Nominal 1
- 4. Experience/
Training Low 10 Nominal 1 T High 0.5
- 5. Procedures Not available 50 This factor has been assessed because symptoms of loss of power are considered straightforward.
Available, but poor 5
Nominal 1
Diagnostic/symptom oriented 0.5 T
- 6. Ergonomics Missing/Misleading 50 Poor 10 Nominal 1 T Good 0.5
- 7. Fitness for Duty Unfit 1.0a Degraded Fitness 5
Nominal 1 T
- 8. Work Processes Poor 2
Nominal 1 T Good 0.8
- a. Task failure probability is 1.0 regardless of other PSFs.
LER 249/04-003 34 SPAR Model Human Error Worksheet (Page 2 of 3)
Table 2. Action worksheet.
PSFs PSF Levels Multiplier for Action If non-nominal PSF levels are selected, please note specific reasons in this column
- 1. Available Time Inadequate 1.0a Need to recover within 30 min when this event is invoked Time available. time required 10 T Nominal 1
Available > 5x time required 0.1 Available > 50x time required 0.01
- 2. Stress Extreme 5
SBO with multiple failures High 2 T Nominal 1
- 3. Complexity Highly 5
Power recovery is moderately complex (note there were issues in this event).
Moderately 2 T Nominal 1
- 4. Experience/
Training Low 3
Nominal 1 T High 0.5
- 5. Procedures Not available 50 Procedure issues were cited in the inspection report related to breaker manipulation specifically in the context of switchyard breakers.
Available, but poor 5 T Nominal 1
- 6. Ergonomics Missing/Misleading 50 Poor 10 Nominal 1 T Good 0.5
- 7. Fitness for Duty Unfit 1.0a Degraded Fitness 5
Nominal 1 T
- 8. Work Processes Poor 2
Nominal 1 T Good 0.8
- a. Task failure probability is 1.0 regardless of other PSFs.
Table 3. Task failure probability without formal dependence worksheet.
Task Portion Nom.
Prob.
Time Stress Compl.
Exper./
Train.
Proced.
Ergon.
Fitness Work Process Prob.
Diag.
1.0E-2 x1.0 x2 x2 x 1.0 x 0.5 x 1.0 x 1.0 x 1.0 2E-2 Action 1.0E-3 x 10 x2 x 2 x 1.0 x 5 x 1.0 x 1.0 x 1.0 2E-1 Total
.22 SPAR Model Human Error Worksheet (Page 3 of 3)
For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence.
LER 249/04-003 35 Table 4. Dependency condition worksheet.
Condition Number Crew (same or different)
Location (same or different)
Time (close in time or not close in time)
Cues (additional or not additional)
Dependency Number of Human Action Failures Rule 1
s s
c complete If this error is the 3rd error in the sequence, then the dependency is at least moderate.
If this error is the 4th error in the sequence, then the dependency is at least high.
This rule may be ignored only if there is compelling evidence for less dependence with the previous tasks.
2 s
s nc na high 3
s s
nc a
moderate 4
s d
c high 5
s d
nc na moderate 6 T s
d nc a
low 7
d s
c moderate 8
d s
nc na low 9
d s
nc a
low 10 d
d c
moderate 11 d
d nc na low 12 d
d nc a
low 13 zero Using P = Task Failure Probability Without Formal Dependence (calculated on page 2):
For Complete Dependence the probability of failure = 1.0 For High Dependence the probability of failure = (1 + P)/2 For Moderate Dependence the probability of failure = (1 +6P)/7 For Low Dependence the probability of failure = (1 + 19P)/20 For Zero Dependence the probability of failure = P Task Failure Probability With Formal Dependence = (1 + ( * )) / =
Additional Notes:
LER 249/04-003 36 SPAR Model Human Error Worksheet (Page 1 of 3)
Plant: Dresden 3 Event Name: OEP-XHE-ASP-NR04H (SBO Recovery)
Task Error
Description:
Failure to recover power to 4160 kV busses in 4H Does this task contain a significant amount of diagnosis activity ? YES T NO If Yes, Use Table 1 below to evaluate the PSFs for the Diagnosis portion of the task before going to Table 2. If No, go directly to Table 2.
Table 1. Diagnosis worksheet.
PSFs PSF Levels Multiplier for Diagnosis If non-nominal PSF levels are selected, please note specific reasons in this column
- 1. Available Time Inadequate 1.0a 4-hour time frame Barely adequate < 20 m 10 Nominal. 30 m 1
Extra > 60 m 0.1 T Expansive > 24 h 0.01
- 2. Stress Extreme 5
SBO scenarios; power available offsite but multiple failures in plant High 2 T Nominal 1
- 3. Complexity Highly 5
SBO scenarios; power available offsite but multiple failures in plant Moderately 2 T Nominal 1
- 4. Experience/
Training Low 10 Nominal 1 T High 0.5
- 5. Procedures Not available 50 This factor has been assessed because symptoms of loss of power are considered straightforward.
Available, but poor 5
Nominal 1
Diagnostic/symptom oriented 0.5 T
- 6. Ergonomics Missing/Misleading 50 Poor 10 Nominal 1 T Good 0.5
- 7. Fitness for Duty Unfit 1.0a Degraded Fitness 5
Nominal 1 T
- 8. Work Processes Poor 2
Nominal 1 T Good 0.8
- a. Task failure probability is 1.0 regardless of other PSFs.
LER 249/04-003 37 SPAR Model Human Error Worksheet (Page 2 of 3)
Table 2. Action worksheet.
PSFs PSF Levels Multiplier for Action If non-nominal PSF levels are selected, please note specific reasons in this column
- 1. Available Time Inadequate 1.0a 4-hour time frame Time available. time required 10 Nominal 1
Available > 5x time required 0.1 T Available > 50x time required 0.01
- 2. Stress Extreme 5
SBO with multiple failures High 2 T Nominal 1
- 3. Complexity Highly 5
Power recovery is moderately complex (note there were issues in this event).
Moderately 2 T Nominal 1
- 4. Experience/
Training Low 3
Nominal 1 T High 0.5
- 5. Procedures Not available 50 Procedure issues were cited in the inspection report related to breaker manipulation specifically in the context of switchyard breakers.
Available, but poor 5 T Nominal 1
- 6. Ergonomics Missing/Misleading 50 Poor 10 Nominal 1 T Good 0.5
- 7. Fitness for Duty Unfit 1.0a Degraded Fitness 5
Nominal 1 T
- 8. Work Processes Poor 2
Nominal 1 T Good 0.8
- a. Task failure probability is 1.0 regardless of other PSFs.
Table 3. Task failure probability without formal dependence worksheet.
Task Portion Nom.
Prob.
Time Stress Compl.
Exper./
Train.
Proced.
Ergon.
Fitness Work Process Prob.
Diag.
1.0E-2 x0.1 x2 x2 x 1.0 x 0.5 x 1.0 x 1.0 x 1.0 2E-3 Action 1.0E-3 x 0.1 x2 x 2 x 1.0 x 5 x 1.0 x 1.0 x 1.0 2E-3 Total 4E-3 SPAR Model Human Error Worksheet (Page 3 of 3)
For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence.
LER 249/04-003 38 Table 4. Dependency condition worksheet.
Condition Number Crew (same or different)
Location (same or different)
Time (close in time or not close in time)
Cues (additional or not additional)
Dependency Number of Human Action Failures Rule 1
s s
c complete If this error is the 3rd error in the sequence, then the dependency is at least moderate.
If this error is the 4th error in the sequence, then the dependency is at least high.
This rule may be ignored only if there is compelling evidence for less dependence with the previous tasks.
2 s
s nc na high 3
s s
nc a
moderate 4
s d
c high 5
s d
nc na moderate 6 T s
d nc a
low 7
d s
c moderate 8
d s
nc na low 9
d s
nc a
low 10 d
d c
moderate 11 d
d nc na low 12 d
d nc a
low 13 zero Using P = Task Failure Probability Without Formal Dependence (calculated on page 2):
For Complete Dependence the probability of failure = 1.0 For High Dependence the probability of failure = (1 + P)/2 For Moderate Dependence the probability of failure = (1 +6P)/7 For Low Dependence the probability of failure = (1 + 19P)/20 For Zero Dependence the probability of failure = P Task Failure Probability With Formal Dependence = (1 + ( * )) / =
Additional Notes:
LER 249/04-003 39 Appendix C Event Tree and Fault Tree Figures
LER 249/04-003 40 VA LONG-TERM LOW PRESS INJECTION CRD CRD INJECTION (1 PUMP)
CVS CONTAINMENT VENTING CSS CONTAINMENT SPRAY SDC SHUTDOWN COOLING DEP MANUAL REACTOR DEPRESS SPC SUPPRESSION POOL COOLING LCI LOW PRESS COOLANT INJECTION LCS CORE SPRAY DEP MANUAL REACTOR DEPRESS HCI HPCI ISO ISOLATION CONDENSER SRV SRVS CLOSE EPS EMERGENCY POWER RPS REACTOR SHUTDOWN IE-LOOP LOSS OF OFFSITE POWER STATE 1
OK 2
OK 3
OK 4
OK 5
OK 6
CD 7
OK 8
OK 9
CD 10 CD 11 OK 12 CD 13 OK 14 CD 15 CD 16 OK 17 OK 18 OK 19 CD 20 OK 21 OK 22 CD 23 OK 24 OK 25 CD 26 CD 27 OK 28 OK 29 OK 30 CD 31 OK 32 OK 33 CD 34 OK 35 OK 36 CD 37 CD 38 CD 39 CD 40 T
LOOP-1 41 T
LOOP-2 42 T
SBO 43 T
ATWS P1 P2 LOOP - LOSS-OF-OFFSITE POWER EVENT 2004/12/31 Figure 1. Event Tree for Loss of Offsite Power
LER 249/04-003 41 VA1 LONG-TERM LOW PRESS INJECTION CVS CONTAINMENT VENTING CSS CONTAINMENT SPRAY SPC SUPPRESSION POOL COOLING VA ALTERNATE LOW PRESS INJECTION LCI LOW PRESS COOLANT INJECTION LCS CORE SPRAY DE2 MANUAL REACTOR DEPRESS HC1 HPCI P1 ONE SRV FAILS TO CLOSE STATE 1
OK 2
OK 3
OK 4
CD 5
CD 6
OK 7
OK 8
OK 9
CD 10 CD 11 OK 12 OK 13 OK 14 CD 15 CD 16 OK 17 OK 18 OK 19 CD 20 CD 21 OK 22 OK 23 OK 24 CD 25 CD 26 CD 27 CD VA0 LOOP TRANSFER - LOOP WITH ONE SORV 2002/01/15 Figure 2. Transfer from LOOP Event Tree: LOOP with One Stuck-Open SRV
LER 249/04-003 42 AC AC POWER RECOVERY VA1 FIREWATER INJECTION DEP MANUAL REACTOR DEPRESS HCI HPCI SEALS RECIRC PUMP SEALS SURVIVE ISO ISOLATION CONDENSER SRV SRVS CLOSE EPS TRANSFER BRANCH SBO STATE 1
OK 2
CD 3
OK 4
CD 5
OK 6
CD 7
OK 8
CD 9
OK 10 CD 11 OK 12 CD 13 OK 14 CD 15 OK 16 CD 17 OK 18 CD 19 OK 20 CD 21 OK 22 CD 23 OK 24 CD 25 OK 26 CD 27 OK 28 CD 29 OK 30 CD 31 OK 32 CD 33 CD AC-04H AC-04H AC-04H AC-04H AC-04H AC-04H AC-04H AC-04H AC-30M AC-01H AC-04H AC-04H AC-04H AC-04H AC-04H AC-04H SBO - TRANSFER - STATION BLACKOUT 2004/08/23 Figure 3. Transfer from LOOP Event Tree: Station Blackout
LER 249/04-003 43 ACP-BAC-LP-B23-1 DI V-23-1-AC-1 23-1-AC-3 DIV-23-1-AC-6 31 DG3 33 D G3-SBO D IV-23-1-AC -4 40 D IV-61-AC DI V-61-OP-ALIGN D IV-61-OP-A SP TRU E ASP-ANAL-C ASE AS POP-ALI GN 23 2.0E-3 ACP-BKR 23 1.0E-2 OEP-EX-61-23-1H 5.0E -3 OEP-XHE -NODI A-1H D IV-61-OP-D EFAULT 1.0E-3 EPS-X HE-XM-6XU2D1 NOT-AS P-61-23 TR UE ASP-ANA L-CASE DI V-23-1-AC-5 4.8E-6 AC P-B AC-LP-B33-1 1.0E+0 EPS-XHE-XM-U 3D 1X2 DEFAULT MOD EL (N OT AS P) FOR ALIGN ING 61 TO 23 ASP AN ALYSI S OPERA TOR ACTIONS TO ALIGN 61 TO 23 DEFAU LT C ASE FOR N OT ALIGNIN G BU S 61 TO BUS 23 A SP AN ALYSIS CASE FOR NOT A LIGNI NG SBO BU S OPERA TOR FAI LS TO ALIGN BUS 61 TO BU S 23 D IVISI ON I CR OSS TI E FA ILS BU S 61 AC POWER IS U NAVAI LABLE SB O BU S 61 I S UNA VAILABLE SB O D G-3 I S U NAVAILABLE FROM DG2/3 S U NAVA ILAB LE DIESEL GENER ATOR 3 I S UN AVAILABLE SWI NG EDG 2/3 ALIGNED TO U NIT 3
FAILUR E TO EXEQ ALIGNMEN T OF 61 TO 23 IN 1H FAILUR E OF BREAK ERS LINKI NG 61 TO 23 AND NO RE C I N 1H FAILU RE TO D IAGN OSE NEED TO R ECOVER OFFSITE IN 1 HR TRU E IF D OIN G THE ASP E VENT, FALSE IF D OIN G BASE CASE TRU E IF D OI NG TH E ASP EVENT, FALSE I F DOI NG BAS E CASE OP ERATOR FAILS TO A LIGN SBO BU S 61 TO UN IT 2 DIVI SION I OPERATOR FAI LS TO CR OSS TI E UN IT 3 DIVI SION I TO UNI T 2 B US 33-1 IS U NAVAI LABLE DIV-23-1-AC - DRESDEN 2 & 3 DIVISION BUS 23-1 AC POWER FAULT TREE 2004/12/29 Page 35 Figure 4. Portion of Fault Tree for AC Power at Bus 23-1
LER 249/04-003 44 DIV-24-1-AC-2 FALSE LOOP-II 136 ROOP-TOGGLE-24 DIV-24-1-AC-3 40 DIV-61-AC DIV-61-OP-AL24 DIV-61-24-ASP TRUE ASP-ANAL-CASE ASPOP-ALIGN-61-24 2.0E-3 ACP-BKR-61-24 1.0E-2 OEP-EX-61-24-1H 5.0E-3 OEP-XHE-NODIA-1H DIV-61-24-DEFAULT 1.0E-3 EPS-XHE-XM-6XU2D2 NOT-ASP-61-24 TRUE ASP-ANAL-CASE DIV-24-1-AC-4 4.8E-6 ACP-BAC-LP-B34-1 1.0E+0 EPS-XHE-XM-U3D2X2 DEFAULT CASE NOT ALIGNING 61 TO 24 ASP ANAL OP ACTIONS TO ALIGN 61 TO 24 DEFAULT CASE FAIL TO ALIGN 61 TO 24 ASP ANALYSIS CASE FAIL TO ALIGN 61 TO 24 OPERATOR FAILS TO ALIGN BUS 61 TO BUS 24 BUS 61 AC POWER IS UNAVAILABLE DIVISION II CROSSTIE FAILS SBO BUS 61 IS UNAVAILABLE ROOP OR ROOP-24-1 OFFSITE POWER IS UNAVAILABLE FAILURE TO EXEQ ALIGNMENT OF 61 TO 24 IN 1H FAILURE OF BKRS LINKING 61 TO 24 AND NO REC IN 1 H FAILURE TO DIAGNOSE NEED TO RECOVER OFFSITE IN 1 HR TRUE IF DOING THE ASP EVENT, FALSE IF DOING BASE CASE TRUE IF DOING THE ASP EVENT, FALSE IF DOING BASE CASE OPERATOR FAILS TO ALIGN SBO BUS 61 TO UNIT 2 DIVISION II OPERATOR FAILS TO CROSSTIE UNIT 3 DIVISION II TO UNIT 2 LOSS OF OFFSITE POW ER TO DIVISION II BUS 34-1 IS UNAVAILABLE DIV-24-1-AC - DRESDEN 2 & 3 DIVISION BUS 24-1 AC POWER FAULT TREE 2004/12/29 Page 36 Figure 5.
Portion of Fault Tree for AC Power at Bus 24-1
LER 249/04-003 45 DIV-61-AC 4.8E-6 ACP-BAC-LP-B61 DIV-61-AC-1 28 DG2-SBO DIV-61-AC-2 FALSE LOOP-B61 138 ROOP-TOGGLE-61 DIV-61-AC-3 4.8E-6 ACP-BAC-LP-B71 1.0E+0 EPS-XHE-XM-S3XTIE 33 DG3-SBO SBO DG-2 IS UNAVAILABLE SBO BUS 71 CROSSTIE FAILS OFFSITE POWER IS UNAVAILABLE LOSS OF POWER TO 4160V AC BUS BUS 61 AC POWER IS UNAVAILABLE ROOP OR ROOP-61 SBO DG-3 IS UNAVAILABLE BUS 71 IS UNAVAILABLE OPERATOR FAILS TO CROSSTIE SBO DG-3 TO BUS 61 BUS 61 IS UNAVAILABLE LOSS OF OFFSITE POWER TO BUS 61 DIV-61-AC - DRESDEN 2 & 3 SBO BUS 61 AC POW ER FAULT TREE 2004/12/17 Page 40 Figure 6. Portion of Fault Tree for AC Power at SBO Bus
LER 249/04-003 46 ROOP-TOGGLE ASP-MODEL-ROOP TRUE ASP-ANAL-CASE 134 ROOP-23-1 BASE-MODEL-ROOP NOT-ASP-ANALYSIS TRUE ASP-ANAL-CASE 103 ROOP MODIFIED ROOP TREE ACTIVATED OFFSITE POWER IS UNAVAILABLE BASE CASE ROOP IF NOT ASP; IF ASP, BUS-SPECIFIC ROOP ROOP FOR BUS 23-1 ROOP TREE FROM BASE MODEL ACTIVATED ROOP OR ROOP-23-1 TRUE IF DOING THE ASP EVENT, FALSE IF DOING BASE CASE TRUE IF DOING THE ASP EVENT, FALSE IF DOING BASE CASE ROOP-TOGGLE - ROOP OR ROOP-23-1 2004/12/15 Page 133 Figure 7. Portion of Fault Tree Logic Determining Recovery Actions to be Applied at Bus 23-1
LER 249/04-003 47 ROOP-TOG GLE-24 ASP-MODEL-ROOP-24 TRUE ASP-ANAL-CASE 137 ROO P-24-1 BASE-MODEL-ROOP-24 NOT-ASP-24 TRUE ASP-ANAL-CASE 103 ROOP DEFAULT CASE FOR BUS 24 ROOP FOR BUS 24-1 ROOP TREE FROM BASE MODEL ACTIVATED MODIFIED RO OP-24 TREE ACTIVATED ROOP OR ROOP-24-1 OFFSITE POWER IS UNAVAILABLE TRUE IF DOING THE ASP EVENT, FALSE IF DOING BASE CASE TRUE IF DOING THE ASP EVENT, FALSE IF DOING BASE CASE ROOP-TOGGLE-24 - ROOP OR ROOP-24-1 2004/12/29 Page 136 Figure 8. Portion of Fault Tree Logic Determining Recovery Actions to be Applied at Bus 24-1
LER 249/04-003 48 ROOP-TOGGLE-61 ASP-MODEL-ROOP-61 TRUE ASP-ANAL-CASE 139 ROOP-61-1 BASE-MODEL-ROOP-61 NOT-ASP-61 TRUE ASP-ANAL-CASE 103 ROOP DEFAULT ROOP FOR BUS 61 ROOP FOR BUS 61 ROOP TREE FROM BASE MODEL ACTIVATED MODIFIED ROOP TREE ACTIVATED ROOP OR ROOP-61 OFFSITE POWER IS UNAVAILABLE TRUE IF DOING THE ASP EVENT, FALSE IF DOING BASE CASE TRUE IF DOING THE ASP EVENT, FALSE IF DOING BASE CASE ROOP-TOGGLE-61 - ROOP OR ROOP-61 2004/12/29 Page 138 Figure 9. Portion of Fault Tree Logic Determining Recovery Actions to be Applied at SBO Bus
LER 249/04-003 49 ROOP-23-1 ROOP-23-1-10HR FALSE LOOP-10HR ROOP-23-1-10HR-1 1.5E-4 ACP-BKR-23-1-10 1.0E-3 OEP-EX-23-1-10H 5.0E-4 OEP-XHE-NODIA-10H ROOP-23-1-1HR FALSE LOOP-01HR ROOP-23-1-1HR-1 1.5E-3 ACP-BKR-23-1-1 1.0E-2 OEP-EX-23-1-1H 5.0E-3 OEP-XHE-NODIA-1H OPERATO R OR BREAKER FAILURES TO RESTORE PWR TO 23-1 AT 1HR OPERATO R OR BREAKER FAILURES TO RESTORE PWR TO 23-1 AT 10HR OFFSITE IS UNAVAILABLE TO 23-1 AT 1 HR OFFSITE PWR NOT RESTO RED TO 23-1 AT 10 HR ROOP FOR BUS 23-1 FAILURE TO DIAGNOSE NEED TO RECO VER OFFSITE IN 1 HR FAILURE OF BKRS OFFSITE =>23-1 AND NO RECOVERY IN 1 HR OPERATOR FAILURE TO EXECUTE RECO VERY TO BUS 23-1 AT 10H FAILURE OF BKRS OFFSITE=> 23-1 AND NO RECOVERY IN 10 HR FAILURE TO EXECUTE RESTORATION OF OFFSITE TO 23-1 IN 1 HR FAILURE TO DIAGNOSE NEED TO RECO VER OFFSITE IN 10 HR OFFSITE PO WER MUST BE RECOVERED IN 1 HR OFFSITE POW ER MUST BE RECOVERED IN 10 HRS ROOP-23-1 - ROOP FOR BUS 23-1 2004/12/22 Page 134 Figure 10. Recovery Actions at Bus 23-1
LER 249/04-003 50 ROOP-24-1 ROOP-24-1-10HR FALSE LOOP-10HR ROOP-24-1-10HR-1 1.5E-4 ACP-BKR-24-1-10H 1.0E-3 OEP-EX-24-1-10H 5.0E-4 OEP-XHE-NODIA-10H ROOP-24-1-1HR FALSE LOOP-01HR ROOP-24-1-1HR-1 1.5E-3 ACP-BKR-24-1-1H 1.0E-2 OEP-EX-24-1-1H 5.0E-3 OEP-XHE-NODIA-1H OPERATOR OR BKR FAILURES TO RESTORE PWR TO 24-1 AT 1 HR OPERATOR OR BKR FAILURES TO RESTORE PWR TO 24-1 AT 10 HR OFFSITE PWR NOT RESTORED TO 24-1 AT 1 HR OFFSITE PWR NOT RESTORED TO 24-1 AT 10 HR ROOP FOR BUS 24-1 FAILURE TO EXEQ PROC TO RECOVER THIS BUS AT 1H FAILURE TO EXECUTE PROC TO RECOVER THIS BUS AT 10H FAILURE OF BKRS OFFSITE =>24-1 AND NO RECOVERY IN 1 HR FAILURE OF BKRS OFFSITE => 24-1 AND NO RECOVERY IN 10 HR FAILURE TO DIAGNOSE NEED TO RECOVER OFFSITE IN 1 HR FAILURE TO DIAGNOSE NEED TO RECOVER OFFSITE IN 10 HR OFFSITE POWER MUST BE RECOVERED IN 1 HR OFFSITE POWER MUST BE RECOVERED IN 10 HRS ROOP-24-1 - ROOP FOR BUS 24-1 2004/12/29 Page 137 Figure 11. Recovery Actions at Bus 24-1
LER 249/04-003 51 ROOP-61-1 ROOP-61-1-10HR FALSE LOOP-10HR ROOP-61-1-10HR-1 1.0E-4 ACP-BKR-61-10H 1.0E-3 OEP-EX-61-10H 5.0E-4 OEP-XHE-NODIA-10H ROOP-61-1-1HR FALSE LOOP-01HR ROOP-61-1HR-1 1.0E-3 ACP-BKR-61-1H 1.0E-2 OEP-EX-61-1H 5.0E-3 OEP-XHE-NODIA-1H OPERATO R OR BKR FAILURES TO RESTORE PWR TO 61 AT 1 HR OPERATO R OR BKR FAILURES TO RESTORE PW R TO 61 AT 10 HR OFFSITE PWR NOT RESTO RED TO 61 AT 1 HR OFFSITE PWR NOT RESTO RED TO 61 AT 10 HR ROOP FOR BUS 61 FAILURE OF BKRS OFFSITE=>61 AND NO RECO VERY AT 1 HR FAILURE TO EXEQ RESTORATION OF OFFSITE TO 61 IN 1 HR OPERATOR FAILURE TO EXEQ RECOVERY TO 61 IN 10 HR FAILURE OF BKRS O FFSITE=> 61 AND NO RECOVERY IN 10 HR FAILURE TO DIAGNOSE NEED TO RECO VER OFFSITE IN 1 HR FAILURE TO DIAGNOSE NEED TO RECO VER OFFSITE IN 10 HR OFFSITE PO WER MUST BE RECOVERED IN 1 HR OFFSITE POW ER MUST BE RECOVERED IN 10 HRS ROOP-61-1 - ROOP FOR BUS 61 2004/12/29 Page 139 Figure 12. Recovery Actions at SBO Bus
52 Appendix D Single Line Drawings
53 Drawing 1: Switchyard Single Line
LER 50-249/04-003 54 Drawing 2:
4160 kV Electric Power System