Text

Final Precursor Analysis, LER 341/03-002, Automatic Reactor Trip and Loss of Offsite Power Due to the August 14, 2003, Transmission Grid Blackout
	ML060720146
Person / Time
Site:	Fermi
Issue date:	12/17/2004
From:	; Office of Nuclear Regulatory Research
To:	;
	jaffe D, NRR/DORL, 415-1439
Shared Package
ML060650069	List: ML060650068; ML060720146;
References
	LER 03-002-00
	Download: ML060720146 (16)
	v • d • e

Enclosure Final Precursor

.* .j. . .N diu Analysis I

Fermi _Automatic Reactor Trip and Loss of Offsite Power Due to the August 14, 2C003, Transmission Grid Blackout Event Date 8/14/2003 LER: 341/03-002 I CCDP1 = 2x 1 0-5

. i December 17, 2004 Event Summary e:=

At 1610hoursonAugust14, 2003, Fermi experienced grid instability and asubsequentreactortrip while operating at 100% power. Loss of offsite power (LOOP) occurred at 1611 hours0.0186 days 0.448 hours 0.00266 weeks 6.129855e-4 months . Plant emergencydiesel generators (EDGs)started and supplied powertosafety-related plantloads until offsite power was restored. Attachment A is a timeline of significant events. (Refs. 1,2, and 3).

Cause. The reactor trip and LOOP were caused by grid instability associated with the regional transmission system blackout that occurred on August 14, 2003.

Otherconditions, failures, andunavailable equipment. The combustion gas turbine generator (CTG) failed to start from the control room due to the failure of a battery-powered inverter. The CTG was manually started 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months into the event using a portable generatoras an alternate source of starting power.

Recovery opportunities. Offsite power was first available at 2230 hours0.0258 days 0.619 hours 0.00369 weeks 8.48515e-4 months (Ref 3). Power from offsite was restored to the first emergency bus at 0153 hours0.00177 days 0.0425 hours 2.529762e-4 weeks 5.82165e-5 months on August 15 (Ref. 2).

Analysis Results -_r zn c :=

Conditional Core Damage Probability (CCDP)

The CCDP for this event is 2x1 0-5. The acceptance threshold for the Accident Sequence Precursor Program is a CCDP of 1x10 6 . This event is a precursor.

Mean 5% 95%

Best estimate 2x105 1X104 8x10-5 1 For the initiating event assessment, the parameter of interest isthe measure of the CCDP. This isthe value obtained when calculating the probability of core d image for an initiating event with subsequent failure of one or more components following the initiating event.

1

LER 341/03-002

Dominant Sequences The dominant core damage sequences forthis assessmentare LOOP sequence 05 (38.3%

of the total CCDP) and LOOP/station blackout (SBO) sequence 60-04 (38.3% of the total CCDP). The LOOP and SBO event trees are shown in Figures 1 and 2.

The events and important component failures in LOOP Sequence 05 are:

- loss of offsite power occurs,

- reactor shutdown succeeds,

- emergency power is available,

- safety relief valves successfully reclose,

- standby feedwater succeeds,

- suppression pool cooling fails,

- manual depressurization succeeds,

- shutdown cooling fails,

- containment spray fails, and

- containment venting fails.

The events and important component failures in LOOP/SBO Sequence 60-04 are:

- loss of offsite power occurs,

- reactor shutdown succeeds,

- emergency power is unavailable,

- safety relief valves successfully reclose,

- reactor core isolation cooling (RCIC) provides sufficient flow to the reactor vessel,

- manual depressurization succeeds,

- firewater injection is unavailable, and

- ac power is not recovered in 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months .

Results Tables

- The CCDP value for the dominant sequence is shown in Table 1.

- The event tree sequence logic forthe dominant sequence is presented inTable 2a.

- Table 2b defines the nomenclature used in Table 2a.

- The most important cut sets for the dominant sequence are listed in Table 3.

- Table 4 presents names, definitions, and probabilities of (1) basic events whose probabilities were changed to update the referenced SPAR model, (2)basic events whose probabilities were chan ged to model this event, and (3)basic events that are important to the CCDP result.

Modeling Assumptions =

Assessment Summary This event was modeled as a loss of offsite power initiating event. Rev. 3.10 (SAPHIRE

7) of the Fermi SPAR model (Ref. 4) was used for this assessment. The specific model version used as a starting point for this analysis is dated December 10, 2004.

2

LER 341/03-002 Since this event involves a LOOP of significant duration (longerthan the battery depletion time), probabilities of nonrecovery of offsite power at different times following the LOOP are important factors in the estimation of the CCDP.

Best estimate: Detroit Edison was able to isolate an offsite power restoration path between the Monroe Power Plant, Brownstown Station, Fermi nuclear plant, and Trenton Channel plant. This occurred at 2230 hours0.0258 days 0.619 hours 0.00369 weeks 8.48515e-4 months , about 6.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months following LOOP, in this event.

Failure to recover offsite power to plant safety-related loads (if needed because EDGs fail to supply the loads), given recovery of power to the switchyard, could result from (1) operators failing to restore properbreakerline-ups, (2)breakers failing to close on demand, or (3) a combination of operator and breaker failures. The dominant contributor to failure to recover offsite power to plant safety-related loads in this situation is operators failing to restore proper breaker line-ups. This analysis assumed that at least 30 minutes is necessary to restore power to an emergency bus given that offsite power is available inthe switchyard2. The time available forooperators to restore proper breaker line-ups to prevent core damage is dependent on specific accident sequences and is modeled as such using the SPAR human reliability model (Ref. 5). Assumptions described below, combined with the assumption of offsite power restoration described above, form the bases for the LOOP nonrecovery probabilities.

Important Assumptions Important assumptions regarding power recovery modeling include the following:

- No opportunityforthe recovery of offsite powerto safety-related loads is considered for any time prior to power being available in the switchyard.

- At least 30 minutes are required to restore power to emergency loads after power is available in the switchyard.

- SPAR models do not credit offsite power recovery following battery depletion.

The GEM program used to determine the CCDP for this analysis will calculate probabilities of recovering offsite power at various time points of importance to the analysis based on historical data for grid-related LOOPs. In this analysis, this feature was overridden; offsite power recovery probabilities were based on (1) known information about when powerwas restored to the switchyard and (2) use of the SPAR human error model to estimate probabilities of failing to realign power to emergency buses for times after power was restored to the switchyard.

Attachment B is a general description of analysis of loss of offsite power events in the Accident Sequence Precursor Program. It includes a description of the approach to estimating offsite power recovery probabilities.

Event Tree and Fault Tree Modifications The CTG failed to start from the control room due to the failure of a battery-powered inverter. The CTG was manually started 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months into the event using a portable generator as an alternate source of starting power. For this analysis, the CTG was modeled as (1) failed for sequences leading to early core damage and (2) recoverable for long-term core 2 Sensitivity analysis has shown that the difference between 30 and 60 minutes restoration time has minimal effect on the results.

3

LER 341/03-002 damage sequences. The following rules were applied to LOOP sequences 56, 57, 58-37, 58-38, 59-11, 60-14, 60-23, 60-25, 630-27 and 60-28 (sequences leading to early core damage):

if EPS-CTG-FS-BLKST then DeleteEvent = EPS-CTG-FS-BLKST; AddEvent = EPS-CTG-FS-BLKST1; elsif (EPS-CTG-TM-CTG + EPS-CTG-FR-BLKST + EPS-XHE-XM-CTG) then DeleteRoot; endif EPS-CTG-FS-BLKST1 is an event whose probability is set to 1.0 to model the early unavailability of the CTG.

Additionally, two long-term LOOP sequences appeared to be very important contributors to the overall CCDP. In the dominant cut sets forthese sequences, one operator recovery value, which concerned the operator aligning a dead bus to a functioning EDG (EPS-XHE-XM-ALTDG), was particularly important. While its default value might be appropriate for short-term realignment, the value is too high for these important long-term sequences.

Therefore, the following recovery rule! was implemented for LOOP sequences 5 and 17:

if EPS-XHE-XM-ALTDG then DeleteEvent = EPS-XHE-XM-ALTDG; AddEvent = EPS-XHE-XM-,ALTDG10; endif The four basic events involved in the these two changes are included in the basic event probability changes section.

Basic Event Probability Changes Table 4 includes basic events whose probabilities were changed to reflect the event being analyzed. The bases for these changes are as follows:

- Probability of blackstart CTG failing to start before 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months (EPS-CTG-FS-BLKSTI). This event represents the short-term failure to start (< 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months ) of the blackstart CTG. Since the CTCG was unavailable forthe first 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months , EPS-CTG-FS-BLKST1 was set to 1.0.

- Probabilityof operator failingto align dead bus to alternate diesel generator after 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months (EPS-XHE-XM-ALTDGIO). This event represents the long-term failure of the operator to realign a dead bus to an alternate diesel generator (> 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months ). This value is used in long-term sequence. Using the SPAR human error model to determine the value (seeAttachment D), EPS-XHE-XM-ALTDG10 was set to 1.0X10-3.

- Probabilityofoperatorsfailingto recoverblackstartCTG (EPS-XHE-XM-CTG).

This event represents the probability of operators failing to recover the blackstart CTG. Using the SPAR human error model to determine the value (see Attachment D), EPS-XHE-XM-CTG was set to 2.5x10-1.

4

LER 341103-002

- Probability of failure to recover offsite power in 30 minutes (OEP-XHE-XL-NR30M). During the event, offsite power was not available in the switchyard until 6.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months after the LOOP. Therefore, there was no opportunity to recover offsite power in 30 minutes and OEFP-XHE-XL-NR30M was set to TRUE.

- Probability of failure to recover offsitepowerin 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months (OEP-XHE-XL-NR0IH).

During the event, offsite power was not available in the switchyard until 6.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months after the LOOP. Therefore, there was no opportunity to recover offsite power in 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months and OEP-XHE-XL-NROI H was set to TRUE.

- Probability of failure to recover offsite power in 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months (OEP-XHE-XL-NR04H). During the event, offsite power was not available in the switchyard until 6.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months after the LOOP. Therefore, there was no opportunity to recover offsite power in 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months and OEP-XHE-XL-NR04H was set to TRUE.

- Probability of failure to recover offsite power in 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months (OEP-XHE-XL-NR10H). During the event, offsite power was not available in the switchyard until 6.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months after the LOOP. Therefore, the operators had approximately 3.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months to recover offsite power to the vital safety buses. Using the SPAR human error model to determine the value (see Attachment C), OEP-XHE-XL-NR1 OH was set to 1.0X104.

- Probability that restart of RCI is required (RCI-RESTART). During the event, RCI and high-pressure coolant injection (HPCI) automatically started to provide flow to the reactor vessel. Upon reaching level 8 in the reactor, both systems were isolated. RCIC was later manually started and used forreactorlevel control. Since RCI restart occurred, RCI-RESTART was set to TRUE.

- Probability of diesel generators failing to run (ZT-DGN-FR-L). The default diesel generator mission times were changed to reflect the actual time to recover power to the first safety bus (approximately 9.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months ). Since the overall fail-to-run is made up of two separate factors, the mission times for the factors were set to the following: ZT-DGN-FR-E = 1.0 hours0 days 0 hours 0 weeks 0 months (base case value) and ZT-DGN-FR-L = 8.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months .

References =: ;=L=

1. Licensee Event Report 341/03-002, Revision 1, Automatic Reactor Shutdown Due to Electric Grid Disturbance and Loss of Offsite Power, event date August 14,2003 (ADAMS Accession No. ML033570189).

2. NRC Region 3 Grid Special RepDrt, August 28, 2003 (ADAMS Accession No. ML0324102370).

3. Michigan Public Service Commission Report on August 14th Blackout, November 2003.

4. R. F. Buell and J. A. Schroeder, Standardized PlantAnalysis Risk ModelforFermi 2 (ASP BWR C), Revision 3.10, December 2004.

5

LER 341/03-002

5. D. Gertman, etal., SPAR-HMethod, INEEL/EXT-02-10307, DraftforComment, November 2002 (ADAMS Accession No. ML0315400840).

6

LER 341/03-002 Table 1. Conditional probabilities associated with the highest p obability sequences.

Conditional core damage Percent Event tree Sequence no. probability (CCDP)1 contribution name LOOP 05 6.9x104 38.3%

LOOP/SBO 60-04 6.9x104 0 38.3%

Total (all sequences) 2 1.8x10 5

1. Values are point estimates. (File name: GEM 341-03-002 12-13-2004.wpd)

2. Total CCDP includes all sequences (including those not shown in this table).

Table 2a. Event tree sequence logic for the dominant sequences.

Event tree Sequence Logic name no. ("I" denotes success; see Table 2b for top event names)

LOOP 05 /RPS, /EPS, /SRV, /SFW, SPC, /DEP, SDC, CSS, CVS LOOP/SBO 60-04 /RPS, EPS, /SRV, /RCI, /DEP, VA3, AC-04H Table 2b. Definitions of fault trees listed in Table 2a.

AC-04H OPERATOR FAILS TO RECOVER AC POWER IN 4 HOURS CSS CONTAINMENT SPRAY FAILS CVS CONTAINMENT VENTING FAILS DEP MANUAL DEPRESSURIZATION FAILS EPS EMERGENCY POWER FAILS RCI RCIC FAILS TO PROVIDE SUFFICIENT FLOW TO REACTOR RPS REACTOR SHUTDOWN FAILS SDC SHUTDOWN COOLING FAILS SFW STANDBY FEEDWATER FAILS SPC SUPPRESSION POOL COOLING FAILS SRV ONE OR MORE SRVS FAIL TO RECLOSE VA3 FIREWATER INJECTION IS UNAVAILABLE 7

LER 341/03-002 Table 3. Conditional cut sets for dominant sequences.

Percent CCDP' contribution Minimal cut sets 2 Event Tree: LOOP, Sequence 05 5.0x 104 72.0 RHR-XHE-XM-ERROR CVS-XHE-XM-VENT 4 3 7.4X10 Total (all cut sets)

Event Tree: LOOP/SBO, Sequence 60-04 2.8x104 40.1 EPS-XHE-XM-CTG EPS-DGN-CF-RUN EPS-XHE-XL-NR04H 6.3x10-7 9.1 EPS-XHE-XM-CTG EPS-DGN-CF-START EPS-XHE-X.L-NR04H 5.5x107 8.0 EPS-CTG-TM-CTG EPS-DGN-CF-RUN EPS-XHE-XL-NR04H 4.4X10-7 6.4 EPS-CTG-FS-BLKST EPS-DGN-CF-RUN EPS-XHE-XL-NR04H 6.3x 104 Total (all cut sets) 3

1. VnCIU< C n Int -CLiI_#

n

2. See Table 4 for definitions and probabilities for the basic events.

3. Totals include all cut sets (including those not shown in this table).

8

LER 341/03-002 Table 4. Definitions and probabilities for modified or dominant basic events.

Event name Description fProbability Modified CVS-XHE-XM-VENT OPERATOR FAILS TO VENT CONTAINMENT 1.Ox10-2 No EPS-CTG-FS-BLKST BLACKSTART CTG FAILS TO START 4.Ox10-2 No BLACKSTART CTG FAILS TO START EPS-CTG-FS-BLKST1 1.0 Yes' BEFORE 3 HOURS EPS-CTG-TM-CTG CTG OUT FOR TEST AND MAINTENANCE 5.0x10, 2 No EPS-DGN-CF-RUN EDGs FAIL FROM COMMON CAUSE 2.2x 10-5 No EPS-DGN-CF-START EDGs FAIL FROM COMMON CAUSE 5.Ox1i0 No OPERATOR FAILS TO RECOVER EDG IN 4 EPS-XHE-XL-NR04H 5.Ox 1 0 No HOURS EPS-XH E-XM-ALTDG 10 OPERATOR FAILS TO ALIGN ALT EDG TO 1.0x10 3 Yes 2 DEAD BUS AFTER 10 HOURS EPS-XHE-XM-CTG OPERATOR FAILS TO START CTG 2.5x 10-1 Yes 2 LOSS OF OFFSITE POWER INITIATING Yes3 IE-LOOP 1.0 EVENT OPERATOR FAILS TO RECOVER OFFSITE Yes 2 OEP-XHE-XL-NR30M TRUE POWER IN 30 MINUTES OPERATOR FAILS TO RECOVER OFFSITE Yes 2 OEP-XHE-XL-NRO1 H TRUE POWER IN 1 HOUR OPERATOR FAILS TO RECOVER OFFSITE Yes2 OEP-XHE-XL-NR04H TRUE POWER IN 4 HOURS OPERATOR FAILS TO RECOVER OFFSITE 1.Ox1 0'3 Yes2 OEP-XHE-XL-NR1 OH POWER IN 10 HOURS RCI-RESTART RESTART OF RCIC IS REQUIRED TRUE Yes' OPERATOR FAILS TO START/CONTROL RHR-XHE-XM-ERROR 5.0x10-4 No RHR ZT-DGN-FR-L EDG FAILS TO RUN (LONG TERM) 6.8x1 0'3 Yes4

1. Events changed to reflect the condition being analyzed. See report and Basic Event Probability Changes for further details.

2. Evaluated per SPAR-H method (Ref. 5). See Attachments C and D for further details.

3. Initiating event assessment- all other initiating event frequencies set to zero.

4. Changed mission time to correspond to the time that offsite power was restored to the first vital bus. See report and Basic Event Probability Changes for further details.

9

LER 341/03-002 Attachment A Event Timeline Table A.l Timeline of significant events.

Date Time Event 1610 Reactor trips due to grid instability 1611 Offsite power is lost to emergency buses; emergency diesel generators 8/14/03 _ automatically start and load to power the emergency buses 1622 Unusual Event is declared 2230 Offsite power is restored to the switchyard 0153 First emergency bus (10600) is switched to offsite power source and EDG 14 is shutdown 0412 Second emergency bus (10500) is switched to offsite power source and EDG 13 is 8/15/03 shutdown 1332 Emergency diesel generators are shut down 1348 Unusual Event is terminated 10

LER 341/03-002 Attachment B LOOP Analysis Procedure This procedure is not intended to stand alone; instead it is intended to augment ASP Guideline A:

Detailed Analysis3 . LOOP event analyses are a type of initiating event assessment as described in ASP Guideline A. Specific analysis steps that are unique to ASP analysis of LOOP events are included here.

1. Determine significant facts associated with the event.

1.1 Determine when the LOOP occurred.

1.2 Determine when stable offsite! power was first available in the switchyard.

1.3 Determine when offsite power was first restored to an emergency bus.

1.4 Determine when offsite power was fully restored (all emergency buses powered from offsite, EDGs secured).

1.5 Identify any other significant conditions, failures, or unavailabilities that coincided with the LOOP.

2. Model power recovery factors associated with the best estimate case and any defined sensitivity cases.

2.1 For the best estimate case, the LOOP duration is the time between the occurrence of the LOOP and the time when stable power was available in the switchyard plus the assumed time required to restore power from the switchyard to emergency buses. Attachment C documents the probabilistic analysis of power recovery factors for the best estimate case analysis.

2.2 If EDGs successfully start and supply emergency loads, plant operators do not typically rush to restore offsite power to emergency buses, preferring to wait until grid stability is more certain. Therefore, a typical upper bound sensitivity case considers the LOOP duration as the time between the occurrence of the LOOP and the time when offsite power was first restored to an emergency bus. Attachment C documents the probabilistic analysis of power recovery factors for the sensitivity case analysis.

3. Model event-specific mission durations for critical equipment for the best estimate case and any defined sensitivity cases. (For most equipment, SPAR model failure probabilities are not functions of defined mission durations and are therefore not affected by this analysis step. Notable exceptions include EDGs and, for PWRs, turbine-driven auxiliary feedwater pumps.)

3.1 Forthe best estimate case, mission durations are set equal to the assumed LOOP duration as defined in Step 2.1 above.

3.2 For a typical upper bound sensitivity case, mission durations are set equal to the time between the occurrence of the LOOP and the timewhen offsite powerwas fully restored to all emergency buses. (Note these mission durations are longerthan the assumed LOOP duration defined in Step 2.2 above; they are intended to represent the longest possible mission duration for any critical equipment item.)

3 ASP Guideline A: Detailed Analysis, U.S. Nuclear Regulatory Commission.

11

LER 341/03-002 Attachment C Power Recovery Modeling

Background The time required to restore offsite power to plant emergency equipment is a significant factor in modeling the CCDP given a LOOP. SPAR LOOP/SBO models include various sequence-specific ac power recovery factors that are based on the time available to recover power to prevent core damage. For a sequence involving failure of all of the cooling sources, only about 30 minutes would be available to recover power to help avoid core damage. On the other hand, sequences involving successful early inventory control and decay heat removal, but failure of long-term decay heat removal, would accommodate several hours to recover ac power prior to core damage.

In this analysis, offsite power recovery probabilities are based on (1) known information about when power was restored to the switchyard and (2) estimated probabilities of failing to realign power to emergency buses for times after offsite power was restored to the switchyard. Power restoration times were reported by the licensee in the LER and in response to the questionnaire that was conducted by the NRC Regional Office. The time used is the time at which the grid operator informed the plant that power was available to the switchyard (with a load limit). Although the load limit was adequate to energize plant equipment and, if necessary, prevent the occurrence of an SBO sequence, plant operators did not immediately load safety buses onto the grid. This ASP analysis does not consider the possibility that grid power would have been unreliable if that power were immediately used.

Failure to recover offsite power to plant safety-related loads (if needed because EDGs fail to supply the loads), given recovery of power to the switchyard, could result from (1) operators failing to restore proper breaker line-ups, (2)breakers failing to close on demand, or (3) a combination of operator and breaker failures. The dominant contributor to failure to recover offsite power to plant safety-related loads in this situation is operators failing to restore proper breaker line-ups. The SPAR human error model (ref.) was used to estimate nonrecovery probabilities as a function of time following restoration of offsite power to the switchyard. The best estimate analysis assumes that at least 30 minutes are necessary to restore offsite power to emergency buses given offsite power is available in the switchyard.

Human Error Modeling The SPAR human error model generally considers the following three factors:

- Probability of failure to diagnose the need for action

- Probability of failure to successfully perform the desired action

- Dependency on other operator actions involved in the specific sequence of interest This analysis assumes no probability of failure to diagnose the need to recover ac power and no dependency between operator performance of the power recovery task and any othertasktheoperators mayneedto perform. Thus, each estimated acpowernonrecovery probability is based solely on the probability of failure to successfully perform the desired action.

12

LER 341/03-002 The probability of failure to perform an action isthe product of a nominal failure probability (1.0X10-3) and the following eight performance shaping factors (PSFs):

- Available time

- Stress

- Complexity

- Experience/training

- Procedures

- Ergonomics

- Fitness for duty

- Work processes For each ac power nonrecovery probability, the PSF for available time is assigned a value of 10 if the time available to perform the action is approximately equal to the time required to perform the action, 1.0 if the time available is between 2 and 4 times the time required, and 0.1 if the time available is greater than or equal to 5 times the time required. If the time available is inadequate (i.e., less than the time to restoration of powerto the switchyard plus 30 minutes for the best estimate), the ac power nonrecovery probability is 1.0.

The PSF for stress is assigned a value of 5 (corresponding to extreme stress) for all ac power nonrecovery probabilities. Factors considered in assigning this PSF include the sudden onset of the LOOP initiating event, the duration of the event, the existence of compounding equipment failures (ac power recovery is needed only if one or more emergency buses are not powered by EDGs), and the existence of a direct threat to the plant.

Forall of the ac powernonrecovery probabilities, the PSF for complexity is assigned a value of 2 (corresponding to moderately complex) based on the need for multiple breaker alignments and verifications.

For all of the ac power nonrecovery probabilities, the PSFs for experience/training, procedures, ergonomics, fitness for duty, and work processes are assumed to be nominal (i.e., are assigned values of 1.0).

Results Table C.1 presents the calculated values for the ac power nonrecovery probabilities used in the best estimate analysis.

Table C.1 AC Power Nonrecovery Probabilities PSF Nominal Time Product of Nonrecovery Nonrecovery Factor Value Available All Others Probability 3

OEP-XHE-XL-NR30M 1.OX 1() Inadequate TRUE OEP-XHE-XL-NRQ1H 1.0X1()4 Inadequate TRUE OEP-XHE-XL-NR04H 1.0X1()4 Inadequate - TRUE 3

OEP-XHE-XL-NR1OH 1.OXl() 0.1 10 1.0x10 3 Attachment D 13

LER 341/03-002 Human Error Modeling For this analysis, the values of two operator recovery events, EPS-XHE-XM-ALTDG10 and EPS-XHE-XM-CTG, were updated using the standard SPAR Model Human Error Worksheet. A summary of the worksheet results is provided by Table D.1.

Table D.1 Human Error Basic Event Probabilities PSF o -4 I 0 CD ~ 'a

- CL CD U) ,

Nominal Nonrecovery Factor Value Nonrecovery Probability EPS-XHE-XM-ALTDG10 1.0x1o-3 All PSFs are Nominal 1.Ox10 3 (Action)

EPS-XHE-XM-CTG 1.Ox1O-2 0.1 5 1 1 20 1.0x10-'

(Diagnosis) I __(Total) 2____

2.5X10 (Total)

EPS-XHE-XM-CTG 1.ox10-3 0.1 2

3 50 -

1.5x10-1 '

(A ction) _I_ I___ __ __ __I___I___I_

14

04 0

C11 Cf) 0~

-J LO Figure 1: Fermi LOOP event tree with dominant sequence highlighted.

,IL CV)

W

-J CID Figure 2: Fermi SBO event tree with dominant sequence highlighted.

ML060720146

Text

Navigation menu

Search