ML062710035
| ML062710035 | |
| Person / Time | |
|---|---|
| Site: | Waterford |
| Issue date: | 05/18/2006 |
| From: | Demoss G NRC/RES/DRASP/DDOERA/OEGI |
LER 382-2005-004 1
Final Precursor Analysis
Accident Sequence Precursor Program -- Office of Nuclear Regulatory Research
Plant: Waterford
Event Description: Loss of Offsite Power in Mode 4 during Hurricane Katrina
Event Date: August 29, 2005
LER 382-2005-004
IR 382-2005-004
CCDP = 2.1E-6
May 18, 2006
Event Summary
The loss of offsite power occurred on August 29, 2005 at 07:59 hrs. At the time, the site was experiencing sustained tropical storm winds of 48 miles per hour. Hurricane Katrina was making its landfall on the Louisiana coastline. The loss of power was a result of grid instabilities which were caused by damage and effects of Katrina. The plant experienced voltage spikes prior to the loss of power, which eventually caused declaration of offsite power inoperable some time before the event, at 06:24. At 07:45, the instrument air pressure was lost due to lowering grid voltage. When the LOOP occurred, both EDGs started and loaded their respective emergency bus loads. SDC-A (shutdown cooling loop A), which was removing the decay heat prior to the event, was manually connected by 08:15 and continued to operate to remove the decay heat. The EDGs operated throughout the event. Eventually, the plant entered Mode 5, as a precaution, on September 1, 2005. After grid evaluations, offsite power was declared operable at 23:21 on September 1, 2005 for train A and at 22:20 on September 2, 2005 for train B. Plant startup commenced on September 9, following successful completion of NRC's and FEMA's restart readiness inspection. The plant was synchronized to the grid on September 13, 2005.
Plant configuration. The plant was in the process of orderly shutdown, which started with reactor manual trip at 13:16, August 28, due to a hurricane warning for St. Charles parish.
Katrina was a Category 4 hurricane at the time. Mode 4 was entered at 20:58 the same day.
At the time of loss of offsite power, the plant was operating on SDC (shutdown cooling) loop A, with RCPs 1B and 2B circulating the primary coolant. Also, in anticipation of the hurricane induced loss of offsite power, two portable diesel generators (TEDs), mounted on truckbeds and normally shuttled between Waterford and another plant in hurricane season, were brought on site on August 28, 2005. They were installed and placed in a ready state for a possible manual connection to their respective emergency bus, should the plant emergency diesel generator (EDG) dedicated to that bus fail to operate during the event.
Concurrent failures. There were no safety systems failures during the event. The only notable events, which do not impact the event evaluation results, were the loss of the instrument air system (per the design), the failure of the RCP-2B breaker to open on loss of offsite power (it was manually opened and repaired) and the failure of the emergency preparedness offsite communication system later in the event, which was also repaired and for which alternate means of communication were available and used.
Other events. No other events having an effect on this event are evident in the LER database, see Appendix F.
Analysis Results
Conditional Core Damage Probability (CCDP)
The conditional core damage probability (CCDP) for this event is 2.1E-6. A shutdown model was used for this evaluation. For comparison, the full power model unmodified LOOP event tree evaluation (but with credit for TEDs, no RCP seal LOCA and no SRV challenge) yields a CCDP of 1.3E-5. The shutdown model evaluation is considered the correct one.
The relatively low CCDP in the shutdown model evaluation is due to the presence and reliability of the SDC and the EFW systems, the presence of additional truck-mounted temporary emergency diesel (TED) generators on site and their assumed reliability, and the long available recovery times due to lower decay heat loads as the plant was shut down ahead of Katrina's landfall as a precaution.
The uncertainty results are presented in the Table below.

| CCDP | 5% | Median | Mean | 95% |
|---|---|---|---|---|
| Unit 3 | 1.8E-7 | 1.1E-6 | 2.1E-6 | 6.9E-6 |

Dominant Sequences
The dominant sequences for this event are the loss of offsite power in shutdown (LOOPSD) sequences 3 and 5. Sequence 3 contributes 16% and sequence 5 contributes 81% to the CCDP results. The event tree and the highlighted dominant sequences are shown in Figure 1.
For comparison, if the full power model is used, the dominant sequence is sequence 14 of the LOOP event tree (shown in Figure 2), contributing 77% to that evaluation.
The dominant sequences contain the following events:
Sequence 3:
- intrinsic plant emergency power succeeds;
- shutdown cooling fails;
- EFW fails.
Sequence 5:
- intrinsic plant emergency power fails;
- turbine-driven EFW succeeds;
- there is no recovery of plant-intrinsic emergency power in the 4 hr battery depletion time and temporary emergency diesel generators fail.
In comparison, sequence 14 of the full power LOOP event tree has the success of the RPS and the EPS systems and failure of the EFW.
Footnote 1: According to INL, the core uncovery times in the full power SPAR models are based on decay heat levels at beginning of the event.
Results Tables
The conditional probabilities for the dominant sequences are shown in Table 1.
The event tree sequence logic for the dominant sequences is presented in Table 2a.
Table 2b defines the nomenclature used in Table 2a.
The most important cut sets for the dominant sequences are listed in Table 3.
Definitions and probabilities for modified or dominant basic events are provided in Table 4.
Modeling Assumptions
Analysis Type
This is an initiating event analysis. The LOOP event occurred at the site. Thus, in the GEM run, the initiating event probability of event IE-LOOPSD was set to 1.0. A special LOOP event tree was constructed and evaluated for this event, due to the fact that the event occurred in Mode 4 (hot shutdown), whereas the SPAR model assumes full power operation.
This event tree (LOOPSD) takes into account the facts that SDC (shutdown cooling, otherwise known as the RHR system) was available in Mode 4 and that, due to elapsed time, the decay heat levels were lower than in the full power model.
The decay heat levels were estimated to be on the order of 0.7% of full power at approximately 19 hours after the trip when the initiating event occurred. Since, at the time of reactor trip, the decay heat is at close to 7% of full power, the available time to core uncovery was adjusted accordingly (see footnote 1).
The model also credits the truck-mounted temporary emergency diesels (TEDs), which were on site, installed and ready to be manually connected in case of need. No credit is given to TED repair. No credit is given to offsite power recovery as it didn't occur nor is it postulated to occur within the mission time in a hurricane induced event.
Unique Design Features [Ref. 3 and 4]
Lack of feed and bleed capability. Waterford 3 does not have a reactor coolant system power operated relief valve (PORV). Thus, the unit does not have the feed and bleed capability as the high pressure pump head is insufficient to lift the safety valves. The three charging pumps are the positive displacement type and they can lift the safety valves on the pressurizer.
However, the combined flow rate of around 134 gpm is insufficient for decay heat removal, even at the relatively low decay heat levels during the event. On the other hand, this type of feed and bleed through the SRVs may extend the available time to core damage, in certain sequences, which is not credited in the analysis.
Emergency power. The unit has two 4.4 MW emergency diesel generators, and two main 4.16 kV emergency buses, 3A3-S and 3B3-S. In addition, a third bus, 3AB3-S, is manually connected to either emergency bus (but not to both at the same time), to provide power to third (installed spare) components in the following systems: HPI, CCW, chilled water and associated valves. Any changes in alignment or loading of this bus are accomplished by a dead bus transfer.
Footnote 2: No TED documentation in the FSAR and the IPE. Ref. 10 states that the TEDs are self sufficient.
The EDGs are cooled by a closed loop jacket water cooling system. The ultimate heat sink is the CCW system. While the EDGs are idle, the jacket water cooling system and the engine lube system are maintained in warm condition, by usage of electric resistance heating, in order to minimize EDG startup wear and tear.
In addition to the EDGs, there are two TEDs (temporary emergency diesel generators), which were available at the plant. These are truck mounted and are shuttled between Waterford and another plant in case of need (e.g., hurricane precaution). They are independent of any plant systems (see footnote 2). They are not credited either in the IPE analysis or in the SPAR model. They are credited in evaluation of this event, as they were brought to the plant and installed as a precaution and ready to be manually connected to the emergency buses in case of need. The TEDs are not repairable (they are maintained by the vendor and there are no spare parts) and are not sheltered; they are parked outside the east end of the turbine building.
Ultimate heat sink. CCW is the ultimate heat sink for most risk significant systems at Waterford. This system has three pumps, A, B, and AB (see discussion above on emergency power). CCW rejects heat to two dry cooling towers and, in case of need, to the ACW (auxiliary cooling water system). ACW has two loops and its ultimate heat sink is two wet cooling towers.
The dry and the wet cooling towers are the ultimate heat sink for the CCW system, are safety grade and are designed to withstand or minimize damage from hurricane and tornado effects.
The two wet cooling towers are used if extra cooling capacity is required during hot weather conditions. The two wet cooling tower basins (174,000 gal each) are used as makeup for the CSP. The makeup to the WCT basins is provided by the gravity feed from the underground circulating water system (assumed not available during the event).
EFW. This system has the usual complement of two MD and one TD train. The MD pumps are rated at 395 gpm, while the TDP is rated at 780 gpm.
The TDP controls are dc-powered as are the turbine steam supply (TSS) valves, which fail as-is. The TDP will operate from cold start on steam pressure from 50 psig to 1135 psig. The TDP stop (trip and throttle) valves are solenoid-dc powered (mechanical link overspeed protection also provided), can be remotely operated by a 480V ac motor and are additionally provided with a handwheel for manual local operation.
The EFW isolation valves are fail-open pneumatically operated valves which also rely on 125V DC power to actuate the solenoids; they can be throttled from the control room to match the EFW flow to the decay heat load. The EFW isolation valves are pneumatically operated, equipped with accumulators, sufficient for 10 hrs of operation, fail open on loss of air and are also equipped with handwheels for manual operation.
The EFW isolation valves (in the four lines to the steam generators) and the TSS valves are located outdoors, on top of the auxiliary building (RAB), protected from flooding, tornado missiles by grating and RAB walls, and designed for tornado winds.
The condensate storage pool (CSP) has a water volume of 170,000 gal and is located inside the auxiliary building. If the CSP is exhausted, the EFW suction can be manually aligned to the two wet cooling tower basins, each of which holds 174,000 gal. The first 24 hours of cooldown from full power, by steam generators only (SDC out) require 320,000 gal of water, according to the FSAR.
SG heat removal. The preferred mode of heat removal after a LOOP, should secondary cooling be used, is steam dumping to the atmosphere through the steam generator PORVs.
The SG PORVs have enough compressed gas for 10 hours of operation in a LOOP. After that, manual local operation is possible, as well as the decay heat removal at high pressure using the SG safety valves.
SDC (shutdown cooling system). This system is in many aspects similar to most RHR systems (LPI pumps are used). One difference is that there are four discharge lines and two suction lines, each suction line is isolated by an MOV and a pneumatically-hydraulically controlled valve inside the containment and one MOV outside the containment (three valves in series per suction line). These valves are dependent on ac and dc power. Thus, unlike some other designs (e.g., a single suction line for both trains of RHR with two MOVs in series operated from different power divisions), a loss of one train of emergency power does not preclude operation of one train of RHR, while at the same time redundancy is provided in the means of isolation from the RCS pressure at full power. SDC isolation is also interlocked with the pressurizer pressure, and inside-containment MOVs have their breakers racked open during full power operation to prevent inadvertent opening.
Alignment to the shutdown cooling mode is accomplished remotely from the control room except that valves CS117A(B) have to be manually opened in the RAB (auxiliary building). In addition, on loss of instrument air (a consequence of a LOOP event), while the flow throttle valves can be remotely manually operated from the control room, valves SI-306 and SI-307 must be positioned manually locally to adjust the total shutdown cooling flow.
On loss of power, the two isolation MOVs in each line fail as is (and can be manually operated if necessary, except if they are in a closed position), while the HOV in each line fails closed and can be manually opened. The CCW valves to the SDC heat exchanger will not be affected, as they are provided with air accumulators. The air operated SDC heat exchanger bypass valves fail open and can be manually operated with a handwheel, in conjunction with MCR operation of the SDC throttle valves regulating the RCS flow through the SDC HX.
Flood protection. Waterford has engineered flood protection features and the FSAR spends significant time on the topic of external floods. Most of the surrounding area is below sea level. The plant itself is situated at around 14-15 ft above MSL. The Mississippi river surface at that point is 11-12 ft above MSL. Between the river and the plant, there is a levee with a top at about 30 ft above MSL. Surrounding the nuclear island (which contains the safe shutdown equipment) is a flood protection wall, whose top is also at 30 ft above MSL. There are drainage ditches around the plant, all the openings below the 30 ft MSL are engineered to be flood proof, and there are flood control features upstream which would divert potential flood waters away from New Orleans and the plant. The river levees are designed to much higher standards than the hurricane levees on Lake Pontchartrain and the canals in New Orleans. They are designed for floods 11% greater than the greatest floods on record, in the early 20th century.
The Waterford site is engineered for a certain maximum credible flood, involving a simultaneous maximum water level on the Mississippi and a large surge from a hurricane.
Modeling Assumptions Summary
Key modeling assumptions. The key modeling assumptions are listed below and discussed in detail in the following sections. These assumptions are important contributors to the overall risk.
TEDs are self contained and can be started, connected and operated without DC power or any other plant support systems.
There will be no TM downtime on any equipment during the event, except as specifically modeled for the failed diesel generators. This is a good best estimate assumption, though slightly non-conservative. There is some probability that some equipment may have been in unplanned maintenance, due e.g., to failed tests prior to hurricane arrival. However, as seen in the sensitivity analysis 14 (which included the very conservative nominal TM unavailabilities), this will not have a major effect on the results.
Independence of human actions is assumed regarding the EFW and the SDC systems, as in the FP SPAR models. This independence is more likely in this event, where the time scales are relatively long. The diesel generator repair will be performed by dedicated personnel at the diesel generator location, thus independently of the main control room. There will also be independence between EDG repair and manual startup and connection of the TEDs.
TED hardware failure probabilities are assumed to be similar to the EDG failure probabilities (Ref. 9). Only hardware start and first hour failures are important, due to the relatively short times to fill the steam generators and the relatively long boil-off times due to low decay heat levels; any additional unreliability due to longer running times would be more than offset by reduced EDG non-recovery probability, according to available data. There was time to check out and prepare the TEDs for the event.
Standard EDG repair curve is credited, due to availability of essential personnel on-site and availability of spare parts throughout the event. This repair curve is applied to any failures resulting in a loss of EPS.
TED repair/recovery or replacement is not credited.
TED procedures are assumed to exist for startup, connection and running of the TEDs, and the operators are assumed to be trained on them.
The steam generators were available for decay heat removal, i.e., the water inventory in them was normal, when the LOOP occurred.
It is assumed that RCP seal LOCA will not be a problem, even in SBO situations.
In case of an SBO, and with TDEFW unavailable, the RCS will start its heatup at low pressure and temperature and the decay power will be low. It will take a long time to boil-off the SG inventory post TDEFW failure or battery depletion and to heat up the RCS to normal operating conditions in which the RCP seal LOCA is a consideration. It is believed that in a protracted SBO, the core uncovery will occur before or on the same time scale as this return to the normal operating conditions in the RCS.
Similar considerations as above for the RCP seal LOCA, apply for the SRV challenge probability (consideration of induced SLOCA due to SRV sticking open), i.e., such will be disregarded in the model.
Automatic start and sequencing of EDGs on loss of offsite power.
EFW will have to be started and aligned manually if it is needed.
SDC has to be manually connected onto respective EDGs.
It is assumed the operators will not have to go outside to operate equipment, such as EFW and TDEFW valves (which are located on RAB roof). The EFW isolation valves fail open on loss of air and the TDEFW steam supply valves can be operated by DC power. However, the EFW isolation valves may need to be manually throttled, to match the flow rate to the decay power, once the 10-hr accumulator air supply runs out. If the outside conditions are still inclement after the 10 hours, an alternative would be to operate the EFW pumps in an intermittent manner, which would alter the failure probabilities somewhat.
The operators will keep the RCS conditions favorable for SDC entry (RCS pressure < 392 psia, RCS temperature < 350 °F), if there is steam generator secondary inventory (e.g., in SBO conditions, with or without TDEFW operating).
Mission time of 24 hours is used for this multi-day event.
The plant had a full complement of essential operations and maintenance personnel per the severe weather/flooding procedure.
The plant and the surrounding area (St. Charles parish) did not experience major effects from hurricane Katrina. There were no reports of wind damage or flooding at the plant, thus the spare parts warehouse was accessible throughout the event. St. Charles parish did not experience extreme winds or major flooding (Ref. 1-3, 11, 16-27).
Fitness for duty PSF was not affected by actual hurricane effects outside the plant.
Timing of failures is not included in scenario development (e.g., convolution).
Other assumptions. Other assumptions that have a negligible impact on the results due to relatively low importance include the following:
The estimated available recovery time of 8-12 hrs is based on a rough estimate of the steam generator inventory, based on FSAR drawings (Figure 5.4-5) (no other information on the subject is available), RCS inventory from the FSAR and the decay heat curve (ANS 5.1-1979, taken from Reference 8). These parameters were also compared to the full power time to core uncovery of 1 hour and its decay heat. The results are not overly sensitive to this, as the SPAR time PSF factor is not that precise, and sequences 8 and 9 are minor contributors. In sequence 5, 4 hrs for operation of TDEFW should be added to this time (up to 16 hrs total) to obtain the total time available to operators until core uncovery; however, no further actions (e.g., TED replacement) are credited beyond the 4 hr EDG recovery and TED operation.
CSP (condensate storage pool) will need to be replenished, if EFW is used exclusively in a 24 hr mission time. The makeup source, the two wet cooling tower basins, is assumed not to be fragile with respect to the high winds and their effects.
Either ACW heat removal via the wet cooling towers or the CCW heat removal via the dry cooling towers is sufficient for the ultimate heat sink at the time of the event (summer). The FSAR indicates that under unfavorable conditions, both the dry and the wet cooling tower may be needed per loop.
The wet cooling tower basins will not be sufficiently damaged by hurricane effects.
The WCT basins have sufficient capacity both for makeup to the CSP and for operation of the wet cooling towers, which are assumed to be needed as part of the CCW ultimate heat sink. No credit is given for makeup to the WCT basins.
Stress PSFs are not affected by hurricane effects outside the plant.
High pressure feed and bleed (via charging pumps and SRVs) was not credited.
High dependence is assumed between operator actions related to TDEFW and MDEFW in SBO sequences with EPS recovery.
Fault Tree Modifications
Several fault trees were constructed for the new event tree LOOPSD. They are:
TDEFW-SD. Operation of the TDEFW train in shutdown. Used when emergency power fails. It contains a basic event for operator action ORed with the full power SPAR model fault tree for the TDEFW train.
REC4. Recovery of installed emergency power in 4 hours, the estimated battery depletion time. It is an AND gate whose inputs are the basic event for recovery of intrinsic EDGs in 4 hours and a transfer to the fault tree TED (fault tree for the temporary diesel generators), below.
TED. Temporary emergency diesel generators fault tree. It is an OR gate whose inputs are the operator action to start and manually connect the TEDs to the emergency buses, and hardware failure of the TEDs (mainly failure to start).
SDC-SD. Shutdown cooling in shutdown (mode 4). Contains the operator action ORed with the FP SPAR model SDC fault tree.
EFW-SD. EFW cooling in shutdown (mode 4). Contains the operator action ORed with the FP SPAR model EFW fault tree.
SDC-SD-EPS. Shutdown cooling in mode 4, after EPS recovery. Similar in structure to the SDC-SD fault tree (different operator action used), this fault tree uses the LOOPB-FTF flag set, which disables train B of emergency power.
MDEFW-SD. MD EFW in mode 4, after EPS recovery. Similar in structure to the EFW-SD fault tree above (different operator action used), this fault tree uses the LOOPB-FTF flag set, which disables train B of emergency power. Technically, this is the fault tree for MD EFW only, but using the EFW transfer is OK, as TDEFW has already failed earlier in the sequence.
In addition, the existing fault tree EFW was changed to disable offsite power recovery in this event. The fault trees are shown in Figures 3-10.
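The REC4 and TED gate logic described above, evaluated as an added example (not part of the NRC analysis or the SPAR model). The two TED basic event values are the 1.0E-3 settings this analysis assigns; the event name `EDG-NONREC-4H` and its value 0.5 are constructed placeholders, since the text does not state the 4 hr EDG non-recovery probability.

```python
from itertools import product

# Basic event probabilities. The two TED values are the ones assigned in this
# analysis; EDG-NONREC-4H is a hypothetical name with a constructed value.
BASIC_EVENTS = {
    "EPS-XHE-XL-TED": 1.0e-3,  # operator fails to connect and start a TED
    "EPS-EDG-TED": 1.0e-3,     # TED hardware fails to start or run early
    "EDG-NONREC-4H": 0.5,      # ASSUMED: intrinsic EDGs not recovered in 4 hr
}

# Gate structure as described in the text: TED is an OR gate; REC4 is an AND
# gate over EDG non-recovery and a transfer to the TED tree.
FAULT_TREES = {
    "TED": ("OR", ["EPS-XHE-XL-TED", "EPS-EDG-TED"]),
    "REC4": ("AND", ["EDG-NONREC-4H", "TED"]),
}


def minimal_cut_sets(node, trees=FAULT_TREES):
    """Return the minimal cut sets of `node` as a set of frozensets."""
    if node not in trees:  # basic event
        return {frozenset([node])}
    gate, inputs = trees[node]
    children = [minimal_cut_sets(i, trees) for i in inputs]
    if gate == "OR":
        sets = set().union(*children)
    elif gate == "AND":
        sets = {frozenset().union(*combo) for combo in product(*children)}
    else:
        raise ValueError(f"unsupported gate type: {gate}")
    # Absorption: drop any cut set that strictly contains another one.
    return {s for s in sets if not any(other < s for other in sets)}


def cut_set_probability(cut_set, probs=BASIC_EVENTS):
    """Product of the basic event probabilities in one cut set."""
    p = 1.0
    for event in cut_set:
        p *= probs[event]
    return p


def rare_event_approximation(node, probs=BASIC_EVENTS, trees=FAULT_TREES):
    """Sum of the minimal cut set probabilities."""
    return sum(cut_set_probability(cs, probs)
               for cs in minimal_cut_sets(node, trees))


def min_cut_upper_bound(node, probs=BASIC_EVENTS, trees=FAULT_TREES):
    """1 - prod(1 - P(cut set)); exact only if cut sets share no events."""
    q = 1.0
    for cs in minimal_cut_sets(node, trees):
        q *= 1.0 - cut_set_probability(cs, probs)
    return 1.0 - q


def _basic_events(node, trees):
    if node not in trees:
        return {node}
    return set().union(*(_basic_events(i, trees) for i in trees[node][1]))


def _occurs(node, state, trees):
    if node not in trees:
        return state[node]
    gate, inputs = trees[node]
    results = [_occurs(i, state, trees) for i in inputs]
    return any(results) if gate == "OR" else all(results)


def exact_probability(node, probs=BASIC_EVENTS, trees=FAULT_TREES):
    """Exact top event probability by enumerating every basic event state,
    assuming the basic events are independent."""
    events = sorted(_basic_events(node, trees))
    total = 0.0
    for values in product([False, True], repeat=len(events)):
        state = dict(zip(events, values))
        if _occurs(node, state, trees):
            weight = 1.0
            for e in events:
                weight *= probs[e] if state[e] else 1.0 - probs[e]
            total += weight
    return total


if __name__ == "__main__":
    for top in ("TED", "REC4"):
        print(top, sorted(sorted(cs) for cs in minimal_cut_sets(top)))
        print("  rare event:", rare_event_approximation(top))
        print("  min cut UB:", min_cut_upper_bound(top))
        print("  exact     :", exact_probability(top))
```

Both REC4 cut sets contain the EDG non-recovery event, so the min-cut upper bound lies between the exact value and the rare-event sum rather than matching the exact value; all three REC4 figures scale with the assumed 0.5.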
Basic Event Probability Changes
Table 4 provides all the basic events that were modified to reflect the best estimate of the conditions during the event. The bases for these changes are provided below:
Turbine driven EFW pump runs for four hours (event EFW-TDP-FR-TD4HR). This is a new compound event, consisting of events ZT-TDP-FR-E and a new event, ZT-TDP-FR-L-3H, which describe the early and the late run failures, respectively. The new event, ZT-TDP-FR-L-3H, has a mission time of 3 hr, thus the compound event has an effective mission time of 4 hrs. This event, EFW-TDP-FR-TD4HR, is used in SBO sequences only, and is implemented via a sequence recovery rule which replaces the event EFW-TDP-FR-AB (the 24 hr run failure of the TDEFW pump) with this one (see Appendix E).
Operator fails to start and run the EFW system in shutdown (mode 4), (event EFW-XHE-SD). This event was set to 2.0E-004, based on SPAR-H considerations, see Appendix B.
Operator fails to start and control the MDEFW system in shutdown (mode 4), after EPS recovery, (event EFW-XHE-SD-MD). This event was set to 1.0E-2, based on SPAR-H considerations, see Appendix B.
Operator fails to start and control the MDEFW system in shutdown (mode 4), after EPS recovery, and after TDEFW failure due to operator error (dependent event EFW-XHE-SD-MD-1). This event was set to 0.5, assuming high dependence between operator actions to start and control MDEFW and operator actions to start and control TDEFW in this sequence.
Operator fails to start and control the TDEFW system in shutdown (mode 4), SBO conditions, (event EFW-XHE-SD-TD). This event was set to 2.5E-3, based on SPAR-H considerations, see Appendix B.
Temporary emergency diesel (TED) generators hardware failure to start and run early, (event EPS-EDG-TED). This event was set to 1.0E-3, based on internal EDG reliability considerations and NPRD95 data. The NPRD95 data stipulate a total failure rate of 9.1E-4/hr for packaged standby diesel generators (as opposed to the unpackaged standby diesel generator total failure rate of 1.2E-4/hr). This total failure rate includes all failure modes, including failure to start, failure to run early and failure to run late. This is similar to the failure to run late rate of EDGs of 8.E-4/hr.
Thus it was decided to use a failure rate similar to that of EDGs for failure to start and failure to run early, increased by a factor to allow for commercial nature of the TEDs and to allow for the fact that the TEDs are tandem generators. In tandem generators, two diesel engines in tandem run one generator. The failure rate is increased somewhat over the singular generator, but by much less than a factor of two, due to the dominant failure modes. Also, there is uncertainty as to whether one engine could continue to run the generator at reduced power upon failure of the other engine; no credit will be given to that here. For EDGs, FTS + FTRE = 7.5E-3. Thus, it was decided to use 1.E-2 for FTS + FTRE of a single TED, and to multiply by a conservative beta factor of 0.1 to arrive at an evaluation of this event (composite FTS + FTRE of the two TEDs) of 1.E-3.
This beta factor is probably conservative given that these are rental units and thus unlikely to be maintained at the same time and by the same personnel.
The TEDs are somewhat similar to SBO diesel generators at some plants. The SPAR models use the same reliability parameters for the SBO diesel generators as for the front-line EDGs, due to lack of data and other considerations. It could be argued that the plant had anticipated the hurricane hit and the resultant long-term loss of offsite power, and that the TEDs were ready and tested/maintained prior to installation.
As shown in Appendix H, only FTS + FTRE of TEDs is used (i.e., mission time capped at one hour), because the increased unreliability at longer run times is more than offset by the reduced EPS non-recovery probability.
Operator fails to connect and start a TED, (event EPS-XHE-XL-TED). This event was set to 1.0E-3, based on SPAR-H considerations, see Appendix B. As stated in the assumptions, it is assumed that there are procedures for TED operation, that the operators were ready, practiced and knowledgeable on those procedures at the start of the event (preparations were made ahead of time), and, as the LER stated, the TEDs were installed and ready to be manually connected to the respective emergency bus, should the respective front-line EDG fail.
Initiating event loss of offsite power in shutdown (Mode 4), (event IE-LOOPSD).
Set to 1.0, per initiating event evaluation procedure, as the initiating event occurred.
All other initiating events, (event IE-*). Set to 0.0, per initiating event analysis procedure.
Switch to disable offsite power recovery in the EFW fault tree, (event KATRINA-SWITCH). Set to TRUE, as offsite power was not recovered in the 24 hr mission time, in this hurricane event.
Operators fail to restart or control RHR in shutdown (Mode 4), (event SDC-XHE-SD). This event was set to 1.0E-004, based on SPAR-H considerations, see Appendix B.
Operators fail to restart or control RHR in shutdown (Mode 4) after EPS recovery, (event SDC-XHE-SD-EPS). This event was set to 4.0E-3, based on SPAR-H considerations, see Appendix B.
Operator fails to start and control SDC, (events SDC-XHE-XM*). These are the operator actions in the base SPAR full power model. These events were set to FALSE, as other events, described above, for various scenarios were used instead.
Test and Maintenance events for all systems, all trains and all components, (events XXX-XX-TM-X and ZT-XXX-TM*). Set to FALSE, as the hurricane and the induced LOOP were anticipated and prepared for, and thus, it is believed that no planned testing/maintenance was going on in systems that might be used in the event.
This could be somewhat non-conservative as there could have been non-planned maintenance events ongoing when the LOOP occurred. However, the sensitivity analysis below shows this to be a minor effect. The ZT events are the template events for TM basic events; however, since there are exceptions (some TM events don't use the ZT events), all TM events were set to FALSE, to make sure that none escaped the screen.
The following events which are associated with SDC loop A were set to FALSE, as SDC-A was operating at the time of the event, and certain valves don't change position on loss of power, and certain pre-existing failures are precluded:
- SDC-AOV-CF-1161AB, common cause failure of RWSP miniflow isolation AOVs 1161A and B to close
- SDC-AOV-OO-1161A, failure of miniflow isolation AOV 1161A to close
- SDC-MOV-CC-401A, SDC loop A suction isolation MOV 401A fails to open
- SDC-MOV-CC-407A, SDC loop A suction isolation MOV 407A fails to open
- LPI-MOV-CF-INJ, CCF of LPI injection MOVs
- LPI-MOV-CC-139A, LPI discharge MOV 139A fails to open
- LPI-MOV-CC-138A, LPI discharge MOV 138A fails to open
- CSR-XHE-XR-HTXA, operator leaves SDC heat exchanger A in improper state post TM
- CCW-AOV-CC-SDHTXA, CCW outlet AOV to SDC heat exchanger A fails to open
- CCW-AOV-CF-SDHTX, CCF failure to open of CCW outlet AOVs to SDC heat exchangers
- LPI-XHE-XR-A, operator leaves LPI pump A in improper state post test and maintenance
- SDC-AOV-OO-BYPA, SDC heat exchanger bypass valve fails
- SDC-MOV-CC-125A, failure of SDC A heat exchanger inlet MOV to open
- SDC-MOV-CC-412A, failure of SDC A heat exchanger outlet MOV to open
- SDC-AOV-CF-BYP, CCF of SDC heat exchanger bypass valves
- SDC-MOV-CF-401AB, CCF of SDC suction isolation MOVs 401 A and B
- SDC-MOV-CF-407AB, CCF of SDC suction isolation MOVs 407 A and B
- SDC-MOV-CF-HTXIN, CCF of SDC heat exchanger inlet valves
- SDC-MOV-CF-HTXOUT, CCF of SDC heat exchanger outlet valves
Other Items of Interest
The original (full power) SPAR model uses the emergency power recovery curve on agglomeration of all EPS failures (including independent failures, common cause failures, support systems and TM outages) on a sequence-wide basis, without special cutset rules (purely independent EDG failure cutsets are a small contributor to EPS unavailability). Such treatment was kept in this analysis, for lack of data. In contrast, the discussion in NUREG/CR-6890 (Ref. 28) regarding this curve implies that it is only applicable to EDG repair, and apparently not the repair of any other cause of EPS failure.
Disallowing EDG repair has a moderate effect on the CCDP, as shown in the sensitivity analysis; the effect is amplified if 48 hr mission time is assumed.
Waterford's warehouse, where spare parts are kept, may become inaccessible in some extreme events involving flooding and/or extreme winds and/or other external hazards on site. For example, it seems that the 30 ft MSL floodwall, which encloses the nuclear island, does not include the service building. Thus, in a prolonged LOOP, spare parts may not be available for possible EDG recovery (this was likely not the case in the event analyzed).
Waterford's offsite power connections, while redundant and radiating in many directions, did not forestall a LOOP while relatively mild winds were being experienced on site.
This has a bearing on ASP evaluation of another Waterford LER, the EDG-A burst fuel tubing during testing (LER 382-2003-007). The assumption is made in that analysis that only extreme winds locally would guarantee a LOOP. If the alternative assumption is made that any large hurricane hitting SE Louisiana would produce a LOOP, that evaluation rises from a low E-6 to a low to mid E-5 (a CDP of 1.3E-5 results in case of average incidence of large hurricanes on SE LA, and a CDP of 5E-5 results for hurricane-active decades, of which this may be one). However, it is noted that the true numbers may be smaller, as no credit for TEDs is given in that evaluation, due to lack of firm data on TED use at the plant. In addition to the above adjustment in the results, the standard assumption of only extreme winds guaranteeing a LOOP may also need to be revised.
Sensitivity Analyses

Sensitivity analyses were performed to determine the effects of model uncertainties on results based on best estimate assumptions. The following table provides the results of the sensitivity analyses ( means no significant change).

| No. | Modification | New CCDP |
|---|---|---|
| 1 | HRA dependency btw SDC and EFW systems - low dependency assumed | 7.0E-6 |
| 2 | TED hardware failure probability increased by one order of magnitude (to 1.E-2 for FTS+FTRE) | 9.7E-6 |
| 3 | TED total unreliability increased to 0.1 (includes both human and hardware components) | 9.0E-5 |
| 4 | only one TED on site | 9.7E-6 |
| 5 | no TEDs on site | 9.0E-4 |
| 6 | 0.5 qualitative recovery factor in SBO sequences, for TED replacement upon failure due to long time scales (12-16 hr) | 1.3E-6 |
| 7 | 1 + 2 | 1.4E-5 |
| 8 | no EDG repair (warehouse inaccessible for 24 hrs, etc.) | 8.0E-6 |
| 9 | stress PSFs increased by one level | 2.3E-6 |
| 10 | 9 + no EDG repair (due to stress or warehouse inaccessibility) | 8.2E-6 |
| 11 | 9 + 1 | 1.2E-5 |
| 12 | 9 + 1 + 2 | 2.1E-5 |
| 13 | fitness for duty PSF degraded | 6.1E-6 |
| 14 | nominal TM included | 3.7E-6 |
| 15 | 6 hr core uncovery | |
| 16 | OR gate between CCW and ACW instead of the AND gate in the SPAR model | 2.2E-6 |
| 17 | LOOP-A vs. LOOP-B FTF (switch availability of emergency buses after EPS recovery in SBO from A division to B division) | |
| 18 | both emergency buses available upon EPS recovery in SBO (not just one as in default case) | |
| 19 | resetting SDC-A events which were FALSEd out | 2.2E-6 |
| 20 | expanding seq. 4 to include SDC and EFW questions | |
| 21 | 48 hr mission time | 4.2E-6 |
| 22 | 48 hr mission time + no EDG repair (major hurricane effects on site and surrounding area) | 2.1E-5 |
| 23 | 48 hr mission time + no EDG repair + degraded fitness for duty | 2.9E-5 |
| 24 | 24 hr mission time of TDEFW in SBO, instead of 4 hr | |
| 25 | operator always fails to keep RCS pressure/temperature within the SDC entry band in SBO conditions, when TDEFW unavailable (i.e., SDC not available post EPS recovery in SBO, when TDEFW fails) | 4.5E-6 |
| 26 | same as above but regardless of whether TDEFW works or not (no SDC credit in any SBO sequences) | 6.2E-6 |
| 27 | EDG-3B fails | 3.1E-5 |
| 28 | EDG-3B fails and TED hardware failure rate increased by an order of magnitude (to 0.01 for FTS+FTRE) | 1.6E-4 |
| 29 | EDG-3B fails and no TEDs on site | 1.5E-2 |

The above sensitivity analyses show that the major effects are related to the HRA, dependency assumptions and TED reliability, as well as to the local effects of the hurricane.
In most cases, the evaluation stays in the E-6 range, except in cases where the stress PSFs are increased, in conjunction with increased human action dependency and higher TED unreliability. In such cases, the evaluation becomes a low E-5.
This is also the case when a moderate increase in TED unreliability is combined with low dependence between SDC and EFW operator actions.
It can also be seen that the TEDs are instrumental in keeping the CCDP low - without them, the CCDP is almost 1.E-3; if they are very unreliable the evaluation is a high E-5, and if only one TED is on site (with assumed best estimate reliability), the evaluation is a high E-6.
The fitness for duty PSF has a moderate effect and its degradation due to hurricane effects is much more important than potential increase in the stress PSF.
Sensitivity 14 shows that, even assuming the conservative nominal TM unavailabilities, the effect on CCDP is not very large. Thus, the effect of any unplanned TM at the time of the event (a fraction of nominal TM) will likely be very small.
The 48 hr mission time, per se, does not impact the evaluation by much (and the sensitivity probably somewhat overstates the effect, due to non-consideration of various issues, such as repair at long mission times). However, as a symptom of major hurricane effects on site and surrounding area, in conjunction with other possible effects, such as inability to repair EDGs (access to spare parts warehouse impossible), and operator fitness for duty (due to possible effect on operator psyche), this could have a significant effect and bring the evaluation into the E-5 range.
The last three sensitivities show what happens if one internal EDG has a hidden fault that guarantees its failure. The evaluation rises sharply and is sensitive to the assumed TED failure data. Without TEDs, the CCDP can be very high in this case.
Insights (discussion in Appendix G)
Waterford's offsite power connections appear relatively fragile to hurricanes, and/or our understanding of hurricane induced LOOP initiation is incomplete.
The CCDP is low due to preparatory measures - precautionary shutdown, arrival of TEDs onsite, and availability of essential personnel onsite, as well as the high reliability of the SDC and the EFW systems, assumed reliability of TEDs, and the mild effects from the hurricane actually experienced by the site and the surrounding area.
The dominant sequence contribution (an SBO sequence) is directly affected by the EPS and TED unreliability and the EPS recovery curve, as well as the lack of TED repair options.
The long time scales to core uncovery tend to offset some concerns with reliability of operator actions, dependence of operator actions, hurricane effects and open up other options for dealing with emergency scenarios.
The 24 hr mission time may need to be adjusted in analysis of hurricane LOOPs, depending on hurricane effects.
Operator action to keep the RCS conditions within SDC entry parameters is important during secondary side heat removal in an SBO.
SPAR Model Corrections

It is noted that, except for the new event trees, fault trees and basic events discussed in this report, the shutdown model constructed for this analysis uses parts of the original Waterford SPAR model. Thus, any peculiarities of that SPAR model are noted below:

a) Event ZV-EDG-REP-A (parameter used in compound events for EPS recovery) was set to a value type quantity in this analysis, rather than as a probability, as is the case in the original Waterford SPAR model. If set as a probability, the distribution above 1.0 will be cut off, which will impact the uncertainty analysis.

b) There are some TM combinations in the cutsets which may be forbidden, i.e., additional recovery rules may need to be put in place. These involve TM events on the ACW, CCW, and CWS (chilled water system). The effect is minor (and only in evaluation of MODE-4 event tree, calculating the underlying Mode 4 CDP, see Appendix D), and thus no modifications were made for this analysis. For example, there are combinations of simultaneous TM on the A train of CCW (or ACW) and the A train of EFW (and likewise for the B train); combinations of simultaneous TM on the A train of CCW-CTD (dry cooling tower) and CCW MDP AB (the swing CCW pump), and likewise for the B train; combinations of simultaneous TM on chiller A and CWS-MDP-AB (swing chilled water system pump) or EFW pump A, and likewise for the B train;

c) the SPAR model assumes redundancy in non-LOCAs between the CCW and the ACW systems (the dry and the wet cooling towers) - an AND gate is used, whereas the FSAR seems to indicate that these systems may be supplemental to each other, depending on the meteorological conditions, suggesting that an OR gate may be more appropriate. The sensitivity analyses show this to be a minor effect.
References

1. LER 382-2005-004, Loss of Offsite Power During Hurricane Katrina, October 27, 2005 (ML053040460).
2. NRC Integrated Inspection Report, IR 382-2005-004, Waterford Steam Electric Station, Unit 3; Refueling Outage, Temporary Plant Modifications, and Problem Identification and Resolution, November 8, 2005 (ML053120488).
3. Waterford SES Unit 3 Updated Final Safety Analysis Report, Revision 13, (Chapters 1, 2, 4, 5, 6, 7, 8, 9, 10), April 2004.
4. Waterford SES, Unit 3, Probabilistic Risk Assessment Individual Plant Examination (IPE), August 1992.
5. Waterford 3 Standardized Plant Analysis Risk (SPAR) Model, Level 1, Version 3.21, October 28, 2005.
6. Millstone-2 Low Power and Shutdown (LPSD) Standardized Plant Analysis Risk (SPAR) Model Using Revision 3i Fault Tree Models and Methods, January 7, 2003.
7. Systems Analysis Program for Hands-on Integrated Reliability Evaluations (SAPHIRE), Version 7.26, http://saphire.inel.gov.
8. North Anna Power Station Updated Final Safety Analysis Report, Revision 39, Chapter 6, Figure 6.2-1 (depicts the standard decay power vs. time curve), page 6.2-219, September 30, 2003.
9. Denson, G., G. Chandler, W. Crowell, A. Clark, and P. Jaworski, 1995, Nonelectronic Parts Reliability Data - 1995, NPRD-95. Reliability Analysis Center, Griffiss AFB, Rome, NY.
10. Entergy, Inc., Technical Specifications Change Request NPF-38-220, Supplement to Emergency Diesel Generator Allowed Outage Time Increase W3F1-2000-065, May 22, 2000.
11. R.D. Knabb, J. R. Rhome and D. P. Brown, Tropical Cyclone Report, Hurricane Katrina, 23-30 August 2005, National Hurricane Center report TCR-AL122005_Katrina.pdf, December 20, 2005, http://www.nhc.noaa.gov/pdf/TCR-AL122005_Katrina.pdf
12. Dual Unit Loss of Offsite Power during Hurricane Jeanne, preliminary ASP analysis report on LER-355-2004-004, (St. Lucie Unit 1 and 2), July 26, 2005.
13. Risk Assessment of Operating Events Handbook. SDP Phase 3 - ASP, MD 8.3, Rev. 0, RASP manual.
14. The SPAR-H Human Reliability Analysis Method, NUREG/CR-6883, INL/EXT 00509, August 2005 (ML051950061).
15. Appendix H of Waterford SPAR model documentation, ver. 3.21
16. Hurricane Katrina effects by region, in Wikipedia, http://en.wikipedia.org/wiki/Hurricane_Katrina_effects_by_region
17. Hurricane Katrina Chronology of Events, http://www.dkosopedia.com/index.php/Hurricane_Katrina_Chronology (St. Charles parish orders mandatory evacuation on 8/27, 9am CDT)
18. Bob Marshall, Levee System along River Held Its Ground in Storm, The Times-Picayune, January 23, 2006, http://www.nola.com/news/t-p/frontpage/index.ssf?/base/news-4/1137999658140350.xml
19. Geography of New Orleans, at http://www.southbear.com/New_Orleans/Geography.html
20. Various articles in a St. Charles parish newspaper (Herald Guide) on local conditions in St. Charles parish during and immediately following the hurricane, www.heraldguide.com/news/.
21. Levee system on the Mississippi, http://www.mvn.usace.army.mil/pao/bro/misstrib.htm
22. NRC Event Notification Report for September 1, 2005, http://www.nrc.gov/reading-rm/doc-collections/event-status/event/2005/20050901en.html
23. NRC Event Notification Report for August 30, 2005, http://www.nrc.gov/reading-rm/doc-collections/event-status/event/2005/20050830en.html
24. NRC News Release - 2005-118 - NRC Monitoring Approach of Hurricane Katrina; Waterford Shuts Down, http://www.nrc.gov/reading-rm/doc-collections/news/2005/05-118.html
25. NRC News Release - Region IV - 2005-031 - NRC Continues to Monitor Nuclear Plants Affected by Hurricane Katrina, http://www.nrc.gov/reading-rm/doc-collections/news/2005/05-031iv.html
26. NRC News Release - Region IV - 2005-032 - Waterford Terminates Unusual Event, http://www.nrc.gov/reading-rm/doc-collections/news/2005/05-032iv.html
27. NRC Authorizes Restart of Waterford Nuclear Plant, News Release IV-05-033, September 9, 2005, http://www.nrc.gov/reading-rm/doc-collections/news/2005/05-033iv.html
28. Reevaluation of Station Blackout Risk at Nuclear Power Plants, NUREG/CR-6890, Vol. 2, Chapter 5, page 31, December 2005.
29. Waterford ASP Analysis, Failure of Emergency Diesel Generator A Fuel Oil Line, LER 382-2003-007
Table 1. Conditional core damage probabilities of dominating sequences.

| Event tree name | Sequence no. | CCDP¹ | Contribution |
|---|---|---|---|
| LOOPSD | 5 | 1.7E-6 | 81% |
| LOOPSD | 3 | 3.4E-7 | 16% |
| Total (all sequences)² | | 2.1E-6 | 100% |

- 1. Values are point estimates.
- 2. Total CCDP includes all sequences (including those not shown in this table).
Table 2a. Event tree sequence logic for dominating sequences.

| Event tree name | Sequence no. | Logic (/ denotes success; see Table 2b for top event names) |
|---|---|---|
| LOOPSD | 5 | EPS /TDEFW-SD REC4 |
| LOOPSD | 3 | /EPS SDC-SD EFW-SD |

Table 2b. Definitions of top events listed in Table 2a.

| Top Event | Definition |
|---|---|
| EPS | emergency power system |
| SDC-SD | shutdown cooling in shutdown (Mode 4) |
| EFW-SD | emergency feedwater in shutdown (Mode 4) |
| TDEFW-SD | turbine-driven emergency feedwater in shutdown (Mode 4) |
| REC4 | recovery of emergency power in 4 hours |
Table 3. Conditional cut sets for the dominant sequences.

| CCDP | Percent Contribution | Minimum Cut Sets (of basic events) |
|---|---|---|
| Event Tree: LOOPSD, Sequence 5 | | |
| 2.8E-007 | 16.6 | EPS-XHE-XL-NR04H EPS-XHE-XL-TED EPS-DGN-CF-RUN |
| 2.8E-007 | 16.6 | EPS-XHE-XL-NR04H EPS-EDG-TED EPS-DGN-CF-RUN |
| 2.1E-007 | 12.4 | EPS-DGN-FR-DG3A EPS-DGN-FR-DG3B EPS-XHE-XL-NR04H EPS-EDG-TED |
| 2.1E-007 | 12.4 | EPS-DGN-FR-DG3A EPS-DGN-FR-DG3B EPS-XHE-XL-NR04H EPS-XHE-XL-TED |
| 5.1E-008 | 3.0 | EPS-XHE-XL-NR04H EPS-EDG-TED EPS-DGN-CF-STRT |
| 5.1E-008 | 3.0 | EPS-XHE-XL-NR04H EPS-XHE-XL-TED EPS-DGN-CF-STRT |
| 5.0E-008 | 3.0 | EPS-FAN-CF-FTS EPS-XHE-XL-NR04H EPS-XHE-XL-TED |
| 5.0E-008 | 3.0 | EPS-FAN-CF-FTS EPS-XHE-XL-NR04H EPS-EDG-TED |
| 5.0E-008 | 3.0 | EPS-DGN-FR-DG3A EPS-DGN-FS-DG3B EPS-XHE-XL-NR04H EPS-EDG-TED |
| 5.0E-008 | 3.0 | EPS-DGN-FS-DG3A EPS-DGN-FR-DG3B EPS-XHE-XL-NR04H EPS-EDG-TED |
| 5.0E-008 | 3.0 | EPS-DGN-FR-DG3A EPS-DGN-FS-DG3B EPS-XHE-XL-NR04H EPS-XHE-XL-TED |
| 5.0E-008 | 3.0 | EPS-DGN-FS-DG3A EPS-DGN-FR-DG3B EPS-XHE-XL-NR04H EPS-XHE-XL-TED |
| 1.7E-6 | 100 | Total (all cutsets)¹ |
| Event Tree: LOOPSD, Sequence 3 | | |
| 1.4E-007 | 42.7 | HVC-XHE-XM-ALTCL CWS-MDP-CF-STRT |
| 2.0E-008 | 5.9 | EFW-XHE-SD SDC-XHE-SD |
| 1.4E-008 | 4.0 | LPI-MDP-CF-START EFW-XHE-SD |
| 8.3E-009 | 2.5 | EPS-DGN-FR-DG3A CWS-MDP-FS-B EFW-XHE-SD |
| 3.4E-7 | 100 | Total (all cutsets)¹ |

- 1. Total Importance includes all cutsets (including those not shown in this table).
Table 4. Definitions and probabilities for modified and dominant basic events.

| Event Name | Description | Probability/Frequency (per hour) | Modified |
|---|---|---|---|
| ACP-BAC-LP-3A | AC POWER 4160V BUS 3A3-S FAILS | 4.8E-006 | |
| ACW-CTW-TM-A | TEST AND MAINTENANCE OF WET COOLING TOWER A | FALSE | Y |
| ACW-CTW-TM-B | TEST AND MAINTENANCE OF WET COOLING TOWER B | FALSE | Y |
| CCW-AOV-CC-SDHTXA | CCW outlet AOV to SDC heat exchanger A fails to open | FALSE | Y |
| CCW-AOV-CF-SDHTX | CCF failure to open of CCW outlet AOVs to SDC HTXs | FALSE | Y |
| CCW-AOV-CF-200A727 | CCF OF CCW NON-CRITICAL LOOP A MOVs 200A/727 | 3.0E-005 | |
| CCW-MDP-CF-STRT | CCF OF CCW MDPs TO START (3) | 1.4E-005 | |
| CCW-MDP-FS-A | FAILURE OF CCW SYSTEM MDP A | 2.0E-003 | |
| CCW-MDP-FS-B | FAILURE OF CCW SYSTEM MDP B | 2.0E-003 | |
| CCW-TNK-FC-SURGE | CCW SURGE TANK FAILS | 2.4E-006 | |
| CCW-XHE-XM-AB | OP FAILS TO ALIGN CCW MDP AB | 1.0E-002 | |
| CSR-XHE-XR-HTXA | op leaves SDC heat exchanger A in improper state post TM | FALSE | Y |
| CWS-MDP-CF-RUN | CCF OF ESS. CHILLED WATER PUMPS TO RUN | 6.2E-007 | |
| CWS-MDP-CF-STRT | COMMON CAUSE FAILURE OF CWS MDPs TO START | 1.4E-005 | |
| CWS-MDP-FS-B | ESS. CHILLED WATER PUMPB FAILURE TO START | 2.0E-003 | |
| DCP-BDC-LP-BUS3AS | FAILURE OF DIV3A 125VDC BUS3A-S | 4.8E-006 | |
| EFW-TDP-FR-AB | EFW TDPA/B FAILS TO RUN FOR 24 HRS | 5.4E-003 | |
| EFW-TDP-FR-TD4HR | EFW TDP A/B FAILS TO RUN FOR 4 HRS | 4.2E-003 | Y¹ |
| EFW-TDP-FS-AB | EFW TDP A/B FAILS TO START | 7.0E-003 | |
| EFW-XHE-SD | OPER FAILS TO TURN ON AND CONTROL EFW | 2.0E-004 | Y¹ |
| EFW-XHE-SD-MD | OP FAILS TO START/CNTRL MDEFW IN MODE 4 | 1.0E-002 | Y¹ |
| EFW-XHE-SD-MD1 | OP FAILS TO START/CNTRL MDEFW IN MD 4 DEP. ACT. | 0.5 | Y¹ |
| EFW-XHE-SD-TD | OP FAILS TO START & CONTROL TDEFW IN MODE 4 | 2.5E-003 | Y¹ |
| EPS-DGN-CF-RUN | COMMON CAUSE FAILURE OF EDGs TO RUN | 5.7E-004 | |
| EPS-DGN-CF-STRT | COMMON CAUSE FAILURE OF EDGs TO START | 1.0E-004 | |
| EPS-DGN-FR-DG3A | DIESEL GENERATOR 3A-S FAILS TO RUN | 2.1E-002 | |
| EPS-DGN-FR-DG3B | DIESEL GENERATOR 3B-S FAILS TO RUN | 2.1E-002 | |
| EPS-DGN-FS-DG3A | DIESEL GENERATOR 3A-S FAILS TO START | 5.0E-003 | |
| EPS-DGN-FS-DG3B | DIESEL GENERATOR 3B-S FAILS TO START | 5.0E-003 | |
| EPS-EDG-TED | TED HARDWARE FTS (2TEDs) | 1.0E-003 | Y¹ |
| EPS-FAN-CF-FTS | COMMON CAUSE FAILURE DG ROOM FANS TO START | 1.0E-004 | |
| EPS-FAN-FS-3ASA | DG-3A ROOM FAN 3A-SA FAILS TO START | 2.5E-003 | |
| EPS-FAN-FS-3BSB | DG-3B ROOM FAN 3B-SB FAILS TO START | 2.5E-003 | |
| EPS-XHE-XL-NR04H | FAILURE TO RECOVER CLASS 1 EDGs IN 4 HR | 4.8E-001 | |
| EPS-XHE-XL-TED | OPERATOR FAILS TO CONNECT AND START A TED | 1.0E-003 | Y¹ |
| HVC-XHE-XM-ALTCL | OPERATOR FAILS TO ALIGN ALT COOLING METHOD | 1.0E-002 | |
| IE-LOOPSD | LOOP IN SHUTDOWN | 1.0 | Y¹ |
| IE-* | ALL OTHER INITIATING EVENTS | 0.0 | Y |
| KATRINA-SWITCH | SWITCH TO DISABLE POWER RECOVERY IN EFW FT | TRUE | Y¹ |
| LPI-MDP-CF-START | COMMON CAUSE FAILURE OF LPI MDPS TO START | 6.8E-005 | |
| LPI-MDP-FS-A | FAILURE OF LPI MDP A TO START | 1.5E-003 | |
| LPI-MDP-FS-B | FAILURE OF LPI MDPB TO START | 1.5E-003 | |
| LPI-MOV-CC-138A | LPI discharge MOV 138A fails to open | FALSE | Y |
| LPI-MOV-CC-139A | LPI discharge MOV 139A fails to open | FALSE | Y |
| LPI-MOV-CF-INJ | CCF of LPI injection MOVs | FALSE | Y |
| LPI-XHE-XR-A | op leaves LPI pump A in improper state post TM | FALSE | Y |
| SDC-AOV-CF-BYP | CCF of SDC heat exchanger bypass valves | FALSE | Y |
| SDC-AOV-OO-BYPA | SDC heat exchanger bypass valve fails | FALSE | Y |
| SDC-AOV-CF-1161AB | failure of RWSP miniflow isol. AOVs 1161A and B to close | FALSE | Y |
| SDC-AOV-OO-1161A | failure of miniflow isolation AOV 1161A to close | FALSE | Y |
| SDC-HDV-CF-405AB | CCF OF SDC SUCTION HOVs 405A/B | 2.9E-005 | |
| SDC-MOV-CC-125A | failure of SDC A heat exchanger inlet MOV to open | FALSE | Y |
| SDC-MOV-CC-401A | SDC loop A suction isolation MOV 401A fails to open | FALSE | Y |
| SDC-MOV-CF-401AB | CCF of SDC suction isolation MOVs 401 A and B | FALSE | Y |
| SDC-MOV-CC-407A | SDC loop A suction isolation MOV 407A fails to open | FALSE | Y |
| SDC-MOV-CF-407AB | CCF of SDC suction isolation MOVs 407 A and B | FALSE | Y |
| SDC-MOV-CC-412A | failure of SDC A heat exchanger outlet MOV to open | FALSE | Y |
| SDC-MOV-CF-HTXIN | CCF of SDC heat exchanger inlet valves | FALSE | Y |
| SDC-MOV-CF-HTXOUT | CCF of SDC heat exchanger outlet valves | FALSE | Y |
| SDC-XHE-SD | OPERATOR FAILS TO RESTART OR CONTROL RHR | 1.0E-004 | Y¹ |
| SDC-XHE-SD-EPS | OP FAILS TO START/CNTRL RHR AFTER EPS PROBLEMS | 4.0E-003 | Y¹ |
| SDC-XHE-XM* | BASE SPAR MODEL SDC OPERATOR ACTIONS | FALSE | Y |
| XXX-XX-TM-X | TEST AND MAINTENANCE OF ALL EVENTS | FALSE | Y |
| ZT-TDP-FR-L-3H | LATE RUN FAILURE OF TDP (3 HR MISSION TIME) | 1.8E-004 | Y¹ |
| ZT-XXX-TM* | TEST AND MAINTENANCE ALL TEMPLATE EVENTS | FALSE | Y |

- 1. New event, does not exist in the original SPAR model.
Appendix A Sequence of Key Events

August 27, 2005
- 22:04 Waterford 3 declares an unusual event due to issuance of hurricane warning for St. Charles Parish by the National Weather Service.

August 28, 2005
- XX:XX Truck mounted TEDs arrive on site and are installed, ready for manual connection to bus
- XX:XX Katrina is Category 4 on Saffir-Simpson scale
- 10:59 orderly shutdown commenced, per procedure OP-901-521, Severe Weather and Flooding
- 13:16 reactor tripped
- 17:05 cooldown commences
- 20:58 Mode 4 entered

August 29, 2005
- 02:54 Voltage excursion to 236 kV experienced (normal voltage 230 kV)
- 06:24 offsite power declared inoperable, due to system voltage exceeding 241 kV
- 06:24 TS 3.8.1.1, action statement e entered
- 07:45 instrument air pressure lost, due to lowering grid voltage
- 07:45 OP 901-511, instrument air malfunction, entered
- 07:59 plant in Mode 4 with SDC-A operating and RCP 1B and 2B operating
- 07:59 offsite power lost
- 07:59 OP 902-003, loss of offsite power/loss of forced circulation, entered
- 07:59 site winds tropical strength 48 mph
- 07:59 both EDGs start and sequence loads
- 07:59 RCP 2B breaker fails to trip
- 08:15 SDC loop A manually connected to EDG-3A
- 23:02 Event notification report filed indicating that offsite power available, though system voltage too high (plant continues to run on emergency power), LER does not mention this.

August 30, 2005
- 18:00 Major loss of offsite emergency preparedness communications capability due to loss of RAB Emergency Operations Facility telecommunications switches and the Operational Hotline and the NRC ENS lines. Alternate means of offsite communications remained available.
- 20:20 NRC notified of the loss of offsite emergency preparedness communications facility.

September 1, 2005
- 14:18 Plant enters Mode 5
- 19:00 Train A of offsite power available
- 23:21 Train A offsite power declared operable (the 230 kV transmission lines between the switchyard and the switching station remained available throughout the event and did not need repair)

September 2, 2005
- 21:54 Train B of offsite power available
- 22:20 Train B of offsite power declared operable

September 7, 2005
- 17:40 Unusual event terminated (emergency preparedness capability had been restored through alternate means)

September 9, 2005
- XX:XX Plant restart commences following NRC and FEMA approval

September 13, 2005
- 12:16 Plant synchronized to the grid
Appendix B SPAR-H Worksheets

- 1. Discussion of Dependencies

TEDs and EDG repair. It is stated in the RASP manual that complete dependency should be assumed between recovery of failed equipment and using different equipment for the same function. However, in this case, the two actions happen on different time scales and involve different actions and personnel. When the EDGs fail, certain personnel will be tasked with trying to repair them. This process may take some time - e.g., a few hours. In the meantime, the TEDs can be started and connected to the emergency bus, a relatively simple and quick action. The success or failure of EDG repair is governed by other phenomena, different than those governing the success or failure of TED startup and connection. It may depend on the underlying reason for the EDG failure, that is, whether or not it is repairable in the time available.
EDG recovery and operator actions related to TDEFW system. These are independent because the EDG/TED actions involve local actions at the diesel generators and the breakers, whereas the TDEFW system involves control room actions and possible local actions at the system valves. Different personnel will be involved at different times. The time scales are long.
Operator actions related to EFW and SDC systems in non-SBO sequences. These are independent because of the long times available to operate these systems and the location differences.
HEPs related to SDC, MDEFW and TDEFW in SBO sequences. The timing factor is the most important one, per the SPAR-H manual, in determining dependence of operator actions. (And there will also be different locations and possibly different operators.) There will be independence of SDC and EFW based on that, even in these sequences, due to ample times available. The time window for recovery of EDGs (4 hrs) is much shorter than that for SG boiloff (8 hrs), which is shorter than that for core uncovery (12 hrs). So, recovering EDGs will not eat up all available time, and there will be plenty left for independence between SDC and MDEFW. The same can be said btw SDC and TDEFW, as the latter will fail at the start or within the initial 4 hr period, and after its failure there will be plenty of time. In general, for the same reason, the same can be said btw. MDEFW and TDEFW. However, there are certain failure modes - e.g., overfilling of steam generators, which may take a long time to recover from (although, we also have a lot of time, on the order of 10 hrs). And there may be some common hardware between the two which needs to be manually operated. So, there could be some dependence btw. those two, and the maximum dependence would be high (i.e., not complete, as there are other independent failures and the time scales are long).
Assuming high dependence between TDEFW and MDEFW actions increases the SBO sequence (with emergency power recovery) by about 50%. However, the overall effect is still negligible, as this sequence is non-dominant and not significant. Nevertheless, high dependence between these two actions is included in the model.
- 2. SPAR-H Worksheets

Below are the SPAR-H worksheets for the operator actions changed or added by this model.

Reviewer:____________________
HRA Worksheets for At-Power
SPAR HUMAN ERROR WORKSHEET
Plant: Waterford 3_ Initiating Event:_IE-LOOPSD_ Basic Event:_EFW-XHE-SD Event Coder:________
Basic Event Context:_start and control EFW in Katrina LOOP, EPS available, SDC failed
Basic Event Description: start and control EFW in shutdown Mode 4

Does this task contain a significant amount of diagnosis activity? YES ~ (start with Part I - Diagnosis) NO x (skip Part I - Diagnosis; start with Part II - Action) Why? multiple cues and alarms, plenty of time, operators prepared.

PART II. EVALUATE EACH PSF FOR ACTION
A. Evaluate PSFs for the Action Portion of the Task, if any.

| PSFs | PSF Levels | Multiplier for Diagnosis | | Please note specific reasons for PSF level selection in this column. |
|---|---|---|---|---|
| Available Time | Inadequate time | P(failure) = 1.0 | ~ | Time to core uncovery up to 12 hrs |
| | Time available is ≈ the time required | 10 | ~ | |
| | Nominal time | 1 | ~ | |
| | Time available > 5x the time required | 0.1 | x | |
| | Time available is > 50x the time required | 0.01 | ~ | |
| | Insufficient information | 1 | ~ | |
| Stress/Stressors | Extreme | 5 | ~ | |
| | High | 2 | ~ | |
| | Nominal | 1 | ~ | |
| | Insufficient Information | 1 | ~ | |
| Complexity | Highly complex | 5 | ~ | operators have to do some local actions and coordination, have to keep adjusting the flow |
| | Moderately complex | 2 | x | |
| | Nominal | 1 | ~ | |
| | Insufficient information | 1 | ~ | |
| Experience/Training | Low | 3 | ~ | |
| | Nominal | 1 | ~ | |
| | High | 0.5 | ~ | |
| | Insufficient information | 1 | ~ | |
| Procedures | Not available | 50 | ~ | |
| | Incomplete | 20 | ~ | |
| | Available, but poor | 5 | ~ | |
| | Nominal | 1 | ~ | |
| | Insufficient information | 1 | ~ | |
| Ergonomics/HMI | Missing/Misleading | 50 | ~ | |
| | Poor | 10 | ~ | |
| | Nominal | 1 | ~ | |
| | Good | 0.5 | ~ | |
| | Insufficient Information | 1 | ~ | |
| Fitness for Duty | Unfit | P(failure) = 1.0 | ~ | |
| | Degraded Fitness | 5 | ~ | |
| | Nominal | 1 | ~ | |
| | Insufficient information | 1 | ~ | |
| Work Processes | Poor | 5 | ~ | |
| | Nominal | 1 | ~ | |
| | Good | 0.5 | ~ | |
| | Insufficient information | 1 | ~ | |
B. Calculate the Action Failure Probability.
(1) If all PSF ratings are nominal, then the Action Failure Probability = 1.0E-3
(2) Otherwise, the Action Failure Probability is: 1.0E-3 x Time x Stress or Stressors x Complexity x Experience or Training x Procedures x Ergonomics or HMI x Fitness for Duty x Processes

Action: 1.0E-3 x 0.1 x ___ x 2 x ___ x ___ x ___ x ___ x ___ = 2.E-4

C. Calculate the Adjustment Factor IF Negative Multiple (> 3) PSFs are Present.
When 3 or more negative PSF influences are present, in lieu of the equation above, you must compute a composite PSF score used in conjunction with the adjustment factor. Negative PSFs are present anytime a multiplier greater than 1 is selected. The Nominal HEP (NHEP) is 1.0E-3 for Action. The composite PSF score is computed by multiplying all the assigned PSF values. Then the adjustment factor below is applied to compute the HEP:

$$HEP = \frac{NHEP \cdot PSF_{composite}}{NHEP \cdot (PSF_{composite} - 1) + 1}$$

Action HEP with Adjustment Factor =

D. Record Final Action HEP.
If no adjustment factor was applied, record the value from Part B as your final action HEP. If an adjustment factor was applied, record the value from Part C.

Final Action HEP = 2.E-4
PART III. CALCULATE TASK FAILURE PROBABILITY WITHOUT FORMAL DEPENDENCE (PW/OD)
Calculate the Task Failure Probability Without Formal Dependence (Pw/od) by adding the Diagnosis Failure Probability from Part I and the Action Failure Probability from Part II. In instances where an action is required without a diagnosis and there is no dependency, then this step is omitted.

Pw/od = Diagnosis HEP 0 + Action HEP 2.E-4 = 2.E-4

Part IV. DEPENDENCY
For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence (Pw/d).
If there is a reason why failure on previous tasks should not be considered, such as it is impossible to take the current action unless the previous action has been properly performed, explain here:
| Condition Number | Crew (same or different) | Time (close in time or not close in time) | Location (same or different) | Cues (additional or no additional) | Dependency | |
|---|---|---|---|---|---|---|
| 1 | s | c | s | na | complete | |
| 2 | s | c | s | a | complete | |
| 3 | s | c | d | na | high | |
| 4 | s | c | d | a | high | |
| 5 | s | nc | s | na | high | |
| 6 | s | nc | s | a | moderate | |
| 7 | s | nc | d | na | moderate | |
| 8 | s | nc | d | a | low | |
| 9 | d | c | s | na | moderate | |
| 10 | d | c | s | a | moderate | |
| 11 | d | c | d | na | moderate | |
| 12 | d | c | d | a | moderate | |
| 13 | d | nc | s | na | low | |
| 14 | d | nc | s | a | low | |
| 15 | d | nc | d | na | low | |
| 16 | d | nc | d | a | low | |
| 17 | | | | | zero | X |

Number of Human Action Failures Rule: ~ - Not Applicable. Why?
When considering recovery in a series e.g., 2nd, 3rd, or 4th checker:
If this error is the 3rd error in the sequence, then the dependency is at least moderate.
If this error is the 4th error in the sequence, then the dependency is at least high.

Using Pw/od = Probability of Task failure Without Formal Dependence (calculated in Part III):
For Complete Dependence the probability of failure is 1.
For High Dependence the probability of failure is (1 + Pw/od)/2
For Moderate Dependence the probability of failure is (1 + 6 x Pw/od)/7
For Low Dependence the probability of failure is (1 + 19 x Pw/od)/20
For Zero Dependence the probability of failure is Pw/od

Calculate Pw/d using the appropriate values:
Pw/d = (1 + ( * ))/ = 2.E-4
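The worksheet arithmetic of Parts II to IV, as an added Python example that is not part of the NRC report: it applies the Part B product, the Part C adjustment factor and the Part IV dependence rules to the multipliers recorded on the EFW-XHE-SD and EFW-XHE-SD-MD worksheets. The function names, the dict-based input and the degraded-fitness case are assumptions of this example, as is reading the 0.5 that Table 4 lists for EFW-XHE-SD-MD1 as the EFW-XHE-SD-MD action under high dependence.

```python
"""SPAR-H action HEP and dependence arithmetic, following the worksheet text.

Added illustration; names and input layout are assumptions of this example.
"""
from itertools import product
from math import prod

NHEP_ACTION = 1.0e-3  # nominal action HEP stated on the worksheet

# Dependency condition table, conditions 1-16 in the worksheet's row order:
# crew (s/d) x time (c/nc) x location (s/d) x cues (na/a).
_LEVELS = ("complete complete high high high moderate moderate low "
           "moderate moderate moderate moderate low low low low").split()
DEPENDENCY_TABLE = dict(zip(
    product(("s", "d"), ("c", "nc"), ("s", "d"), ("na", "a")), _LEVELS))
ORDER = ["zero", "low", "moderate", "high", "complete"]


def action_hep(psfs, nhep=NHEP_ACTION):
    """Action HEP for a dict of PSF name -> selected multiplier.

    PSFs left unrated on the worksheet are omitted (multiplier 1). None marks
    a level the worksheet scores as P(failure) = 1.0 (inadequate time, unfit).
    """
    if any(m is None for m in psfs.values()):
        return 1.0
    if any(m <= 0 for m in psfs.values()):
        raise ValueError("PSF multipliers must be positive")
    composite = prod(psfs.values())
    negative = sum(1 for m in psfs.values() if m > 1)
    if negative >= 3:
        # Part C: the adjustment factor keeps the result below 1.0.
        return nhep * composite / (nhep * (composite - 1) + 1)
    # Part B: plain product, capped because the result is a probability.
    return min(nhep * composite, 1.0)


def dependency_level(crew, time, location, cues, error_number=2):
    """Look up conditions 1-16, then apply the 3rd/4th-error floor rule."""
    level = DEPENDENCY_TABLE[(crew, time, location, cues)]
    if error_number >= 4:
        floor = "high"
    elif error_number == 3:
        floor = "moderate"
    else:
        floor = "zero"
    return max(level, floor, key=ORDER.index)


def apply_dependence(p_wod, level):
    """Part IV: task failure probability with formal dependence (Pw/d)."""
    formulas = {
        "complete": lambda p: 1.0,
        "high": lambda p: (1 + p) / 2,
        "moderate": lambda p: (1 + 6 * p) / 7,
        "low": lambda p: (1 + 19 * p) / 20,
        "zero": lambda p: p,
    }
    if level not in formulas:
        raise ValueError(f"unknown dependence level: {level}")
    return formulas[level](p_wod)


def worked_cases():
    """Multipliers as checked on the two worksheets, plus one constructed case."""
    efw_sd = action_hep({"time": 0.1, "complexity": 2})
    efw_sd_md = action_hep({"time": 1, "stress": 2, "complexity": 5})
    # Constructed: the EFW-XHE-SD-MD ratings with degraded fitness (x5) added,
    # which makes three negative PSFs and triggers the adjustment factor.
    degraded = action_hep({"time": 1, "stress": 2, "complexity": 5, "fitness": 5})
    return {
        "EFW-XHE-SD, zero dependence": apply_dependence(efw_sd, "zero"),
        "EFW-XHE-SD-MD": efw_sd_md,
        "EFW-XHE-SD-MD, high dependence": apply_dependence(efw_sd_md, "high"),
        "EFW-XHE-SD-MD, degraded fitness (constructed)": degraded,
    }


if __name__ == "__main__":
    for name, p in worked_cases().items():
        print(f"{name:48s} {p:.2E}")
```

Without the adjustment factor the constructed degraded-fitness case would be 1.0E-3 x 50 = 5.0E-2; the Part C formula brings it slightly below that.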
Reviewer:____________________
HRA Worksheets for LP/SD
SPAR HUMAN ERROR WORKSHEET
Plant: Waterford 3_ Initiating Event:_IE-LOOPSD_ Basic Event:_EFW-XHE-SD-MD Event Coder:________
Basic Event Context:_start and control MDEFW in Katrina LOOP, EPS recovered after SBO, TDEFW failed
Basic Event Description: start and control MDEFW in shutdown Mode 4 after EPS recovery

Does this task contain a significant amount of diagnosis activity? YES ~ (start with Part I - Diagnosis) NO X (skip Part I - Diagnosis; start with Part II - Action) Why? multiple cues and alarms, plenty of time, operators prepared.

PART II. EVALUATE EACH PSF FOR ACTION
A. Evaluate PSFs for the Action Portion of the Task, if any.

| PSFs | PSF Levels | Multiplier for Diagnosis | | Please note specific reasons for PSF level selection in this column. |
|---|---|---|---|---|
| Available Time | Inadequate time | P(failure) = 1.0 | ~ | some time expended on EPS recovery |
| | Time available is ≈ the time required | 10 | ~ | |
| | Nominal time | 1 | X | |
| | Time available > 5x the time required | 0.1 | ~ | |
| | Time available is > 50x the time required | 0.01 | ~ | |
| | Insufficient information | 1 | ~ | |
| Stress/Stressors | Extreme | 5 | ~ | due to less time available, possible failure of RHR, previous SBO which was recovered |
| | High | 2 | X | |
| | Nominal | 1 | ~ | |
| | Insufficient Information | 1 | ~ | |
| Complexity | Highly complex | 5 | X | less time, need to connect to emergency power, coordinate with local manual action |
| | Moderately complex | 2 | ~ | |
| | Nominal | 1 | ~ | |
| | Insufficient information | 1 | ~ | |
| Experience/Training | Low | 3 | ~ | |
| | Nominal | 1 | ~ | |
| | High | 0.5 | ~ | |
| | Insufficient information | 1 | ~ | |
| Procedures | Not available | 50 | ~ | |
| | Incomplete | 20 | ~ | |
| | Available, but poor | 5 | ~ | |
| | Nominal | 1 | ~ | |
| | Insufficient information | 1 | ~ | |
| Ergonomics/HMI | Missing/Misleading | 50 | ~ | |
| | Poor | 10 | ~ | |
| | Nominal | 1 | ~ | |
| | Good | 0.5 | ~ | |
| | Insufficient Information | 1 | ~ | |
| Fitness for Duty | Unfit | P(failure) = 1.0 | ~ | |
| | Degraded Fitness | 5 | ~ | |
| | Nominal | 1 | ~ | |
| | Insufficient information | 1 | ~ | |
| Work Processes | Poor | 5 | ~ | |
| | Nominal | 1 | ~ | |
| | Good | 0.5 | ~ | |
| | Insufficient information | 1 | ~ | |
B. Calculate the Action Failure Probability.
(1) If all PSF ratings are nominal, then the Action Failure Probability = 1.0E-3
(2) Otherwise, the Action Failure Probability is: 1.0E-3 x Time x Stress or Stressors x Complexity x Experience or Training x Procedures x Ergonomics or HMI x Fitness for Duty x Processes
Action: 1.0E-3 x 1 x 2 x 5 x ___ x ___ x ___ x ___ x ___ = 1.E-2
C. Calculate the Adjustment Factor IF Negative Multiple (> 3) PSFs are Present.
When 3 or more negative PSF influences are present, in lieu of the equation above, you must compute a composite PSF score used in conjunction with the adjustment factor. Negative PSFs are present anytime a multiplier greater than 1 is selected. The Nominal HEP (NHEP) is 1.0E-3 for Action. The composite PSF score is computed by multiplying all the assigned PSF values. Then the adjustment factor below is applied to compute the HEP:
$$HEP = \frac{NHEP \cdot PSF_{composite}}{NHEP \cdot (PSF_{composite} - 1) + 1}$$
Action HEP with Adjustment Factor = 1.E-2
D. Record Final Action HEP.
If no adjustment factor was applied, record the value from Part B as your final action HEP. If an adjustment factor was applied, record the value from Part C.
Final Action HEP = 1.E-2
PART III. CALCULATE TASK FAILURE PROBABILITY WITHOUT FORMAL DEPENDENCE (PW/OD)
Calculate the Task Failure Probability Without Formal Dependence (Pw/od) by adding the Diagnosis Failure Probability from Part I and the Action Failure Probability from Part II. In instances where an action is required without a diagnosis and there is no dependency, then this step is omitted.
Pw/od = Diagnosis HEP 0 + Action HEP 1.E-2 = 1.E-2
Part IV. DEPENDENCY
For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence (Pw/d).
If there is a reason why failure on previous tasks should not be considered, such as it is impossible to take the current action unless the previous action has been properly performed, explain here:

| Condition Number | Crew (same or different) | Time (close in time or not close in time) | Location (same or different) | Cues (additional or no additional) | Dependency |
|---|---|---|---|---|---|
| 1 | s | c | s | na | complete |
| 2 | s | c | s | a | complete |
| 3 | s | c | d | na | high |
| 4 | s | c | d | a | high |
| 5 | s | nc | s | na | high |
| 6 | s | nc | s | a | moderate |
| 7 | s | nc | d | na | moderate |
| 8 | s | nc | d | a | low |
| 9 | d | c | s | na | moderate |
| 10 | d | c | s | a | moderate |
| 11 | d | c | d | na | moderate |
| 12 | d | c | d | a | moderate |
| 13 | d | nc | s | na | low |
| 14 | d | nc | s | a | low |
| 15 | d | nc | d | na | low |
| 16 | d | nc | d | a | low |
| 17 | | | | | zero X |

Number of Human Action Failures Rule: ~ - Not Applicable. Why?
When considering recovery in a series, e.g., 2nd, 3rd, or 4th checker:
If this error is the 3rd error in the sequence, then the dependency is at least moderate.
If this error is the 4th error in the sequence, then the dependency is at least high.

Using Pw/od = Probability of Task failure Without Formal Dependence (calculated in Part III):
For Complete Dependence the probability of failure is 1.
For High Dependence the probability of failure is (1 + Pw/od)/2
For Moderate Dependence the probability of failure is (1 + 6 x Pw/od)/7
For Low Dependence the probability of failure is (1 + 19 x Pw/od)/20
For Zero Dependence the probability of failure is Pw/od
Calculate Pw/d using the appropriate values:
Pw/d = (1 + ( * ))/ = 1.E-2
HRA Worksheets for LP/SD
SPAR HUMAN ERROR WORKSHEET
Plant: Waterford 3 Initiating Event: IE-LOOPSD Basic Event: EFW-XHE-SD-MD-1 Event Coder:________
Basic Event Context: start and control MDEFW in Katrina LOOP, EPS recovered after SBO, TDEFW failed, dependent with TDEFW action
Basic Event Description: start and control MDEFW in shutdown Mode 4 after EPS recovery, dependent action
Does this task contain a significant amount of diagnosis activity? YES ~ (start with Part I - Diagnosis) NO X (skip Part I - Diagnosis; start with Part II - Action) Why? multiple cues and alarms, plenty of time, operators prepared.
PART II. EVALUATE EACH PSF FOR ACTION
A. Evaluate PSFs for the Action Portion of the Task, if any.

| PSFs | PSF Levels | Multiplier for Diagnosis | Please note specific reasons for PSF level selection in this column. |
|---|---|---|---|
| Available Time | Inadequate time | P(failure) = 1.0 ~ | some time expended on EPS recovery |
| | Time available is ≈ the time required | 10 ~ | |
| | Nominal time | 1 X | |
| | Time available > 5x the time required | 0.1 ~ | |
| | Time available is > 50x the time required | 0.01 ~ | |
| | Insufficient information | 1 ~ | |
| Stress/Stressors | Extreme | 5 ~ | due to less time available, possible failure of RHR, previous SBO which was recovered |
| | High | 2 X | |
| | Nominal | 1 ~ | |
| | Insufficient Information | 1 ~ | |
| Complexity | Highly complex | 5 X | less time, need to connect to emergency power, coordinate with local manual action |
| | Moderately complex | 2 ~ | |
| | Nominal | 1 ~ | |
| | Insufficient information | 1 ~ | |
| Experience/Training | Low | 3 ~ | |
| | Nominal | 1 ~ | |
| | High | 0.5 ~ | |
| | Insufficient information | 1 ~ | |
| Procedures | Not available | 50 ~ | |
| | Incomplete | 20 ~ | |
| | Available, but poor | 5 ~ | |
| | Nominal | 1 ~ | |
| | Insufficient information | 1 ~ | |
| Ergonomics/HMI | Missing/Misleading | 50 ~ | |
| | Poor | 10 ~ | |
| | Nominal | 1 ~ | |
| | Good | 0.5 ~ | |
| | Insufficient Information | 1 ~ | |
| Fitness for Duty | Unfit | P(failure) = 1.0 ~ | |
| | Degraded Fitness | 5 ~ | |
| | Nominal | 1 ~ | |
| | Insufficient information | 1 ~ | |
| Work Processes | Poor | 5 ~ | |
| | Nominal | 1 ~ | |
| | Good | 0.5 ~ | |
| | Insufficient information | 1 ~ | |
B. Calculate the Action Failure Probability.
(1) If all PSF ratings are nominal, then the Action Failure Probability = 1.0E-3
(2) Otherwise, the Action Failure Probability is: 1.0E-3 x Time x Stress or Stressors x Complexity x Experience or Training x Procedures x Ergonomics or HMI x Fitness for Duty x Processes
Action: 1.0E-3 x 1 x 2 x 5 x ___ x ___ x ___ x ___ x ___ = 1.E-2
C. Calculate the Adjustment Factor IF Negative Multiple (> 3) PSFs are Present.
When 3 or more negative PSF influences are present, in lieu of the equation above, you must compute a composite PSF score used in conjunction with the adjustment factor. Negative PSFs are present anytime a multiplier greater than 1 is selected. The Nominal HEP (NHEP) is 1.0E-3 for Action. The composite PSF score is computed by multiplying all the assigned PSF values. Then the adjustment factor below is applied to compute the HEP:
$$HEP = \frac{NHEP \cdot PSF_{composite}}{NHEP \cdot (PSF_{composite} - 1) + 1}$$
Action HEP with Adjustment Factor = 1.E-2
D. Record Final Action HEP.
If no adjustment factor was applied, record the value from Part B as your final action HEP. If an adjustment factor was applied, record the value from Part C.
Final Action HEP = 1.E-2
PART III. CALCULATE TASK FAILURE PROBABILITY WITHOUT FORMAL DEPENDENCE (PW/OD)
Calculate the Task Failure Probability Without Formal Dependence (Pw/od) by adding the Diagnosis Failure Probability from Part I and the Action Failure Probability from Part II. In instances where an action is required without a diagnosis and there is no dependency, then this step is omitted.
Pw/od = Diagnosis HEP 0 + Action HEP 1.E-2 = 1.E-2
Part IV. DEPENDENCY
For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence (Pw/d).
If there is a reason why failure on previous tasks should not be considered, such as it is impossible to take the current action unless the previous action has been properly performed, explain here:

| Condition Number | Crew (same or different) | Time (close in time or not close in time) | Location (same or different) | Cues (additional or no additional) | Dependency |
|---|---|---|---|---|---|
| 1 | s | c | s | na | complete |
| 2 | s | c | s | a | complete |
| 3 | s | c | d | na | high |
| 4 | s | c | d | a | high |
| 5 | s | nc | s | na | high X |
| 6 | s | nc | s | a | moderate |
| 7 | s | nc | d | na | moderate |
| 8 | s | nc | d | a | low |
| 9 | d | c | s | na | moderate |
| 10 | d | c | s | a | moderate |
| 11 | d | c | d | na | moderate |
| 12 | d | c | d | a | moderate |
| 13 | d | nc | s | na | low |
| 14 | d | nc | s | a | low |
| 15 | d | nc | d | na | low |
| 16 | d | nc | d | a | low |
| 17 | | | | | zero |

Number of Human Action Failures Rule: ~ - Not Applicable. Why?
When considering recovery in a series, e.g., 2nd, 3rd, or 4th checker:
If this error is the 3rd error in the sequence, then the dependency is at least moderate.
If this error is the 4th error in the sequence, then the dependency is at least high.

Using Pw/od = Probability of Task failure Without Formal Dependence (calculated in Part III):
For Complete Dependence the probability of failure is 1.
For High Dependence the probability of failure is (1 + Pw/od)/2
For Moderate Dependence the probability of failure is (1 + 6 x Pw/od)/7
For Low Dependence the probability of failure is (1 + 19 x Pw/od)/20
For Zero Dependence the probability of failure is Pw/od
Calculate Pw/d using the appropriate values:
Pw/d = (1 + ( 1 * 1.E-2 ))/ 2 = 0.5
HRA Worksheets for At-Power
SPAR HUMAN ERROR WORKSHEET
Plant: Waterford 3 Initiating Event: IE-LOOPSD Basic Event: EFW-XHE-SD-TD Event Coder:________
Basic Event Context: start and control TDEFW in Katrina LOOP, SBO conditions
Basic Event Description: start and control TDEFW in shutdown Mode 4 after EPS failure
Does this task contain a significant amount of diagnosis activity? YES ~ (start with Part I - Diagnosis) NO X (skip Part I - Diagnosis; start with Part II - Action) Why? multiple cues and alarms, plenty of time, operators prepared.
PART II. EVALUATE EACH PSF FOR ACTION
A. Evaluate PSFs for the Action Portion of the Task, if any.

| PSFs | PSF Levels | Multiplier for Diagnosis | Please note specific reasons for PSF level selection in this column. |
|---|---|---|---|
| Available Time | Inadequate time | P(failure) = 1.0 ~ | up to 12 hrs to core uncovery |
| | Time available is ≈ the time required | 10 ~ | |
| | Nominal time | 1 ~ | |
| | Time available > 5x the time required | 0.1 X | |
| | Time available is > 50x the time required | 0.01 ~ | |
| | Insufficient information | 1 ~ | |
| Stress/Stressors | Extreme | 5 X | due to SBO conditions |
| | High | 2 ~ | |
| | Nominal | 1 ~ | |
| | Insufficient Information | 1 ~ | |
| Complexity | Highly complex | 5 X | need to start, monitor and control TDEFW in SBO conditions including possible manual local actions |
| | Moderately complex | 2 ~ | |
| | Nominal | 1 ~ | |
| | Insufficient information | 1 ~ | |
| Experience/Training | Low | 3 ~ | |
| | Nominal | 1 ~ | |
| | High | 0.5 ~ | |
| | Insufficient information | 1 ~ | |
| Procedures | Not available | 50 ~ | |
| | Incomplete | 20 ~ | |
| | Available, but poor | 5 ~ | |
| | Nominal | 1 ~ | |
| | Insufficient information | 1 ~ | |
| Ergonomics/HMI | Missing/Misleading | 50 ~ | |
| | Poor | 10 ~ | |
| | Nominal | 1 ~ | |
| | Good | 0.5 ~ | |
| | Insufficient Information | 1 ~ | |
| Fitness for Duty | Unfit | P(failure) = 1.0 ~ | |
| | Degraded Fitness | 5 ~ | |
| | Nominal | 1 ~ | |
| | Insufficient information | 1 ~ | |
| Work Processes | Poor | 5 ~ | |
| | Nominal | 1 ~ | |
| | Good | 0.5 ~ | |
| | Insufficient information | 1 ~ | |
B. Calculate the Action Failure Probability.
(1) If all PSF ratings are nominal, then the Action Failure Probability = 1.0E-3
(2) Otherwise, the Action Failure Probability is: 1.0E-3 x Time x Stress or Stressors x Complexity x Experience or Training x Procedures x Ergonomics or HMI x Fitness for Duty x Processes
Action: 1.0E-3 x 0.1 x 5 x 5 x ___ x ___ x ___ x ___ x ___ = 2.5E-3
C. Calculate the Adjustment Factor IF Negative Multiple (> 3) PSFs are Present.
When 3 or more negative PSF influences are present, in lieu of the equation above, you must compute a composite PSF score used in conjunction with the adjustment factor. Negative PSFs are present anytime a multiplier greater than 1 is selected. The Nominal HEP (NHEP) is 1.0E-3 for Action. The composite PSF score is computed by multiplying all the assigned PSF values. Then the adjustment factor below is applied to compute the HEP:
$$HEP = \frac{NHEP \cdot PSF_{composite}}{NHEP \cdot (PSF_{composite} - 1) + 1}$$
Action HEP with Adjustment Factor = 2.5E-3
D. Record Final Action HEP.
If no adjustment factor was applied, record the value from Part B as your final action HEP. If an adjustment factor was applied, record the value from Part C.
Final Action HEP = 2.5E-3
PART III. CALCULATE TASK FAILURE PROBABILITY WITHOUT FORMAL DEPENDENCE (PW/OD)
Calculate the Task Failure Probability Without Formal Dependence (Pw/od) by adding the Diagnosis Failure Probability from Part I and the Action Failure Probability from Part II. In instances where an action is required without a diagnosis and there is no dependency, then this step is omitted.
Pw/od = Diagnosis HEP 0 + Action HEP 2.5E-3 = 2.5E-3
Part IV. DEPENDENCY
For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence (Pw/d).
If there is a reason why failure on previous tasks should not be considered, such as it is impossible to take the current action unless the previous action has been properly performed, explain here:

| Condition Number | Crew (same or different) | Time (close in time or not close in time) | Location (same or different) | Cues (additional or no additional) | Dependency |
|---|---|---|---|---|---|
| 1 | s | c | s | na | complete |
| 2 | s | c | s | a | complete |
| 3 | s | c | d | na | high |
| 4 | s | c | d | a | high |
| 5 | s | nc | s | na | high |
| 6 | s | nc | s | a | moderate |
| 7 | s | nc | d | na | moderate |
| 8 | s | nc | d | a | low |
| 9 | d | c | s | na | moderate |
| 10 | d | c | s | a | moderate |
| 11 | d | c | d | na | moderate |
| 12 | d | c | d | a | moderate |
| 13 | d | nc | s | na | low |
| 14 | d | nc | s | a | low |
| 15 | d | nc | d | na | low |
| 16 | d | nc | d | a | low |
| 17 | | | | | zero X |

Number of Human Action Failures Rule: ~ - Not Applicable. Why?
When considering recovery in a series, e.g., 2nd, 3rd, or 4th checker:
If this error is the 3rd error in the sequence, then the dependency is at least moderate.
If this error is the 4th error in the sequence, then the dependency is at least high.

Using Pw/od = Probability of Task failure Without Formal Dependence (calculated in Part III):
For Complete Dependence the probability of failure is 1.
For High Dependence the probability of failure is (1 + Pw/od)/2
For Moderate Dependence the probability of failure is (1 + 6 x Pw/od)/7
For Low Dependence the probability of failure is (1 + 19 x Pw/od)/20
For Zero Dependence the probability of failure is Pw/od
Calculate Pw/d using the appropriate values:
Pw/d = (1 + ( * ))/ = 2.5E-3
HRA Worksheets for LP/SD
SPAR HUMAN ERROR WORKSHEET
Plant: Waterford 3 Initiating Event: IE-LOOPSD Basic Event: EPS-XHE-XL-TED Event Coder:________
Basic Event Context: start and control TEDs in Katrina LOOP, SBO conditions
Basic Event Description: start and control TEDs (truck mounted DGs) in shutdown Mode 4 after EPS failure
Does this task contain a significant amount of diagnosis activity? YES ~ (start with Part I - Diagnosis) NO X (skip Part I - Diagnosis; start with Part II - Action) Why? multiple cues and alarms, plenty of time, operators prepared.
PART II. EVALUATE EACH PSF FOR ACTION
A. Evaluate PSFs for the Action Portion of the Task, if any.

| PSFs | PSF Levels | Multiplier for Diagnosis | Please note specific reasons for PSF level selection in this column. |
|---|---|---|---|
| Available Time | Inadequate time | P(failure) = 1.0 ~ | up to 12 hrs to core uncovery (16 hrs if TDEFW runs), action takes about 25 minutes per license amendment |
| | Time available is ≈ the time required | 10 ~ | |
| | Nominal time | 1 ~ | |
| | Time available > 5x the time required | 0.1 X | |
| | Time available is > 50x the time required | 0.01 ~ | |
| | Insufficient information | 1 ~ | |
| Stress/Stressors | Extreme | 5 X | SBO conditions, TEDs last line of defense |
| | High | 2 ~ | |
| | Nominal | 1 ~ | |
| | Insufficient Information | 1 ~ | |
| Complexity | Highly complex | 5 ~ | need to connect to the bus, connect the loads manually, monitor the TEDs in SBO conditions; TEDs are outside, not sheltered |
| | Moderately complex | 2 X | |
| | Nominal | 1 ~ | |
| | Insufficient information | 1 ~ | |
| Experience/Training | Low | 3 ~ | |
| | Nominal | 1 ~ | |
| | High | 0.5 ~ | |
| | Insufficient information | 1 ~ | |
| Procedures | Not available | 50 ~ | |
| | Incomplete | 20 ~ | |
| | Available, but poor | 5 ~ | |
| | Nominal | 1 ~ | |
| | Insufficient information | 1 ~ | |
| Ergonomics/HMI | Missing/Misleading | 50 ~ | |
| | Poor | 10 ~ | |
| | Nominal | 1 ~ | |
| | Good | 0.5 ~ | |
| | Insufficient Information | 1 ~ | |
| Fitness for Duty | Unfit | P(failure) = 1.0 ~ | |
| | Degraded Fitness | 5 ~ | |
| | Nominal | 1 ~ | |
| | Insufficient information | 1 ~ | |
| Work Processes | Poor | 5 ~ | |
| | Nominal | 1 ~ | |
| | Good | 0.5 ~ | |
| | Insufficient information | 1 ~ | |
B. Calculate the Action Failure Probability.
(1) If all PSF ratings are nominal, then the Action Failure Probability = 1.0E-3
(2) Otherwise, the Action Failure Probability is: 1.0E-3 x Time x Stress or Stressors x Complexity x Experience or Training x Procedures x Ergonomics or HMI x Fitness for Duty x Processes
Action: 1.0E-3 x 0.1 x 5 x 2 x ___ x ___ x ___ x ___ x ___ = 1.E-3
C. Calculate the Adjustment Factor IF Negative Multiple (> 3) PSFs are Present.
When 3 or more negative PSF influences are present, in lieu of the equation above, you must compute a composite PSF score used in conjunction with the adjustment factor. Negative PSFs are present anytime a multiplier greater than 1 is selected. The Nominal HEP (NHEP) is 1.0E-3 for Action. The composite PSF score is computed by multiplying all the assigned PSF values. Then the adjustment factor below is applied to compute the HEP:
$$HEP = \frac{NHEP \cdot PSF_{composite}}{NHEP \cdot (PSF_{composite} - 1) + 1}$$
Action HEP with Adjustment Factor = 1.E-3
D. Record Final Action HEP.
If no adjustment factor was applied, record the value from Part B as your final action HEP. If an adjustment factor was applied, record the value from Part C.
Final Action HEP = 1.E-3
PART III. CALCULATE TASK FAILURE PROBABILITY WITHOUT FORMAL DEPENDENCE (PW/OD)
Calculate the Task Failure Probability Without Formal Dependence (Pw/od) by adding the Diagnosis Failure Probability from Part I and the Action Failure Probability from Part II. In instances where an action is required without a diagnosis and there is no dependency, then this step is omitted.
Pw/od = Diagnosis HEP 0 + Action HEP 1.E-3 = 1.E-3
Part IV. DEPENDENCY
For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence (Pw/d).
If there is a reason why failure on previous tasks should not be considered, such as it is impossible to take the current action unless the previous action has been properly performed, explain here:

| Condition Number | Crew (same or different) | Time (close in time or not close in time) | Location (same or different) | Cues (additional or no additional) | Dependency |
|---|---|---|---|---|---|
| 1 | s | c | s | na | complete |
| 2 | s | c | s | a | complete |
| 3 | s | c | d | na | high |
| 4 | s | c | d | a | high |
| 5 | s | nc | s | na | high |
| 6 | s | nc | s | a | moderate |
| 7 | s | nc | d | na | moderate |
| 8 | s | nc | d | a | low |
| 9 | d | c | s | na | moderate |
| 10 | d | c | s | a | moderate |
| 11 | d | c | d | na | moderate |
| 12 | d | c | d | a | moderate |
| 13 | d | nc | s | na | low |
| 14 | d | nc | s | a | low |
| 15 | d | nc | d | na | low |
| 16 | d | nc | d | a | low |
| 17 | | | | | zero X |

Number of Human Action Failures Rule: ~ - Not Applicable. Why?
When considering recovery in a series, e.g., 2nd, 3rd, or 4th checker:
If this error is the 3rd error in the sequence, then the dependency is at least moderate.
If this error is the 4th error in the sequence, then the dependency is at least high.

Using Pw/od = Probability of Task failure Without Formal Dependence (calculated in Part III):
For Complete Dependence the probability of failure is 1.
For High Dependence the probability of failure is (1 + Pw/od)/2
For Moderate Dependence the probability of failure is (1 + 6 x Pw/od)/7
For Low Dependence the probability of failure is (1 + 19 x Pw/od)/20
For Zero Dependence the probability of failure is Pw/od
Calculate Pw/d using the appropriate values:
Pw/d = (1 + ( * ))/ = 1.E-3
HRA Worksheets for At-Power
SPAR HUMAN ERROR WORKSHEET
Plant: Waterford 3 Initiating Event: LOOPSD (Mode 4) Basic Event: SDC-XHE-SD Event Coder:________
Basic Event Context: LOOP in shutdown, Mode 4, during hurricane Katrina, EPS works
Basic Event Description: start and control SDC (RHR) in LOOP, Mode 4, EPS OK
Does this task contain a significant amount of diagnosis activity? YES ~ (start with Part I - Diagnosis) NO X (skip Part I - Diagnosis; start with Part II - Action) Why? multiple cues and alarms, plenty of time, operators prepared.
PART II. EVALUATE EACH PSF FOR ACTION
A. Evaluate PSFs for the Action Portion of the Task, if any.

| PSFs | PSF Levels | Multiplier for Diagnosis | Please note specific reasons for PSF level selection in this column. |
|---|---|---|---|
| Available Time | Inadequate time | P(failure) = 1.0 ~ | restart SDC upon LOOP, up to 8 hrs available until SG boiloff (need to stay in SDC entry conditions band) |
| | Time available is ≈ the time required | 10 ~ | |
| | Nominal time | 1 ~ | |
| | Time available > 5x the time required | 0.1 X | |
| | Time available is > 50x the time required | 0.01 ~ | |
| | Insufficient information | 1 ~ | |
| Stress/Stressors | Extreme | 5 ~ | plenty of time available, simple action, LOOP expected, EPS works |
| | High | 2 ~ | |
| | Nominal | 1 X | |
| | Insufficient Information | 1 ~ | |
| Complexity | Highly complex | 5 ~ | simple action of manually connecting SDC to EDGs, LOOP and need for SDC restart anticipated |
| | Moderately complex | 2 ~ | |
| | Nominal | 1 X | |
| | Insufficient information | 1 ~ | |
| Experience/Training | Low | 3 ~ | |
| | Nominal | 1 ~ | |
| | High | 0.5 ~ | |
| | Insufficient information | 1 ~ | |
| Procedures | Not available | 50 ~ | |
| | Incomplete | 20 ~ | |
| | Available, but poor | 5 ~ | |
| | Nominal | 1 ~ | |
| | Insufficient information | 1 ~ | |
| Ergonomics/HMI | Missing/Misleading | 50 ~ | |
| | Poor | 10 ~ | |
| | Nominal | 1 ~ | |
| | Good | 0.5 ~ | |
| | Insufficient Information | 1 ~ | |
| Fitness for Duty | Unfit | P(failure) = 1.0 ~ | |
| | Degraded Fitness | 5 ~ | |
| | Nominal | 1 ~ | |
| | Insufficient information | 1 ~ | |
| Work Processes | Poor | 5 ~ | |
| | Nominal | 1 ~ | |
| | Good | 0.5 ~ | |
| | Insufficient information | 1 ~ | |
B. Calculate the Action Failure Probability.
(1) If all PSF ratings are nominal, then the Action Failure Probability = 1.0E-3
(2) Otherwise, the Action Failure Probability is: 1.0E-3 x Time x Stress or Stressors x Complexity x Experience or Training x Procedures x Ergonomics or HMI x Fitness for Duty x Processes
Action: 1.0E-3 x 0.1 x 1 x 1 x ___ x ___ x ___ x ___ x ___ = 1.E-4
C. Calculate the Adjustment Factor IF Negative Multiple (> 3) PSFs are Present.
When 3 or more negative PSF influences are present, in lieu of the equation above, you must compute a composite PSF score used in conjunction with the adjustment factor. Negative PSFs are present anytime a multiplier greater than 1 is selected. The Nominal HEP (NHEP) is 1.0E-3 for Action. The composite PSF score is computed by multiplying all the assigned PSF values. Then the adjustment factor below is applied to compute the HEP:
$$HEP = \frac{NHEP \cdot PSF_{composite}}{NHEP \cdot (PSF_{composite} - 1) + 1}$$
Action HEP with Adjustment Factor = 1.E-4
D. Record Final Action HEP.
If no adjustment factor was applied, record the value from Part B as your final action HEP. If an adjustment factor was applied, record the value from Part C.
Final Action HEP = 1.E-4
PART III. CALCULATE TASK FAILURE PROBABILITY WITHOUT FORMAL DEPENDENCE (PW/OD)
Calculate the Task Failure Probability Without Formal Dependence (Pw/od) by adding the Diagnosis Failure Probability from Part I and the Action Failure Probability from Part II. In instances where an action is required without a diagnosis and there is no dependency, then this step is omitted.
Pw/od = Diagnosis HEP 0 + Action HEP 1.E-4 = 1.E-4
Part IV. DEPENDENCY
For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence (Pw/d).
If there is a reason why failure on previous tasks should not be considered, such as it is impossible to take the current action unless the previous action has been properly performed, explain here:

| Condition Number | Crew (same or different) | Time (close in time or not close in time) | Location (same or different) | Cues (additional or no additional) | Dependency |
|---|---|---|---|---|---|
| 1 | s | c | s | na | complete |
| 2 | s | c | s | a | complete |
| 3 | s | c | d | na | high |
| 4 | s | c | d | a | high |
| 5 | s | nc | s | na | high |
| 6 | s | nc | s | a | moderate |
| 7 | s | nc | d | na | moderate |
| 8 | s | nc | d | a | low |
| 9 | d | c | s | na | moderate |
| 10 | d | c | s | a | moderate |
| 11 | d | c | d | na | moderate |
| 12 | d | c | d | a | moderate |
| 13 | d | nc | s | na | low |
| 14 | d | nc | s | a | low |
| 15 | d | nc | d | na | low |
| 16 | d | nc | d | a | low |
| 17 | | | | | zero X |

Number of Human Action Failures Rule: ~ - Not Applicable. Why?
When considering recovery in a series, e.g., 2nd, 3rd, or 4th checker:
If this error is the 3rd error in the sequence, then the dependency is at least moderate.
If this error is the 4th error in the sequence, then the dependency is at least high.

Using Pw/od = Probability of Task failure Without Formal Dependence (calculated in Part III):
For Complete Dependence the probability of failure is 1.
For High Dependence the probability of failure is (1 + Pw/od)/2
For Moderate Dependence the probability of failure is (1 + 6 x Pw/od)/7
For Low Dependence the probability of failure is (1 + 19 x Pw/od)/20
For Zero Dependence the probability of failure is Pw/od
Calculate Pw/d using the appropriate values:
Pw/d = (1 + ( * ))/ = 1.E-4
HRA Worksheets for LP/SD
SPAR HUMAN ERROR WORKSHEET
Plant: Waterford 3 Initiating Event: LOOPSD (Mode 4) Basic Event: SDC-XHE-SD-EPS Event Coder:________
Basic Event Context: LOOP in shutdown, Mode 4, during hurricane Katrina, SBO, EPS recovered, TDEFW had failed
Basic Event Description: start and control SDC (RHR) in LOOP, Mode 4, after EPS recovered in SBO
Does this task contain a significant amount of diagnosis activity? YES ~ (start with Part I - Diagnosis) NO X (skip Part I - Diagnosis; start with Part II - Action) Why? multiple cues and alarms, plenty of time, operators prepared.
PART II. EVALUATE EACH PSF FOR ACTION
A. Evaluate PSFs for the Action Portion of the Task, if any.

| PSFs | PSF Levels | Multiplier for Diagnosis | Please note specific reasons for PSF level selection in this column. |
|---|---|---|---|
| Available Time | Inadequate time | P(failure) = 1.0 ~ | available time somewhat depleted by EPS recovery, about 4 hrs available to SG boiloff while SDC entry conditions maintained |
| | Time available is ≈ the time required | 10 ~ | |
| | Nominal time | 1 X | |
| | Time available > 5x the time required | 0.1 ~ | |
| | Time available is > 50x the time required | 0.01 ~ | |
| | Insufficient information | 1 ~ | |
| Stress/Stressors | Extreme | 5 ~ | Some stress due to SBO which was recovered and TDEFW failure during the SBO, and somewhat less time available for this action and fewer options available |
| | High | 2 X | |
| | Nominal | 1 ~ | |
| | Insufficient Information | 1 ~ | |
| Complexity | Highly complex | 5 ~ | reconnecting to emergency buses in less time |
| | Moderately complex | 2 X | |
| | Nominal | 1 ~ | |
| | Insufficient information | 1 ~ | |
| Experience/Training | Low | 3 ~ | |
| | Nominal | 1 ~ | |
| | High | 0.5 ~ | |
| | Insufficient information | 1 ~ | |
| Procedures | Not available | 50 ~ | |
| | Incomplete | 20 ~ | |
| | Available, but poor | 5 ~ | |
| | Nominal | 1 ~ | |
| | Insufficient information | 1 ~ | |
| Ergonomics/HMI | Missing/Misleading | 50 ~ | |
| | Poor | 10 ~ | |
| | Nominal | 1 ~ | |
| | Good | 0.5 ~ | |
| | Insufficient Information | 1 ~ | |
| Fitness for Duty | Unfit | P(failure) = 1.0 ~ | |
| | Degraded Fitness | 5 ~ | |
| | Nominal | 1 ~ | |
| | Insufficient information | 1 ~ | |
| Work Processes | Poor | 5 ~ | |
| | Nominal | 1 ~ | |
| | Good | 0.5 ~ | |
| | Insufficient information | 1 ~ | |
B. Calculate the Action Failure Probability.
(1) If all PSF ratings are nominal, then the Action Failure Probability = 1.0E-3
(2) Otherwise, the Action Failure Probability is: 1.0E-3 x Time x Stress or Stressors x Complexity x Experience or Training x Procedures x Ergonomics or HMI x Fitness for Duty x Processes
Action: 1.0E-3 x 1 x 2 x 2 x ___ x ___ x ___ x ___ x ___ = 4.E-3
C. Calculate the Adjustment Factor IF Negative Multiple (> 3) PSFs are Present.
When 3 or more negative PSF influences are present, in lieu of the equation above, you must compute a composite PSF score used in conjunction with the adjustment factor. Negative PSFs are present anytime a multiplier greater than 1 is selected. The Nominal HEP (NHEP) is 1.0E-3 for Action. The composite PSF score is computed by multiplying all the assigned PSF values. Then the adjustment factor below is applied to compute the HEP:
$$HEP = \frac{NHEP \cdot PSF_{composite}}{NHEP \cdot (PSF_{composite} - 1) + 1}$$
Action HEP with Adjustment Factor = 4.E-3
D. Record Final Action HEP.
If no adjustment factor was applied, record the value from Part B as your final action HEP. If an adjustment factor was applied, record the value from Part C.
Final Action HEP = 4.E-3
PART III. CALCULATE TASK FAILURE PROBABILITY WITHOUT FORMAL DEPENDENCE (PW/OD)

Calculate the Task Failure Probability Without Formal Dependence (Pw/od) by adding the Diagnosis Failure Probability from Part I and the Action Failure Probability from Part II. In instances where an action is required without a diagnosis and there is no dependency, then this step is omitted.

Pw/od = Diagnosis HEP 0 + Action HEP 4.E-3 = 4.E-3

Part IV. DEPENDENCY

For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence (Pw/d).

If there is a reason why failure on previous tasks should not be considered, such as it is impossible to take the current action unless the previous action has been properly performed, explain here:
| Condition Number | Crew (same or different) | Time (close in time or not close in time) | Location (same or different) | Cues (additional or no additional) | Dependency | Selected |
|---|---|---|---|---|---|---|
| 1 | s | c | s | na | complete | |
| 2 | s | c | s | a | complete | |
| 3 | s | c | d | na | high | |
| 4 | s | c | d | a | high | |
| 5 | s | nc | s | na | high | |
| 6 | s | nc | s | a | moderate | |
| 7 | s | nc | d | na | moderate | |
| 8 | s | nc | d | a | low | |
| 9 | d | c | s | na | moderate | |
| 10 | d | c | s | a | moderate | |
| 11 | d | c | d | na | moderate | |
| 12 | d | c | d | a | moderate | |
| 13 | d | nc | s | na | low | |
| 14 | d | nc | s | a | low | |
| 15 | d | nc | d | na | low | |
| 16 | d | nc | d | a | low | |
| 17 | | | | | zero | X |

Number of Human Action Failures Rule ([ ] Not Applicable. Why?): When considering recovery in a series, e.g., 2nd, 3rd, or 4th checker:

- If this error is the 3rd error in the sequence, then the dependency is at least moderate.
- If this error is the 4th error in the sequence, then the dependency is at least high.

Using Pw/od = Probability of Task Failure Without Formal Dependence (calculated in Part III):

- For Complete Dependence the probability of failure is 1.
- For High Dependence the probability of failure is (1 + Pw/od)/2
- For Moderate Dependence the probability of failure is (1 + 6 x Pw/od)/7
- For Low Dependence the probability of failure is (1 + 19 x Pw/od)/20
- For Zero Dependence the probability of failure is Pw/od

Calculate Pw/d using the appropriate values:

Pw/d = (1 + ( ___ * ___ ))/ ___ = 4.E-3
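The Part II to Part IV arithmetic of the worksheet above, carried through in Python as an added example (not part of the NRC analysis or of any SPAR-H tool). Function and variable names are illustrative, the second PSF set is constructed to exercise the adjustment factor, and PSFs left blank on the worksheet are assumed not to contribute.

```python
from itertools import product
from math import prod

NHEP_ACTION = 1.0e-3  # nominal HEP for an action, as stated in Part II
LEVELS = ["zero", "low", "moderate", "high", "complete"]  # weakest to strongest

# Dependency conditions 1-16 of Part IV, keyed by (crew, time, location, cues):
# crew/location "s" same or "d" different, time "c" close or "nc" not close,
# cues "na" no additional or "a" additional. Condition 17 (zero) has no key.
_LEVEL_BY_CONDITION = (["complete", "complete", "high", "high",
                        "high", "moderate", "moderate", "low"]
                       + ["moderate"] * 4 + ["low"] * 4)
DEPENDENCY_TABLE = {
    key: (number, level)
    for number, (key, level) in enumerate(
        zip(product("sd", ("c", "nc"), "sd", ("na", "a")), _LEVEL_BY_CONDITION),
        start=1)
}


def action_hep(multipliers, nhep=NHEP_ACTION):
    """Part II B/C: plain product, or the adjusted form when >= 3 PSFs are negative."""
    values = list(multipliers.values())
    composite = prod(values)
    negative = sum(1 for m in values if m > 1)  # negative PSF: multiplier > 1
    if negative >= 3:
        return nhep * composite / (nhep * (composite - 1) + 1)
    return min(1.0, nhep * composite)  # a probability cannot exceed 1


def dependency_level(crew, time, location, cues, error_number=None):
    """Return (condition number, level); apply the 3rd/4th-error rule if given."""
    number, level = DEPENDENCY_TABLE[(crew, time, location, cues)]
    floor = {3: "moderate", 4: "high"}.get(error_number)
    if floor and LEVELS.index(level) < LEVELS.index(floor):
        level = floor
    return number, level


def hep_with_dependence(p_wod, level):
    """Part IV: task failure probability with formal dependence (Pw/d)."""
    formulas = {
        "complete": 1.0,
        "high": (1 + p_wod) / 2,
        "moderate": (1 + 6 * p_wod) / 7,
        "low": (1 + 19 * p_wod) / 20,
        "zero": p_wod,
    }
    return formulas[level]


# PSF levels marked on the SDC-XHE-SD-EPS worksheet. The other five PSFs were
# left blank there and are treated as not contributing (assumption).
WORKSHEET_PSFS = {"time": 1, "stress": 2, "complexity": 2}

# Constructed ratings (not from the report) with four negative PSFs, where the
# plain product would exceed 1 and the adjustment factor keeps the HEP below 1.
CONSTRUCTED_PSFS = {"time": 10, "stress": 5, "complexity": 5, "procedures": 20}


def worksheet_case():
    """Reproduce the worksheet: action HEP, Pw/od and Pw/d for zero dependence."""
    action = action_hep(WORKSHEET_PSFS)
    p_wod = 0.0 + action  # Part III: diagnosis HEP 0 + action HEP
    p_wd = hep_with_dependence(p_wod, "zero")  # condition 17 is marked
    return action, p_wod, p_wd


if __name__ == "__main__":
    action, p_wod, p_wd = worksheet_case()
    print(f"worksheet: action HEP={action:.1e}  Pw/od={p_wod:.1e}  Pw/d={p_wd:.1e}")
    print(f"constructed, adjusted HEP={action_hep(CONSTRUCTED_PSFS):.4f}")
    for level in LEVELS:
        print(f"{level:>8}: Pw/d={hep_with_dependence(p_wod, level):.4f}")
```
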
Appendix C Event and Fault Trees, Figures Relating to Waterford's Offsite Power System Reliability

Figure 1. Event Tree LOOP at Shutdown with Dominant Sequences Highlighted
Top events: IE-LOOPSD (LOOP AT SHUTDOWN (MODE 4) IN KATRINA), EPS (EMERGENCY POWER), TDEFW-SD (TDEFW IN SHUTDOWN), REC4 (4 HR EMER PWR RECOVERY), SDC-SD (SHUTDOWN COOLING IN SHUTDN), EFW-SD (EFW IN SHUTDOWN). Also labelled on the tree: MDEFW-SD, SDC-SD-EPS. End states by sequence: 1 OK, 2 OK, 3 CD, 4 OK, 5 CD, 6 OK, 7 OK, 8 CD, 9 CD.

Figure 2. LOOP Full Power Event Tree, for Comparison, with Dominant Sequence Highlighted
Top events: IE-LOOP (LOSS OF OFFSITE POWER), RPS (REACTOR SHUTDOWN), EPS (EMERGENCY POWER), EFW (EMERGENCY FEEDWATER), SRV (SRVs ARE CLOSED), LOSC (RCP SEAL COOLING MAINTAINED), HPI (HIGH PRESSURE INJECTION), OPR-02H (OFFSITE POWER RECOVERY IN 2 HOURS), SSC (SECONDARY SIDE COOLDOWN), SDC (SHUTDOWN COOLING), HPR (SUMP RECIRC), CSR (CONTAINMENT COOLING). Also labelled on the tree: HPI-L, EFW-L, SRV-L, HPR-L, CSR-L, OPR-02H, LOSC-L. End states by sequence: 1 OK, 2 T LOOP-1, 3 OK, 4 OK, 5 CD, 6 CD, 7 OK, 8 CD, 9 CD, 10 OK, 11 CD, 12 CD, 13 CD, 14 CD, 15 T SBO, 16 T ATWS.

Figure 3. Fault Tree for TDEFW train in shutdown (Mode 4)
Top gate TDEFW-SD (TDEFW IN SHUTDOWN); inputs: EFW-TDP (TURBINE DRIVEN EFW) and EFW-XHE-SD-TD = 2.500E-3 (OP FAILS TO START & CONTROL TDEFW IN MODE 4).

Figure 4. Fault Tree for 4-hr Recovery of Emergency Power
Top gate REC4 (4 HR EMER PWR RECOVERY); inputs: TED (TEMPORARY EMERGENCY DIESEL GENERATORS FTS) and EPS-XHE-XL-NR04H = 4.835E-1 (FAILURE TO RECOVER CLASS 1 EDGs IN 4 HR).

Figure 5. Fault Tree for TED, Temporary Emergency Diesel Generators
Top gate TED (TEMPORARY EMERGENCY DIESEL GENERATORS FTS); inputs: EPS-XHE-XL-TED = 1.000E-3 (OPERATOR FAILS TO CONNECT AND START A TED) and EPS-EDG-TED = 1.000E-3 (TED HARDWARE FTS (2TEDs)).

Figure 6. Fault Tree for Shutdown Cooling in Mode 4
Top gate SDC-SD (SHUTDOWN COOLING IN SHUTDN); inputs: SDC (SHUTDOWN COOLING) and SDC-XHE-SD = 1.000E-4 (OPERATOR FAILS TO RESTART OR CONTROL RHR).

Figure 7. Fault Tree for EFW in Mode 4
Top gate EFW-SD (EMERGENCY FEEDWATER IN MODE 4); inputs: EFW (EMERGENCY FEEDWATER) and EFW-XHE-SD = 2.000E-4 (OPERATOR FAILS TO TURN ON AND CONTROL EFW).

Figure 8. Fault Tree for SDC in Mode 4, After EPS Recovery (one train EPS only)
Top gate SDC-SD-EPS (SDC WITH EPS PROBLEMS (LOOPB-FTF USED)); inputs: SDC (SHUTDOWN COOLING) and SDC-XHE-SD-EPS = 4.000E-3 (OPERATOR FAILS TO RSTRT & CNTRL RHR AFTER EPS PROBLEMS).

Figure 9. Fault Tree for Motor Driven EFW After EPS Recovery, One EPS Train Only
Top gate MDEFW-SD (EFW MOTOR DRIVEN IN SHUTDOWN); inputs: EFW (EMERGENCY FEEDWATER) and EFW-XHE-SD-MD = 1.000E-2 (OPERATOR FAILS TO TURN ON OR CONTROL MDEFW IN MODE 4).

Figure 10. Fault Tree for EFW, Showing Added Event KATRINA-SWITCH
Node labels and values, in extraction order: EFW, 123, EFW-NOFLOW-F, EFW-MKUP-F, EFW-MKUP-L, EFW-MKUP-RECL, 2.850E-2, EFW-XHE-XA-DEP, 2.000E-5, EFW-XHE-XM-MKUP, FALSE, LOOP, EFW-MKUP-NL, TRUE, NONLOSP, 2.000E-5, EFW-XHE-XM-MKUP, 2.760E-6, EFW-CKV-CF-SG, 6.763E-7, EFW-CKV-CF-PMPDIS, 6.615E-7, EFW-PMP-CF-RUN, 2.400E-6, EFW-TNK-FC-CSP, EFW-GATE-15-35, FALSE, KATRINA-SWITCH.
Node descriptions, in extraction order: OPERATOR FAILS TO MAKEUP CSP BEFORE DEPLETION; EFW WATER SOURCE MAKEUP DURING NON-LOOP; EFW WATER SOURCE MAKEUP DURING LOOP; FAILURE TO ALIGN MAKEUP TO EFW WATER SOURCE; EFW PUMP TRAIN FAILURES; NO OR INSUFFICIENT EFW FLOW; OPERATOR FAILS TO ALIGN BACKUP WATER SOURCE - LONG TERM (twice); EFW CONDENSATE STORAGE POOL FAILURES; CCF OF EFW PUMPS TO RUN; CCF OF EFW PUMP DISCHARGE CHECK VALVES; OP FAILS TO RECOVER FROM LOSP BEFORE CSP DEPLETION; NON LOSP INITIATOR; CCF OF STEAM GENERATOR CHECK VALVEs 2191A&B; LOSS OF OFFSITE POWER HOUSE EVENT; SWITCH FOR KATRINA LOOP IN CASE OF HURRICANE, NO LOOP RECOVERY.

Figure 11. The Event Tree MODE-4 for Normal Operation in Mode 4
Top events: IE-MODE4 (PLANT IN MODE 4), EFW-SD (EFW IN SHUTDOWN MODE 4), SDC-SD (SDC IN SHUTDOWN MODE 4). End states by sequence: 1 OK, 2 OK, 3 CD.

Figure 12.

Figure 13.

Figure 14.

Figure 15.

Figure 16.
Appendix D Event Tree Discussion

1. Event Tree LOOPSD

Sequences 1-3. In these sequences, the EPS works and the operator has to restart the SDC, or failing that, manually actuate the EFW system. There will be plenty of time (several hours) to effect either of those actions. Core damage results when both SDC and EFW fail.

Sequences 4-5. In these sequences the EPS system fails and the TDEFW is successful. However, battery depletion occurs in 4 hours, unless the EPS system is recovered. If the EPS system is not recovered in this time period, then TDEFW failure results, as DC power is needed for instrumentation and control of the TDEFW system. The EPS can be recovered by EDG repair in the first 4 hours after EPS loss, or by starting and operating the TEDs. If both options fail, other recovery options are possible, but not credited. For example, TEDs could be replaced on the long time scales to core uncovery. High pressure feed and bleed could be used, as directed by EOF, to extend the time to core uncovery. Substandard (too high voltage) offsite power was available some time into the event.

It is assumed that the TDEFW, while it is operating, will fill the steam generators to the normal level. Thus, there will be several hours (estimate is eight hours) after battery depletion before the SG inventory is boiled off, and another 4 hours before the core is uncovered.

EDGs will not be repairable in the time frame beyond the 4 hours, because the EDGs need DC power for startup. On the other hand, the TEDs are assumed to be self sufficient. It can also be noted that the bus breakers can be operated manually, though they are charged up after opening to have the potential energy for the closing. When the TEDs are connected, even if that happens after battery depletion, the operators would strive to get the DC power back first and charge the batteries, in order to recover the instrumentation and control capabilities. The TDEFW system would be put in operation as well. With the batteries charged, the plant EDGs are again repairable.

If either recovery action is successful (EDG repair/recovery, or TED startup and operation), then the successful sequences are not developed any further due to the probabilities involved. They are assumed to be OK, though there will be residual failures from the combinations of SDC and EFW failures as in Sequence 3. However, if emergency power cannot be recovered past about 16 hours after EPS failure (4 hrs of TDEFW operation plus about 12 hrs to core uncovery), then core damage will result.
Sequences 6-9. In these sequences, both the emergency power and the TDEFW fail. There will be about 12 hrs to core uncovery and 4 hrs to battery depletion. EDG recovery is credited only in the 4 hrs to battery depletion.
In sequences 6-8, the time for operator actuation of the SDC and the EFW systems is somewhat reduced, as it has been taken up by EPS recovery. Likewise, the complexity and the stress of the actions are increased compared to sequences 1-3.
It should be noted that fault trees for SDC and EFW in sequences 6-8 use the flag set LOOPB-FTF, which disables train B of emergency power, as the assumption is made that only one EDG or TED is available post successful recovery. This is not always correct (e.g., if EPS recovery is due to TED successful operation - then both TEDs could be successful, which will in fact happen most of the time), but it is deemed sufficiently good for the low frequency core damage sequence 8.
2. Event Tree MODE-4

This event tree is used for calculation of the base case CDP in Mode-4, using GEM. This is the underlying mode 4 CDP, i.e., the CDP for normal operation in Mode 4 without LOOP or any other initiator occurrence. This gives one a perspective as to how much the risk was increased in the LOOP event, vs. normal operation in Mode 4.
The event tree is shown in Figure 11. The initiator, IE-MODE4 is the plant in normal Mode 4 operation and is set to 1.0 in GEM. The available safety systems (EFW-SD and SDC-SD) and logic are similar to sequences 1-3 of the LOOPSD event tree (when EPS is available), with the difference that here both trains of emergency power are always available from normal offsite power. Thus, there are no linkage rules and no special fault tree flag sets are used.
The change set is similar to that for evaluation of LOOPSD CCDP, except that, since there was uninterrupted running of SDC train A, failure to start and CCF FTS for LPI pump A are falsed out, as are any SDC-related operator actions (though there will be some operator involvement in controlling the system, this is neglected). Also, depending on what is believed to be a more realistic configuration, all TM actions are falsed out as in the LOOPSD CCDP evaluation, or they are kept at their nominal probabilities. Generally, the nominal TM case would be considered more realistic in this evaluation.
The results are a CDP of 5.4E-8 for no TM, and 2.E-7 for nominal TM. The latter is about 10% of the calculated CCDP for this LOOP event.
A further possible refinement to the base case CDP evaluation would be to reduce the mission time of all equipment by the core uncovery time. This will not be a major effect.
3. Event tree LOOPSD1

This event tree is used for some sensitivity analyses. It expands sequence 4 of the LOOPSD event tree, in a similar manner to sequences 6-8 of that event tree, i.e., questions are asked about the SDC and the MDEFW systems. The only difference is that the HEPs for the operator actions are evaluated to be 10 times smaller than in the SBO sequences with TDEFW failed, due to more time available (4 hr more).
Appendix E Model Linkage Rules, Flag Sets and Sequence Recovery Rules

Event Tree Linkage Rules for Event Tree LOOPSD:

```
| 1.
if EPS then
    /EFW-SD = MDEFW-SD;
    EFW-SD = MDEFW-SD;
    /SDC-SD = SDC-SD-EPS;
    SDC-SD = SDC-SD-EPS;
endif
| 2.
if always then
    eventree(LOOPSD) = Flag(LOOPSD);
endif
```

Additional Flag Sets:

| Flag Set | Event | House Type | Process Flag | Description |
|---|---|---|---|---|
| LOOPB-FTF | | | | DIVISION B UNAVAILABLE AFTER EDG RECOVERY |
| | LOOP | T | | LOSS OF OFFSITE POWER HOUSE EVENT |
| | LOOP-A | F | | LOSS OF DIV A OFFSITE POWER HOUSE EVENT |
| | LOOP-B | T | | LOSS OF DIV 3B OFFSITE POWER FLAG |
| LOOPSD | | | | Flag set: Loss of offsite power sequences Mode 4 |
| | KATRINA-SWITCH | T | | SWITCH FOR KATRINA LOOP |
| | LOOP | T | | LOSS OF OFFSITE POWER HOUSE EVENT |
| | LOOP-A | T | | LOSS OF DIV A OFFSITE POWER HOUSE EVENT |
| | LOOP-B | T | | LOSS OF DIV 3B OFFSITE POWER FLAG |
| | NONLOSP | F | | NON LOSP INITIATOR |

Additional sequence cutset recovery rules:

```
| cutset recovery rule for Katrina LOOP
if EFW-XHE-SD-TD * EFW-XHE-SD-MD then
    DeleteEvent = EFW-XHE-SD-MD;
    AddEvent = EFW-XHE-SD-MD-1;
endif
if system(EPS) * EFW-TDP-FR-AB then
    DeleteEvent = EFW-TDP-FR-AB;
    AddEvent = EFW-TDP-FR-TD4HR;
endif
```
APPENDIX F LER SEARCH

APPENDIX G INSIGHTS DISCUSSION
Waterford's offsite power connections appear relatively fragile with respect to hurricanes. The LOOP occurred at 8 am, while only the south-east part of Entergy's system may have been feeling the effects of the hurricane. The site was experiencing winds of only 48 mph at the time, and those winds are estimated (no actual measurements have been found) not to have risen much above about 70 mph during the event, with some gusts possible above that (see Appendix H). (Katrina's eye passed about 50 miles east of Waterford when it made the final landfall at Pearl River, at the LA-MS border.) The winds would have diminished going east to west. The 230 kV transmission lines in the vicinity of the plant were not damaged, as the winds were too low. Waterford reported, in an event notification report at 23:02 on August 29, 2005, that offsite power was available, though the voltages were too high. This, too, seems to indicate that the high voltage infrastructure was not hit too hard.

According to the FSAR (Figures 8.1-2, 3, 5 and 6, included in this analysis as Figures 12-15 of Appendix C), Waterford's switchyard is redundantly connected to many transmission lines from all directions, including from several power plants nearby. To the West, additionally, the Entergy system is connected to other NERC regions, SPP (SPP Southern) and ERCOT, and there are also connections to the North (MAIN) and the East (TVA and SERC Southern); see Figure 16 (reproduced from Figure 3-9 in Reference 28).
The assumption in Reference 29, that a hurricane LOOP will result with a high probability only if extreme sustained winds (> 120 mph) are felt on site, or nearby, which was based on this redundancy of offsite power connections, seems to be wrong. In this case, even though the transmission lines in the vicinity were not damaged, and there were redundant sources of power from different directions, the plant was cut off from offsite power while experiencing relatively mild winds.
The Entergy electrical system appears more fragile than assumed in the Ref. 29 analysis, at least with respect to Waterford's offsite power supply. River Bend and Grand Gulf, other Entergy NPPs in the affected region, apparently did not experience a LOOP, even though Grand Gulf seemingly experienced higher direct wind effects than Waterford (e.g., loss of 17 emergency sirens).
An alternative explanation is that interconnections to Southern Louisiana were cut off deliberately, in order to forestall fault propagation through the system. However, the same conclusions obtain, with respect to susceptibility of Waterford to hurricane induced LOOPs and with respect to the faulty assumption regarding hurricane LOOP initiation due to local extreme winds only.
The relatively low CCDP in the shutdown model evaluation is due to the presence and reliability of the SDC and the EFW systems, the presence of additional truck-mounted temporary emergency diesel (TED) generators on site, the presence of the essential operators and maintenance personnel on site for the duration of the event, and the long available recovery times due to lower decay heat loads, as the plant was shut down ahead of Katrina's landfall as a precaution.

Availability of essential personnel onsite, EPS reliability, availability of spare parts and TEDs are significant determinants of CCDP. It is assumed that there was a full complement of the essential onsite staff, including both operations and maintenance people, for all shifts and throughout the event, as seems to be standard practice for NPPs in this situation. The families of personnel were in shelters or out of the region, due to a mandatory evacuation order for St. Charles parish, issued almost 48 hrs before the LOOP. In addition, damage to property was relatively light in St. Charles parish and further west. It is assumed that, given the circumstances, the personnel were not overly distracted by worries of happenings outside the plant and that their fitness for duty and stress PSF would not be affected.
Availability of personnel on site was also a factor in potential repairability of EDGs (essential personnel would have also apparently included the spare parts warehouse clerk, or maintenance personnel familiar with the warehouse procedures, as well as the maintenance personnel knowledgeable in EDG repair). In this respect, repairability of EDGs would have been somewhat better than in a normal SBO, which happens suddenly and without any preparations in place.
Availability of two TEDs and their assumed reliability is one of the reasons the CCDP is low. The blackout sequence with TED failure is the dominant sequence. The TEDs are not repairable and are not sheltered (which may impact their reliability and further assures their non-repairability). Since they are parked to the east of the turbine building, in this case there was no danger to them from the relatively low westerly winds and there were no other hurricane effects. There are no spare parts for TEDs and plant personnel are not familiar with their repair. It is conceivable, due to long time scales, that TED replacement may be effected with some probability of success in an emergency. Allowing for TED repair or replacement would proportionally reduce the dominant sequence (seq. 6).
Lack of hurricane effects on site and the surrounding area are significant determinants of CCDP. St. Charles parish was spared serious hurricane effects, due to its location away from the landfall and on the weak side of Katrina (countercurrent rotation and northward progression combine to significantly diminish winds on the western flank) and due to the river levees not failing (they were built to much higher standards than the Lake Pontchartrain and the canal levees in New Orleans). The plant siting was such that, historically, the plant area has been spared direct hurricane hits; any extreme winds from a hypothetical hurricane may not easily reach the site due to the existence of intervening overland; and the plant is situated on significantly higher ground (over 14 ft MSL) than the surrounding area (which is below sea level) and is engineered against flooding. All of this combined to produce no serious effects at the plant or in the surrounding area.

Had the hurricane effects been more pronounced then a) a mission time longer than 24 hr might have had to be used; b) the HRA PSFs for stress and/or fitness for duty might have had to be adjusted upwards; c) EDG repair might have had to be disallowed or curtailed (e.g., if the warehouse had been inaccessible); d) communications with the outside world (EOF, NRC) may have been cut off; e) there might not have been any fallback option in case of TED failure.

Assumption that the SPAR model EDG recovery curve can be used is a moderate determinant of CCDP. The standard SPAR model EDG repair curve is used due to availability of personnel and spare parts (warehouse was accessible). Some aspects of this, due to preparatory measures (essential personnel were on site), were better than in a regular SBO, which happens without any warning. It should be noted there is a discrepancy between SPAR and RASP on the issue of which EDG repair curve to use.

Assumed TED reliability is a significant determinant of CCDP. NPRD-95 data for packaged standby diesel generators are used. The results are sensitive mainly to FTS and FTRE data (FTRL is not important as long as it is < 10% of FTS+FTRE, in /hr units).
The long time scales for core uncovery tend to offset some concerns with reliability of operator actions, dependence of operator actions, hurricane effects and open up other options for dealing with emergency scenarios. The precautionary shutdown was instrumental in keeping the CCDP low. With the long time scales to core uncovery, the operator PSFs are reduced, there is less dependency between operator actions, it is possible to work around any potential hurricane effects (e.g., any possible inaccessibility of the warehouse) and it is even possible to think about replacing the TEDs, should they fail, as in sequence 6.
The 24 hr mission time may not be realistic, depending on hurricane effects.
Waterford was without offsite power for several days. While the conditions around the plant were such that potential resupply of the plant could be accommodated, such would have been hampered somewhat by the reduced but lingering after-effects experienced thereabout. Had the hurricane effects been more pronounced, the 24 hr mission time would have to be considered more carefully.
Operator action to keep the RCS conditions within SDC entry parameters is important during SG boiloff in an SBO. The operators are assumed to keep the RCS in the SDC entry band, by manipulation of SG PORVs, with or without EFW operating, as long as there is inventory on the secondary. This keeps the SDC option alive and substantially reduces contribution of certain sequences.
Events with high F-V and RIR importances. These are the events which contribute the most to the evaluation and, at the same time, to whose value the evaluation is the most sensitive: TED hardware failure, TED operator error to connect, operator failure to start and control EFW in non-SBO sequences, EDG CCF to run. Other events with high F-V are non-recovery of emergency power, failure to run of EDG 3A and 3B (separately) and failure of operator to establish alternate cooling in the switchgear room.
Other events with the highest RIR are failure of CCW surge tank, CCF failure of chilled water pumps to start or run, CCF battery failures, CCF of EDG fans and CCF of EDGs to start. There are many events with high RIR evaluations (i.e., RIR > 100).
APPENDIX H DISCUSSION OF VARIOUS ISSUES

1. Effects of Katrina on the plant and surrounding area (Ref. 1-3, 11, 16-27)

Damage to St. Charles parish

The LA parishes with significant damage: New Orleans (widespread flooding, starting on Aug 30 at 2-3 am -- over half the economic damage in LA and over 90% of the deaths are there), Jefferson (part of NO is here), St. Bernard and Plaquemines (flooding), Terrebonne (wind, unspecified). LaFourche is also mentioned as bearing the brunt of the wind (though it's far from the eye track). The plant is in the far NW corner of St. Charles parish, about 3 mi away from the border with St. John the Baptist parish to the west, i.e., away from Jefferson parish to the east; on the west bank of the Mississippi, which, due to sediment buildup, is much higher than the surrounding area. St. John the Baptist parish suffered even less damage than St. Charles parish. Even in New Orleans, the pictures show mostly the flooding damage, relatively little of severe wind damage, and the plant is about 25 miles further away from the hurricane eye than west New Orleans.

For St. Charles parish the reports mention: minor flooding (mostly on the east bank, though the west bank, where the plant is located, is mentioned with respect to some levee overtopping); there were about 50 teachers in the parish school district that were left homeless (but no word on anyone else, perhaps these teachers lived in other parishes and only worked here); conflicting reports on deaths - the local newspaper reports no direct deaths and 2 heart attack deaths, while the official sites cite 8 deaths in the parish. Some vegetation on roadways, but volunteers were out that afternoon (on August 29), and the next day, with chainsaws and a backhoe to clear the roadways. St. Charles parish was a recipient of evacuees from further east (trailer parks were set up) and is said to have been spared the brunt of the storm.
The levees and flooding.
There are two types of levees in LA: the river levees and the hurricane protection levees. The river levees were designed to allow for 11% more water than the worst flood on record, experienced sometime in the early 20th century - it was a special act of Congress due to severe aftermath of that. (And there are other features -- spillways to divert flood waters upstream of the plant, etc.) The hurricane levees - the ones around the lake Pontchartrain and the canals in NO, were designed to much lower standards - not the worst case as for the river levees.
The river levees survived this intact, even preventing some worst case scenarios below New Orleans. And the plant is on significantly higher ground than the surrounding area. As for that surrounding area, there was some minor flooding, confined mostly to East bank, according to the local paper.
The roadways and supply routes

Even NO was not cut off completely. The state and the city governments evacuated to Baton Rouge after the flooding started and the city was under water. There were at least two routes out of the city (the Crescent City connection and the Lake Pontchartrain causeway). The airport reopened for emergency flights on Aug 30. The plant is about 25 miles west of the city and the roadways there were in much better shape -- for one thing there was no appreciable flooding, as the river levees were built to higher standards and they held. And the winds were at lower speeds, thus there was less blown vegetation on the roads.
There were numerous roadways, some elevated around the plant. The railroad tracks pass less than a mile therefrom. The river is also a way of supply in a hypothetical situation.
LER 382-2005-004 95 The plant related effects The NRC issued several reports, including an inspection report (2005004 covering the period through September 26, 2005). The NRC had inspectors on site during the event, including a special team that was sent in advance of the hurricane. The inspection report noted that the inspectors reviewed the plant preparations for hurricanes Dennis and Katrina, the inspection team walked down the plant grounds and risk significant systems necessary for plant shutdown, as well as reviewed the plant preparatory measures, including operating experience, compensatory measures and emergency response procedures. The status of the plant after the hurricane is also reported. No findings are noted at either time. Except for the emergency notification system, no damage is noted on those reports, no flooding on site, no damage, no accessibility problems. It is also noted, that the plant stayed on the lowest of the four levels of alerts, the unusual event, throughout the event. The only report of note is that at some point there was a statement that the river may crest close to the levee height of 18 ft (the levee top is at 30 ft MSL, and the Mississippi surface, which at that time of year is low, is at around 12 ft MSL). After the levee there was that 30 ft MSL wall around the nuclear island, and there are drainage ditches in the plant. The plant was designed with flooding in mind, the FSAR spends quite a bit of time on this -- and this was not the worst case scenario, the river was low, per the time of year. The plant elevation is 14-15 ft MSL, much above the surrounding area, which is below the sea level.
The LER mentions the sustained wind speeds of 48 mph at the time of the LOOP (8 am, Aug.
29). The Katrina storm track information, and the distance of the eye, imply that this was probably not far from the maximum wind experienced at the site, esp. after the LOOP initiation.
Katrina decayed away to Cat 1 at 1 pm that day, some 80-100 miles inland. Its first landfall was at Buras, LO (some 100 miles SE from the plant) at 6:10 am, with max winds of about 110 kt.
Its final landfall, at the border of LA and MS (about 50 miles E from the plant) was a little later (perhaps around 8-9 am), with max winds of 105 kt. Assuming forward speed of 13 kt (15 mph)
(it was probably even faster), this would mean winds of 80 kt on the LHS of the hurricane. The winds in east NO were measured at 84 kts at 6 am at NASA Michoud facility, at 68 kts in the middle of lake Pontchartrain at 10:20 am, gusts of 85 kts were reported at NO airport at 120 ft height at 8:40 am, and NO Lakeland airport reported sustained winds of 60 kt at 6:53 am.
Figuring the fact that the winds decrease by 10% in speed for every 30 miles of overland, that the gusts can be 20% higher speed than sustained winds, that the winds increase in height above surface (10% higher at 100 ft than at surface), including the NOAA estimate that most of NO experienced Cat 1 or Cat 2 winds (presumably Cat 1 on the west side), it would be safe to say that the site probably did not experience higher than Cat 1 winds after the LOOP started (64-82 kts), and probably not much more than about 70 mph, with some gusts above that. It is possible that locally winds can be higher than indicated above due to turbulence and other local effects (channeling), but there is no indication that the plant suffered excessively high winds.
The 230 kV transmission lines, for example, albeit robust to 120mph, were not damaged.
Offsite power was reported available at 23:02 on August 29, 2005, though the voltages were too high. This also indicates low damage to infrastructure.
The plant suffered telecommunications equipment failure about 34 hours after the LOOP started, thus it is not clear if this was Katrina related.
Warehouse access
It seems the warehouse was accessible (for spare parts) when considering that there was no flooding at plant site, that the winds were relatively low (from the west), that shielding was provided by the buildings on site and that there are several ways to get to the warehouse.
Also to keep in mind is that the LOOP happened at 8 am and there were 8-12 hrs to core melt if nothing worked. The hurricane passed at about the same time and there were high winds for a few hours after that. This gives time and flexibility to organize something after the hurricane has passed. It gives time to clear the way to the warehouse -- assuming access was a problem (which apparently it was not).
Even if one assumed no access for, say, 8 hrs, this is averaged over 24 hours, and in the PRA space the change in evaluation is not significant, and is offset by more conservative treatment elsewhere (e.g., no convolution). Instead of a 0.5 recovery factor one may get 0.7 with that conservative assumption. (At 4 hr inaccessibility, a recovery factor of 0.6 is obtained.) In this case, the recovery may actually be more probable than in a regular SBO, as all the essential personnel were on site due to hurricane preparations.
Nowadays the NPPs work on two 12-hr shifts, and the shift turnover usually starts around 6 am, give or take an hour. Thus, the fresh shift was probably on when the LOOP started (at 8 am), and by the time it was done, the hurricane effects were over and clearing of the roadways had started. But in any case, all the essential staff were probably ordered to stay on site for the duration.
Staffing
There were contingency plans. The plant entered the severe weather/flooding procedure on August 27. At 9 am that day, St. Charles parish declared mandatory evacuation. Thus, essential personnel were on site and their families had been evacuated either out of the area or into emergency shelters. The licensee activated the EOF (emergency operations facility) at the River Bend plant, for Waterford, and of course the NRC was monitoring the situation (they had inspectors and a special hurricane team on site). The licensee had compensatory measures in place, which means additional staffing. So, the staffing was normal, even beefed up, and there were people on site (e.g., from maintenance) who might not otherwise be there in a regular LOOP.
- 2. TED Data (Ref. 9, 10)
In 2000, the licensee received an extension to Technical Specification Allowed Outage Time for an EDG. As part of their submittal for this license change, they committed to having a TED available whenever EDG maintenance would extend beyond 72 hours, which was the old AOT.
The assumed failure rates for the TED were taken from NUREG/CR-4550, Vol. 6, Rev. 1 (Grand Gulf NUREG-1150) study. The values from that study are 3E-02 for failure to start and 2E-03/hr for failure to run, with a factor of 0.1.
The NPRD-95 numbers show the packaged standby EDG (this would be similar to the truck mounted diesel generator) reliability to be close (slightly higher failure probabilities) to what is used for installed EDGs in SPAR. (An overall failure rate of 9.1E-4/hr for packaged and 1.2E-4/hr for unpackaged standby diesel generators is shown). This is the data used in the best estimate analysis. This is more defensible than using the above data from NUREG-1150 or multiplying the EDG data by a factor of 7.6, the ratio of unreliabilities between the packaged and the unpackaged standby diesel generators in NPRD-95. The ratio approach would result in diesel generators which are too unreliable for commercial use (MTBF of only 160 hrs). A beta factor of 0.1 will be used, though that could be conservative as these are rental units, thus potential for common cause maintenance errors (which many times happen when two or more units are maintained close in time by same personnel) is reduced.
It should be noted that these are tandem generators (two diesels driving one generator), thus the failure rate should be somewhat increased over singular diesel generators.
(Also of note is that INL uses the same numbers for the SBO diesels as for the installed EDGs, though that is probably due to lack of data).
- 3. Modeling of TED mission time
The TED run time should be capped at 1 hr (because the 1st hr has the highest unreliability).
Refer to Tables H.1-H.2, below. As can be seen, the higher unreliability of TED running for longer times is more than offset by the lower EDG nonrecovery probability (as measured by the last column). (The two are effectively multiplied in the logic of the event tree CD sequences with EPS failure). In reality, we also have to add contributions from all possible TED run times, but the conclusion is the same. In case of common cause failure, the conclusion is the same, as is the case when timing of failure is considered. Note: the hourly TED failure probability is about 10% of the probability for TED FTS + FTR for the 1st hr, which is why the 3rd column is expressed as a fraction of the TED FTS + FTR 1st hr failure probability. It is assumed that battery depletion is 4 hrs, after which EDGs cannot be recovered. So, if the TEDs run for 3 hrs, say, then there are 3+4 hrs available for EDG repair, as the batteries will not be used while the TEDs are running, and we assume TEDs will immediately start running upon EDG failure. Otherwise there would be somewhat more than 3+4 hrs in the above example, as the TEDs would replenish the charge initially lost on the batteries.
The above holds for all sequences with EPS failures - whether or not TDEFW works.
There is a discrepancy between the RASP manual and the SPAR model regarding the proper recovery curve to use. Tables H.1 and H.2 use the SPAR and the RASP curves, respectively, though the latest information is that the SPAR curve is correct.
Table H.1. TED running time vs. EDG restoration, assuming the SPAR model recovery curve of 4 hr median repair time (independent failure of diesels in the RASP manual).

| TED mission time (hr) | Time available for EDG restoration (hr) | Ratio of total TED unreliability to TED FTS + FTR | EDG nonrecovery probability (time + 4 hr) | Ratio to EDGNRP at 4 hrs | Column 3 × Column 5 |
|---|---|---|---|---|---|
| 1 | 5 | 1.0 | .424 | .85 | .85 |
| 2 | 6 | 1.1 | .374 | .75 | .82 |
| 4 | 8 | 1.3 | .300 | .60 | .78 |
| 6 | 10 | 1.5 | .237 | .47 | .70 |
| 8 | 12 | 1.7 | .193 | .38 | .65 |
| 10 | 14 | 1.9 | .158 | .32 | .61 |
| 12 | 16 | 2.1 | .130 | .26 | .55 |
| 14 | 18 | 2.3 | .108 | .22 | .51 |
| 16 | 20 | 2.5 | .090 | .18 | .45 |
| 18 | 22 | 2.7 | .075 | .15 | .40 |
| 20 | 24 | 2.9 | .064 | .12 | .35 |

Table H.2. TED running time vs. EDG repair, assuming double the repair time in the SPAR model repair curve (as mentioned in RASP manual), i.e., 8 hr median repair time (no independent failure of EDGs).

| TED mission time (hr) | Time available for EDG restoration (hr) | Ratio of total TED unreliability to TED FTS + FTR | EDG nonrecovery probability (time + 4 hr) | Ratio to EDGNRP at 4 hrs | Column 3 × Column 5 |
|---|---|---|---|---|---|
| 1 | 5 | 1.0 | .602 | .93 | .93 |
| 2 | 6 | 1.1 | .556 | .86 | .95 |
| 4 | 8 | 1.3 | .484 | .75 | .98 |
| 6 | 10 | 1.5 | .424 | .65 | .98 |
| 8 | 12 | 1.7 | .374 | .58 | .99 |
| 10 | 14 | 1.9 | .332 | .51 | .97 |
| 12 | 16 | 2.1 | .300 | .46 | .97 |
| 14 | 18 | 2.3 | .265 | .41 | .94 |
| 16 | 20 | 2.5 | .238 | .37 | .92 |
| 18 | 22 | 2.7 | .214 | .33 | .89 |
| 20 | 24 | 2.9 | .193 | .30 | .87 |
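The trade-off in Tables H.1 and H.2, recomputed as an added example (not part of the NRC analysis): column 3 is taken as 1 + 0.1 × (mission time − 1), following the text's note that each later hour adds about 10% of the first-hour FTS + FTR probability, and column 5 divides column 4 by the nonrecovery probability at 4 hr. The value 0.647 used for Table H.2 is an assumption backed out of that table's first row, and the function and constant names are illustrative.

```python
# Added example: re-derive columns 3, 5 and 6 of Tables H.1 and H.2.
# Column 4 (EDG nonrecovery probability) is copied from the tables above.
BATTERY_HR = 4         # battery depletion time assumed in the text
HOURLY_FRACTION = 0.1  # each later TED hour adds ~10% of first-hour FTS + FTR

MISSION_HR = [1, 2, 4, 6, 8, 10, 12, 14, 16, 18, 20]
NRP_H1 = [.424, .374, .300, .237, .193, .158, .130, .108, .090, .075, .064]
NRP_H2 = [.602, .556, .484, .424, .374, .332, .300, .265, .238, .214, .193]
NRP4_H1 = 0.5    # 4 hr median repair time, from the Table H.1 caption
NRP4_H2 = 0.647  # assumption: backed out of Table H.2 row 1 (.602 / .93)


def ted_ratio(t):
    """Column 3: total TED unreliability over FTS + FTR for the first hour."""
    return 1.0 + HOURLY_FRACTION * (t - 1)


def build_rows(nrp, nrp_at_4hr):
    """Return (mission hr, hr available, col 3, col 4, col 5, col 6) rows."""
    rows = []
    for t, p in zip(MISSION_HR, nrp):
        col3, col5 = ted_ratio(t), p / nrp_at_4hr
        rows.append((t, t + BATTERY_HR, col3, p, col5, col3 * col5))
    return rows


def products(nrp, nrp_at_4hr):
    """Column 6 only: the factor that multiplies into the CD sequences."""
    return [r[5] for r in build_rows(nrp, nrp_at_4hr)]


def time_scaling_gap():
    """Largest gap between H.2 at time T and H.1 at T/2 (doubled repair time)."""
    h1 = {t + BATTERY_HR: p for t, p in zip(MISSION_HR, NRP_H1)}
    h2 = {t + BATTERY_HR: p for t, p in zip(MISSION_HR, NRP_H2)}
    shared = [T for T in h2 if T % 2 == 0 and T // 2 in h1]
    return max(abs(h2[T] - h1[T // 2]) for T in shared)


if __name__ == "__main__":
    for name, nrp, ref in (("H.1", NRP_H1, NRP4_H1), ("H.2", NRP_H2, NRP4_H2)):
        print("Table", name)
        for row in build_rows(nrp, ref):
            print("  %2d %2d %.1f %.3f %.2f %.2f" % row)
    print("max |H.2(T) - H.1(T/2)| =", round(time_scaling_gap(), 3))
```

Recomputed values differ from the printed columns by up to about 0.02 because the source rounds intermediate results. The product falls steadily under the Table H.1 curve but stays between roughly 0.87 and 0.98 under the Table H.2 curve, and `time_scaling_gap()` shows the H.2 values match the H.1 values at half the available time.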
- 4. Maintenance of SDC entry conditions
The operators can and will maintain the SDC entry conditions with or without the TDEFW pump (or MDEFW pumps); they can do that as long as there is water on the secondary side and SG PORV control (which they can also operate manually). They will use the PORVs, and not the SRVs, per procedure, so as to keep the pressure in the SDC band (there is no thermodynamic advantage to using the SRVs: the enthalpy of evaporation at 1,000 psi vs. 377 psi is 650 vs. 788 Btu/lb, while the vapor enthalpy is 1192 vs. 1205 Btu/lb).
Hence, the time to core uncovery would be: SG boiloff time + time to boil off sufficient RCS coolant to uncover the core. Conservatively, only the first term is used in most situations in this analysis. After the SG boiloff, the RCS pressure and temperature cannot be controlled.
However, once the power is back, a variety of methods could be used to depressurize the RCS and reenter the SDC entry conditions - but that is not credited.
- 5. Time to core uncovery (Ref. 3)
The rough calculations indicate that there may be around 8 hrs to SG boiloff, and maybe another 4 hrs to uncover the core (see Fig. 5.4-5 in the FSAR and deduct about 1,800 ft3 per SG for the primary water plus something for internal structure; one can estimate 5-6,000 ft3 on the secondary side per steam generator, with enthalpy of evaporation of 788 Btu/lb at 377 psi and 24 MW decay heat level; on the primary, there is about 10,750 ft3 in total, with some fraction of that above the core and about 600 Btu/lb heat of evaporation). On the other hand, the EDGs can only be recovered in the 4 hr battery depletion window (except for the self-contained TEDs).