ML072290167
| ML072290167 | |
| Person / Time | |
|---|---|
| Site: | Cooper  |
| Issue date: | 08/17/2007 |
| From: | Mallett B Region 4 Administrator |
| To: | Minahan S Nebraska Public Power District (NPPD) |
| References | |
| EA-07-090, IR-07-007 | |
| Download: ML072290167 (96) | |
See also: IR 05000298/2007007
Text
UNITED STATES .
NUCLEAR REGULATORY COMMISSION
R E G I O N IV
611 RYAN PLAZA D R I V E , SUITE 400
ARLINGTON, TEXAS 76011-4005
August 17,2007
EA 07-090
Stewart B. Minahan, Vice
President-Nuclear and CNO
Nebraska Public Power District
72676648AAvenue
Brownville, NE 68321
SUBJECT: FINAL SIGNIFICANCE DETERMINATION FOR A WHITE FINDING AND NOTICE
OF VIOLATION - NRC SPECIAL INSPECTION REPORT 05000298/2007007 -
COOPER NUCLEAR STATION
Dear Mr. Minahan:
The purpose of this letter is to provide you the final results of our significance determination of
the preliminary White finding identified in the subject inspection report. The inspection finding
was assessed using the Significance Determination Process and was preliminarily
characterized as White, a finding with low to moderate increased importance to safety, that may
require additional NRC inspections. This proposed White finding involved an apparent violation
of I O CFR Part 50, Appendix B, Criterion VI "Instructions Procedures, and Drawings," involving
the failure to establish procedural controls for evaluating the use of parts prior to their
installation in safety-related applications, (e.g. the emergency diesel generator).
At your request, a Regulatory Conference was held on July 13, 2007. During this conference
your staff presented information related to the voltage regulator failures that adversely affected
Emergency Diesel Generator (EDG) 2. This included information regarding the failure
mechanism of the voltage regulator circuit board, results of your root cause evaluations, and
associated corrective actions. The July 13, 2007, Regulatory Conference meeting summary,
dated July 18, 2007 (ML072000280), includes a copy of the CNS presentation.
Based on NRC review of all available information, including the information discussed during
the Regulatory Conference, the NRC has decided not to pursue a violation of 10 CFR Part 50,
Appendix B, Criterion V. However, the NRC has determined a violation of 10 CFR Part 50,
Appendix B, Criterion XVI, "Corrective Action," did occur in that CNS failed to promptly identify a
significant condition adverse to quality that resulted in the reduced reliability of EDG 2. Two
distinct and reasonable opportunities to identify the condition adverse to quality existed yet the
condition was not promptly identified and corrected to preclude recurrence. Specifically, your
inadequate procedural guidance for evaluating the suitability of parts used in safety related
applications presented one missed opportunity to identify that an EDG voltage regulating circuit
board was defective prior to its installation on November 8, 2006. Following installation of the
defective EDG 2 voltage regulator circuit board two high voltage conditions, one resulting in an
EDG automatic high voltage trip, occurred on November 13, 2006. Your evaluation of these
high voltage events missed another opportunity to identify and correct the deficient condition.
Nebraska Public Power District -2-
The failure to identify and correct this deficiency resulted in an additional high voltage trip of
EDG 2 that occurred on January 18, 2007. This violation is cited in the enclosed Notice of
Violation (Enclosure I ) . The details describing the 10 CFR Part 50, Appendix B, Criterion XVI,
Corrective Action, violation are described in Enclosure 2.
The NRCs preliminary assessment of the safety significance of the inspection finding is
documented in Attachment 3 of NRC Inspection Report 05000298/2007007 (ML071430289).
This assessment resulted in a change in core damage frequency (delta CDF) of 5.6E-6, being a
finding of low to moderate safety significance, or White. Our preliminary assessment used the
loss of offsite power (LOOP) initiating event frequency and EDG non-recovery/repair
probabilities, as described in NUREG/CR-6890, Reevaluation of Station Blackout Risk at
Nuclear Power Plants, Analysis of Loss of Offsite Power Events: 1986-2004. This assessment
assumed that the voltage regulator degraded only during times that the EDG was in operation.
The assessment assumed the voltage regulator could not be repaired or replaced in time to
affect the outcome of any core damage sequences. The ability to take manual control of
EDG 2 was not credited because procedures did not exist and training was not performed in
this EDG mode of operation. As a sensitivity assessment a case for diagnosing the failure of
the automatic voltage regulator and successfully operating the EDG in manual mode was
considered. A recovery failure probability for EDG 2 of 0.3 was assumed that lowered the delta
CDF to a value of 1.7E-6. A value characterized as having low to moderate safety significance,
or White.
Based on additional information indicating that the voltage regulator card failure mechanism
was intermittent, the NRC determined that a revised safety significance assessment was
warranted. This revised assessment is provided as Enclosure 3. This assessment was
performed assuming that the faulty voltage regulator card reduced the reliability of EDG 2. The
reduced reliability factor was calculated assuming that two failures resulting in high voltage
EDG trips occurred within a period of 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> during which the subject voltage regulator card
was energized. This assumption was made recognizing that an additional high voltage
condition occurred on November 13, 2006, that did not result in an EDG trip because the
duration of the high voltage condition was shorter than the time delay setting. Additionally, the
NRC revised assessment refined the probability of failing to recover the failed EDG 2 to a value
of 0.275. This value corresponds to an 83 percent probability for successfully diagnosing the
automatic voltage regulator failure, during a station blackout event, and a 90 percent probability
I
for successfully implementing recovery actions.
During the Regulatory Conference, CNS asserted the finding was of very low safety
significance, or Green. On July 27, 2007, CNS provided to the NRC their Probabilistic Safety
Assessment that is provided as Enclosure 4. The CNS assessment of very low safety
significance was made based on five key assumptions that differed from the NRCs.
The first difference was that following failure of EDG 2, CNS assumed recovery of EDG 2 prior to
core damage occurring with a failure probability of 0.032. This failure probability of recovery
significantly differed from the NRC assessment of 0.275. The NRC determined that 0.275 was a
more realistic value after reviewing the human error factors present. Factors assessed are
discussed in detail in the NRC Phase 3 Analysis provided in Enclosure 3. These factors included:
Nebraska Public Power District -3-
I ) the high complexity of diagnosing an automatic voltage regulator failure during a station
blackout event that would involve the support of CNS engineering staff; and 2) recovering the
failed EDG in manual voltage control during a station blackout event having incomplete
procedural guidance and a lack of operator training and experience involving operating the EDG
in manual voltage control during loaded conditions.
The second difference was that CNS calculated the reduced reliability factor for EDG 2 assuming
that one failure was the result of the defective diode during the 36-hour duration the subject
voltage regulator was energized. CNS asserted that conclusive evidence did not exist that the
cause of the November 13, 2006, event was the result of intermittent voltage regulator card diode
failure. The NRC reviewed all available information provided by CNS related to the November 13
event. This included the apparent cause evaluation, the laboratory failure analysis report,
industry operating experience, and electrical schematic review of the EDG voltage regulating
system. Based on our reviews the NRC determined that an intermittent diode failure of the
voltage regulator circuit board was the most plausible failure mechanism. Therefore, the NRC
concluded that two failures should be used in the EDG 2 reliability calculation.
The third difference involved CNS evaluating the aspect of convolution related to the probability of
recovering offsite power or EDG 1 before or close in time to the assumed failure of EDG 2. This
consideration would render the safety consequences of these events to be less significant. The
NRC agreed that our model was overly conservative in this aspect, and performed an
assessment that incorporated credit for convolution. This resulted in a reduction of delta CDF.
The fourth difference involved CNS crediting the station Class 1E batteries for periods greater
than the 8-hour duration utilized in the current risk model. Based on information reviewed the
NRC concluded that extended battery operation beyond eight hours was plausible, however,
other operational challenges would be present as described in Appendix A, Station Blackout
Event Tree Adjustments, Table A-I of the CNS Probabilistic Safety Assessment (Enclosure 4).
Based on these considerations the NRC adjusted our model extending the Class 1E batteries to
10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />. In addition, an adjustment was made to account for the recovery dependency
associated with the failure of both EDGs.
The fifth difference involved CNS asserting that implementation of specific station blackout
mitigating actions, that were not currently credited in either the NRC or the CNS risk models,
would reduce the risk significance of the finding. These specific actions included the use of fire
water injection to the core, manual operation of the reactor core isolation cooling (RCIC) system,
and the ability to black start an EDG following battery depletion events. Based on our review, and
as discussed in the NRC Phase 3 Analysis (Enclosure 3), the NRC determined the success of
using these alternative mitigation strategies were offset by the risk contribution of external events.
After careful consideration of the information provided at the Regulatory Conference, the
information provided in your risk assessment received on July 27, 2007, and the information
developed during the inspection, the NRC has concluded that the best characterization of risk for
this finding is of low to moderate safety significance (White), with a delta CDF of 1.2E-6.
Nebraska Public Power District -4-
You have 30 calendar days from the date of this letter to appeal the NRCs determination of
significance for the identified White finding. Such appeals will be considered to have merit only if
they meet the criteria given in NRC Inspection Manual Chapter 0609, Attachment 2. In
accordance with the NRC Enforcement Policy, the Notice of Violation is considered an escalated
enforcement action because it is associated with a White finding.
You are required to respond to this letter and should follow the instructions specified in the
enclosed Notice when preparing your response.
In addition, we will use the NRC Action Matrix to determine the most appropriate NRC response
and any increase in NRC oversight, or actions you need to take in response to the most recent
performance deficiencies. We will notify you by separate correspondence of that determination.
In accordance with 10 CFR 2.390 of the NRCs Rules of Practice, a copy of this letter, its
enclosures, and your response will be made available electronically for public inspection in the
NRC Public Document Room or from the Publicly Available Records component of NRCs
document system (ADAMS). ADAMS is accessible from the NRC Web site at
ht t P://w. nrc.aov/ readina- rm/adams .ht mI (the PubIic EIect ronic Reading Room) . To the extent
possible, your response should not include any personal privacy, proprietary, or safeguards
information so that it can be made available to the Public without redaction.
Sincerely,
Bru& S. Mallett
Regional Administrator
Docket: 50-298
License: DPR-46
Enclosure 1: Notice of Violation
Enclosure 2: Notice of Violation Details
Enclosure 3: NRC Phase 3 Analysis
Enclosure 4: CNS Probabilistic Safety Assessment
cc w/Enclosures:
Gene Mace John C. McClure, Vice President
Nuclear Asset Manager and General Counsel
Nebraska Public Power District Nebraska Public Power District
P.O. Box 98 P.O. Box 499
Brownville, NE 68321 Columbus, NE 68602-0499
Nebraska Public Power District -5-
D. Van Der Kamp, Acting Licensing Manager Daniel K. McGhee, State Liaison Officer
Nebraska Public Power District Bureau of Radiological Health
P.O. Box 98 Iowa Department of Public Health
Brownville, NE 68321 Lucas State Office Building, 5th Floor
321 East 12th Street
Michael J. Linder, Director Des Moines, IA 50319
Nebraska Department of
Environmental Quality Melanie Rasmussen, Radiation Control
P.O. Box 98922 Program Director
Lincoln, NE 68509-8922 Bureau of Radiological Health
Iowa Department of Public Health
Chairman Lucas State Office Building, 5th Floor
Nemaha County Board of Commissioners 321 East 12th Street
Nemaha County Courthouse Des Moines, IA 50319
1824 N Street
Auburn, NE 68305 Ronald D. Asche, President
and Chief Executive Officer
Julia Schmitt, Manager Nebraska Public Power District
Radiation Control Program 1414 15th Street
Nebraska Health & Human Services Columbus, NE 68601
Dept. of Regulation & Licensing
Division of Public Health Assurance P. Fleming, Director of
301 Centennial Mall, South Nuclear Safety Assurance
P.O. Box 95007 Nebraska Public Power District
Lincoln, NE 68509-5007 P.O. Box 98
Brownville, NE 68321
H. Floyd Gilzow
Deputy Director for Policy John F. McCann, Director, Licensing
Missouri Department of Natural Resources Entergy Nuclear Northeast
P. 0. Box 176 Entergy Nuclear Operations, Inc.
Jefferson City, MO 65102-0176 440 Hamilton Avenue
White Plains, NY 10601-1813
Director, Missouri State Emergency
Management Agency Keith G. Henke, Planner
P.O. Box 116 Division of Community and Public Health
Jefferson City, MO 65102-0116 Office of Emergency Coordination
930 Wildwood, P.O. Box 570
Chief, Radiation and Asbestos Jefferson City, MO 65102
Control Section
Kansas Department of Health Chief, Radiological Emergency
and Environment Preparedness Section
Bureau of Air and Radiation Kansas City Field Office
1000 SW Jackson, Suite 310 Chemical and Nuclear Preparedness
Topeka, KS 66612-1366 and Protection Division
Dept. of Homeland Security
9221 Ward Parkway
Suite 300
Kansas City, MO 641 14-3372
Nebraska Public Power District -6-
Distribution:
RIDSSECYMAILCENTER RIDSOCAMAILCENTER
RIDSEDOMAILCENTER RIDSOEMAILCENTER
RIDSOGCMAILCENTER RIDSNRROD
RIDSNRRADIP RlDSOPAMAlL
RIDSOIMAILCENTER RlDSOlGMAl LCENTER
RIDSOCFOMAILCENTER RlDSRGNl MAILCENTER
RIDSRGN2MAILCENTER RIDSRGN3MAILCENTER
RlDSNRRDlPMlIPB OEWEB
OEMAIL
cc wlenclosures (via ADAMS e-mail distribution):
B. Mallett (BSMI) DRS BCs (DAP, LJS, ATG, MPSI)
T.P. Gwynn (TPG) M. Herrera (MSH3)
K. Fuller (KSF) D. Starkey, OE (DRS)
W. Maier (WAM) M. Ashley, NRR (MAB)
A. Howell (ATH) N. Hilton, OE (NDH)
T. Vegel (AXV) M. Haire (MSH2)
D. Chamberlain (DDC) M. Vasquez (GMV)
R. Caniano (RJCI) C. Carpenter, OE (CAC)
W. Jones (WBJ) V. Dricks (VLD)
M. Hay (MCH2) J. Cai, OE (JXCII)
N. Taylor (NHT) S. Farmer (SEFI)
J. Wray, OE (JRW3)
SUNS1 Review Completed: MCH ADAMS: Yes0 No Initials: MCH
611 Publicly Available Non-Publicly Available 0 Sensitive EI Non-Sensitive
I /RA MCHay for/
07/26/07
RC:ACES
IRA/
08/09/07
DD:DRP
/RA/
08/09/07
/RA/
07/26/07
- ~- -
/RA/
07130107
- _--
KSFuller AVegel SMWong MFranovich SARichards
/RA/ /RA electronic/ /RA electronic/ /RA ECollins for/
081 09 107 081 09 107 081 09 I07 081 09 I07
OFFICIAL RECORD COPY T=Telephone E=E-mail F=Fax
- Previous Concurrence
NOTICE OF VIOLATION
Nebraska Public Power District Docket No. 50-298
Cooper Nuclear Station License No. DPR-46
During an NRC inspection completed on April 24, 2007, and following a Regulatory Conference
conducted on July 13, 2007, a violation of NRC requirements was identified. In accordance with
the NRC Enforcement Policy, the violation is listed below:
10 CFR Part 50, Appendix B, Criterion XVI, requires, in part, that measures shall be
established to assure that conditions adverse to quality, such as failures and malfunctions,
are promptly identified and corrected. In the case of significant conditions adverse to
quality, the measures shall assure that the cause of the condition is determined and
corrective action taken to preclude repetition.
Contrary to the above, as of January 18, 2007, the licensee failed to establish measures
to promptly identify and correct a significant condition adverse to quality, and failed to
assure that the cause of a significant condition adverse to quality was determined and that
corrective action was taken to preclude repetition. Specifically, the licensees inadequate
procedural guidance for evaluating the suitability of parts used in safety related
applications presented an opportunity in which the licensee failed to promptly identify a
defective voltage regulator circuit board used in Emergency Diesel Generator (EDG) 2
prior to its installation on November 8, 2006, a significant condition adverse to quality.
Following installation of the defective EDG 2 voltage regulator circuit board, the licensee
failed to determine the cause of two high voltage conditions which occurred on
November 13, 2006, and failed to take corrective action to preclude repetition. As a
result, an additional high voltage condition occurred resulting in a failure of EDG 2 on
January 18,2007.
This violation is associated with a White SDP finding.
Pursuant to the provisions of 10 CFR 2.201, Nebraska Public Power District is hereby required to
submit a written statement or explanation to the U.S. Nuclear Regulatory Commission, A T N : Document
Control Desk, Washington, DC 20555-0001 with a copy to the Regional Administrator, Region IV,
and a copy to the NRC Resident Inspector at the facility that is the subject of this Notice, within
30 days of the date of the letter transmitting this Notice of Violation (Notice). This reply should be
clearly marked as a Reply to a Notice of Violation; EA-07-090, and should include for each
violation: (1) the reason for the violation, or, if contested, the basis for disputing the violation or
severity level, (2) the corrective steps that have been taken and the results achieved, (3) the
corrective steps that will be taken to avoid further violations, and (4) the date when full
compliance will be achieved. Your response may reference or include previous docketed
correspondence, if the correspondence adequately addresses the required response. If an
adequate reply is not received within the time specified in this Notice, an order or a Demand for
Information may be issued as to why the license should not be modified, suspended, or revoked,
or why such other action as may be proper should not be taken. Where good cause is shown,
consideration will be given to extending the response time.
-1 - Enclosure 1
Because your response will be made available electronically for public inspection in the NRC
Public Document Room or from the NRC's document system (ADAMS), accessible from the NRC
Web site at http://www.nrc.qov/readinq-rm/adams.html, to the extent possible, it should not
include any personal privacy, proprietary, or safeguards information so that it can be made
available to the public without redaction. If personal privacy or proprietary information is
necessary to provide an acceptable response, then please provide a bracketed copy of your
response that identifies the information that should be protected and a redacted copy of your
response that deletes such information. If you request withholding of such material, you must
specifically identify the portions of your response that you seek to have withheld and provide in
detail the bases for your claim of withholding (e.g., explain why the disclosure of information will
create an unwarranted invasion of personal privacy or provide the information required by
10 CFR 2.390(b) to support a request for withholding confidential commercial or financial
information). If safeguards information is necessary to provide an acceptable response, please
provide the level of protection described in 10 CFR 73.21.
Dated this 17thday of August 2007.
-2- Enclosure 1
Notice of Violation Details
Scope
Following issuance of NRC Inspection Report 05000298/2007007 (ML071430289), that identified
an apparent violation of 10 CFR Part 50, Appendix B,Criterion V, "Instructions Procedures, and
Drawings," additional information was reviewed that included the CNS Probabilistic Safety
Assessment, laboratory information related to the failure mechanism of the voltage regulator
circuit board, and information discussed during the Regulatory Conference held on July 13, 2007,
related to this potential finding. After reviewing all available information related to the Emergency
Diesel Generator (EDG) 2 high voltage events, the NRC decided not to pursue a violation of
10 CFR Part 50, Appendix B, Criterion V. However, the NRC determined an apparent violation of
10 CFR Part 50, Appendix B, Criterion XVI, "Corrective Action," did occur in that CNS failed to
promptly identify a significant condition adverse to quality that resulted in the reduced reliability of
EDG 2. Two distinct and reasonable opportunities to identify the condition adverse to quality
existed yet the condition was not promptly identified and corrected to preclude recurrence. The
following details discuss the additional information reviewed and provide the basis for our
decision.
Details
On November 8, 2006, .a potentiometer mechanically failed during planned maintenance on the
Emergency Diesel Generator (EDG) 2 voltage regulator. Work order 4514076 provided the
technical instructions for this maintenance activity and contained a contingency for the
replacement of the voltage regulator printed circuit board. Replacement of the circuit board was
performed on November 8, 2006. Following replacement, the circuit board required tuning. The
tuning process was conducted on November 13, 2006, and included making incremental
adjustments to the R13 feedback adjust potentiometer and then introducing small voltage
demand changes. Approximately ten seconds after one voltage demand change EDG 2
experienced a pair of output voltage spikes, the first to approximately 5500 volts, and the second
to greater than 5900 volts. The second voltage spike resulted in a high voltage trip of EDG 2.
The NRC noted that at the time the voltage spikes occurred, maintenance personnel were
reviewing strip chart recorder traces and no voltage regulator components were being
manipulated and no changes in demanded voltage were occurring.
The licensee conducted a failure modes effects analysis (FMEA) and completed troubleshooting
activities consisting of diagnostic tests and test runs of EDG 2 between November 13-15, 2006.
Based on the lack of any additional high voltage events during the test runs, completion of the
FMEA, and input from a vendor field representative, the licensee concluded that the high voltage
events that occurred on November 13 were attributable to erratic behavior of the feedback
potentiometer being adjusted to tune the circuit board. This conclusion is described in the
apparent cause evaluation attached to Condition Report CR-CNS-2006-09096. After completion
of a subsequent series of satisfactory surveillance test runs, EDG 2 was declared operable on
November 19,2006. Subsequently, on January 18, 2007, EDG 2 experienced another high
voltage trip during surveillance testing. The licensee's root cause evaluation of this high voltage
trip, as described in Condition Report CR-CNS-2007-00480, determined that a manufacturing
defect of a diode, attached to the printed circuit board installed on November 8, 2006, caused the
high voltage conditions observed.
-1- Enclosure 2
The NRC reviewed the Condition Report CR-CNS-2006-9096 apparent cause evaluation
addressing the high voltage conditions experienced on November 13, 2006, conducted interviews
with engineers and maintenance personnel, and reviewed applicable technical manuals. The
NRC determined that erratic behavior of either or both potentiometers on the printed circuit board
was not a likely cause for the November 13, 2006, high voltage events. The NRC discussed this
observation with licensee management on February 1, 2007, after which the licensee initiated
Condition Report CR-CNS-2007-00959 documenting the concern. Following these discussions,
the licensee completed a more detailed evaluation of the apparent cause. This more detailed
evaluation concluded that the erratic behavior of the feedback potentiometer, combined with the
possibility that an oxidation layer could have built up on the potentiometer slide wire, could have
caused an open circuit on the voltage regulator printed circuit board. The licensee believed that
this open circuit could have resulted in the high voltage condition that EDG 2 experienced. The
NRC noted that this evaluation was not based on direct observation or circuit modeling, but on
hypothetical information from a field service vendor. The NRC questioned the licensee if the
vendors were aware of any similar EDG high voltage condition occurring due to erratic
potentiometer operation during the tuning process of the voltage regulator circuit board. The
licensee provided the NRC a written response from the vendor that stated, "No. In addition, we
have not seen or heard of such an event while adjusting the Range and/or Stability
potentiometers on any make or model of voltage regulator."
The NRC noted that the November 13, 2006, high voltage trip of EDG 2 was not viewed by the
licensee as a possible precursor to the January 18, 2007, event until the receipt of a laboratory
report on May 8, 2007. This laboratory report contained the results of destructive testing of the
VRI zener diode from the voltage regulator printed circuit board. This report provided definitive
evidence that the January 18, 2007, overvoltage trip of EDG 2 was caused by an intermittent
discontinuity in the diode resulting from a manufacturing defect. Based on this new information,
the licensee revised the root cause report in CR-CNS-2007-00480 and viewed the
November 13, 2006, EDG 2 high voltage trip as a possible precursor to the January 18, 2007,
EDG 2 high voltage trip. Additionally, the NRC noted that when the faulted circuit board was
being evaluated at the laboratory, no actions were taken to validate if the potentiometers on the
card were potentially the source of the high voltage events that occurred on November 13, 2006,
as their FMEA had concluded.
The NRC reviewed the FMEA performed in Condition Report CR-CNS-2006-9096. The NRC
noted that operating and maintenance instructions of the EDG voltage regulator system are
described in the Basler Electric Company Operation and Service Manual, Series Boost Exciter-
Regulator, Type SBSR HV, dated November 1970. In addition, the NRC noted that Electric
Power Research Institute (EPRI) published a technical report, Basler SBSR Voltage Regulators
for Emergency Diesel Generators, dated November 2004, that provided updated operating,
maintenance, and troubleshooting recommendations to industry users. The licensee used both
of these resources extensively for procedure development and to guide troubleshooting efforts.
The NRC noted Section 5 of the Basler vendor manual provided recommendations for
maintenance and troubleshooting. Table 5-1 of this manual provided a symptom based-probable
cause table for voltage regulator problems. In the case of the November 13, 2006, EDG 2 high
voltage trip, the following guidance was applicable:
-2- Enclosure 2
Svmptom Probable Cause Remedy
Voltage high, Open fuse F1 in If no voltage control
uncontrollable with voltage regulator on automatic
voltage adjust power stage. operation, replace
rheostat. fuse F1. If no
voltage control on
manual operation,
replace fuse F2.
Defect in voltage Replace printed
regulator printed circuit circuit board
board. No current assembly.
indicated on saturable
transformer control
current meter.
Section 8 of the EPRl technical report also provided troubleshooting recommendations. The
section of the table that provided valuable insight for the November 13 trip is as follows:
Symptom Problem Solution
Voltage high and No or low voltage Verify that there are
uncontrollable with from sensing no blown potential
motor operated potential transformer fuses
potentiometer transformers and that there are
(MOP) good connections
at the potential
transformers
Shorted MOP Replace R60 or
entire MOP
assernbly
T2 transformer set Verify tap setting of
to wrong tap 120 VAC
Faulty voltage Replace voltage
regulator assembly regulator assembly
The NRC noted that the FMEA discussed each of the probable causes of the uncontrollable high
voltage on EDG 2, but that not all of the recommended actions were taken. Specifically, the
licensee did not replace the faulty voltage regulator assembly even though both the Basler
technical manual and the EPRl technical report recommended its replacement following
uncontrollable high voltage conditions.
In addition, the NRC noted that Condition Report CR-CNS-2006-9096, contained a summary of
industry operating experience regarding failures of Basler voltage regulators. Of the 58 Basler
-3- Enclosure 2
failures listed in the report, 33 involved Basler SBSR voltage regulators, the same type used at
Cooper Nuclear Station. Of these, four involved manufacturing defects on the printed circuit
boards. The NRC identified another eight Basler voltage regulator failures related to
manufacturing quality in publicly available sources of operating experience. The NRC also noted
that none of these failures occurred due to erratic potentiometer operation utilized during the
tuning process.
As previously documented in NRC Inspection Report 05000298/2007007, the licensee root cause
report evaluating the January 18, 2007, EDG 2 high voltage event, documented in
CR-CNS-2007-00480, determined that the cause of the failure was that the original procurement
process did not provide technical requirements to reduce the probability of infant mortality failure
in the voltage regulator board. The licensee determined that the failed circuit board had been
purchased from the Basler Electric Company in 1973, but that the procurement of the part had
not specified any technical requirements from the vendor. In effect, the part was purchased as a
commercial grade item from a non-Appendix B source and placed into storage as an essential
component, ready for use in safety-related applications, without any documentation of its
suitability for that purpose. The licensee determined that the specification of proper technical
requirements, such as inspections and/or testing, would have provided an opportunity to discover
the latent defect prior to installing the card in an essential application.
During the Regulatory Conference on July 13, 2007, the licensee stated that even if they had
performed additional testing, such as a burn in, of the voltage regulator card prior to its
installation on November 8, 2006, that such testing would probably not identify the faulty diode.
In addition, the licensee stated that since this card was purchased in 1973, Generic Letter 91-05,
Licensee Commercial-Grade Procurement and Dedication Programs, discussed that the NRC
did not expect licensees to review all past procurements.
With respect to these assertions, the NRC determined that had the licensee performed testing of
the card prior to its installation in accordance with standard industry recommendations, there was
some probability that such a defect would have been identified. This conclusion was based on
the fact the laboratory findings coupled with the actual high voltage occurrences experienced on
November 13, 2006, and January 18, 2007, confirmed that the failure was of an intermittent
nature and variations such as temperature alone could cause the condition to manifest itself.
With respect to the assertion that Generic Letter 91-05 did not require licensees to review past
commercial grade procurements that may have been inappropriately dedicated suitable for safety
related applications, the NRC determined the licensee missed an opportunity to perform
additional evaluations concerning the suitability of the voltage regulating circuit board prior to its
installation. Specifically, Generic Letter 91-05 states, in part, that the NRC does not expect
licensees to review all past procurements. However, if failure experience or current information
on supplier adequacy indicates that a component may not be suitable for service, then corrective
actions are required for all such installed and stored items in accordance with 10 CFR Part 50,
Appendix B, Criterion XVI, Corrective Action. Based on the previously discussed operating
experience related to quality concerns associated with Basler voltage regulating cards, the NRC
determined that the licensee missed an opportunity to evaluate this information prior to installing
the EDG 2 voltage regulating card on November 8, 2006. Additionally, following the high voltage
conditions experienced on November 13, 2006, this operating experience, although obtained, did
not result in the licensee questioning the quality of the component as reflected in Item 10 of the
licensees Equipment Failure Evaluation Checklist dated November 30, 2006, stating there were
no concerns associated with the quality of the part.
-4- Enclosure 2
Additionally, the NRC reviewed Condition Report CR-CNS-2007-04278, which reported that the
licensee had failed to perform a required root cause analysis following the diesel generator failure
on November 13, 2006. Administrative Procedure 05.CR, Condition Report Initiation, Review,
and Classification, Revision 7, requires that a condition report be classified as Category A (root
cause investigation) for repeat Critical 1 Component equipment failures that have previously
been addressed with a root or apparent cause evaluation. Voltage control problems on EDG 2,
a critical Icomponent in the licensees equipment reliability program, had been addressed
using apparent cause evaluations on four separate occasions in the twelve months prior to the
November 13, 2006, high voltage trip. Contrary to the guidance in Procedure 0.5CR, the
November 13 trip was again assigned an apparent cause evaluation versus the required root
cause evaluation. When EDG 2 subsequently tripped again on January 18, 2007, a root cause
team was assembled, which resulted in the identification of a defective diode on the voltage
regulator printed circuit board.
Based on the previously discussed observations the NRC concluded that multiple opportunities
existed for the licensee to promptly identify that the EDG 2 voltage regulating card installed on
November 8, 2006, was defective prior to declaring the EDG operable on November 19, 2006.
Based on the failure to promptly identify this degraded condition corrective actions were not
implemented in accordance with 10 CFR Part 50, Appendix B, Criterion XVI, Corrective Action,
resulting in the failure of EDG 2 on January 18, 2007.
Analvsis: This finding is a performance deficiency because the licensee failed to promptly identify
that a defective Emergency Diesel Generator (EDG) 2 voltage regulator circuit board was
installed that resulted in adversely affecting the safety function of equipment important to safety.
This finding is more than minor because it is associated with the equipment performance attribute
of the Mitigating Systems cornerstone and adversely affects the cornerstone objective of ensuring
the availability, reliability, and capability of systems that respond to initiating events.
This finding was evaluated using the Significance Determination Process (SDP) Phase 1
Screening Worksheet provided in Manual Chapter 0609, Appendix A, Significance Determination
of Reactor Inspection Findings for At-Power Situations. The screening indicated that a Phase 2
analysis was required because the finding represents a loss of safety function for EDG 2 for
greater than its Technical Specification allowed completion time. The Phase 2 and 3 evaluations
concluded that the finding was of low to moderate safety significance (See Enclosure 3 for
details).
The cause of this finding is related to the problem identification and resolution crosscutting
components of the corrective action program and operating experience because the licensee
failed to thoroughly evaluate the EDG high voltage condition such that resolutions address the
causes and the licensee failed to effectively use operating experience, including vendor
recommendations, resulting in changes to plant equipment (P.l (c)), and (P.2(b)).
-5- Enclosure 2
Cooper Nuclear Station
Failure of EDG 2 Voltage Regulator
NRC Phase 3 Analysis
The NRC estimated the risk increase resulting from the degraded Emergency Diesel Generator
(EDG) 2 voltage regulator. The diesel was run at the following times with durations reported as
the period of time that the voltage regulator was energized (all of these operational runs were
conducted after the defective voltage regulator circuit board was installed):
11/11/06 0 hrs 3 min
11/13/06 1 hr 30 min (first failure)
11/14/06 6 hrs 46 rnin
11/15/06 1 hr 35 rnin
11/16/06 9 hrs 23 rnin
11/17/06 5 hrs 3 min
11/18/06 2 hrs 28 min
12/12/06 5 hrs 41 rnin
01/18/07 4 hrs 16 min (second failure)
The unit was returned to Mode 1 on November 22, 2006, and ran at power until the last failure
occurred on January 18, 2007. The period of exposure was 57 days.
Assumptions
1. The licensee determined that the voltage regulator failures were caused by an intermittent
condition resulting from a faulty diode. Two failures of the voltage regulator occurred
within a period of 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> during which the voltage regulator was energized. This
information was used to calculate an hourly failure rate for use in the risk analysis. The
NRC noted the licensee had calculated an increased unreliability of the voltage regulator
by performing a Bayesian update of industry data. However, the NRC determined that the
risk impact is more accurately expressed by modeling the condition as a new failure mode
of the diesel generator.
2. Common cause vulnerabilities for EDG 1 did not exist, that is, the failure mode is
assumed to be independent in nature. This is because the root caus'e investigation
determined that the failure was the result of a manufacturing defect resulting in an infant
mortality. The same component in EDGI had been installed since initial plant operations
and had operated reliably beyond the "burn-in" period, providing evidence that it did not
have the same manufacturing defect. The NRC considered the probability of EDG 1
failing from defective voltage regulator within a short period of time of the EDG 2 failure to
be too low to affect the results of this analysis.
3. The standard CNS SPAR model credited the Class 1E batteries with an 8-hour discharge
capability following a station blackout. Based on information received from the licensee,
this credit was extended to 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />. Although the batteries could potentially function
beyond I O hours under certain conditions other challenges related to the operation of
RCIC and HPCl in station blackout conditions would be present. These challenges
included the availability of adequate injection supply water and operational concerns of
-1- Enclosure 3
RClC under high back pressure conditions as a result of the unavailability of suppression
pool cooling during an extended station blackout event.
4. Using the SPAR-H methodology, it was estimated that the probability of recovering from
the failure, using manual voltage regulation control, in a time frame consistent with the
core damage sequences was 72.5 percent, or a 0.275 non-recovery probability. Recovery
would involve diagnosing the problem and then making a decision to either replace the
automatic voltage regulating circuit board or operate the EDG in a manual voltage
regulating mode.
The results of this analysis are presented in the table below:
Performance Shaping Diagnosis (0.01) Action (0.001)
Factor
Available Time I Expansive Time (0.01) (>2X
nominal and > 30 min.)
>5 Times Required (0.1)
Stress I High (2) High (2) I
I
Complexity I High ( 5 )
~
Moderate (2)
Experiencenraining Low (10)
Procedures Incomplete (20) Incomplete (20)
Ergonomics 1 Nominal Nominal I
Work Processes Nominal Poor (5)
Total 0.168
I Overall Total HRA I 0.275 I
(1) This reflects the result using the formula for cases where 3 or more negative PSFs are present.
The nominal time for performing the actions was small compared to the minimum time of
4 or 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> available (for most core damage sequences) to restore power following a
loss of offsite power (LOOP) event. The time available for diagnosis was considered to
be expansive because it exceeded twice what would be considered nominal and is greater
than 30 minutes. Extra time was credited for the action steps because at least 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />
would be available for most sequences and it was assumed that approximately 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />
would be required. High stress was assumed because the station would be in a blackout
condition. The steps needed to diagnose the problem and decide on an action plan to
either replace the voltage regulator or attempt manual voltage control operation were
considered to be highly complex because procedural guidance did not direct operators to
take manual voltage regulation control of the EDG following high voltage trip conditions.
Diagnosing the failed voltage regulator and determining subsequent recovery actions
would be an unfamiliar maintenance task requiring high skill. During NRC discussions
-2- Enclosure 3
with control room operators they stated engineering support would be required to evaluate
the diesel failure rather than attempt to start the EDG in manual control, potentially
damaging the machine.
The NRC addressed diagnosis recovery as presented in the SPAR-H Method in
NUREG/CR-6883, Section 2.8, Recovery. Additional credit for this finding was not
considered applicable because of a lack of additional alarms or cues that would occur
after the initial diagnosis effort was completed. Also, the NRC determined that recovery
from an initial diagnosis failure was already adequately accounted for in the 0.01 factor
that was applied for the availability of expansive time. The actions needed to operate the
diesel generator in a manual voltage regulating mode were considered to be moderately
complex. Low training and experience was assumed because the plant staff had not
performed this mode of operation and had not received specific training. Procedures
focused on manual operation of the diesel were not available, but credit for incomplete
procedures was applied because various technical sources were available that could be
pieced together to generate a temporary working procedure. Work processes for actions
were considered poor because a substantive crosscutting issue is currently open related
to personnel failing to adhere to procedural compliance, reflective of a trend of poor work
practices. The result of the SPAR-H analysis was a failure probability of 0.275. For the
short-term (30-minute) sequences in the SPAR model (corresponding to the failure of
steam-powered high pressure injection sources), credit for recovery of the EDG 2 voltage
regulator failure was not applied because of inadequate time available.
5. For cutsets that contained both recovery of EDG 2 from the voltage regulator failure and a
standard generic recovery for EDGs, which in this case would apply only to a recovery of
EDG 1, a dependency correction was applied as discussed in the SPAR-H Method in
NUREG/CR-6883, Section 2.6. The dependency rating was determined to be high,
based on the rating factors of same crew (crew in this case was defined as the team of
managers and engineers who would be making decisions related to the recovery of both
EDGs), close in time, and different location. To account for the dependency on the
recovery of EDG 1, the formula of (1 + base SPAR non-recovery probability)/2 was used.
The use of a dependency correction accounts for several issues, including the fact that
the standard EDG recovery factors in SPAR models address the probability of recovering
one of two EDGs that have failed, meaning that the more easily recoverable unit can be
selected for this purpose. In this case, the recovery factor is limited to only one EDG, and
the option to select the other EDG is not available within the mathematics of the model.
The dependency also accounts for situations where recovery of one EDG may be
abandoned in favor of recovery the other unit, and where the recovery team loses
confidence after experiencing a failure to recover the first EDG. It also accounts for the
splitting of resources in the double-EDG failure scenario.
6. For EDG fail-to-run basic events, the Cooper SPAR model assumes that the failure occurs
immediately following the loss of offsite power event. This is a conservative modeling
assumption because it fails to account for scenarios where offsite power or the other EDG
is recovered prior to the moment that the EDG 2 experiences a failure to run. For the
assumed intermittent failure condition of EDG 2, failure is assumed to be equally probable
throughout the 24-hour mission time. Therefore, recovery of offsite power or the other
diesel generator before or close in time following the assumed EDG 2 failure renders the
safety consequences of the performance deficiency to be insignificant in those cases. To
-3- Enclosure 3
correct for this conservatism, the Cooper SPAR model was modified with sequence
specific convolution correction factors that were applied whenever an EDG fail-to-run
event appeared in a cutset.
Internal Events Analysis
The Cooper SPAR model, Revision 3.31, dated October I O , 2006, was used in the analysis. A
cutset truncation of 1.OE-I 2 was used. Average test and maintenance was assumed. The model
was modified as previously discussed to apply convolution correction factors and to credit the
battery with a IO-hour discharge capability. In addition, a modeling error was discovered and
corrected related to the failure of a battery charger on a train alternate to an EDG failure. The
result of this correction reduced the base CDF result of the model.
For the estimate of the voltage regulator failure rate, the NRC assumed a zero prior distribution
which resulted in a lambda value of 0.556 for two failures occurring in a 36-hour time period
(Assumption 1). Using a Poisson distribution, this equates to a probability of 0.736 that the EDG
will fail to run within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> following a demand. A 24-hour period is used as the standard
mission time within the SPAR model.
The NRC created a new basic event for the failure of the voltage regulator and placed it into the
fault tree for Diesel Generator 2 Faults. Under the same AND gate, a basic event for recovery
of the EDG 2 voltage regulator failure (0.275) was inserted. As previously discussed, for cutsets
that contained both failure to recover EDG 2 from the voltage regulator failure and a standard
SPAR EDG recovery term, which would in this case only apply to EDG 1, a correction to the
standard EDG non-recovery probability was applied to account for the dependency between
these two recoveries. Using the SPAR-H methodology, a high dependency was determined and
the calculation using this assumption resulted in an increase in the non-recovery probability for
EDG 1 within the affected cutsets. Additionally, for cutsets containing a 30-minute recovery term,
related to the loss of high pressure injection sources, the value of the EDG 2 voltage regulator
non-recovery probability was set to 1.O, because recovery of EDG 2 would not be possible in that
time frame. The common cause EDG fail-to-run term was not changed and therefore all cutsets
containing this term were completely offset by the base case.
The following table displays the result of the analysis:
Delta-CDF Result in SPAR Result for 57-Day Exposure
7.846-6 /vr. 1.2E-6
The major cutsets were reviewed and no anomalies were identified.
External Events Analysis
The risk increase from fire initiating events was reviewed and determined to have a small impact
on the risk of the finding. Only two fire scenarios were identified where equipment damage could
cause an unintentional LOOP to occur. These are a fire in control room board C or a fire in
control room vertical board F. For these control room fires, the probability of causing a LOOP are
remote because of the confined specificity of their locations and the fact that a combination of hot
shorts of a specific polarity are needed to cause the emergency and startup transformer breakers
-4- Enclosure 3
to open. Breakers to these transformers do not lock out and recovery of power can be achieved
by pulling the control power fuses at the breakers and operating the breakers manually.
Procedures are available to perform these actions. The combination of the low event frequency
and high recovery probability means that fires in these locations do not add appreciably to the risk
of this finding.
The other class of fires resulting in a LOOP required an evacuation of the control room. In this
case, plant procedures require isolating offsite power from the vital buses and using the preferred
source of power, Division 2 EDG. The sequences that could lead to core damage would include
a failure of the Division 1 EDG, such that ultimate success in averting core damage would rely on
recovery of either EDG or of offsite power. A review of the onsite electrical distribution system
did not reveal any particular difficulties in restoring switchyard power to the vital buses in this
scenario, especially given that at least 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> are available to accomplish this task for the bulk of
the core damage scenarios.
Switchgear room fires only affected the ability to power one of the two vital buses from offsite
power, leaving at least one vital bus available for plant recovery. Therefore, a fire in Switchgear
Room A would not require operation of EDG 2 and a fire in Switchgear Room B would not affect
the risk difference of the finding because it would cause the same consequence as in the base
case.
In general, the fire risk importance for this finding is small compared to that associated with
internal events because onsite fires do not remove the availability of offsite power in the
switchyard, whereas, in the internal events scenarios, long-term unavailability of offsite power is
presumed to occur as a consequence of such events as severe weather or significant electrical
grid failures.
The Cooper IPEEE Internal Fire Analysis screened the fire zones that had a significant impact on
overall plant risk. When adjusted for the exposure period of this finding, the cumulative baseline
core damage frequency for the zones having the potential for a control room evacuation (and a
procedure-induced LOOP) or an induced plant centered LOOP was approximately 3.6E-7/yr. The
methods used to screen these areas were not rigorous and used several bounding assumptions,
the refinement of which would likely lower the result. Based on these considerations, the NRC
concluded that the risk related to fires would not be sufficient to change the risk characterization
of this finding.
The seismicity at Cooper is low and would likely have a small impact on risk for an EDG issue.
As a sensitivity, data from the RASP External Events Handbook was used to estimate the scope
of the seismic risk particular to this finding. The generic median earthquake acceleration
assumed to cause a loss of offsite power is 0.3g. The estimated frequency of earthquakes at
Cooper of this magnitude or greater is 9.828E-5/yr. The generic median earthquake frequency
assumed to cause a loss of the diesel generators is 3.lg, though essential equipment powered
by the EDGs would likely fail at approximately 2.0g. The seismic information for Cooper is
capped at a magnitude of 1.Og with a frequency of 8.187E-6. This would suggest that an
earthquake could be expected to occur with an approximate frequency of 9.OE-5/yr that would
remove offsite power but not damage other equipment important to safe shutdown.
To model the seismic risk, that NRC assumed that offsite power could not be recovered within
24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> and therefore zeroed all offsite power recoveries in the SPAR model. A CCDP was
-5- Enclosure 3
generated for the base case and, using the same assumptions for the failure probability of the
voltage regulator, for the analysis case. The result is presented in the following table:
(I EF=9E- 57-Day
Exposure
I.279E-3 7.560E-3 5.7E-7 8.9E-8
Flooding could be a concern because of the proximity to the Missouri River. However, floods that
would remove offsite power would also likely flood the EDG compartments and therefore not
result in a significant change to the risk associated with the finding. The switchyard elevation is
below that of the power block by several feet, but it is not likely that a slight inundation of the
switchyard would cause a loss of offsite power. The low frequency of floods within the thin slice
of water elevations that would remove offsite power for at least 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, but not debilitate the
diesel generators indicates that external flooding would not add appreciably to the risk of this
finding.
The NRC determined that although external events would add risk to the overall assessment, the
amount of risk would be small and not change the safety significance of the finding.
Alternative Mitigation Strategies
The NRC noted that several alternative mitigation strategies discussed by the licensee during the
Regulatory Conference on July 13, 2007, were not modeled or were disabled in the SPAR model.
These strategies included the ability to operate RClC in a manual mode of operation following
battery depletion, the use of firewater injection into the RCS, and the capability to blackstart an
EDG following loss of the Class IE dc buses.
With respect to the use of fire water injection the NRC noted that the CNS SPAR model
integrates a recovery based on firewater injection into the station blackout event tree. In the base
case, this recovery is set at a non-recovery probability of 1.O,which implies no recovery credit.
As a sensitivity study, the NRC assumed a baseline firewater failure probability of 0.1 and noted
that the final delta CDF result was decreased by only 2.1 percent because firewater was only
modeled in depressurized reactor coolant system sequences that were not large risk contributors
to this finding.
With respect to manual operation of the RClC system, the NRC noted that this mitigation strategy
was not credited in either the NRC or CNS risk assessment models. Nonetheless, the feasibility
of this strategy was assessed by reviewing station procedures, interviewing station personnel,
performing a field walkdown of the procedural steps with station operators, and evaluating the
human error factors that would be present following an extended station blackout event resulting
in depletion of the station essential batteries. Based on this qualitative review, the NRC
concluded that this strategy would not significantly change the overall risk assessment conclusion
for this specific type of event. Factors assessed that affected this decision included: 1) following
depletion of the battery supporting RClC operation the initial valve lineup supporting manual
system operation would take at least 75 minutes; 2) no cooling over an extended period of time in
the RClC turbine room causes an extremely high temperature environment that would
significantly restrict personnel stay times; 3) reactor vessel level indication is on a different
-6- Enclosure 3
elevation than the RCIC flow controls; 4) manual starting of the RClC pump in this configuration
has not been tested; 5) position indication is not readily available for motor operated valves;
6) procedures are not clear ensuring proper system alignment; 7) procedures do not verify
adequate RClC water supply tank level prior to starting the pump nor supply adequate guidance
to maintain adequate level during RClC operation to prevent vortexing concerns in the supply
tank; 8) one identified motor operated valve that is required to be manually operated is
approximately 12 feet above the floor and is not readily accessible because it is directly above the
RClC turbine; 9) operators would be required to travel up and down multiple levels (in an
extremely hot environment) repeatedly; and I O ) a substantive crosscutting issue is currently open
related to personnel failing to follow procedural guidance reflective of a trend related to poor work
practices.
Additionally, the ability to black start an EDG was reviewed by the NRC. The NRC concluded that
because of the many uncertainties and associated variables that credit for this mitigation strategy
was not readily quantifiable.
After review of the particular procedures, activities, and conditions under which these actions
would be taken, none of these strategies were considered to appreciably affect the risk
significance of the finding. Nevertheless, in a qualitative sense, they would improve the chances
for avoiding core damage. The NRC determined the success of using these alternative mitigation
strategies were comparable to the additional risk due to external events. Based on this
qualitative assessment these alternative mitigation strategies were considered offset by the risk
contribution of the external events.
Large Early Release Frequency:
In accordance with Manual Chapter 0609, Appendix A, Attachment 1, Step 2.6, Screening for the
Potential Risk Contribution Due to LERF, the NRC reviewed the core damage sequences to
determine an estimate of the change in large early release frequency caused by the finding.
The LERF consequences of this performance deficiency were similar to those documented in a
previous SDP Phase 3 evaluation regarding a misalignment of gland seal water to the service
water pumps. The final determination letter was issued on March 31, 2005, and is located in
ADAMS, Accession No. ML050910127. The following excerpt from this document addressed the
LERF issue:
The NRC reevaluated the portions of the preliminary significance determination related to
the change in LERF. In the regulatory conference, the licensee argued that the dominant
sequences were not contributors to the LERF. Therefore, there was no change in LERF
resulting from the subject performance deficiency. Their argument was based on the
longer than usual core damage sequences, providing for additional time to core damage,
and the relatively short time estimated to evacuate the close in population surrounding
Cooper Nuclear Station.
LERF is defined in NRC Inspection Manual Chapter 0609, Appendix H, Containment
Integrity Significance Determination Process as: the frequency of those accidents
leading to significant, unmitigated release from containment in a time frame prior to the
effective evacuation of the close-in population such that there is a potential for early health
effect. The NRC noted that the dominant core damage sequences documented in the
-7- Enclosure 3
preliminary significance determination were long sequences that took greater than
12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> to proceed to reactor pressure vessel breach. The shortest calculated interval
from the time reactor conditions would have met the requirements for entry into a general
emergency (requiring the evacuation) until the time of postulated containment rupture was
3.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />. The licensee stated that the average evacuation time for Cooper, from the
declaration of a General Emergency was 62 minutes.
The NRC determined that, based on a 62-minute average evacuation time, effective
evacuation of the close-in population could be achieved within 3.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />. Therefore, the
dominant core damage sequences affected by the subject performance deficiency were
not LERF contributors. As such, the NRCs best estimate determination of the change in
LERF resulting from the performance deficiency was zero.
In the current analysis, the total contribution of the 30-minute sequences to the current case CDF
is only 0.17% of the total. For 2-hour sequences, the contribution is only 0.04%. That is, almost
all of the risk associated with this performance deficiency involves sequences of duration 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />
or longer following the loss of all ac power. Based on the average 62-minute evacuation time as
documented above, the NRC determined that large early release did not contribute to the
significance of the current finding.
References
NUREG/CR-6890, Reevaluation of Station Blackout Risk at Nuclear Power Plants, Analysis of
Loss of Offsite Power Events: 1986-2004
Incremental Change in Core Damage Probability Resulting from Degraded Voltage Regulator
Diode Installed in the Division 2 Diesel Generator, PSA-ES083, Revision 0
NUREG/CR-6883, SPAR-H Human Reliability Analysis Method
Peer Review
See-Meng Wong, NRR
David Loveless, RIV
-8- Enclosure 3
Enclosure 4
PROBABILISTIC SAFETY ASSESSMENT
COOPER NUCLEAR STATION
ENGINEERING STUDY
Incremental Change in Core Damage Probability Resulting from Degraded
Voltage Regulator Diode Installed in the Division 2 Diesel Generator
PSA-ES082
Revision 0
Prepared By:
Risk Management Engineer
Reviewed By:
$isk Management Engineer
Approval:
Risk Management Supervisor
Revisions:
Reviewed Approved
Number Description BY Date BY Date
0 Original Issue See Above See Above
PROBABILISTIC SAFETY ASSESSMENT
COOPER NUCLEAR STATION
ENGINEERING STUDY
Incremental Change in Core Damage Probability Resulting from Degraded
Voltage Regulator Diode Installed in the Division 2 Diesel Generator
PSA-ES082
Revision 0
Signature/Date
See Original for Signatures
Prepared By: Ole Olson 7/27/2007
Risk Management Engineer
Reviewed By: John Branch 7/27/2007
Risk Management Engineer
Approval: Kent Sutton 7/27/2007
Risk Management Supervisor
Revisions:
Reviewed Approved
Number Description BY Date BY Date
0 Original Issue See Above See Above
Incremental Change in Core Damage Probability Resulting from Degraded Voltage
Regulator Diode Installed in the Division 2 Diesel Generator
TABLE OF CONTENTS
EXECUTIVE SUMMARY ......................................................................................................................................... 2
NOMENCLATURE ...................... ......................................................
DEFINITIONS
................................................................................................................................... 7
I .2.1 Discussion of the AC Electrical Power System at CNS ..................................................................
1.2.2 Defective Diodes Impact on Normal Operation
2.0 EVALUATION .................................................................................................................................................... 10
2.1 SPECIFIC INCREASE IN RISK RESULTING FROM THE DEFECTIVE DIODE ............ I O
2.1.1 ASSUMPTIONS AND CHARACTERISTICS OF THE MODEL ........................................................... 10
2.1.2 DERIVATION OF ICCDP ............................................................... 13
2.1.2.1 Base CDF Quantification 13
2.1.2.2 Conditional CDF Quantification ................................................................................................................ 15
2,1.3 RISK SIGNIFICANCE CONCLUSIONS WITH RESPECT TO ICCDP ................................................ 16
2.2 RISK INSIGHTS FROM BOUNDING ANALYSIS
2.2.2 ICCDP SENSITIVITY IN
2.2.3 BOUNDING ANALYSIS
2.3 LARGE EARLY RELEASE F ............................................................................... 20
2.4 EXTERNAL EVENT EVALUATION .....................
2.4.1 Intcrnal Fire
3.0 CONCLUSION ................................................................................................
4.0 REFERENCES ............................................................. 22
Appendix A Station Blackout Event Tree Adjustinelits
Appendix B Human Reliability Analysis
Appendix C Data Analysis for Defective Diode Installed in Voltage Regulator Card
Appendix D DG2 Voltage Control Board Diode Failure FIRE-LOOP Evaluation
Appendix E Time Weighted LOOP Recoveries for SBO Sequences
Page 1 of 23
Incremental Change in Core Damage Probability Resulting from Degraded Voltage
Regulator Diode Installed in the Division 2 Diesel Generator
EXECUTIVE SUMMARY
A focused probabilistic Risk assessment (PRA) based on the Cooper Nuclear Station PRA model
and the CNS SPAR model has been performed to evaluate the safety significance of a January
18, 2007, run failure of the division 2 emergency diesel generator (DG-GEN-DG2). This
assessment concluded that the increased risk can be characterized as veiy low in significance in
t e r m of incremental change in core damage probability resulting from at power internal and
exteimal events.
The run failure of DG-GEN-DG2 was the result of a diesel generator trip from an over voltage
condition that occuil-ed during routine surveillance testing. The failure occurred approximately 4
hours into the suiveillance run with the diesel generator synchronized to the grid. Investigation
found the over voltage condition was caused by an open circuit failure of a diode on the voltage
regulator card for DG-GEN-DG2. The voltage regulator card was installed in DG-GEN-DG2
during refLieling outage RE23 on November 8, 2006. Dissection of the diode at a laboratory
found that the open circuit was caused by a poor electrical connection inside the diode package.
Cross sectioning of the failed diode showed that connections between the die and the heat sinks
were at best marginal and that these marginal connections were the result of a manufacturing
defect. This manufacturing defect manifested itself as a random and intermittent open circuit
failure of the diode.
This assessment evaluates safety significance of this manufacturing defect in tenns of
incremental change in core damage probability (ICCDP). The ICCDP reflects the overall change
in risk resulting froin at power operations of Cooper Nuclear Station (CNS) while the defective
voltage regulator diode was installed in DG-GEN-DG2. The resulting ICCDP, computed with
the CNS PRA model of record is 1.351E-08 and is summarized in the following table.
ICCDP Derivation
Base CDF for CNS Full Power Oueration I 1.359E-OYYr I
Bounding Conditional CDF resulting froin Defective Diode I 1.3678E-OYYr I
Change in CDF resulting from Defective Diode 8.806E-08Nr
Duration of Full Power ODerations with Defective Diode 56 Davs
ICCDP Resulting from Defective Diode I 1.351E-08
The risk significance of the condition is characterized as very low significance. This is based on
the fact that the ICCDP is below an established threshold of safety significance set at 1.OE-06.
This risk significance threshold is used in various PSA applications including the Nuclear
Regulatory Commission Significance Determination Process, and the Maintenance Rule
Configuration Risk Assessments (1 O.CFR50.65(a)(4)).
An additional bounding ICCDP evaluation was also perfonned. This evaluation also
characterized risk as very low in significance with an ICCDP that was less than 1.OE-06. It was
performed using the CNS SPAR model. It is important to note that incremental change to Large
Early Release Probability is negligible and less than 1.OE-07 based on the fact that ICCDP is less
Page 2 of 23
Incremental Change in Core Damage Probability Resulting from Degraded Voltage
Regulator Diode Installed in the Division 2 Diesel Generator
than 1.OE-07. However, a qualitative evaluation of LERF impact was provided. This qualitative
evaluation found that change in L E W was negligible.
The DG2 over voltage trip also resulted in very low risk change in teiins of large early release
frequency (LEW), and core damage probability resulting from extei-nal events. Both the change
in L E W and core damage probability resulting from external events is characterized as very low
in safety significance.
Page 3 of 23
Incremental Change in Core Damage Probability Resulting from Degraded Voltage
Regulator Diode Installed in the Division 2 Diesel Generator
NOMENCLATURE
CDF Core Damage Frequency
CNS Cooper Nuclear Station
ICCDP Incremental Change in Core Damage Probability
ICLERP Incremental Change in Large Early Release Probability
DG Diesel Generator
DG -GEN-DG 2 Division 2 Emergency Diesel Generator
DIV I Division I
DIV I1 Division I1
HEP Human Error Probability
HPCI High Pressure Coolant Injection
IPE Individual Plant Examination
LERF Large Early Release Frequency
LOOP Loss of Offsite Power
LOSP Loss of Offsite Power
NRC United States Nuclear Regulatory Coininission
PDS Plant Damage State
PRA Probabilistic Risk Analysis
PSA Probabilistic Safety Assessment
SDP Significance Determination Process
Page 4 of 23
Incremental Change in Core Damage Probability Resulting from Degraded Voltage
Regulator Diode Installed in the Division 2 Diesel Generator
DEFINITIONS
Accident sequence - a representation in teims of an initiating event followed by a combination of
system, fiinction and operator failures or successes, of an accident that can lead to undesired
consequences, with a specified end state (e.g., core damage or large early release). An accident
sequence may contain many unique variations of events (minimal cut sets) that are similar.
Core damage - uncovery and heat-up of the reactor core to the point at which prolonged
oxidation and severe file1 damage is anticipated and involving enough of the core to cause a
significant release.
Core damage frequency - expected number of core damage events per unit of time.
Cutsets - Accident sequence failure combinations.
EizdStnte - is the set of conditions at the end of an event sequence that characterizes the impact
of the sequence on the plant or the environment. End states typically include: success states,
core damage sequences, plant damage states for Level 1 sequences, and release categories for
Level 2 sequences.
Event tree - a quantifiable, logical network that begins with an initiating event or condition and
progresses through a series of branches that represent expected system or operator performance
that either succeeds or fails and arrives at either a successfiil or failed end state.
Initintiizg Event - An initiating event is any event that pei-turbs the steady state operation of the
plant, if operating, or the steady state operation of the decay heat removal systems during
shutdown operations such that a transient is initiated in the plant. Initiating events trigger
sequences of events that challenge the plant control and safety systems.
Large early release - the rapid, unmitigated release of airborne fission products from the
containment to the environment occurring before the effective implementation of off-site
emergency response and protective actions.
Lnrge early release frequency - expected number of large early releases per unit of time.
Level I - identification and quantification of the sequences of events leading to the onset of core
damage.
Level 2 - evaluation of Containment response to severe accident challenges and quantification of
the mechanisms, amounts, and probabilities of subsequent radioactive material releases from the
containment.
Plant daiiznge state - Plant damage states are collections of accident sequence end states
according to plant conditions at the onset of severe core damage. The plant conditions considered
are those that determine the capability of the Containment to cope with a severe core damage
Page 5 of 23
Incremental Change in Core Damage Probability Resulting from Degraded Voltage
Regulator Diode Installed in the Division 2 Diesel Generator
accident. The plant damage states represent the interface between the Level 1 and Level 2
analyses.
Probability - is a numerical measure of a state of knowledge, a degree of belief, or a state of
confidence about the outcome of an event.
Probabilistic risk assessiizeizt - a qualitative and quantitative assessment of the risk associated
with plant operation and maintenance that is measured in tenns of frequency of occurrence of
risk metrics, such as core damage or a radioactive inaterial release and its effects on the health of
the public (also referred to as a probabilistic safety assessment, PSA).
Release category - radiological source tenn for a given accident sequence that consists of the
release fractions for various radionuclide groups (presented as fractions of initial core inventory),
and the timing, elevation, and energy of release. The factors addressed in the definition of the
release categories include the response of the containment structure, timing, and mode of
containment failure; timing, magnitude, and mix of any releases of radioactive inaterial; thermal
energy of release; and key factors affecting deposition and filtration of radionuclides. Release
categories can be considered the end states of the Level 2 portion of a PSA.
Risk - encompasses what can happen (scenario), its likelihood (probability), and its level of
damage (consequences).
Severe accident - an accident that involves extensive core damage and fission product release
into the reactor vessel and containment, with potential release to the environment.
Vessel Breach - a failure of the reactor vessel occurring during core melt (e.g., at a penetration or
due to thermal attack of the vessel bottom head or wall by molten core debris).
Page 6 of 23
Incremental Change in Core Damage Probability Resulting from Degraded Voltage
Regulator Diode Installed in the Division 2 Diesel Generator
1.0 INTRODUCTION
On Januaiy 18,2007, DG-GEN-DG2 tripped after running for approximately 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> during a
surveillance test. The trip resulted from an over voltage condition. The over voltage condition
resulted from an open circuit failure of a defective diode contained on the voltage regulator card
for DG-GEN-DG2.
1.1 PURPOSE
In order to assist in a significance determination of the DG-GEN-DG2 trip, a risk assessment is
provided herein. The card with the defective diode was installed on November 8, 2006 during
refuel outage, RE23. Cooper Nuclear Station resumed full power operations from RE23 on
November 23, 2006. Based on this timeline, this risk assessment evaluates this condition for an
exposure time of 56 days. This risk assessment predicts the incremental change in core damage
probability (ICCDP) and relates the significance of the risk increase using industry established
ICCDP thresholds.
The risk assessment also evaluates impacts to the baseline Large Early Release Frequency
(LERF)as well as core damage probabilities attributed to external events.
1.2 BACKGROUND
1.2.1 Discussion of the AC Electrical Power System at CNS
The station electrical power systems provide a diversity of dependable power sources which are
physically isolated. The station electrical power systems consist of the normal and startup AC
power source, the emergency AC power source, the 4160 volt and 480 volt auxiliaiy power
distribution systems, standby AC power source, 125 and 250 volt DC power systems, 24 volt DC
power system, 115/230 volt AC no break power system, and the 120/240 volt AC critical power
system.
Figure 1.1 illustrates the power supplies and distribution for the station loads at the 41 60 volt AC
bus level.
The noi-mal AC power source provides AC power to all station auxiliaries and is the normal AC
power source when the main generator is operating. The startup AC power source provides AC
power to all station auxiliaries and is noiinally in use when the noma1 AC power source is
unavailable.
The emergency AC power source provides AC power to emergency station auxiliaries. It is
normally used to supply emergency station auxiliary loads when the main generator is shutdown
and the startup AC power source is unavailable.
The station 4160 volt and 480 volt auxiliaiy power distribution systems distribute all AC power
necessary for startup, operation, or shutdown of station loads. All poi-tions of this distribution
system receive AC power from the normal AC power source or the startup AC power source.
The critical service portions of this distribution system also can receive AC power from the
standby AC power source or the emergency AC power source.
Page 7 of 23
Incremental Change in Core Damage Probability Resulting from Degraded Voltage
Regulator Diode Installed in the Division 2 Diesel Generator
The standby AC power source provides two independent 41 60 volt DGs as the on-site sources of
AC power to the critical service portions of the auxiliary power systems. Each DG provides AC
power to safely shutdown the reactor, maintain the safe shutdown condition, and operate all
auxiliaries necessary for station safety.
The above power sources are integrated into the following protection scheme to insure that the
CNS emergency loads will be supplied at all times.
If the normal station service transformer (powered by the main generator) is lost, the startup
station service transformer, which is normally energized, will automatically energize 4 160
volt buses 1A and 1B as well as their connected loads, including the critical buses. If the
stamp station service transformer fails to energize the critical buses, the emergency station
service transformer, which is normally energized, will automatically energize both critical
buses. If the emergency station service transformer were also to fail, the DGs would
automatically energize their respective buses.
The defective diode was installed in the voltage regulator for 56 days while CNS was at power.
The voltage regulator card was part of the excitation control for DG-GEN-DG2 (illustrated as
diesel generator #2 in Figure 1.1). All other power sources available to the 41 60 Volt AC buses
remained available and unaffected by the defective diode.
Page 8 of 23
Incremental Change in Core Damage Probability Resulting from Degraded Voltage Regulator Diode
Installed in the Division 2 Diesel Generator
Figure 1.1 Cooper Nuclear Station Single Line, 4160 Volt Distribution
FROM FROM
MAIN GENERATOR 345 KV1161 KV GRID
v v
STATION SERVICE
STATION SERVICE TRANSFORMER
TRANSFORMER
EMERGENCY
STATION SERVICE 4160v69 Kv
TRANSFORMER
- EB )
6
DIESEL GENERATOR #1
0
f
0.PSS. LINE
s
DIESEL GENERATOR #2
Page 9 of 23
Incremental Change in Core Damage Probability Resulting from Degraded Voltage Regulator Diode
Installed in the Division 2 Diesel Generator
1.2.2 Defective Diodes Impact on Normal Operation
During nonnal operations the DG-GEN-DG2 is not required to provide power to support plant loads. DG-GEN-
DG2 is tested during nonnal operations and electrical load is supplied through synchronization of DG2 to the
offsite power grid. Protective relaying is provided to prevent iinpact to noma1 operations should DG-GEN-DG2
encounter electrical failures while being tested. These protective devices remained fully operation while the
defective diode was installed. Thus, installation of the defective diode had no impact on nonnal plant operations
and resulted in negligible increase in the frequency of occurrence of plant events.
1.2.3 Defective Diodes Impact on Emergency Operation
During a plant emergency, which includes the inability to provide power to the 4160 Volt AC buses with offsite
power, DG-GEN-DG2 is the remaining power source for 4160 critical bus 1G.
The defective diode installed in DG-GEN-DG2 affected the ability of the generators excitation controls to
regulate voltage. The defective diodes open circuit failure inode resulted in an over voltage condition which
tripped DG-GEN-DG2 rendering it incapable of providing power to 4160 Volt AC bus 1G in the automatic
voltage control mode.
It should also be noted that the defective diode is a subcomponent of the automatic voltage regulating portion of
DG-GEN-DG2. DG-GEN-DG2 would be fully recoverable when started and loaded to bus 1G using the inanual
voltage regulating controls provided locally in the diesel generator room.
2.0 EVALUATION
This section evaluates the specific increase in risk resulting fioin the defective diode found in DG-GEN-DG2 and
documents other bounding analysis coinpleted to provide key insights into the overall risk significance of the
defective diode.
Section 2.1 evaluates the incremental increase in core dainage probability that results from the risk increase
caused by the defective diode installed in the voltage regulator card. This section provides the specific
conclusions of overall risk impact.
Section 2.2 provides bounding analysis to fiirther substantiate the conclusions provided in section 2.1.
Sections 2.3 and 2.4 discuss exteinal events and large early release frequency changes that resulted froin the
defective diode.
2.1 SPECIFIC INCREASE IN RISK RESULTING FROM THE DEFECTIVE DIODE
2.1.1 ASSUMPTIONS AND CHARACTERISTICS OF THE MODEL
1) The CNS 2006TM PRA inodel and the NRC CNS SPAR inodel (Revision 3.31, dated October I O , 2006) werc
applicable for use in this evaluation.
Page 10 of 23
Incremental Change in Core Damage Probability Resulting from Degraded Voltage Regulator Diode
Installed in the Division 2 Diesel Generator
Quantification was truncated at 1.OE-12 to ensure results captured all relative combinations in the PRA
sequences.
The condition evaluated is limited to the time in which the defective diode was installed during at power
conditions. This was approximated as the time in which reactor power was above turbine bypass valve
capacity and correlates to the period starting November 23,2006 to January 18,2007. The exposure period
for the condition is 56 days.
Fire water injection for the purposes of reactor inventory makeup and cooling is not credited in this
evaluation. It should be noted, however, that this injection source is viable and available for mitigation of
SBO sequences. The use of the diesel driven fire protection pump has been identified as a mitigation system
during several emergency drills by the Emergency Response Organization. The system provides W V
injection through one of three possible hose connections to the RHR system. The procedure
(5.3ALT-STRATEGY) and equipment needed to accomplish RPV injection using the fire protection pump
are in place.
The ability to black start DG-GEN-DG1 or DG2 was not credited in this study. Procedures are in place at
CNS (5.3 ALT-STRATEGY) that direct the black start of a diesel generator. This means a DG can be
started and tied to the critical AC bus after the station batteries are depleted.
The diesel generator fail to run failure rate and probability contained in the CNS SPAR model of record
(Reference 3) will be used for this evaluation to allow a more direct comparison between CNS PRA results
and the CNS SPAR Model results. This failure probability is defined as 2.07E-02 in the SPAR model.
Both the CNS PRA Model and SPAR Model event trees for station blackout will use the actual battery
depletion times documented in CNS PRA internal events analysis. Refer to Appendix A for details on these
depletion times.
The failure rate for the defective diode was derived per the guidance of NUREG CR6823 (Reference 4).
This derivation included Bayesian estimation through application of a constrained noninformative prior to
best represent failure rates given the existing diesel generator failure data available in the PRA models and
the small amount of nm time experienced by the defective diode. See Appendix C for derivation of the
defective diode failure rates. Further sensitivity analysis was provided to ensure that bounding diode failure
rates using other statistical approaches result in negligible risk increase (refer to Section 2.2.2).
Actual failures of the defective diode while installed in the excitation control circuit for DG-GEN-DG2 has
been deteiinined to be 1 (one) for the purposes of failure rate derivations.
Evaluation of perfoiinance leading to the over voltage trip of DG-GEN-DG2 on January 18, 2007 and
subsequent root cause lab testing found that there were two other instances that could be attributed to the
open circuit failure condition of the defective diode. However both of these instances were dismissed as
fo11ow s :
During post maintenance testing of DG-GEN-DG2 on November 11, 2006, an over voltage condition was
noted while tuning the control circuit that contained the defective diode. Because this testing did not
provide conclusive evidence that the diode was the cause of the over voltage condition and because DG-
Page 11 of 23
Incremental Change in Core Damage Probability Resulting from Degraded Voltage Regulator Diode
Installed in the Division 2 Diesel Generator
GEN-DG2 demonstrated over 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> of successful i-un time after occurrence of the November 1 1, 2006
condition, this instance is dismissed as a attributable failure of the defective diode.
A post failure test of the circuit card that included the defective diode resulted in both satisfactory card
operation followed by unsatisfactory card operation with subsequent determination that the defective
diode was in a permanent open circuit state. This lab testing failure has been dismissed in this shidy due
to the large amounts of variability introduced by shipping of the card to the lab, the differences between
lab bench top testing and actual installed conditions, and equipment and human errors that could be
attributed to test techniques.
Section 2.2 provides analysis to address sensitivity in the assumption of number of actual diode failures.
Expected operator actions that would be taken to recover from the over voltage trip that was experienced on
January 18, 2007 include a successful restart of DG-GEN-DG2 and loading of the generator using the
manual voltage controls provided locally in the diesel generator room. The diagnosis and performance of
this recovery has been determined to have a non-recovery probability of 3.OE-02. The detailed evaluation
for this human reliability analysis is included in Appendix B.
The CNS Level 1 and Level 2 PRA Model was developed based on plant specific fiinctions and system
success criteria for each of the important safety functions and support systems relied upon for accident
prevention or mitigation for the duration of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> following an event. The systems included in the model
were those that supported the overall objective of maintaining adequate core and containment cooling. There
are two figures-of-merit for meeting these objectives: core damage frequency and large early release
frequency. The definitions used in this study are consistent with the CNS PRA.
For the purposes of this study, the mission time for the DG iun was assumed to be 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. To compensate
for this overly conservative assumption, the sensitivity study in Section 2.2.2 includes sequence dependent
time-weighted offsite power non-recoveiy probabilities. The derivation of these non-recovery probabilities
is discussed in Appendix E. The Diesel Generator failure-to-run events are treated in the CNS PRA with a
lumped parameter approximation. All i-un failures are treated as failures occurring at accident initiation
(t=O). This treatment results in not accounting for diesel offsite power recoveiy at extended times associated
with these failure modes even though adequate AC power is available during the initial diesel run. To
ininiinize the conservative impact of this lumped parameter assumption in the regular CNS PRA model (as
opposed to the model used for this analysis), a iyin time of 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> is used in establishing nin failure
probability. This is based on the following: The DG mission time accounts for two competing effects. The
first is the running failure rate of the DG and the second is the recovery of offsite or on-site AC power. All
cutsets with a DG fail to i-un event must also include an offsite or on-site AC power non-recovery event. The
time dependent product of these two events is maximized at about 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> into the accident.
The offsite power non-recoveiy probability is dominated by weather related events beyond 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> into the
accident. The initiating frequencies used in this shidy include costal effects such as sea spray and hurricanes.
Due to the location of CNS, inclusion of these events results is overly conservative when included in non-
recoveiy probabilities. The exclusion of these events from the LOOP non-recovery probabilities is
appropriate; however, the events are included in the LOOP frequency.
Page 12 of 23
Incremental Change in Core Damage Probability Resulting from Degraded Voltage Regulator Diode
Installed in the Division 2 Diesel Generator
2.1.2 DERIVATION OF ICCDP
Derivation of ICCDP resulting from the over voltage trip of DG-DEN-DG2 that occurred on January 18,2007
provides the following results.
Base CDF Conditional CDF Change in CDF Exposure (days) Incremental
Resulting from Change in Core
the Defective Damage
Diode Probability
1.359E-O5/Yr 1.3678E-O5/Yr 8.806E-08Nr 56 1.351E-08
2.1.2.1 Base CDF Quantification
Base CDF was derived by quantification of the CNS PRA model of record with the following adjustments to best
fit this application.
1. The diesel generator fail to run basic event probabilities were changed to reflect those in the SPAR
model. Specifically, basic events EAC-DGN-FR-DG1 and EAC-DGN-FR-DG2 probabilities were
changed from 1.45E-03 to 2.07E-02. This was done to allow a better comparison between SPAR
results and CNS PRA model results. This also changed the DG mission times to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> as opposed
to the 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> that is noiinally used in the CNS PRA model.
2. Loss of offsite power frequencies and recoveries were revised to best reflect current industry
performance data. NUREG CR 6890 (Reference 2) was used to derive these new values. These
values are reflected in Table 2.1.2-1. This table also details the 10 and 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> DG recoveries
required to support the event tree adjustments made in Appendix A. All DG recoveries were obtained
using the existing CNS PRA model basis documents. (Reference 6).
3. The SBO portions of the event trees were revised to better reflect the SPAR SBO structure. The SBO
portion of the event trees were also revised to extend recovery times. This accurately models actual
battery depletion times that are in excess of those currently modeled. Refer to Appendix A for further
discussions on the event tree revisions.
Page 13 of 23
lncrernental Change in Core Damage Probability Resulting from Degraded Voltage Regulator Diode
Installed in the Division 2 Diesel Generator
Table 2.1.2- 1 Loss of Offsite Power Frequency and Non-recoveiy Updates
%TI G-INIT I Grid Centered Loss Of Offsite Power 7.18E-03
%T 1P-INIT I Plant Centered Loss Of Offsite Power 1.31E-02
YoT 1 W-INIT I Weather Centered Loss Of Offsite Power 4.83E-03
I NR-DG-IOHR I Non-Recoverv Of DG Within 10 Hours I 2.60E-01 I
NR-LOSP-G 1 OHR I Conditional Non-Recovery Grid Centered Off-Site Power In 10hr 3.64E-02
NR-LOSP-GI 2HR I Conditional Non-Recovery Grid Centered Off-Site Power In 1211r 2.42E-02
NR-LOSP-G 1 HR Non-Recovery Of Grid-Centered LOSP Within 1 Hr 3.73E-0 1
NR-LOSP-G24HR Conditional Non-Recovery Of Grid Centered Off-Site Power In 24 Hrs 4.15E-03
NR-LOSP-G6HR Conditional Non-Recovery Of Grid Centered Off-Site Power In 6 Hrs 9.76E-02
NR-LOSP-GgHR Conditional Non-Recovery Of Grid Centered Off-Site Power In 8 Hr 5.73E-02
NR-LOSP-PI OHR Conditional Non-Recoverv Plant Centered Off-Site Power In 1Olir 2.48E-02
NR-LOSP-P 12HR Conditional Non-Recovery Plant Centered Off-Site Power In 1211r 1.71E-02
NR-LOSP-P 1HR Non-Recovery Of Plant-Centered LOSP Within 1 Hr 1.18E-01
NR-LOSP-P24HR Conditional Non-Recovery Of Plant Centered Off-Site Power In 24 Hrs . 3.49E-03
NR-LOSP-P6HR Conditional Non-Recovery Of Plant Centered Off-Site Power In 6 Hrs 6.42E-02
NR-LOSP-P8HR Conditional Non-Recovery Of Plant Centered Off-Site Power In 8 Hr 3.83E-02
NR-LOSP-W 1 OHR Conditional Non-Recovery Weather Off-Site Power In I Ohr 2.89E-01
I NR-LOSP-W 12HR Conditional Non-Recovei-v Weather Off-Site Power In 1211r 2.5 5 E-0 1
NR-LOSP-W 1 HR Non-Recovery Of Weather-Related LOSP Within 1 Hr 6.568-01
NR-LOSP-W24HR Conditional Non-Recovery Of Weather Centered Off-Site Power In 24 Hrs 1.48E-0 1
NR-LOSP-W6HR Conditional Non-Recovery Of Weather Centered Off-Site Power In 6 Hrs 3.97E-01
NR-LOSP-W 8HR Conditional Non-Recovery Of Weather Off-Site Power In 8 Hr 3.34E-01
Page 14 of 23
Incremental Change in Core Damage Probability Resulting from Degraded Voltage Regulator Diode
Installed in the Division 2 Diesel Generator
2.1.2.2 Conditional CDF Quantification
Conditional CDF was also quantified using the CNS model of record with the adjustments detailed for the base
CDF. The defective diode was modeled as a new and separate event placed in the diesel generator fault tree as an
input to gate EAC-DG2-007, Diesel Generator DG2 Failures. The original DG2 fail-to-nin event EAC-DGN-
FR-DG2 was also retained in the tree. The defective diode probability was set at 5.70E-02 (see Appendix C) and
adjusted to reflect a non-recovery probability of 0.03 (see Appendix B). The following represents the addition of
defective diode modeling.
, . . I I
I
II P
U,
I I
Page 15 of 23
Incremental Change in Core Damage Probability Resulting from Degraded Voltage Regulator
Diode Installed in the Division 2 Diesel Generator
2.1.3 RISK SIGNIFICANCE CONCLUSIONS WITH RESPECT TO ICCDP
The exposure of DG-GEN-DG2 to the failure mode presented by the defective diode found in the
voltage regulator card resulted in quantifiable increases in risk. Increase was quantified as an
incremental change in core damage probability of 1.351E-08. This is judged as not risk significant
and well below the risk significance ICCDP threshold of 1.OE-6 set for PRA applications.
The low significance is a result of a small exposure time (56 days), Cooper Nuclear Station design
features that provide redundancy to DG-GEN-DG2, and the ability to recover from the diodes open
circuit failure mode.
2.2 RISK INSIGHTS FROM BOUNDING ANALYSIS
The assumptions made for this risk change application were chosen to most accurately reflect
conditions that existed at the time of the over voltage trip of DG-GEN-DG2 on January 18, 2007.
Review of the assumptions found the following are key contributors in the overall derivation of
ICCDP:
1. The non-recoveiy probability derived in Appendix B
2. The defective diode failure probability estimated in Appendix C
3, The statistical methodology used to determine the diode failure probability
This section performs bounding analysis using both SPAR and the CNS PRA models to provide
insight with respect to the sensitivity of the diode non-recovery and failure probabilities.
2.2.1 ICCDP SENSITIVITY IN RELATION TO NON-RECOVERY AND DIODE FAILURE
RATE
Tables 2.2.1-1 and 2.2.1-2, as well as Figure 2.2.1-1, represent the sensitivity of ICCDP in relation to
both non-recoveiy probabilities and diode failure probabilities. Diode failure probabilities are varied
to detail how the assumed number of failures experienced while the defective diode was installed
affects overall ICCDP. Non-recovery probabilities are increinented in steps of 0.5 to provide relative
sensitivity insights.
The ICCDP values were derived using the same methods outlined in Section 2.1 above. The SPAR
model of reference was used including the adjustments detailed in Appendix A.
Page 16 of 23
!9
U-I
Y
8
u-)
Y
>
E
a,
5
.
E:
3
s
M
N
Ccl
x 0
00
i
T-
a,
M
E: ti;
u
o
CQ
.c 2
u
I 3 0
cd I
Y 3 Lo co
C 4 4
a,
E 2 W
0
9
a,
L
0
C
5
M
. 3
T- F
d0331
Y ,.
c4
Incremental Change in Core Damage Probability Resulting from Degraded Voltage Regulator
Diode Installed in the Division 2 Diesel Generator
2.2.2 ICCDP SENSITIVITY IN RELATIONS TO STATISTICAL METHOD
A bounding ICCDP was also derived using a conservative statistical approach in which a inaxiinuin
likelihood estimation was applied
This bounding analysis assumed two failures of the defective diode occurred in 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> of nin time.
The inaxiinin likelihood estimation (MLE) allows the diode failure probability to be calculated
directly through use of Poisson as follows:
( 1 -Exp(-A,,w *24)), or
( 1 -Exp(-(2/36) "24)) = 0.736
This diode failure probability increases the'actual ICCDP derived in section 2.1 by a factor of 8.5.
This increase approaches the risk significance threshold of 1.OE-06. Further evaluation found it
prudent to adjust ICCDP to account for the conservatisin resulting in the assumption that all diesel
generator run failures occur at the start of station blackout events. This adjustment is similar to
application of the convolution integral and is detailed in Appendix E. Results of application of
Appendix E, specifically Tables 5.1 through 5.3, results are as follows:
Table 2.2.2-1 Diode Failure Probability as a Function of DG Non-Recovery Probability
2 failures (CNS MODEL w/ MLE and
Number of diode failures in 36 hour4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />s>>> Time Weighted NR-LOSP)
Diode Failure Probability (24 how mission)>>> 0.736402862
+
DG Non-Recovery Probability
0.03
+
1.01345E-07
0.05 1.68909E-07
0.1 3.378 17E-07
0.15 5.06726E-07
0.2 6.75634E-07
0.25 8.44543E-07
0.3 1.01345E-06
0.35 1.18236E-06
0.4 1.35127E-06
1 3.37817E-06
2.2.3 BOUNDING ANALYSIS CONCLUSIONS
Sensitivity results support the overall conclusion that the ICCDP risk increase resulting froin the
installation of the defective diode is below the threshold of risk significance. This is supported by
both the SPAR and CNS PRA models.
Semi tivity results detail that the extremes of both the diode failure probabilities and non-recovery
probabilities would have to be applied to push the ICCDP above the risk significance threshold of
Page 19 of 23
Incremental Change in Core Damage Probability Resulting from Degraded Voltage Regulator
Diode Installed in the Division 2 Diesel Generator
1 .OE-06. These extremes, though insightful, are judged not to be viable or representative of the
actual conditions that existed at the time of the over voltage trip of DG-GEN-DG2.
2.3 LARGE EARLY RELEASE FREQUENCY ANALYSIS
It is important to note that incremental change to Large Early Release Probability is negligible and
less than 1.OE-07 based on the fact that ICCDP is less than 1.OE-07. However, a qualitative
evaluation of LERF impact was provided. This qualitative evaluation found that change in LERF
was negligible. The qualitative evaluation is provided below.
The LERF consequences of exposure to the defective diode were similar to those
documented in a previous SDP Phase 3 evaluation regarding a inisalignment of gland
seal water to the seivice water pumps (Reference 5). The following excerpt from NRC Special
Inspection Report 2007007 addresses the LERF issue:
The NRC reevaluated the portions ofthe preliniinary signijicance determination related
to the change in LERF. In the regulatory conference, the licensee argued that the dominant
sequences were not contribzitors to the LERF. Therefore, there was no change in LERF resulting
fioni the subject peiforinance deficiency. Their argument was based on the longer than ziszial core
darnage sequences, providiiigfor additional time to core damage, and the relatively short time
estimated to evacuate the close in popzilation szirrozinding Cooper Nuclear Station..
LERF is de$tied in NRC Inspection Manual Chapter 0609, Appendix H, Containnient Integrity
Significance Deterinination Process as: thefiequency ofthose accidents leading to significant,
uninitigated release,fi.om containnient in a time fianze prior to the effective evacuation ofthe close-in
population szich that there is apotentialfor early health effect. The NRC noted that the dominant
core damage sequences docziniented in the preliminary signijicance determination were long
seqziences that tool: greater than I 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> to proceed to reactor presszire vessel breach. The shortest
calciilated internalfioni the time reactor conditions would have ?netthe reqtiirei~ientsfor entiy into a
genei~alemergency (keqtriring the evacuation) until the time ofpostailated containment ruptaire was
. 3.5 lioaii~s.The licensee stated that the average evacuation time f o r CNS,fioni the declaration of a
Genei-a1Eniergency was 62 nzintites.
The NRC determined that, based on a 62-nzinute average evacuation time, effective evacuation ofthe
close-in poptilation could be achieved within 3.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />. Therefore, the dominant core damage
sequences afected by the subject performance deficiency were not LERF contributors. As such, the
NRCs best estimate deterinination ofthe change in LERF resultingfioni the performance deficiency
was zero. In the current analysis, tlie totaI contribution ofthe 30-ininute sequences to the current
case CDF is only 0. I 7% ofthe total. For two hour sequences, the contribution is only 0.04 percent.
That is, almost all of the risk associated with this performance deficiency involves sequences of
diiration,foair hours 01 longer following the loss of all ac power.
Based on the average 62 niinzite evacuation time as docziniented above, the analyst
determined that large eady release did not contribute to the signijkance ofthe current
,finding.
This same excerpt is true for this analysis also.
Page 20 of 23
Incremental Change in Core Damage Probability Resulting from Degraded Voltage Regulator
Diode Installed in the Division 2 Diesel Generator
2.4 EXTERNAL EVENT EVALUATION
2.4.1 Internal Fire
An evaluation of this condition with respect to fire initiated accidents concluded that the ICCDP due
to these initiators is not a significant contributor to the overall condition ICCDP, and does not warrant
inclusion into the overall quantitative results.
While some postulated CNS fires can cause a loss of offsite power requiring the use of the Diesel
Generators, manual recovery of the offsite power does not require repair activities and is relatively
easy. The bulk of the postulated fires do not cause an unintentional LOOP. Rather, they cause
abandonment of the inain control rooin and a procedurally administrated LOOP. Only two fires can
actually cause an unintentional LOOP. These are a fire in control rooin board C or a fire in the
control rooin vertical board F. Multiple hot shorts in either of these locations can cause the
emergency and startup transformer breakers to open. The breakers to the emergency transformers do
NOT lock out in a manner that prevents recovery from inside the plant. Recovery froin these events
involves pulling the control power fuses at the breakers and operating the beakers manually.
Considerable procedural guidance is available for these actions.
The IPEEE Internal Fire Analysis conservatively estimated that the probability of a fire induced
LOOP is almost an order of magnitude lower that the 1E-6 ICCDP cutoff frequency.
2.4.2 External Events
The contribution to the ICCDP froin external events is considered to be insignificant. The NRC in
IR07-07 determined that the risk increase from external events (seismic and flooding) did not add
significantly to the risk of the finding. This was based on a condition that the DG2 ran for 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />
before failing and is a follows:
As a seiisitivioi, datafioin the RASP External Events Handbook was used to estimate
the scope of the seismic risk particular to this finding. The generic median earthquake
acceleration asstinzed to catise a loss of offsite power is 0.39. The estiinatedfieqiieiicy
ojearthqiialces at CNS of this magnitude or greater is 9.828E-5/yr. The generic median
eartlzqiialcefiequeiicy assumed to cause a loss of the diesel generatoi-s is 3.19, though
essential eqziipment powered bj}the EDGs would likely fail at approxiinatelj 2. Og. The
seismic informatioiifoi~CNS is capped at a inagnittrde of 1.Ogwith a frequency of
8.187E-6. This would suggest that an earthquake could be expected to occw with an
approximate f i e qtiency of 9.OE-5/yr-that would remove offsite powere but not damage
other equipment iinpoi-taiit to safe shutdown. In the internal events discussion above, it
was estimated that LOOPS that exceeded four how-s duration would occur with a
,fi-equeiicyof 3.91 E-3/yi-. Most LOOP events that exceed the four hour diiration wozild
likely have recovery characteristics closely matching thatfioin an earthquake. The ratio
between these two fieqiiencies is 43. Based on this, the analyst qualitatively concliided
that the risk associated with seismic events would be sinall conipared to the internal
1-esiilt.
Flooding could be a concei*nbecause of the proximity to the Missoziri River. However-,
floods that wotild ieenzove offsite power woiild also IilcelyJlood the EDG coinpartmerits
Page 21 of 23
Incremental Change in Core Damage Probability Resulting from Degraded Voltage Regulator
Diode Installed in the Division 2 Diesel Generator
and thei-efore not result iii a significant change to the risk associated with the finding.
The switchyard elevation is below that of the power block by several feet, but it is not
likely that a slight in~indationof the switchyard would came a loss of offsite power. The
low fieqwency ofjloods within the thin slice of water elevations that would reinove offsite
power,for at least fotir hows, but not render the diesel generators inoperable, indicates
that extei-nal~floodiiigwould not add appreciably to the risk of this finding.
Based on the above, the analyst determined that external events did not add
signijkantly to the risk of thejnding,
The above logic remains valid when the four hour DG2 run assumption is eliminated and a random
intermittent voltage regulator board diode failure is assumed. In addition, external floods applicable
to CNS are veiy slow developing events. The plant would have one to three days warning. Plant
procedures require the plant to be shut down, depressurized, and the vessel flooded with the head
vents open when flood levels are anticipated to exceed the 902 level.
3.0 CONCLUSION
When examining the risk significance resulting froin the installation of the defective diode contained
in the voltage regulator controls for DG-GEN-DG2, it was concluded that increases in core damage
probability and LERF were below risk significant thresholds established by the industry.
Consideration of the uncertainties involved in significance deteiinination process (probabilistic risk
assessments) was alternatively addressed by separately evaluating bounding cases using conservative
inputs and assumptions.
The conclusion is that the safety impact associated with the defective diode is not risk significant.
4.0 REFERENCES
1 . NRC Special Inspection Report 2007007, dated May 22,2007, froin Arthur T. Howell 111, to
Stewart B. Minehan
2. NUREG CR 6890, Reevaluation of Station Blackout Risk at Nuclear Power plants, published
December, 200
3. CNS SPAR model version 3.3.1, dated October IO, 2006
4. NUREG CR 6823, Handbook of Parameter Estimation for Probabilistic Risk Assessinent,
Published September, 2003
5 . Cooper Nuclear Station - NRC Inspection Report 05000298/2004014 - Final Significance
Determination for a Preliininaiy Greater than Green Finding, dated March 3 1, 2005, fioin Arthur
T. Howell 111, to Randall K. Edington
6. AC Power Recoveiy Evaluation, Prepared by Erin Engineering and Research, Inc, dated October
1995
Page 22 of 23
Incremental Change in Core Damage Probability Resulting from Degraded Voltage Regulator
Diode Installed in the Division 2 Diesel Generator
7. ASME RA-S-2002, Standard for Probabilistic Risk Assessment for Nuclear Power Plant
Applications and Addenda ASME RA-Sb-2005
Page 23 of 23
APPENDIX A
STATION BLACKOUT EVENT TREE ADJUSTMENTS
The Station Black-out (SBO) portion of the CNS Loss of Offsite Power (LOOP) event tree was
modified to reflect updated timing insights gained through thermal hydraulic and battery
depletion calculations perfonned to support the PRA upgrade project. Of particular importance
to SBO mitigation are timing for potential challenges to high pressure injection systems (HPCI
and RCIC) and individual battery depletion timing (with and without load shed). The revised
LOOP event tree considers updated information regarding:
Batteiy depletion timing for each DC bus,
Potential RPV low pressure isolation challenges due to operator actions to emergency
depressurize the RPV in response to EOP required actions on Heat Capacity
Temperature Limit (HCTL), Pressure Suppression Pressure (PSP), and high diywell
temperahire,
Potential equipment trips due to high exhaust back pressure,
Potential suction source impacts associated with ECST depletion or suction
temperahire if automatic suction swap to the suppression pool is anticipated, and
Post event room heat-up impacts on equipment reliability.
Use of the on-site diesel driven fire pump was added to the event tree for potential credit
provided initial success of HPCI or RCIC, but was given a failure probability of 1.O for this
study.
The failure probability for actions to extend HPCI or RCIC operation was assumed to be 0.06.
This assuinption was utilized for consistency in comparing results to SPAR modeling and is
considered a conservative estimate of the failure probability given the relatively long time to
accomplish the relatively simple human actions (e.g. gravity fill of ECST, shedding one large
DC load, etc.).
Figure A-1 shows a graphical representation of the revised LOOP event tree. The new core
damage sequences are named TlSBO-1 through TlSBO-8 and are described as follows:
Sequence T1 SBO-1 : /U2*/RCI-EXT*/Xl "VS"REC-LOSP-DGl2H
Following a LOOP with failure of the emergency diesel generators, RCIC (U2) provides initial
inventory make-up to the RPV. Manual operator actions to extend RCIC operation are
considered successfd at a 94% probability. Successfil depressurization (X 1) in support of fire
water injection occurs, but fire water injection (V5) fails (assumed 1.O failure probability in this
analysis). Recovery of AC power within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is not successful for this sequence, resulting in
core damage. Twelve hours is allowed to recover AC power based on calculation NEDC 07-
053, which documents a limiting division 1 (RCIC supply) battery capability for providing all
required loads for 11 hours1.273148e-4 days <br />0.00306 hours <br />1.818783e-5 weeks <br />4.1855e-6 months <br /> without any load shedding. Due to extended boil-off time an
additional hour is allowed to recover AC power prior to core damage.
Page A1 of A6
Sequence T1 SBO-2: /U2*/RCI-EXT*Xl *REC-LOSP-DG12H
Same as sequence T1 SBO-1, except depressurization of the RPV fails resulting in failure of fire
water injection (V5). The basis for AC recovery is the same as described for sequence TlSBO-
1.
Sequence Tl SBO-3: /U2*RCI-EXT*/Xl*REC-LOSP-DGIOH
Following a LOOP with failure of the emergency diesel generators, RCIC (U2) provides initial
inventoiy make-up to the RPV. Manual operator actions to extend RCIC operation are
considered failed at a 6% probability. Successful depressurization (Xl) in support of fire water
injection occurs, but fire water injection (V5) fails (assumed 1.0 failure probability in this
analysis). Recovery of AC power within 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> is not successful for this sequence, resulting in
core damage. Ten hours is allowed to recover AC power based on the limiting time for manual
operator action for any anticipated challenge to continued RCIC operation. The first potential
challenge to RCIC operation occurs due to the need to manually align gravity fill of the
Emergency Condensate Storage Tank (ECST) within 9 hours1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br />. Due to extended boil-off time an
additional hour is allowed to recover AC power prior to core damage. It is noted that the next
most limiting challenge for continued RCIC operation does not occur until after 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> due to
potential high exhaust back-pressure turbine trip.
Sequence T1 SBO-4: /U2*RCI-EXT*Xl *REC-LOSP-DGlOH
Same as sequence T1 SBO-3, except depressurization of the RPV fails resulting in failure of fire
water injection (V5). The basis for AC recovery is the same as described for sequence TlSBO-
3.
Sequence TI SBO-5: U2*/UlB*/HCI-EXT*/Xl *VS*REC-LOSP-DGl OH
Following a LOOP with failure of the emergency diesel generators, RCIC (U2) fails and HPCI
(U1 B) provides initial inventoiy make-up to the RPV. Manual operator actions to extend HPCI
operation are considered successful at a 94% probability. Successfiil depressurization (Xl) in
support of fire water injection occurs, but fire water injection (V5) fails (assumed 1.O failure
probability in this analysis). Recovery of AC power within 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> is not successfiil for this
sequence, resulting in core damage. Ten hours is allowed to recover AC power based on
calculation NEDC 07-053, which documents a limiting division 2 (HPCI supply) battery
capability for providing all required loads for 9 hours1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br /> with manual action to shed one major DC
load. Due to extended boil-off time an additional hour is allowed to recover AC power prior to
core damage.
Sequence T1 SBO-6: U2*/UlB*/HCI-EXT*Xl *REC-LOSP-DGlOH
Same as sequence T1 SBO-5, except depressurization of the RPV fails resulting in failure of fire
water injection (V5). The basis for AC recovery is the same as described for sequence TlSBO-
5.
Page A2 of A6
Sequence T1 SBO-7: U2*/UlB*HCI-EXT*/Xl *VS*REC-LOSP-DG6H
Following a LOOP with failure of the emergency diesel generators, RCIC (U2) fails and HPCI
(U1 B) provides initial inventory make-up to the RPV. Manual operator actions to extend HPCI
operation are considered failed at a 6% probability. Successful depressurization (Xl) in support
of fire water injection occurs, but fire water injection (V5) fails (assumed 1.Ofailure probability
in this analysis). Recovery of AC power within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is not successful for this sequence,
resulting in core damage. Six hours is allowed to recover AC power based on calculation NEDC
07-053, which documents a limiting division 2 (HPCI supply) battery capability for providing all
required loads for 5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> without manual action to shed any loads. Due to extended boil-off
time an additional hour is allowed to recover AC power prior to core damage.
Sequence T1 SBO-8: U2*/UlB*HCI-EXT*Xl "REC-LOSP-DG6H
Same as sequence TlSBO-7, except depressurization of the RPV fails resulting in failure of fire
water injection (V5). The basis for AC recovery is the same as described for sequence TISBO-
7.
Table A- 1 suininarizes the basis for timing insights associated with potential high pressure
injection and batteiy depletion challenges during SBO type scenarios.
Table A-1
HPCI Challenpe Time (hrs) Reference Description
Calculation NEDC 92-50W HPCI high - exhaust back pressure set-point is
Exhaust Pressure set high enough to not cause a concern of
tripping the turbine during an SBO. Nominal
set-point is 136 psig.
MAAP run CN06058, NEDC HPCI is expected to be capable of operating
01-29A, B, C at full load conditions with cooling water
temperatures of 180°F for greater than 2
Suction Temperature 8 hrs hours. This temperature is not reached until
greater than 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> into the event, and HPCI
would be expected to function for an
additional 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> at a minimum.
MAAP run CN06058 The timing to the Pressure Suppression Curve
PSP ED in EOPs is estimated based on variation in
14.5 hrs
suppression pool water levels seen in the
analysis.
MAAP run CN06058 and Timing based on ability to maintain RPV
EOP IHCTL curve pressure below HCTL curve yet around 200
HCTL psi to allow continued HPCI operation.
1 I .4 hrs
Based on 200 psig in the RPV the
suppression pool temperature to exceed
HCTL occurs at approximately 235°F.
I-ligh DW Temperature ED 17 hrs. MAAP run CN06058
Calculation NEDC 07-065, Equipment reliability for HPCI and RCIC
Area Temperature >I2 hrs. PSA-ES72 and PSA-ES73 areas not impacted for a 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> SBO
scenario.
PSA-ES66, NEDC 92-050K, Timing based on interpolated time for
and NEDC 98-001 integrated decay heat make-up for 87,000
ECST inventory gallons consumed to prevent the low level
9.5 hrs.
suction swap. Note that HPCI would be
anticipated to auto swap to torus and this
challenge is not limiting for HPCI operation,
~~
Page A3 of A6
Reference
NEDC 07-053
NEDC 07-053 Assumed action to isolate the Main Turbine
Emergency Oil Pump within the first 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />
DC battery depletion with load
9.0 hrs results in extending the 250 V Division 2
shed
battery time to 9 9 hours1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br /> The limiting time
reported here is for 125 V Division 2 battery
RCIC Challenge Time (hrs) Reference DescriDtion
MAAP run CN06059A. Based on nominal set-point and conservative
Exhaust Pressure 10.5 hrs
Calculation NEDC 92-050AP accounting of head-loss.
MAAP run CN06059A Not a limiting concern for RCIC due to no
Suction Temperature I 1.5 hrs automatic suction swap from ECST on high
suppression pool water level.
MAAP run CN06059A The timing to the Pressure Suppression Curve
in EOPs is estimated based on variation in
suppression pool water levels seen in the
analysis.
MAAP run CN06059A and Timing based on ability to maintain RPV
EOP HCTL curve pressure below IHCTL curve yet around 200
psi lo allow continued HPCI operation.
I-ICTL 14.1 hrs
Based on 200 psig in the RPV the
suppression pool temperature to exceed
HCTL occurs at approximately 235°F.
MAAP run CN06059A
C;ilculntion NEDC 07-065. Equipment reliability for HPCI and RCIC
.4rc;1 Tcinpc.r;i[urc > I2 hrs. PSA-ES72 and PSA-ES73. areas not impacted for a 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> SBO
scenario.
PSA-ES66, NEDC 92-050K, Timing based on interpolated time for
and NEDC 98-001 integrated decay heat make-up for 87,000
gallons consumed to prevent the low level
ECST inventory 9.5 hrs.
suction swap. Note that HPCI would be
anticipated to auto swap to torus and this
challenge is not limiting for HPCI operation.
DC battery depletion without NEDC 07-053
I 1 .O hrs
load shed
Page A4 of A6
U
E
C
.r
i
c[
c
li:
T
C
t
4
ea
t
E
?
D
U
!Y
a
W
2
i
Y..
I
U
a
!
E
ii
W
4
41
0
\o
4
a
5
APPENDIX B
Human Reliability Analysis
Introduction
Division 2 DG failed a monthly Surveillance Test on January 18, 2007. The DG VAR loading rapidly
spiked until the Diesel Generator Breaker tripped on Over-Voltage. The DG VAR loading spiked to
approximately 10,667 KVAR prior to tripping the Diesel Generator. After trouble shooting the Diesel
Generator, it was deteiinined that a diode on the Voltage Regulator card had failed and caused the
VAR excursion and subsequent Diesel Generator failure.
A risk evaluation of this condition was documented in CR-CNS-2007-00480 which credits recoveiy
from the DG2 failure. This is also a key input to the significance deteiinination of this failure, since
recoveiy of the DG trip restores critical on-site AC power.
This paper provides the basis for recovery, identifying the activities that accomplish recovery and
discusses factors affecting the successful outcome. An estimate of the probability of failure of the
recovery is determined for the limiting core damage scenarios as defined in the plant PRA and SPAR
models ,
Conclusion
Recovery of DG2 is considered likely due to time available for diagnosis using existing Station
Blackout procedures that place priority on restart of emergency AC power. The most limiting core
damage event for failure of Diesel Generator 2 is a LOOP with the Diesel Generator 1 not available. In
these sequences high pressure core cooling is initially successful. More than 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> is available to
recover at least one AC electrical power source prior to core damage. With the station in a blackout
condition, DG2 restart is directed by 5.3SBO which is applicable to greater than 95% of the core
darnage sequences. Given an extended coping period available for diagnosis and execution, the
likelihood of successful recoveiy for DG2 is estimated to be at or below 3.2E-2, depending on the
HRA model used.
Review of Expected Plant Response
The increase in risk due to emergency AC failure occurs in sequences where core and containment
cooling was successful when relying solely on Division 2 DG during the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time of the
PRA supplying all required loads. These sequences require a Loss of Offsite Power event concurrent
with DG1 out of service for maintenance (or as result of system failures). After the scram, DG2 trips
due to random (intermittent) diode failure. When the diode fails, the DG VAR (voltage) output
rapidly increases until the DG trips on output breaker lockout (86 relay) on over voltage. The loss of
DG2 emergency AC power occurs almost instantaneously following the diode failure. The DG2 would
trip and lockout on over-voltage given the Voltage Control Mode Selector (VCMS) switch is
positioned to Auto.
In response to a LOOP, the Control Room would be operating the plant using HPCI or RCIC to
control level and pressure while depressurizing the reactor. An RHR pump, a Service Water Pump
Page B1 of B20
and a Service Water Booster Pump would be in service to cool the suppression pool. These loads
would be supplied by DG2. Since DG 1 is not credited, once the Control Rooin validates that offsite
power will not be available promptly (prior to DG2 failure), the RCIC loads will be transferred to the
Division I1 batteries and supplied by Division I1 Diesel Generator (via 5.3AC480, Attachment 8). This
action would extend the available battery depletion time to approximately 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> after DG2 diode
failure.
A realistic battery depletion of 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> is modeled in the CNS PRA. The depletion times assume that
both divisions of batteries are both at 90% capacity. Calculation NEDC 07-053 estimates how long
the batteries would last using the Design Basis calculations NEDC 87-131A3,ByC and D as inputs.
The average loading assumed in these calculations is determined and divided by the actual battery
capacity. The result of this calculation validates that both divisions of batteries would be capable of
supplying all required loads for a ininiinum of approximately 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. At the end of the scenario, the
battery terminal voltage was compared with the ininiinum battery teiininal voltage required to ensure
adequate voltage to start the Diesel Generator was available. Based on this analysis, both RCIC and/or
HPCI are available for a minimnuin of 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />.
Review of Other Issues Effecting: Recovery
There are a number of issues that should be addressed as part of crediting restoration of the DG2
lockout. These issues and their resolution are listed below:
Diagnosis: In order to diagnose the DG2 voltage regulator failure, an operator (in the DG2 room) inust
confirm there are no obvious gross mechanical or electrical issues effecting DG operation. This is
accomplished by procedure 2.2.20. land supports the decision to restart. Since a LOOP event would
have occurred, the plant would be in the Emergency Power procedure (5.3EMPWR). A station
operator monitors diesel operation (Operations Procedure 2.2.20 and 2.2.20.1, the DG operating
procedures) and during a LOOP would be expected to be nearby (not necessarily in the diesel rooin).
Once the SBO is entered, the station operator returns to the diesel rooin and confirms overall integrity
of the machine to support restart as needed.
Effects of DC2 Restart: The nature of the failure becomes apparent when initial restart fails due to
over-voltage and sanie annunciation re-occurs (Procedure 2.3-C-4, Page 8, Tile C-4/A-5 .) Given a
failure attempt to restai-t from the Control Rooin per 2.2.20.1, the Operations crew would focus on
local operation in Procedure 2.2.20.2, Section 9 (or 5) as directed by 5.3SBO. Procedure 2.2.20.2
provides guidance for placing DG control in ISOLATE which defeats the standing emergency start
signal. The decision for local operation in inanual voltage control would be driven by the high priority
of AC power restoration given the SBO condition.
Staffing: At the initiation of the LOOP event, the plant would have been placed in a Notification of
Unusual Event. Although a NOUE does not require initiating actions to bring the ERO on site,
Operations Management would expect the SM to call in additional personnel, once the Control Rooin
contacted the Doniphan Control Center and determined that offsite power would not be restored
promptly. In the event that the SM did not initiate ERO pagers to activate facilities, the Operations
Management team would require the SM to take these actions as follow-up to notification
Page B2 of B20
of change in plant status. The needed staff, including management, maintenance, and engineering,
would be called out and mobilized to respond to the plant event. After the SBO occurred due to the
loss of DG2, a Site Area Emergency would be declared and the ERO would be activated, if not already
staffed.
Lighting: When DG2 is running the plant would be in a LOOP with normal lighting powered from
MCC-DG2. When DG2 failed, a station blackout would occur given DG1 is unavailable. Local
inspections would be facilitated by emergency Appendix R lighting. A set of emergency lights are
located in the DG2 room and they are directed in the general direction of the local control panels. The
emergency lights are rated at 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> on battery. Lighting levels are adequate for general activities
such as getting around in the room and gross inspection of the diesel. The lighting would be sufficient
to support local control using the VC Mode Selector and Manual Voltage Regulator Adjust, each
which are within aims reach on the front control panel in the DG2 room.
Execution: Loading of the DG during manual operation was reviewed for system response. The first
loads the DG would supply are the 480 volt load center including the 460 volt MCC loads. This
loading is expected to be approximately 500 to 750 1VA. Based on the rating of the DG compared to
this load, the DG output voltage is not expected to change significantly. Following these loads, an
RHR pump, a Service Water Booster Pump and a Service Water pump would be manually started
from the Control Rooin. These loads would be started individually by the operator in the DG Room.
The operator stationed in the DG room would monitor DG voltage after each large motor start and
adjust the voltage back to approximately 4200 volts after the motors had started and a steady state
voltage had been achieved. Conversations with the DG System Engineer and two MPR representatives
indicated that with the DG in manual voltage control, the voltage drop between no load and full load
would probably be around 5%. Since each of the large motors that would be started represents
approximately '/4 of the total capacity of the generator, a voltage drop of 1.25% would be expected.
Due to the uncertainties associated with operating a DG in this manner, a value of 5% voltage drop for
each motor start will be conservatively utilized. Given the minimal loading and the significant margin
between the original voltage of 4200 volts and the minilnuin required voltage, the Station Operator
would be able to maintain the output voltage of the DG at above the minimum voltage requirements
for the equipment at all times.
Recovery Time Line
A list of actions is described for the recovery of DG2, including consideration of the issues described
above. These actions are shown in the following table, with estimates of the range of times required to
perform each action (Time Estimate column). A narrative of the Operator response is given here to
support the list in Table 1.
After the DG2 trip, the Control Room would enter procedure 5.3SBO which would direct the Operator
located near DG2 to do a visual inspection of the Diesel Generator to ensure that fluid levels and other
parameters are in specifications (5.3SBO Attachment 3, Step 1.2.3.2 ff). When the 86 lockout relay is
reset in the Control Room, DG2 restart is expected due to the standing safety system actuation signal.
Due to the failed diode in the voltage regulator card, the diesel generator will fail almost instantly
upon starting. As a result of this trip, the same alarms and trip indications will re-occur.
Once DG2 trips the second time, the Control Room would have received the same annunciation and
breaker flags on both trips (indicates a voltage control problem.) The Control Room would be directed
Page B3 of B20
to place DG2 in ISOLATE (5.3SB0, Step 1.2.3.5) which defeats the emergency start signal. The
Control Room directs use of Section 9, Procedure 2.2.20.2, Operation of Diesel Generators froin
Diesel Generator Rooms, by placing Control Mode Selector Switch to LOCAL. At Step 9.6.1 the
Control Room would require the VC Mode Selector switch be positioned to Manual to start the DG
and the Manual Voltage Regulator Adjust be set and maintained at approximately 4200 volts. It should
be noted that this control will probably already be set to approximately 4200 volts. Once the DG was
running and not tripping, the Operations Crew would load the DG per plant procedures (refer to
5.3SB0, Attachment 3, Step 1.2.3.6.)
Table 1 Recovery Activities and Duration
I Activitv I Time Estimate finin) I Time L i m (tniti) 1
I A. LOOP ResDonse I I t=O I
1 , Control room responds to LOOP, 5.3EMPWR verifies DG2 runiiiiig 1-2 1-2
2. Station Operator dispatched to DG2 room 2-5 3-7
B. TSC Activation
I 1. TSC Activatioii I 60 I 60 I
I 3. Decisioii to Restart DG2. 5.3SBO. SteD 1.2.3.4 Der 2.2.20.1 I 1-2 I 4-9 I
4. Station Operator performs checklist, contact Coiitrol rooin 2-5 6-14
5 . Station Operator observes DG2 start sequence and trip 1-1 7-15
6. Decision to Restart DG2, 5.3SB0, Att. 3, Step 1.2.3.5 using 2.2.20.2
45- 105 51-120
(DG2 Isolated, cliaiige VC Mode to Manual and Man Volt Control)
D. Execution
I 1. Station ODerator restart DG2 in Manual I 5-10 I 56-130 I
The time required to recover the DG is estimated at 120 minutes for diagnosis (steps C.l through C.6)
and 10 minutes for execution (step D. 1) froin the time the DG lockout occurs. (The ininiinum time
estimated to perform the recoveiy is 56 minutes.) This is supported by the expected time to review the
alanns and step through existing procedures to determine applicable steps. This restoration, operating
the DG in manual, is a relatively simple task which is accomplished by the Operating crew member
assigned to the DG unit.
These times are used in the next section, where the recoveiy failure probabilities are estimated in
SPAR-H method. The minilnuin retui-n to service time available is 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />, based on 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> RCIC
operation plus 120 minute boil-off period. (Similar time for recovery exists for the HPCI success case,
with actions to extend injection to 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> following DG2 failure.) This treatment is applicable to
more than 95% of the sequences contributing to core damage. The remaining 5% of the sequences
have considerably shorter time frame for recoveiy and are assumed not recovered. This assumption
has negligible impact on expected change to core damage frequency.
Probability of Failure to Recover
The SPAR-H model was used to estimate the probability of failure to recover the DG as a function of
the time required to perform the manual restart (the time from the timelines) and the time available to
complete the actions in order to mitigate core damage (which comes from the accident sequence
Page B4 of B20
analysis in the PSA). The recovery will be considered in two parts, Diagnosis and Execution, per the
SPAR-H method.
The time available to make the restoration is the time the plant is able to cope with a SBO. The DC
battery depletion time is 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> with either high pressure injection source with an additional 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />
for core boil-off time. This evaluation assumes the 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> depletion time starts at the time of the SBO
event. For this scenario no credit is given for possibility of using the swing charger on Division 1
batteries when DG2 is running. A bounding 10 hour1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> recovery period is assumed to apply to both HPCI
and RCIC depletion sequences.
The following perfoiinance shaping factors from the SPAR-H method are assumed for the diagnosis
portion:
a Time Available = Long (9 hours1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br />), time needed -120 minutes
W Stress = High, LOOP, then station blackout conditions
W Complexity = Nominal, indications are compelling, interpretation and action is clear
W Training = Nominal, address symptoms use TSC support to diagnose
a Procedures = Nominal, use alarms as defined and steps in procedures problem is self-revealing
W Ergonomics = Nominal, CR emergency lighting exists
The following performance shaping factors from the SPAR-H method are assumed for the execution
portion:
a Time Available = Long (-10 min), with >60 min available
a Stress = High, focused on DG recovery, however action does not create conflict
W Complexity = Nominal, actions are simple and gradual
W
Training = Low, however manual operation uses familiar controls at DG panel
a Procedures = Not complete, TSC to add steps to Section 9 for manual start and load
a Ergonomics = Nominal, emergency lighting in place
As seen on the following SPAR-H table, the estimate for the probability of failure to recover the DG is
3.2E-2. This is calculated using conservative estimates of repair activity times.
Discussion of SPAR-H Performance Shapinp Factors
Diagnosis Factors:
Location: Information from the Control Room and the Diesel Generator Room would be utilized to
diagnose this event.
Time Available: The minimum time available is considered long (>60 minutes) because total time to
diagnose the DG is approximately 120 minutes and the execution is expected to take about 10 min.
Stress: The stress is considered high because the plant would be in an SBO. With the ERO staffed, the
Operations Crew would have additional resources to help diagnose the problem and significant insight
into the problem would be available.
Complexity: The Control Room would have at least two distinct annunciator and a breaker trip flag
cues - indicate a voltage control problem as confirmed by alarm card listing. There is not conflicting
infoiinatioii since both cues lead to the same conclusion, the complexity is considered Nominal.
Page B.5 of B20
Training: Operations is trained on how to operate the DG and a procedure is available for operation of
the DG from the Diesel Generator Room which is considered adequate.
Procedures: Procedures 5.3EMPRY5.3SB0, 2.2.20.1, and 2.2.20.2 provide guidance on what actions
should occur during an SBO. The guidance in 2.2.20.2 (refer to Section 9) to start the DG in auto
voltage control would establish the DG voltage trouble. The vendor manual states that DG operation in
manual should be used if there are voltage control issues. By modifying Procedure 2.2.20.2, at Step
9.6.1 the Control Room would require the VC Mode Selector switch be positioned to Manual to start
the DG and the Manual Voltage Regulator Adjust be set and maintained at approximately 4200 volts.
Therefore, the procedures are considered nominal for diagnosis.
Ergonomics: The operator would be required to operate the DG from the Diesel Generator Room and
the actions of starting the DG and adjusting DG voltage would occur at different times. The actions the
operator would be required to perfom are considered ininiinal and the position of the equipment is
considered adequate. Therefore, the ergonomics of this recovery is considered nominal.
Execution Factors:
Location: The recoveiy of the DG would occur in the Diesel Generator Room.
Time Available: The time available is considered long because the actual starting of the DG in manual
voltage control is estimated to take approximately 10 minutes and the available time is much greater
than 5 times that amount.
Stress: Since the operator would have been in the DG room inspecting the DG and resetting breakers
since the time the DG failed, the stress is considered high. Since the DG would start once procedure
2.2.20.2 was utilized, the stress would only decrease as the recovery continued.
Complexity: The start and operation of the DG in manual voltage control is provided by the Control
Room using 2.2.20.2 with the exception that the operator does not perform the step to start the DG in
automatic voltage control. The control room would provide guidance on manual operation to be
followed prior to running in manual. Once the DG was running and not tripping, the Operations Crew
would load the DG per plant procedures (refer to 5.3SB0, Attachment 3, Step 1.2.3.6.) With the DG in
manual, the need for adjusting the voltage as loads are added is considered minimal. Overall the
complexity is considered nominal.
Training: Procedure 2.2.20.2 does not provide explicit guidance on how to manually adjust voltage,
therefore the training is considered low. Manual voltage control of the DG is not specifically trained
on, however, the required voltage band is large and the control of the DG voltage is simple. Overall,
training is considered low for this recovery.
Ergonomics: The ergonomics for this recovery is considered adequate. The controls for the DG are
readily available and are the same controls used in other DG evolutions. Once the DG is started, the
only operator input required is occasionally verifying the output voltage and malting minor
adjustments as needed. Overall, the ergonomics is considered nominal for this recovery.
Page B6 of B20
f
+ c
"
.-
s
0
$
K
C I
K
- C
S
-
S
.o .o .o .o .o
l
M2u 3, ,x 3 3
a,a,a,a,a,
I
K
I
L
h
c x x x x x m I1 =!.
. z w w w w w c3
n
c
-m
m
0
- Ic
0
-I
I-b
"&,
-I
'
1
-i
Y
4
I
Discussion of EPRI HRA Calculator Analysis
EPS-XHE-FO-DG2, Operator fails to recover DG2 after VC board failure
Table 1: Basic Event Summary
Table 2: EPS-XHE-FO-DG2 SUMMARY
Related Human Interactions:
-
Cue:
The increase in risk due to emergency AC failure occurs in sequences where core and
containment cooling was successful when relying solely on Division 2 DG during the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />
mission time of the PRA supplying all required loads. These sequences require a Loss of Offsite
Power event concurrent with DG 1 out of service for maintenance (or as result of system
failures). The DG2 continues to run for 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> prior to the diode failure causing the DG to trip.
When the diode fails, the DG VAR (voltage) output rapidly increases until the DG trips on
output breaker lockout (86 relay) on over voltage. The loss of DG2 emergency AC power occurs
almost instantaneously following the diode failure. The DG2 would trip and lockout on over-
voltage given the Voltage Control Mode Selector (VCMS) switch is positioned to Auto.
In response to a LOOP, the Control Room would be operating the plant using HPCI or RCIC to
control level and pressure while depressurizing the reactor. An RHR pump, a Service Water
Pump and a Service Water Booster Pump would be in service to cool the suppression pool.
These loads would be supplied by DG2. Since DG1 is not credited, once the Control Room
validates that offsite power will not be available proiiiptly (prior to DG2 failure), the RCIC loads
will be transferred to the Division I1 batteries and supplied by Division I1 Diesel Generator (via
5.3AC480, Attachment 8). This action would extend the available battery depletion time to
approximately 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> after DG2 diode failure.
The cue is the trip of the DG2 and entry into SBO conditions. It would be indicated by numerous
alarms and indications and clearly identifiable.
Degree of Clarity of Cues & Indications:
Very Good
Page B8 of B22
Procedures:
Cognitive: 5.3SBO (STATION BLACKOUT) Revision: 14
Execution: 2.2.20.2 (OPERATION OF DIESEL GENERATORS FROM DIESEL
GENERATOR ROOMS) Revision: 36
Other: () Revision:
Cognitive Procedure:
Step: 1.2.3.1
Instmction: LOCALLY CONFIRM DG INTEGRITY
Procedure and step governing HI:
Plant Response :
DG2 automatically starts and loads Essential Bus 4160 Volt 1G.
Main Control Room (MCR) declares a NOUE and enters 5.3EMPR,
Attachment 2, Step 1.8.3
"If normal power cannot be restored or is subsequently lost, ensure TSC activated and have
TSC activate Attachment 5 (Page 18) to restore power to PPGB 1.I1
Attachment 3, Step 1.2.3
"If only one DG is providing power, perform following:
Monitor DG load in accordance with Step 1.1.2 and Attachment 4 (Page 1l)."
DG2 Voltage Regulator Card Fails causing DG2 Failure
Plant Response:
MCR declares a Site Area Emergency and activates the ERO if the ERO has not already
been activated due to the extended LOOP.
MCR enters 5.3SBO Step 1.2.3, Attachment 3
1.2.3 "If a DG is not running, perform following:
1.2.3.1 Check local control boards, valve lineups, and control power fiises if
degraded conditions such as shorts, fires, or mechanical damage are not evident.
1.2.3.2 Reset any trip condition.
Page B9 of B22
a At VBD-Cy check white light above DIESEL GEN l(2) INCOMPLETE
SEQ RESET button light is off. If on, press RESET button to reset trip.
b Locally in DG Room, check ENGINE OVERSPEED alarm is not in alaim. If
alaimed, reset per alarm procedure.
c Locally in DG Room, on DIESEL GENERATOR #1(2) RELAYING panel
check white light above DGl(2) LOCKOUT relay is on. If off, check relays to
determine cause and reset.
1.2.3.3 If starting air pressure is low, start diesel air compressor per Procedure
2.2.20.1.
1.2.3.4 Start and load DG per Procedure 2.2.20.1."
MCR and DG Operators would enter Procedure 2.2.20.1, Section 7. Section 7 contains
several steps designed for maintaining the availability of the DG during surveillance runs,
however, the steps of interest are:
Plant Enters 2.2.20.1 "DIESEL GENERATOR OPERATIONS"
7.13 Place and hold DIESEL GEN 2 STOPETART switch to START until
STOP light tui-ns off.
7.14 Using DIESEL GEN 2 VOLTAGE REGULATOR, adjust voltage to -
4200V.
This step does not state specifically the voltage regulator would be in "Automatic"
at this time, however, since this is a Restart froin the Main Control Room, the
only option for restarting the Diesel Generator froin the Control Rooin is in
Automatic. Due to this fact, the DG would trip and cause an over-voltage lock-
out, an over-voltage annunciation exactly the same as the first trip.
Plant Continues in Procedure 5.3SBO
Attachment 3, Step 1.2.3.5 provides the following guidance:
"If DG(s) cannot be started and loaded, start and load DG(s) with ISOLATION
SWITCHES in ISOLATE per Procedure 2.2.20.2".
Procedure 2.2.20.2 has 3 Sections that are applicable to DG2.
Sections 5 , "DG2 STARTUP AND SHUTDOWN AFTER MAJOR
MAINTENANCE",
Section 7, "DG2 STANDBY STARTUP AND SHUTDOWN FROM DG2
ROOM
Page B 10 of B22
Section 9, "DG2 OPERATION WHEN REQUIRED BY PROCEDURE 5.3SBO
OR 5.4POST-FIRE"
The obvious section that would be applicable for this condition would be Section 9
since it references 5.3SB0, however, upon reviewing this section, the steps are
virtually identical to the steps in 2.2.20.1 except that the DG is physically started in
the DG rooin. The Voltage Control remains in Automatic and thus the DG would trip
as soon as the DG started resulting in the same annunciation, alarms and flags.
Reviewing the procedure further reveals that Section 5 provides the appropriate
guidance for starting the DG in manual voltage control. Since Operations use this
section of the procedure each outage if any major maintenance is performed on the
DG, it is reasonable to assume that this section of the procedure would be utilized
under these conditions with these combined expertise of the TSC and the on-shift
operating crew and potentially the entirely ERO staffed. Following either section 5 or
section 9 would accomplish the same actions, and both would lead to a successful
stai-t of the DG.
Plant Enters 2.2.20.2 "OPERATION OF DIESEL GENERATORS
FROM DIESEL GENERATOR ROOMS"
1. Section 5 "DG2 STARTUP AND SHUTDOWN AFTER MAJOR
MAINTENANCE"
5.8 Place VOLTAGE CONTROL MODE SELECTOR switch to MANUAL.
5.16 Press and hold START button until blue AVAILABLE light t~irnsoff.
5.20 Using MANUAL VOLTAGE CONTROL ADJUST knob, adjust
GENERATOR VOLTAGE to - 4200V.
5.23 Place VOLTAGE CONTROL MODE SELECTOR switch to AUTO.
At this time the DG would trip and cause an over-voltage lock-out, an over-voltage
annunciation exactly the same as the previous trips. Since the trip would occur immediately
after the switch was placed in automatic, the cause of the failure would be self revealing.
Once the cause the DG trip was determined, the procedures would easily be revised to
eliminate the step that puts the DG in automatic voltage control and adds a step that has the
DG operator check and/or adjust the DG voltage as necessary within a few minutes after
large motors are added and as a periodic task. This task would be identical to the task the
operator perforin to add load to the DG for the Monthly Suiveillance tests with the only
exception being that they would be monitoring voltage and total load rather than just total
load. Therefore, the operators receive training on this type of activity twice a month.
Operation of the DG in manual voltage control is also discussed in the Vendor Manual.
Training:
Classroom, Frequency: Initial
OJT, Frequency: Initial
Routine Operation: The operators perform a manual start from the DG rooin per procedure
2.2.20.2, section 5, at least once per outage.
Page B11 of B22
JPM Procedure:
() Revision:
HFE Scenario Description:
Division 2 DG failed a monthly Surveillance Test on January 18,2007. The DG VAR loading
rapidly spiked until the Diesel Generator Breaker tripped on Over-Voltage. The DG VAR
loading spiked to approximately 10,667 KVAR prior to tripping the Diesel Generator. After
trouble shooting the Diesel Generator, it was detennined that a diode on the Voltage Regulator
card had failed and caused the VAR excursion and subsequent Diesel Generator failure.
A risk evaluation of this condition was documented in CR-CNS-2007-00480 which credits
recovery from the DG2 failme. This is also a key input to the significance deteiinination of this
failure, since recovery of the DG trip restores critical on-site AC power.
This HRA estimates the probability of failure of the recovery.
Execution Performance Shaping Factors:
Environment: Lighting Einergeiicy
Heatkluinidity Hot I Huinid
Radiation B aclcgsouiid
Atmosphere Nonnal
Special Requirements:
Comdexitv of ResDonse: Comitive Coinulex
Executioii Complex
Equipment Accessibility: CONTROL ROOM Accessible
DIESEL GENERATOR ROOM Accessible
Stress: High
Plant Response As Expecled: No
Workload: NIA
Pei:fonnance Sliapiiig Factors: NIA
Page B12 of B22
Performance Shaping;Factor Notes:
Cognitive Unrecovered
EPS-XHE-FO-DGZ
Timing:
6no.00
sw I
Irrevekble
Cue DamageS tate
I I
t=o I
Timing Analysis: The time required to recover the DG is estimated at 120 minutes for diagnosis
(steps C.l through (2.6) and 10 minutes for execution (step D.l) from the time the DG lockout
occurs. (The minimum time estimated to perform the recovery is 56 minutes.) This is supported
by the expected time to review the alarms and step through existing procedures to determine
applicable steps. This restoration, operating the DG in manual, is a relatively simple task which
is accomplished by the Operating crew member assigned to the DG unit.
The time available to inalte the restoration is the time the plant is able to cope with a SBO. The
DC battery depletion time is 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> with either high pressure injection source with an additional
2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> for core boil-off time. This evaluation assumes the 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> depletion time starts at the
time of the SBO event. For this scenario no credit is given for possibility of using the swing
charger on Division 1 batteries when DG2 is running. A bounding 10 hour1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> recovery period is
assumed to apply to both HPCI and RCIC depletion sequences.
Time available for recovery: 470.00 Minutes
SPAR-H Available time (cognitive): 590.00 Minutes
SPAR-H Available time (execution) ratio: 48.00
Minimum level of dependence for recovery: ZD
Page B 13 of B22
Table 3: EPS-XHE-FO-DG2 COGNITIVE UNRECOVERED
Page B14 of B22
Indication Avail in CR Indication Warning/Alternate Training on
CR Accurate in Procedure Indicators
Most necessary indications are available in tlie main control rooin.
Lockout relay and diesel integrity information is necessary for the cognitive task and is readily available
from the diesel generator room.
Low vs. Hi Check vs. Monitor Front vs. Back Alarmed vs.Not
Workload Panel Alarmed
Front
Check (a) neg.
Back (b) 1.5e-04
Low (c) 3.0e-03
1Monitor
Front (d) 1.5s-04
(e) 3.0e-03
Monitor (m) M e - 0 2
Back (n) 1.5e-03
I ( 0 ) 3.0e-02
Per procedure during a SBO, recoveiy of the EDGs is tlie operators primary concern and focus. Most of
the necessary information is available on a front control panel or tlie DG local panel.
Page B 15 of B22
indicators Easy to GoodlBad indicator Formal
Locate Communications
I (h) 7.0e-03
While diesel noise could hinder coinmunication while the diesel is running, it will not be ruiiniiig during
the cognitive phase and communication froin the DG room to the CR should be normal.
pcd: Information misleading
Ail Cues as Stated Warning of Specific Training General Training
Differences
-Yes
_ (b) 3.0e-03
No
~
pce: Skip a step in procedure
I Obvious vs.
Hidden
Single vs. Multiple Graphically
Distinct
Placekeeping Aids
(a) 1.0e-03
(b) 3.0e-03
(c) 3.0e-03
(d) 1.0e-02
r------- (e) 2.0e-03
(f) 4.Oe-03
No I (i) 1.Oe-01
Page B 16 of B22
pcf: Misinterpret instruction
Standard or All Required Training on Step
Ambiguous wording Information
(d) 3.0e-03
I
I (e) 3.0e-02
I I (f) 6.0e-03
(9) 6.0e-02
"NOT" Statement "AND or "OR" Both "AND" B Practiced Scenario
Statement "OR
(a) 1.6e-02
(b) 4.Be-02
(e) 6.0e-03
(d) 1.08-02
(e) 2.0e-03
(f) 6.0e-03
Belief in Adequacy Adverse Reasonable Policy of
of Instruction Consequence if Alternatives "Verbatim"
Page B17 of B22
3
E
z
em
e Bt;
L
s
5
Q
VI
0
e!
e
V
w
d
2
0
A V
w
W
sQ
n t;
0
2 0
il
>
-1
2 3
Q
2 z
0
V
W
2
W
V V
2
C
5
a
m
2
3
C
0
x
-
N
m
%
x
APPENDIX C
Data analysis
The following section describes the process and results of the data analysis performed to
determine the failure probability of the defective diode in the DG-GEN-DG2 voltage regulator
card.
In Service Performance for the Defective Diode
The diodes in service life included 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> of run time and one failure of ftinction.
The defective diode was installed in as pai-t of the voltage regulator control card on November 8,
2006. The card was in service for 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br /> following installation as the diesel generator was ran
for post maintenance testing and surveillance testing up until its failure and reinoval on January
18, 2007.
Evaluation of performance leading to the over voltage trip of DG-GEN-DG2 on January 18,
2007 and subsequent root cause lab testing found that there were two other instances that could
be attributed to the open circuit failure condition of the defective diode. However both of these
instances were dismissed as follows:
During post maintenance testing of DG-GEN-DG2 on November 11, 2006, an over voltage
condition was noted while tuning the control circuit that contained the defective diode.
Because this testing did not provide conclusive evidence that the diode was the cause of the
over voltage condition and based on the fact that DG-GEN-DG2 demonstrated over 24
hours of successful iun time after occurrence of the November 11, 2006 condition, this
instance is dismissed as a attributable failure of the defective diode.
A post failure test of the circuit card that included the defective diode resulted in both
satisfactory card operation followed by unsatisfactory card operation with subsequent
determination that the defective diode was in a permanent open circuit state. Though this
lab testing could have been interpreted as an additional failure of the diode, it has been
dismissed due to the large amounts of variability introduced by shipping of the card to the
lab, the differences between lab bench top testing and actual installed conditions, and errors
that could be attributed to test techniques and human errors.
Priors
A bounding approach was taken in the application of diesel generator failure to nin data used to
assess the change in risk resulting fonn the January 18, 2007 over voltage trip. This bounding
approach includes use of a higher diesel generator fail to A n failure rate modeled in the CNS
SPAR model. The SPAR model diesel generator fail to run probability is 2.07E-02 for a 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />
mission time. The mean failure rate can be derived by solving the following poison derivation for
the diesel generator failure probability of 2.07E-02:
Page C1 of C2
2.07E-02=1-Exp(-h"24) or h = 8.715E-O4/Hr
This failure rate will be used as a noninfonnative prior to derive the failure rate of the defective
diode.
Bayesian Estimation
Guidance provided in NUREG CR6823 (Reference 4) was used to deteiinine that a Constrained
Noninfonnative Prior Bayesian Estimation was the best method to utilize in the derivation of the
defective diode failure rate. Section 6.5.1 of NUREG CR6823 discusses failure to run during
mission events and directs the use of Bayesian estimates using section 6.2. Section 6.2.2.5.3
recoininends use of the constrained noninformative prior as a coinpromise to a Jeffi-ies prior
when prior belief is available but the dispersion is defined to correspond to little information.
Because the SPAR fail to run data provides prior belief with unknown infomation on possible
industry failures resulting fonn the diode defect a constrained noninfonnative prior was applied.
This estimation assumes an dc of 0.5 and derives p as follows using the 8.715E-04 mean failure
rate froin the SPAR data:
hprior= dc/p Where dc=0.5, hp~i,,=8.715E-04/Hr
p = 573
Applying the in service performance for the defective diode the following table can be generated
to detail the diodes failure probability. Apostis derived using the Constrained Noninfonnative
Prior with an dc=0.5 and p = 573.
Number of Diode Diode In Service hpost, Diesel Generator Diode Failure
Failures (N) Tiine (Hours) (dc+N)/p+36) Mission Time Probability (1-
E~p(-Api,,t "24)
N=1 36 2.46E-03 24 H O U ~ S 5.7E-02
N=2 36 4.1 1E-03 24 Hours 9.3 9E-02
I N=3 I36 I 5.75E-03 I 24 Hours I 1.29E-01
Note the above table includes 1, 2 and 3 failures to support bounding analysis done in section
2.2. The overall ,change in risk imparted by the defective diode derived in section 2.1 of this
study concludes an overall failure of 1 to best reflect the actual conditions.
Page C2 of C2
APPENDIX D
DG2 VOLTAGE CONTROL BOARD DIODE FAILURE FIRE-LOOP EVALUATION
Introduction
During surveillance testing on January 18,2007 the Division 2 Emergency Diesel Generator
(DG2) tripped unexpectedly after running for approximately 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> in automatic voltage control
mode. This paper evaluates the impact of internal fires on offsite AC power availability and
recoveiy actions. Internal fires can contribute to the Incremental Conditional Core Damage
Probability (ICCDP) for this condition, and that contribution is assessed using the results of the
CNS IPEEE Internal Fire Analysis coupled with additional condition specific analysis.
This evaluation is limited to conditional fire initiated accident sequences where the DGs are
demanded. Therefore, for the evaluated fire sequences to contribute to the overall ICCDP, they
inust cause a Loss of Offsite Power (LOOP). The LOOP can be caused in one of two ways.
Either the fire physically damages equipment that causes offsite power to be lost, or it forces the
operators to intentionally (per procedure) isolate offsite power from the plant. Sequences that
include a partial LOOP event occurring as result of loss of the start-up transformer are also
possible. However the onsite LOOP recovery (as addressed in 5.4POST-FIRE) from these
sequences are not discussed here.
Evaluation Summary
Only two credible fires will cause a LOOP due to equipment damage. Those fire initiators are 1)
a control room fire originating at either Vertical Board F or Board C, and 2) a fire in Division I1
critical switchgear room 1G. The latter switchgear room fire is not considered because this fire is
assumed to disable Division I1 AC power regardless of the success of the DG2 voltage control
board.
There are two locations in the control room where a fire can conceivably cause a LOOP. Both of
these locations contain control circuits for the critical bus tie breakers from both the station
startup transformer (SSST) and the emergency transformer (ESST). A fire in each location is
considered a separate initiator. One of those sequences requires an unmitigated fire involving at
least 4 feet of a control board to affect the necessaiy breakers. Both fire sequences would require
a combination of hot shorts to open the breakers before the breaker control circuits were shorted
to ground. The 69 ItV transmission line that supplies the ESST does not have a local 69kV
breaker and therefore the 86 Lockout and 87 Differential relays cannot de-energize the
transformer. Instead the 86 Lockout and the 87 Differential relays cause the 41 60 Volt breakers
1F and 1G to trip. Therefore, power from the ESST is recoverable by pulling the fuses at the
brealter(s) and manually closing the breaker(s). Ifjust one (out of two) of the 1G breaker control
circuits is either not shorted to power (hot short) or blows a fuse due to a short to ground, the 1G
critical AC bus will remain energized from an offsite source. Due to the required complexity of
these fires, the probability of the short combinations is on the order of 1E-3. The four lockout
relays are individually fiised and required 125 VDC control power to operate. A fire creating a
Page D1 of D6
short would have to simulate a CLOSED contact from an initiating device without blowing a
control power fuse to actuate the lockout relay or affect current transfoiiner wiring from the
current transformer to the neutral over-current or differential relay causing the relay to actuate.
The contribution to risk from these sequences is negligible.
There are several fires that result in the transfer of control of the plant to the ASD Panel. When
this occurs operators are directed to isolate offsite power and then power bus 1G with DG2.
These fire initiators are 1) a control room fire requiring evacuation, 2) a fire in the cable
spreading room, 3) a fire in the cable expansion room, 4) a fire in the NE comer of the reactor
building, and 5) a fire in the auxiliary relay room. Procedure 5.4FIRE-SD provides instructions
on isolating offsite power and powering the plant from DG2. In these cases, the LOOP is
administratively induced and fiilly recoverable if needed.
In response to the above sequences, the Emergency Response Organization (ERO) will be
available after 60 minutes to assist operations in restoring offsite power if DG2 fails. (Refer to
EAL 5.2.1, a fire that effects any system required to be operable, directs an Alert classification
with ERO activation.) For example, if 4160 VAC buslF is energized, an alternate breaker
alignment could be use to power the 4160 VAC bus 1G (Div. 11) loads that are controlled from
the Alternate Shutdown (ASD) Panel.
Overview of CNS 4160 VAC Distribution Design
The configuration of the CNS offsite power sources and the main generator supply is illustrated
in Figure 1. CNS supplies power to the grid at 345kV. The 345kV switchyard is designed with a
"breaker and a half scheme, so if the CNS Main Generator output breakers trip, the remainder of
the 345kV yard is unaffected. The primary offsite power source at CNS is the Startup Station
Service Transformer (SSST) which is supplied via a step-down transformer T2 from the 345kV
switchyard. The SSST can also be supplied by a 161kV transmission line that leaves the site and
terminates close to the city of Auburn.
At power, CNS norinally supplies the non-1E and 1E 4160 VAC switchgear from the station unit
auxiliary transformer (Normal Station Seivice Transformer or NSST). If the CNS generator trips
or the NSST de-energizes without a generator trip, the station switchgear is designed to transfer
station to the SSST if available via a "fast transfer". The fast transfer occurs within 3-5 cycles
such that no loads are shed during this transfer. Since the 4160 volt Essential Buses 1F and 1G
are supplied by 4160 Volt Buses A and B, the Essential Buses also "fast transfer" to the SSST.
The SSST is supplied by the 161kV CNS switchyard which is connected to the CNS 3451cV
switchyard via an auto-transformer and a 161kV switchyard via the CNS to Auburn 161kV
transmission line. If the SSST is not available or the tie breakers between 4160 Volt BL~S A and F
(and B and G) trip, the Essential Buses 1F and 1G transfer to the Emergency Station Service
Transformer via a short duration dead bus transfer.
Page D2 of D6
FROM FROM
MAIN GENEWTOR 345 KV/161 KV GRID
v
N
22 W/4 160V
NORMAL
STATION SERVICE
TRANSFORMER
STARTUP
STATION SERVICE
TRANSFORMER - VI
UAAJ
I161 KV/4160/
DIESEL GENERATOR R I OESEL GENERATOR P2
f
O P P O LINE
Figure 1. CNS 4160 VAC Distribution
Page D3 of D6
The ESST is supplied by a 69kV sub-transmission line from the 691tV Substation near Brock,
Nebraska which has inultiple sources. A trip of the CNS main generator supply would have a
'
minimal affect on the voltage at the Brock Substation. If the ESST is available and breakers 1FA
and 1GB are OPEN, the ESST supply breakers (1FS and 1GS) to the 1F and 1G switchgear will
close after a short delay (in which the 4160 motors trip) and the ESST will supply both class 1E
switchgear.
If the ESST is also unavailable or one of the supply breakers (IFS or IGS) does not close, the
diesel generator(s) will supply the associated 41 60 VAC switchgear.
Devices that will prevent the ESST or SSST from automatically supplying the 1E switchgear are
the 86/EGP Lockout Relay (ESST Sudden Gas Pressure), 86/SGP (SSST Sudden Gas Pressure),
86IST (SSST Differential Current) and the 86/STL (SSST Neutral Over-current). These lockout
relays will trip the 4160 VAC supply breakers froin the offsite power transformers and prevent
remote closure froin the control room of the 4160 VAC supply breakers. Reference B&R
Drawing 3012, Sheet 4 Rev N1 1. The lockout relays associated with the SSST will also trip the
161kV breakers 1604 and 1606.
The four lockout relays associated with the ESST and SSST are located on Vertical Board F in
the CNS Control Room. The 86/EGP is actuated by a normally open contact at the ESST. Tlie
86/SGP is actuated by a normally open contact at the SSST. The 86/STL is actuated by over-
cui-rent relay 5 lN/STL (also located on Board F) with a cui-rent transformer on the neutral of the
SSST. The 86/ST is actuated by the differential relay 87/ST (also located in Board F) with
cui-rent transformers located in the Non-Critical Switchgear Room.
Discussion of Fire Induced Unintentional LOOP
A Control Rooin fire originating at either Vertical Board F or Board C could cause a LOOP due
to control circuit faults. Tlie following is a discussion of the fire damage scenario needed to
result in a LOOP.
Postulated Control Rooin Fire on Vertical Board F or Board C:
In order to cause 4160 VAC busses A, B, F and G to de-energize due to a fire under Board C in
the control room, the following actions must be caused by the fire before the control room staff
pull the fiises as part of the alternate shutdown procedure. These actions can either be caused by
a fire a Board C or Vertical Board F but the result of the fire must cause damage that results in
the following conditions:
1. The fire would have to cause the breakers 1AS and lBS, the breakers that close to supply
buses 1A and 1B froin the SSST, to fail such that a trip signal would be present.
2. The fire would have to cause the wires for breakers 1FS and IGS, the breakers that close to
supply the buses 1F and 1G froin the ESST, to fail such that a trip signal would be present.
3. The fire would have to cause the wires for breakers 1FE and 1GE, the breakers that close to
supply the buses from the DGs, to fail such that a trip signal would be present.
Page D4 of D6
All of the above failures would have to occur or the under-voltage protection scheme at CNS
would cause the loads to be transferred to the next source. The under-voltage scheme only
transfers loads in one direction, thus once the loads are transferred from the SSST, the under-
voltage protection scheme would not cause the loads to be loaded back onto the SSST if it
becomes available. This latter transfer would be a manual action only. These breakers could be
manually reset from the Essential Switchgear Room once the trip signal is removed. The trip
signal could be removed by the fire causing a short in the control wiring that would cause the
Control Power Transformer fuses to blow or pulling these fuses at the breakers 1FS and/or 1GS
and close the breakers manually.
The switches on Board C where the above control wires are teiininated for division I breakers are
located between 3 to 5 feet from the corresponding Division I1 switches on Board C in the
control room. The fire would have to damage both switch groups and/or corresponding wire
bundles in the manner described above in order to initiate a LOOP. The 86 and 87 relays are
located on Vertical Board F. The four 86 lockout relays open the 4160 VAC tie breakers from
the SSST and ESST in the event of either a high transfoiiner pressure or a neutral over-current.
The four relays are in close proximity to each other and could conceivably be involved in a
single fire. One of these four relays controls the tie breakers from the ESST and the other three
control the tie breakers from the SSST. For a fire to isolate all of the offsite power, it must
involve the 86 relay for the ESST and at least one of the relays for the SSST. The fire must cause
hot shorts that energize the 86 relay coils for all four tie breakers before any shorts to ground
occur that blow the power supply fuses to these relays.
Fire Induced Intentional LOOP
For postulated fires that could impair the ability of the operators to control the plant froin the
control room, CNS procedure 5.4FIRE-SD direct the operators to isolate offsite power, and then
supply power to the plant with DG2. Consequently, the LOOP is administratively induced and
leaves the plant in a configuration where Division I1 equipment is controlled from the ASD panel
(Div I equipment cannot be controlled from the ASD panel.) These postulated fire initiators are
1) fire in the cable spreading room (zone 9A), 2) a fire in the cable expansion room (zone 9B), 3)
a fire in the auxiliaiy relay rooin (zone 8A), 4) a fire in each of the remaining 35 control rooin
panels, and 5) a fire in the NE corner of the Reactor Building (zone 2N2C).
If DG2 fails and cannot be recovered, the operations shift manager (SM) may determine that
offsite power is available and restoration is needed. The ERO can then direct offsite power
recovery using simple breaker operations combined with removing fuses. If needed, the NPPD
Distribution Control Center located at Doniphan can operate 16 lkV switchyard breakers 1604 or
1606 to restore power to the SSST.
CNS IPEEE Internal Fire Analysis
The CNS IPEEE Internal Fire Analysis addressed the above fire zones. The results of that
analysis are summarized in the following table. These sequences are limited to those that result
in the potential for control rooin evacuation and induced plant centered LOOP. The screening
values are the reported screening frequencies in the IPEEE adjusted for the condition exposure
Page D5 of D6
time. This time was determined by taking the tiine fioin plant starhip from the refueling outage
to the DG2 failure (56 days).
Table 1.
Fire Location Adjusted screening value
Cable &reading Room 6.3 1E-8 See Note 2
I Cable ExDansion Room I 2.65E-8 See Note 2 I
Auxiliary Relay Room 2.81E-8 See Note 2
NE Corner of RX Building 6.26E-8 See Note 1, 2
Control Room Vertical Board F 1.28E-7 See Note 2
Control Room Board C 4.3 1E-8 See Note 2
I Control Room All Other Panels I 6.86E-8 See Note 2
Notes:
1. Value for the 903 -6 Rx Building Elevation that includes the NE corner; however, only
the contribution from NE corner requires controlling the plant from the ASD.
2. Since the recovery of offsite AC power in each of these sequences does not involve a
repair, can be performed from within the plant, and has significant procedural guidance, a
non-recovery probability of 5E-1 is estimated and applied to each sequence.
Table 1 lists the applicable results for the base case, including various DG2 failure inodes and
illustrates the order of magnitude importance for areas that include induced LOOP sequences.
The ICCDP for fire would essentially be the sum of the additional cutsets formed by replacing
the DG2 failure events with the voltage control board failure event, and the normal DG non-
recovery with the specific non-recovery of a failed voltage control board. The cutset multiplier to
estimate this replacement would be just slightly over 1.O and would result in an ICCDP of much
less than 1E-6.
Page D6 of D6
APPENDIX E
TIME WEIGHTED LOSP RECOVERIES FOR SBO SEQUENCES
1. OBJECTIVE
The purpose of this calculation file is to update of the offsite power recovery failure
probability for the Cooper PRA. It also documents the calculation of time-weighted
offsite power recovery failure factors for application in SBO sequences in which diesel
generators i-un for a period of time before the SBO occurs.
2. INPUTS AND REFERENCES
The following inputs and references were used to generate offsite power recovery:
1. NUREG CR 6890, Reevaluation of Station Blackout Risk at Nuclear Power
plants, published December, 2005
3. DEFINITIONS
Time-weighted LOSP This represents the average offsite power recovery failure
Recovery: probability assuming temporary operation of the EDG after
loss of offsite power.
4. ASSUMPTIONS
Offsite Power Recovery
1. General industry loss of offsite power data as reported in References 1 are considered
to be applicable to Cooper. Loss of offsite power events at other nuclear power plants
documented in these references could also occur at Cooper due to the similarity in the
design of their power grid. Pooling all applicable events would provide a better estimate
of the offsite power recoveiy failure probability as a fiinction of time than relying simply
on data for Cooper.
Recovery Time
1. Refer to Appendix A for discussions of batteiy depletion times
5 . ANALYSIS
Method Einployed and Suminailr of Results
The analysis is performed in two steps:
Derive offsite power recoveiy failure probability as a fiinction of time for three
conditions :
Plant centered loss of offsite power
Grid centered loss of offsite power
Page E l of E9
Weather related loss of offsite power
Develop a time weighted offsite power recovery factor to account for the possibility that
a diesel generator may run for a period of time before a station blackout occurs.
Successful diesel operation, even if temporarily, can provide additional time to recover
offsite power.
Offsite Power Recovery
The methodology used here develops a discrete probability profile generated from
compilation of loss of offsite power durations which is then fit to a continuous
distribution fiinction using least-square curve fit. The data used in this analysis was
collected by the NRC [References 11. The loss of offsite power events were used to form
the inputs for deriving the discrete offsite power failure recovery probability.
Time Weighted Offsite Power Recovery Factor:
The Cooper station blackout (SBO) sequences consider seven different means of reaching
core damage.
Extended RCIC Success (Case 1) - Modeled recovery of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />
RCIC Success (Case 2) - Modeled recovery of 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />
Extended HPCI Success (Case 3) - Modeled recovery of 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />
HPCI Success (Case 4) - Modeled recoveiy of 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />
One SORV, RCIC Success (Case 5 ) - Modeled recovery of 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />
Two SORV (Case 6) - Modeled recovery of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />
Injection Failure (Case 7) - Modeled recovery of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />
For the above scenarios, the current SBO accident sequences are quantified as though the
SBO event occurs at the time of the loss of offsite power event (time = 0). This assumption is
considered conservative from an offsite power recovery standpoint given that one or both
EDGs may be available for a while to provide support for operation of AC powered accident
mitigating systems. Temporary operation of an EDG would allow inore time for operators to
recover offsite power and thus would reduce the SBO CDF. Explicitly accounting for the
SBO scenarios where the EDG(s) runs temporarily requires integration of the run failure rate
and the offsite power recovery probability over the mission time of the accident sequence. A
discrete approximation to this integration can be performed by breaking out the original 24
hour EDG mission time into equal run time segments (1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> segments) with corresponding
EDG failure probabilities. Since offsite power is lost at time zero, the latest time to recover
power increases by an hour for each succeeding EDG successful run segment.
Correspondingly, with each succeeding hour that the SBO event is delayed, the offsite power
recoveiy failure probability would decrease. The event tree shown in Figure 5-1 illustrates
the EDG run scenarios to be quantified to obtain a time-weighted offsite power recovery
failure probability for the extended RCIC success sequences.
Page E2 of E14
ct, = Pt, / Plosp,o
PtW= Averaged offsite power recovery factor
Ch,,= Time Weighted Correction Factor
Page E3 of E14
Figure 5-1 : EDG Time Dependent Loss of Offsite Power Event Tree (Plant Centered)
Plant Centererl
EDG Run Time-Segment (1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />) Must Case
0 0 1 2 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 1 9 2 0 2 1 22 23 Seq Recv 1 Bat
- - - - - - - - - - - - - - - - - - - - - - - OSP Depl
1 2 3 5 6 7 8 9 10 11 1 2 1 3 1 4 1 5 1 6 1 7 1 8 1 9 2 0 2 1 2 2 2 3 2 4 byhr PLOSP
1
I-
.)
P I -11
- 24
23
22
0.004
0.005
0.005
16 21 0.006
17 20 0.007
18 19 0.008
19 18 0.091
d I
20 17 0.010
16 0.012
15 0.014
14 0.0 17
24 13 0.020
I EDG P( 12h)
I FTS = 0.024
SUM 0.199
Period 24
'Ptw 0.008
- ch 0.345
- Time weighted recovery(Ptw) = SUM(recoveries over 24 hr)/24
- Correction Factor (Ctw) = Time weighted recovery/FTS OSP fail to recover
The time weighted correction factor would be applied to SBO accident sequence cut sets in
which a diesel fail to run basic event occurred.
Analysis
Page E4 of E9
Using the methods described in the preceding section, this section presents the derivation of the
probability of failure to recover offsite power as a fiinction of time.
As explained in Section 5.1, offsite power recovery factors are initially applied in the PRA as
though the station blackout occurred at time zero. In fact, a portion of the station blackout
accident sequences may have an emergency diesel generator available as a power source for a
short period of time before the blackout occurs. These diesel generator failure to run sequences
actually have a longer period of time for operators to recover offsite power than those sequences
in which both offsite power and the diesels are lost at the LOSP event.
Tables 5-1 through 5-3 below coinpile the offsite power recovery failure as a function of the
available recoveiy times for diesel generator failure to mn sequences for each of the three LOSP
event categories (plant centered, grid centered, weather related). The first coluinn represents the
sequence in the event tree shown in Figure 5-1. The second coluinn is the time at which it is
assumed that the last diesel generator fails to run following the loss of offsite power initiator.
The coluinns labeled "AC Recovery Required" represent the time at which core damage is
assumed and the associated offsite power recovery failure probability (PLosp iJ. The offsite
power recoveiy factor as a fiinction of time (Plosp-i) is calculated as illustrated in Figure 5-1 for
all seven cases.
Since offsite power recovery failure for the three SBO scenarios are represented by point values
in the accident sequence quantification, it is necessary to obtain representative average values for
sequences in which a diesel fail to run occurs. The average values are time-weighted on the
EDG i-un cases and are calculated by the following equation.
Equation 4
Where:
Ptw = Time weighted loss of offsite power recovery factor
Ch,.= Time weighted loss of offsite power recovery correction factor (normalized
to recovery assuming blackout conditions at t=O)
Plosp-i = Probability of offsite power recovery failure by time segment i
Plosp~~ = sProbability of offsite power recovery failure assumes EDG fails at t=O
tl = Recovery time (Case specific)
t2 = EDG mn mission time (24 hr)
For example, for battery depletion scenarios, accident sequence quantification is perfoiined
assuming a failure to recover offsite power probability at 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. The time weighted correction
factor Ch,,is calculated by averaging offsite power recovery failure over the 9 hour1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br /> to 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />
time frame and noiinalizing to the recovery failure probability at 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. For any cut set
Page E5 of E14
containing an EDG fail to nm event, the time weighted coi-rection factor (C,,) is applied as a
recovery factor. This approach to SBO accident sequence quantification assuines that the EDG
mission time is set to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for all accident sequences.
Page E6 of E14
2
w
4.
0
M
w
a,
a
2
I1
2
W
cr
0
m
W
The above tables derive conditional time weighted recovery factors for the CNS PRA model and
were used to derive values in Table 2.2.2-1 Because the CNS model combines plant centered
and switchyard centered events into one initiator with recoveries, no specific switchyard
recovery factors are provided.
A separate analysis, specific to Cooper Nuclear Station, was performed to provide recovery
factors for switchyard centered events. This is reflected in the following 4 tables (5.4 through
5.7).
The recovery factors in Tables 5.4 through 5.7 are provided to allow other analyst the option to
apply recovery time weighted factors should the analysts PRA model separate the switchyard
centered LOSP recoveries from the plant centered LOSP recoveries.
Page E10 of E14
2
W
rcr
0
c!
W
e,
M
cd
a
d
W
r,
0
m
c
W
al
a
3
c