NLS2008047, Reply to Preliminary White Finding Regarding NRC Inspection Report 05000298-08-002

Accession number: ML081760263
Site: Cooper
Issue date: 06/19/2008
From: Minahan S, Nebraska Public Power District (NPPD)
To: Document Control Desk, Office of Nuclear Reactor Regulation
References: NLS2008047, IR-08-002


Text

Nebraska Public Power District
"Always there when you need us"

NLS2008047
June 19, 2008

U.S. Nuclear Regulatory Commission
Attention: Document Control Desk
Washington, D.C. 20555-0001

Subject:

Reply to Preliminary White Finding Regarding NRC Inspection Report 05000298/2008002 Cooper Nuclear Station, Docket No. 50-298, DPR-46

Reference:

Letter to Stewart B. Minahan, Nebraska Public Power District, from Dwight D. Chamberlain, U. S. Nuclear Regulatory Commission, dated May 6, 2008, "Cooper Nuclear Station - NRC Integrated Inspection Report 05000298/2008002"

Dear Sir or Madam:

The purpose of this correspondence is to submit Nebraska Public Power District's (NPPD) position on a preliminary finding discussed in the reference letter. The Nuclear Regulatory Commission (NRC) cited a finding and provided NPPD an opportunity to discuss its position in a regulatory conference or in writing on the docket. As discussed with Rick Deese (NRC) in a phone call with David Van Der Kamp (NPPD) on May 16, 2008, NPPD is not requesting a regulatory conference.

The reference letter discusses a preliminary finding that is categorized as having low to moderate safety significance (that is, White). The NRC concluded that the failure to establish adequate procedural controls for the maintenance of electrical connections on diesel generators led to the failure of Diesel Generator 2 (DG2) during testing on January 15, 2008.

The enclosure to this letter is an engineering study that documents NPPD's review of the NRC's preliminary risk evaluation. This review concluded that additional key information should be provided to the NRC for consideration as this information does affect the outcome of the significance determination. The enclosure also includes two sections discussing comments of concurrence and comments with minor effects on the phase 3 Significance Determination Process (SDP) to document completeness of the Cooper Nuclear Station (CNS) review. The preliminary phase 3 significance determination, provided as Attachment 2 in the reference letter, must consider the following information prior to the final significance determination for the violation related to the unexpected shutdown of DG2 that occurred on January 15, 2008.

COOPER NUCLEAR STATION
P.O. Box 98 / Brownville, NE 68321-0098
Telephone: (402) 825-3817 / Fax: (402) 825-5211
www.nppd.com


1. The change in core damage frequency (CDF) is overestimated because the preliminary phase 3 evaluation used a base case to establish nominal CDF that included adjustments to the loss of offsite power initiating frequencies, offsite power non-recoveries, and diesel generator recoveries for cutsets that include start failures of the division one emergency diesel generator. This resulted in a base CDF that is less than the nominal CDF reflected by the NRC SPAR model, and correspondingly resulted in a larger change in CDF.
2. The performance shaping factors (PSF) applied to determine human error probability for recovery of DG2 after the unexpected shutdown do not reflect the post event conditions that would be present. This results in a higher human error probability than what would be warranted due to favorable layout and actual configuration. The following outlines the PSFs of interest.
   a. Ergonomics during diagnosis is judged to be nominal instead of the PSF level of poor listed in the phase 3 SDP evaluation included in the reference.
   b. Available time for the actions required for recovery is considered five times greater than required instead of the PSF level of nominal listed in the phase 3 SDP evaluation included in the reference.
   c. Stress for the actions required for recovery is considered extreme instead of the PSF level of high listed in the phase 3 SDP evaluation included in the reference.
   d. Procedures for the actions required for recovery are considered not available instead of the PSF level of nominal listed in the phase 3 SDP evaluation included in the reference.
3. The preliminary phase 3 risk evaluation changes the CNS SPAR model to reflect certain (probability of 1.0) failure of the fire protection system to provide an alternate reactor pressure vessel (RPV) injection function (known as firewater injection). This review determined that full credit of the SPAR's 0.15 failure probability should be allowed for the ability to mitigate the loss of offsite power event. The importance of firewater as an injection source is large enough to impact the change in CDF derivation provided by the preliminary NRC risk evaluation.

CNS PRA modeling has documented sound justification for the success of firewater as an RPV injection system. Justification includes assurance that available time, and firewater flow rates are adequate. The CNS staff acknowledges that a manual service water valve (SW-V-119) was tagged closed by a clearance order and was incapable of providing its function required by the firewater injection flow path during the exposure time. However, this condition is not sufficient to exclude crediting firewater injection in the significance determination for the DG2 unexpected shutdown. The configuration of SW-V-119 is not a result of the cause related to the DG2 apparent violation. Regulatory guidance specifically states that significance determinations should not include additional postulated or known degraded conditions that existed during the exposure time if the cause of the degradation is independent of the cause for the violation.

In evaluating the risk significance of the finding, the NRC Senior Resident Inspector (SRI) considered the plant alignment for delivering fire protection system water into the reactor vessel. The SRI determined that the time needed to establish the configuration was marginal and that a valve in the flow path would have prohibited successful completion of the strategy. Based on the above information, the NRC determined that no credit would be provided for the firewater injection mitigation strategy. The attachment to this letter addresses NPPD's understanding of the application of exclusions in IMC 0308 for concurrent non-performance deficiency related issues such as this.

Also, note that there are other flow paths available to inject firewater into the RPV that do not require manipulation of the SW-V-119 valve. These flow paths are included in the same section of the operating procedure used to inject firewater into the RPV using SW-V-119. As noted in the phase 3 SDP evaluation of the reference, the operator would not have time to line up and inject with another flow path if the operator chose to open the tagged and degraded SW-V-119 and attempt to inject firewater into the RPV. However, adequate time would be available should the operator decide to pursue one of the other firewater injection paths immediately upon discovery that the SW-V-119 valve was degraded and tagged closed.

Overall, consideration of the information in the enclosure is expected to decrease the change in CDF by approximately 86%. This reduction in CDF results in an SDP below the Green-White threshold.

The major contributor to the reduction in the change in CDF is application of a more appropriate PSF level of "nominal" for the ergonomics that are associated with the diagnosis portion of the non-recovery analysis.

The proposed phase 3 SDP evaluation included in the reference letter includes an ergonomic PSF level of "poor." The PSF level of "poor" is not warranted when considering the acceptable, existing human interface design and operating experience at CNS. This is based on the following:

  • The design of the man-machine interface in the control room, DG2 room, and emergency response facilities includes sound human factor elements that ensure correct performance of operator actions. This design meets nominal industry expectations.
  • CNS operating experience did not reveal any ergonomic deficiencies that would result in a negative impact to the actions required for recovery of DG2.

There are no conditions (for example, insufficient lighting, high area temperatures) that would be expected to result in poor ergonomic shaping factors during the recovery.

As a side note, CNS is performing further investigations that may challenge the basis of our root-cause evaluation. This is an internal initiative to understand the effects of vibration on the amphenol connector through detailed vibration testing performed by an outside vendor. This action is being taken based on a review of our corrective actions during implementation of our root cause corrective actions. Vibration testing may provide data that validates that the loose amphenol connector failure was not time dependent and, in turn, would decrease the exposure time used in this SDP from four months to less than three days.

If you have questions, you may contact David Van Der Kamp, Licensing Manager at (402) 825-2904.

Sincerely,

Stewart B. Minahan
Vice President - Nuclear and Chief Nuclear Officer

/jf

Attachment
Enclosure

cc: Regional Administrator w/ attachment and enclosure
USNRC - Region IV

Cooper Project Manager w/ attachment and enclosure
USNRC - NRR Project Directorate IV-1

Senior Resident Inspector w/ attachment and enclosure
USNRC - CNS

NPG Distribution w/o attachment and enclosure

CNS Records w/ attachment and enclosure

ATTACHMENT Treatment of Concurrent Issue (Non-Performance Deficiency)


Subject:

Treatment of Concurrent Issue (non-performance deficiency)

Nuclear Regulatory Commission (NRC) Inspection Report (IR) 2008002 documents a preliminary White finding associated with a loose amphenol connector on Diesel Generator 2 (DG2). In order to properly determine the risk significance of the finding, the NRC Senior Resident Inspector (SRI) observed a walk-down of procedure steps, with a senior reactor operator and a risk management engineer, which would be used for delivering fire water into the reactor vessel (known as firewater injection). The SRI determined that the time needed to establish the configuration was marginal and that a valve in the flow path would have prohibited successful completion of the strategy. Based on the above information, the NRC determined that no credit will be provided for the fire injection mitigation strategy. The central issue is concerned with whether a maintenance condition (valve in the firewater injection flow path needing to be repaired) should be considered in the significance determination in such a way as to preclude appropriate mitigation credit.

The documented performance deficiency resulted in an apparent violation of Technical Specification (TS) 5.4.1.a for failure to establish appropriate maintenance procedure controls (inadequate procedure). The condition that resulted from the inadequate maintenance procedure was loosening of an amphenol connector that ultimately caused the DG2 load/run failure on January 15, 2008. The loose amphenol is the only condition that should be evaluated within the significance determination process (SDP). The degraded valve in the firewater injection path (SW-V-119) is a separate maintenance condition.

The SDP recognizes that structures, systems, and components will require maintenance from time to time. The purpose for conducting maintenance may be in the form of preventive or corrective activities and, in all but extreme cases, is planned. The NRC identifies maintenance (normal maintenance, on-line maintenance, and planned maintenance) as an accounted for condition within the maintenance and testing risk model. Since the performance deficiency and resulting condition were associated with the DG2 amphenol connector, then the outstanding maintenance condition with SW-V-119 should not be considered unavailable for mitigation purposes.

SW-V-119 failed its surveillance test on March 18, 2007. It was believed that the drain line used for testing was plugged, not that SW-V-119 was plugged. Per the work control process, a work order was developed and scheduled and on September 16, 2007, it was determined the valve chain operator moved very easily. An apparent cause was performed and an action developed to inspect the valve internally using a borescope. The inspection was performed on November 21, 2007, and determined that the valve disc for SW-V-119 had separated from its stem. A work order was developed and scheduled to repair the valve. On June 10, 2008, the valve was disassembled, but the disc could not be removed from the valve seat and no replacement valve is currently in stock. The work is being rescheduled for a later time when a new valve is available for complete replacement. [Note: SW-V-119 has been out of service for 15 months which was concurrently unavailable during the exposure period for DG2; nevertheless the SDP does not address limitations in this area.]

NRC Inspection Manual, Manual Chapter 0308 (Reactor Oversight Process (ROP) Basis Document), Attachment 3 (Significance Determination Process (SDP) Basis Document) states (emphasis added):

The SDP actually estimates the CCDP given the degraded condition which resulted from the performance deficiency, for the time this degradation existed. The nominal CDP, which accounts for normal maintenance, during this time, is subtracted from the CCDP to obtain the change in CDP due to the degraded condition alone (without consideration of any specific maintenance configuration that might have existed). This numerical result is then normalized by dividing it by 1 year to arrive at a delta CDF in units of "per year." If equipment outages due to maintenance were included in this delta CDF estimation, the result would potentially render results of higher significance. This would result in assessments of the risk impact of licensee performance that inappropriately would depend as much on the licensee's appropriate conduct of on-line maintenance as on the licensee's deficient performance. [1]

NRC Inspection Manual, Manual Chapter 0308 (Reactor Oversight Process (ROP) Basis Document), Attachment 3 (Significance Determination Process (SDP) Basis Document), Appendix A (Technical Basis For At Power Significance Determination Process) states (emphasis added):

Because the purpose of the SDP is to estimate the increase in core damage frequency due to deficient licensee performance, the SDP evaluation should not include equipment unavailability due to planned maintenance and testing. The impact of this equipment not being available for mitigation purposes is included in the baseline core damage frequency for each plant. [2]

CONCLUSION

The SDP basis documents clearly identify that the impact of equipment out of service for maintenance should not be considered unavailable for mitigation purposes. The NRC uses several terms to describe maintenance; however, the context of the application within the SDP focuses on maintenance conditions and activities as being included in the baseline core damage frequency. Therefore, the maintenance condition for SW-V-119 should not prevent the full mitigation credit of the SPAR's 0.15 failure probability when working through the significance determination for the DG2 amphenol issue. Otherwise, the risk impact could be artificially elevated potentially resulting in inappropriate regulatory action.

[1] Section 8.B. - Issue Date: 10/16/06
[2] Section 3.A.2.12.1.2 - Issue Date: 11/08/07

ENCLOSURE

PSA-ES092 Results of the Review of the NRC Preliminary Risk Significance Determination for the January 15, 2008, Unexpected Shutdown of DG2


ATTACHMENT 3 LIST OF REGULATORY COMMITMENTS

Correspondence Number: NLS2008047

The following table identifies those actions committed to by Nebraska Public Power District (NPPD) in this document. Any other actions discussed in the submittal represent intended or planned actions by NPPD. They are described for information only and are not regulatory commitments. Please notify the Licensing Manager at Cooper Nuclear Station of any questions regarding this document or any associated regulatory commitments.

COMMITMENT | COMMITMENT NUMBER | COMMITTED DATE OR OUTAGE
None | |


PROBABILISTIC SAFETY ASSESSMENT
COOPER NUCLEAR STATION
ENGINEERING STUDY

Title: RESULTS OF THE REVIEW OF THE NRC PRELIMINARY RISK SIGNIFICANCE DETERMINATION FOR THE JANUARY 15, 2008, UNEXPECTED SHUTDOWN OF DG2

Log No.: PSA-ES092

Date:

Prepared By: Risk Management, ESD w H Olon

Reviewed By: Branch Engineering, Inc; Entergy Nuclear Northeast; A. Milialik; J. Bretti

Approved By: Supervisor, Risk Management, ESD K. E. Sutton

Revisions:

Number | Description | Prepared By / Date | Reviewed By / Date | Approved By / Date
0 | | See above | See above | See above

RESULTS OF THE REVIEW OF THE NRC PRELIMINARY RISK SIGNIFICANCE DETERMINATION FOR THE JANUARY 15, 2008, UNEXPECTED SHUTDOWN OF DG2

EXECUTIVE SUMMARY
BACKGROUND
OVERVIEW OF FINDINGS
CONCLUSION
APPROACH FOR REVIEW
COMMENTS OF CONCURRENCE
COMMENTS WITH MINOR AFFECTS ON THE PHASE 3 SDP
COMMENTS AFFECTING THE OUTCOME OF THE PHASE 3 SDP
RESULTING SIGNIFICANCE
REFERENCES
ADDENDUM A: Human Error Probability Determination for Recovery from the DG2 Speed Sensor Loose Amphenol Connector

EXECUTIVE SUMMARY

BACKGROUND

While performing post maintenance testing, an unexpected shut down of the division two emergency diesel generator (DG2) occurred on January 15, 2008. Subsequent root cause investigation determined that the unexpected shutdown was caused by a loose connection of the Amphenol-type connector used by the relay tachometer speed sensor, DG-SE-3143.

The NRC integrated inspection completed on March 22, 2008 resulted in an apparent violation for the DG2 unexpected shutdown. This apparent violation was documented by the NRC in reference 1 and resulted in a preliminary phase three significance determination included as attachment 2 of the reference.

As requested by reference 1, a review of the preliminary phase three significance determination has been completed and is documented herein.

OVERVIEW OF FINDINGS

This engineering study documents Cooper Nuclear Station's (CNS) review of the NRC preliminary risk evaluation. This review concluded that additional key information should be provided to the NRC for consideration as this information does affect the outcome of the significance determination.

CONCLUSION

The preliminary phase 3 significance determination provided as attachment 2 in reference 1 must consider the following information prior to the final significance determination for the violation related to the unexpected shutdown of DG2 that occurred on January 15, 2008. Consideration of this information is expected to decrease the change in CDF by approximately 86%.

1. The change in core damage frequency (CDF) is overestimated because the NRC preliminary phase 3 evaluation used a base case to establish nominal CDF that included adjustments to the loss of offsite power initiating frequencies, offsite power non-recoveries, and diesel generator recoveries for cutsets that include start failures of the division one emergency diesel generator. This resulted in a base CDF that is less than the nominal CDF reflected by the NRC SPAR model, and correspondingly resulted in a larger change in CDF.


2. The performance shaping factors (PSF) applied to determine human error probability for recovery of DG2 after the unexpected shutdown do not reflect the post event conditions that would be present. This results in a higher human error probability than what would be reflective of actual conditions. The following outlines the PSFs of interest.
  • Ergonomics during diagnosis is judged to be nominal not poor
  • Available time for the actions required for recovery is considered 5 times greater than required rather than nominal
  • Stress for the actions required for recovery is considered extreme instead of high
  • Procedures for the actions required for recovery are considered not available instead of nominal
3. The preliminary phase 3 risk evaluation changes the Cooper SPAR model to reflect certain (probability of 1.0) failure of the firewater RPV injection function.

This review determined that full credit should be allowed for the ability to mitigate the loss of offsite power event through the use of firewater as a reactor pressure vessel (RPV) injection source. The importance of firewater as an injection source is large enough to impact the change in CDF derivation provided by the preliminary NRC risk evaluation. CNS PRA modeling has documented sound justification for the success of firewater as a RPV injection system.

Justification includes assurance that available time, and firewater flow rates are adequate. Cooper Nuclear Station does recognize that a manual valve (SW-V-119) was tagged closed by a clearance order and may have been incapable of providing its function required by the firewater injection flow path during the exposure time. However, this configuration should not be included in the significance determination for the DG2 unexpected shutdown. The configuration of SW-V-119 is not a result of the cause related to the DG2 apparent violation.

Regulatory guidance specifically states that significance determinations should not include degradations that existed during the exposure time if the cause of the degradation is independent of the cause for the violation.

The following details the overall review of the NRC phase three significance determination.

RESULTS OF REVIEW

APPROACH FOR REVIEW

The preliminary phase 3 significance determination process risk evaluation provided in reference 1 was reviewed to ensure the following criteria were met:

  • Information obtained during the Cooper Nuclear Station's investigation of the unexpected shutdown of DG2 was reflected in the risk evaluation.
  • The application of the CNS SPAR model to determine the change in CDF included use of appropriate PRA techniques. This included ensuring assumptions were correct and best represented expected plant response.
  • Overall methodology followed the industry guidance for determination of significance using change in CDF.

The results of the review are documented in three sections.

  • Review comments documenting agreement with the phase 3 risk evaluation are included in the section titled "Comments of Concurrence".
  • Comments that were determined to affect the risk evaluation, but considered to have minor impact on the overall change in CDF conclusion are included in the section titled "Comments with Minor Affects on the Phase 3 SDP". These comments are best characterized as either typographical, elaboration on the evaluation's narrative, or recommendations to improve the application of the PRA.
  • Comments that provide additional information that is judged to affect the overall outcome of the phase 3 SDP risk evaluation are included in the section titled "Comments Affecting the Outcome of the Phase 3 SDP". Because these comments affect the evaluation's outcome, they are provided for consideration prior to determination of the final significance.

Also included in this study is a change in CDF determination that incorporates the comments included in the section titled "Comments Affecting the Outcome of the Phase 3 SDP". This determination was done to validate the judgment that the comments are significant enough to result in a change to the outcome of the preliminary phase 3 SDP risk evaluation.

COMMENTS OF CONCURRENCE

1. The overall approach used to determine the change in core damage frequency was found to be sound. The approach demonstrated keen knowledge of the facts, how to apply the PRA model, and expected plant response to loss of offsite power events.
2. The review concurs with assumption 1 of the phase 3 SDP risk evaluation. Based on information gathered during the investigation of the unexpected DG2 shutdown, it is reasonable to conclude that the Amphenol-type connector degraded only during times that DG2 was running. DG2 run times listed in this assumption reflect the operating times found in the DG2 run data archives.
3. The review concurs with some aspects of assumption 2. Specifically, it is agreed that the recovery of DG2 should only be applied to sequences that have 4 hours or more for recovery.
4. The review concurs with assumption 3. Additional SPAR modeling was done to more accurately reflect the allowance for an 11 hour discharge of the class 1E batteries.
5. The review concurs with the conclusions detailed in assumption 5. Common cause vulnerabilities for DG1 did not result from the root cause of the DG2 unexpected shutdown. Investigation of the shutdown found that the failure caused by the loose Amphenol-type connector was independent in nature.
6. The review concurs with the conclusions detailed in the external events section and the large early release frequency section of the phase 3 evaluation.

COMMENTS WITH MINOR AFFECTS ON THE PHASE 3 SDP

1. This review believes it is important to note that the CNS root cause investigation included assurance that no Amphenol-type connectors were loose on DG1. This assurance was provided through hands on inspections of DG1 Amphenol-type connectors. Assumption 5 should be further substantiated by including discussion of checks performed on DG1 connections.
2. The base case and current case should not contain non-minimal cutsets. Cutsets generated from the quantification of the phase 3 PRA modeling contain non-minimal cutsets for the base case and current case. Non-minimal cutsets provide false contributions to increase in risk. Because the significance evaluation is attributable to one initiator, subsuming non-minimal cutsets is justified. One example from the base case is as follows:

Minimal cutset:

Cut No. | % Total | % Cut Set | Prob./Frequency | Basic Event
1 | 17.72 | 17.72 | 1.238E-007 | IE-LOOP, EPS-DGN-FR-DG1A, EPS-DGN-FR-DG1B, EPS-XHE-XL-NR11H, OEP-XHE-XL-NR11H

Non-minimal cutset:

Cut No. | % Total | % Cut Set | Prob./Frequency | Basic Event
16 | 70.26 | 1.06 | 7.431E-009 | IE-LOOP, EPS-DGN-FR-DG1A, EPS-DGN-FR-DG1B, EPS-XHE-XL-NR11H, OEP-XHE-XL-NR11H, OPR-XHE-XL-EXT01

3. The existing DG2 fail to run event, EPS-DGN-FR-DG1B, should be set to a failure probability of 1.0 and ANDed with the new non-recovery event, EPS-SPEED-SENSOR-RCV.

The new event, EPS-SPEED-SENSOR is not required because speed sensor failures are not indicative of a new failure mode. Speed sensor failures are within the boundary of the diesel generator fail to run event. CNS and standard PRA data analysis practices include diesel control circuitry within the boundaries of the diesel generator when deriving fail to run frequencies. The failure that was manifested by the speed sensor loose connection is considered to be within the diesel boundary and therefore a diesel generator run failure. This modeling approach is detailed in reference 2 (second bullet under the "Adding a Non-recovery Event Using Saphire Version 7" heading on page 6-8).

An alternative approach would be to model this speed sensor fault tree as detailed in the preliminary phase 3 SDP risk evaluation, but set the probability for the EPS-DGN-FR-DG1B event to reflect the failure probability for the remaining time DG2 would run after recovery.

4. The review agrees that compensation should be included for the ability to recover from division one diesel generator fail to start events if recovery occurs prior to the time related failure of DG2 caused by the loose connector. However, the compensation is overestimated in that the recovery from the fail to start event is applied to all current case cutsets that contain EPS-DGN-FS-DG1. This results in applying the compensating recovery for DG1 fail to start cutsets that already include recovery of emergency power events (e.g. EPS-XHE-XL-NR11H).

This review recommends applying the DG1 fail to start recovery compensation only to those current case cutsets that contain both the EPS-DGN-FS-DG1 event and the EPS-SPEED-SENSOR-RCV event. This ensures that the compensation for fail to start recovery for DG1 is not applied to cutsets that already contain emergency power recovery events.

5. The titles for sub-sections A and B of the Internal Events Analysis section include dates reflective of the years 2006 and 2007. These dates should be changed to be reflective of the years 2007 and 2008.
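
Comment 2 above recommends subsuming non-minimal cutsets. The following Python sketch is an added example, not code from the NPPD study or from the SAPHIRE tool: it applies Boolean absorption to the two base-case cutsets quoted in comment 2 plus one constructed cutset (the `EXAMPLE-` events and its frequency are hypothetical), and totals the frequency that the non-minimal entries add under the rare-event approximation.

```python
"""Subsume non-minimal cutsets (Boolean absorption) from a quantified cutset list."""
from typing import FrozenSet, List, Tuple

# A cutset is (set of basic events, probability/frequency per year).
Cutset = Tuple[FrozenSet[str], float]

SAMPLE_CUTSETS: List[Cutset] = [
    # Cut No. 1 from comment 2 (minimal), value as listed on the page.
    (frozenset({"IE-LOOP", "EPS-DGN-FR-DG1A", "EPS-DGN-FR-DG1B",
                "EPS-XHE-XL-NR11H", "OEP-XHE-XL-NR11H"}), 1.238e-7),
    # Cut No. 16 from comment 2 (non-minimal): cut 1 plus one extra event.
    (frozenset({"IE-LOOP", "EPS-DGN-FR-DG1A", "EPS-DGN-FR-DG1B",
                "EPS-XHE-XL-NR11H", "OEP-XHE-XL-NR11H",
                "OPR-XHE-XL-EXT01"}), 7.431e-9),
    # Constructed cutset (hypothetical events and value) that shares only the
    # initiator with the others, so it must survive subsumption.
    (frozenset({"IE-LOOP", "EXAMPLE-EVENT-A", "EXAMPLE-EVENT-B"}), 1.0e-9),
]


def subsume(cutsets: List[Cutset]) -> Tuple[List[Cutset], List[Cutset]]:
    """Split a cutset list into (minimal, subsumed).

    A cutset is non-minimal when some other cutset is a subset of it: the
    smaller cutset alone already causes the end state, so the larger one
    adds nothing to the Boolean expression (A + A*B = A).
    """
    # Visit smaller cutsets first so every candidate subset is already in
    # `minimal` when its supersets are examined.
    ordered = sorted(cutsets, key=lambda c: len(c[0]))
    minimal: List[Cutset] = []
    subsumed: List[Cutset] = []
    for events, freq in ordered:
        # `<=` also catches exact duplicates of a cutset already kept.
        if any(kept <= events for kept, _ in minimal):
            subsumed.append((events, freq))
        else:
            minimal.append((events, freq))
    return minimal, subsumed


def rare_event_sum(cutsets: List[Cutset]) -> float:
    """Rare-event approximation: total frequency is the sum over cutsets."""
    return sum(freq for _, freq in cutsets)


def false_contribution(cutsets: List[Cutset]) -> float:
    """Frequency that non-minimal cutsets add to a rare-event sum."""
    _, subsumed = subsume(cutsets)
    return rare_event_sum(subsumed)


if __name__ == "__main__":
    minimal, subsumed = subsume(SAMPLE_CUTSETS)
    print(f"sum before subsuming: {rare_event_sum(SAMPLE_CUTSETS):.4e}")
    print(f"sum after subsuming:  {rare_event_sum(minimal):.4e}")
    for events, freq in subsumed:
        print(f"subsumed ({freq:.3e}): {sorted(events)}")
```
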

COMMENTS AFFECTING THE OUTCOME OF THE PHASE 3 SDP

1. The change in core damage frequency is overestimated because the NRC preliminary phase 3 evaluation used a base case to establish nominal CDF that included adjustments to the loss of offsite power initiating frequencies, offsite power non-recoveries, and diesel generator recoveries for cutsets that include start failures of the division one emergency diesel generator. These adjustments are judged to be modeling changes to reflect the degraded condition of DG2 and not modeling changes to better reflect normal baseline operations. This resulted in a base CDF that is less than the nominal CDF reflected by the NRC SPAR model, and correspondingly resulted in a larger change in CDF.

The significance determination process is based on the change in CDF as related to the base average test and maintenance CDF for a nuclear power plant operating at power. Determination of this change in CDF requires that the base CDF represents the normal configuration of the operating plant. Thus, changes to the base model to reflect the degradations characterized by the apparent violation are not warranted.

Guidance in this area is in agreement with this review comment. Reference 3, sections 3.C.1 and 8.B detail that the change in CDF is based on change from nominal baseline levels.

The Cooper Nuclear Station's base case CDF for loss of offsite power events with core damage end states is 1.158E-6/year. This is quantified through the Cooper SPAR model, Revision 3.40. This is the recommended value that should be used when deriving the change in CDF for the phase 3 risk evaluation.

2. The PSF applied to determine human error probability for recovery of DG2 after the unexpected shutdown does not reflect the post event conditions that would be present. This results in a higher human error probability than what would be warranted due to favorable layout and actual configuration.

The following outlines the PSFs of interest. Reference 4 was used as basis to determine the appropriate level for each PSF discussed.

a. Ergonomics during diagnosis is judged to be nominal not poor.

The design of the plant supports sound and favorable man machine interface and correct performance of tasks. Appropriate component labeling and machine interface is established for the DG2 equipment being diagnosed and operated. Emergency lighting and readily available portable lighting will provide adequate illumination for the task at hand.

CNS operating experience did not reveal any ergonomic deficiencies that would result in a negative impact to the actions required for recovery of DG2.

No other negative contributions to ergonomics are anticipated.

b. Available time for the actions required for recovery is considered 5 times greater than required rather than nominal.

Based on the timeline detailed in figure 1 of addendum A, the duration of recovery after diagnosis is 13 minutes. The time available for recovery is judged to be 176 minutes and is the difference between diagnosis time, 124 minutes, and the time at which HPCI injection is terminated due to battery depletion, 300 minutes. This results in the time available being 13 times greater than the time required.

c. Stress for the actions required for recovery is considered extreme instead of high.

The situation that would be present would include recovery from a station blackout condition. This is considered to induce a level of disruptive stress in which the performance could deteriorate. This level of stress is compounded from the fact that the loss of offsite power event has persisted for several hours.

d. Procedures for the actions required for recovery are considered not available instead of nominal.

Recovery actions, though straightforward, are not guided by procedures.

The action includes the tightening of an Amphenol-type connector and is considered skill of the craft, but no procedures exist to direct the tightening. Procedures are available to guide the start of and loading of DG2 after the connector is retightened. It is noted that this PSF may be considered nominal based on the simplicity of the action and the available procedures that direct DG2 loading, and this recommendation of not available may be considered a conservative bound.

The changes to the PSFs result in a human error probability of 1.37E-01. This probability should be considered for use as the value for the EPS-SPEED-SENSOR-RCV in the phase 3 evaluation.

Details of the human reliability analysis are included in this study as addendum A.

3. The preliminary phase 3 risk evaluation changes the Cooper SPAR model to reflect certain (probability of 1.0) failure of the fire protection system to provide an alternate reactor pressure vessel (RPV) injection function (known as firewater injection). This review determined that full credit of the SPAR's 0.15 failure probability should be allowed for the ability to mitigate the loss of offsite power event. The importance of firewater as an injection source is large enough to impact the change in CDF derivation provided by the preliminary NRC risk evaluation. CNS PRA modeling has documented sound justification for the success of firewater as an RPV injection system. Justification includes assurance that available time and firewater flow rates are adequate.

The CNS staff acknowledges that a manual valve (SW-V-119) was tagged closed by a clearance order and was incapable of providing its function required by the firewater injection flow path during the exposure time.

However, this condition is not sufficient to exclude crediting firewater injection in the significance determination for the DG2 unexpected shutdown. The configuration of SW-V-119 is not a result of the cause related to the DG2 apparent violation. Regulatory guidance specifically states that significance determinations should not include additional postulated or known degraded conditions that existed during the exposure time if the cause of the degradation is independent of the cause for the violation.

RESULTING SIGNIFICANCE

The Cooper SPAR model revision 3.40 was used to model the three comments detailed in the "Comments Affecting the Outcome of the Phase 3 SDP" section above. Comment incorporation included using the SPAR model value of 0.15 for FWS-XHE-ERROR, applying the SPAR LOOP baseline CDF of 1.158E-06, and applying the Addendum A HEP value of 0.137 for EPS-SPEED-SENSOR-RCV.

All other modeling changes done by the NRC preliminary phase 3 SDP risk evaluation were made. The resulting phase 3 change in CDF is 4.229E-7. The following tables provide the data generated from the Cooper SPAR model.

Note that these results are not validated. It is recommended that the final phase 3 SDP risk evaluation include only results that are modeled and validated by qualified NRC SRAs.

New Results for the Two Day Period of January 14 to January 16, 2008

| | CDF/yr | CDF/2 days | Remaining CDF |
|---|---|---|---|
| Base Case | 1.16E-06 | 6.345E-09 | 6.345E-09 |
| Current Case | 2.78E-06 | 1.524E-08 | 1.524E-08 |
| Delta CDF/2 days | | | 8.890E-09 |

New Results for the 35 Day Period of December 10, 2007 to January 14, 2008

| | CDF/yr | CDF/35 days | EDG 1 FTS Recovered (EDG1 FTS cutset total times 0.5934) | EDG 1 FTS Recovered/35 days | Remaining CDF (column 3 - column 5) |
|---|---|---|---|---|---|
| Base Case | 1.16E-06 | 1.110E-07 | N/A | N/A | 1.110E-07 |
| Current Case | 3.83E-06 | 3.674E-07 | 1.340E-07 | 1.285E-08 | 3.545E-07 |
| Delta CDF/35 days | | | | | 2.435E-07 |

New Results for the 27 Day Period of November 14 to December 10, 2007

| | CDF/yr | CDF/27 days | EDG 1 FTS Recovered (EDG1 FTS cutset total times 0.7907) | EDG 1 FTS Recovered/27 days | Remaining CDF (column 3 - column 5) |
|---|---|---|---|---|---|
| Base Case | 1.16E-06 | 8.566E-08 | N/A | N/A | 8.566E-08 |
| Current Case | 2.48E-06 | 1.833E-07 | 1.193E-07 | 8.826E-09 | 1.745E-07 |
| Delta CDF/27 days | | | | | 8.885E-08 |

New Results for the 29 Day Period of October 15 to November 13, 2007

| | CDF/yr | CDF/29 days | EDG 1 FTS Recovered (EDG1 FTS cutset total times 0.8760) | EDG 1 FTS Recovered/29 days | Remaining CDF (column 3 - column 5) |
|---|---|---|---|---|---|
| Base Case | 1.16E-06 | 9.201E-08 | N/A | N/A | 9.201E-08 |
| Current Case | 1.89E-06 | 1.503E-07 | 1.019E-07 | 8.094E-09 | 1.422E-07 |
| Delta CDF/29 days | | | | | 5.018E-08 |

New Results for the 32 Day Period of September 13 to October 15, 2007

| | CDF/yr | CDF/32 days | EDG 1 FTS Recovered (EDG1 FTS cutset total times 0.9267) | EDG 1 FTS Recovered/32 days | Remaining CDF (column 3 - column 5) |
|---|---|---|---|---|---|
| Base Case | 1.16E-06 | 1.015E-07 | N/A | N/A | 1.015E-07 |
| Current Case | 1.61E-06 | 1.411E-07 | 9.225E-08 | 8.088E-09 | 1.330E-07 |
| Delta CDF/32 days | | | | | 3.144E-08 |

New Aggregate Internal Events Results

| TIME PERIOD | DAYS OF EXPOSURE | DELTA CDF |
|---|---|---|
| 01/14/08 - 01/16/08 | 2 | 8.890E-09 |
| 12/10/07 - 01/14/08 | 35 | 2.435E-07 |
| 11/13/07 - 12/10/07 | 27 | 8.885E-08 |
| 10/15/07 - 11/13/07 | 29 | 5.018E-08 |
| 09/13/07 - 10/15/07 | 32 | 3.144E-08 |
| Total Internal Events Delta-CDF | | 4.229E-07 |
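How the per-window columns and the aggregate relate, as an added example (not part of the NPPD study): it recomputes each exposure window's delta CDF from the tabulated CDF/yr values and reconciles it against the reported figure. The 365-day year is an assumption inferred from the tabulated per-window values, and the inputs are the rounded numbers printed in the tables, so agreement is checked to a tolerance.

```python
"""Recompute the exposure-window delta-CDF tables and reconcile the totals."""

DAYS_PER_YEAR = 365            # assumption: reproduces the tabulated per-window values
BASE_CDF_PER_YEAR = 1.158e-6   # SPAR LOOP baseline CDF stated in the study

# (time period, exposure days, current-case CDF/yr,
#  EDG 1 FTS recovered CDF/yr, delta CDF reported in the aggregate table).
# All values are copied from the tables; the two-day window has no
# EDG 1 FTS recovery column, so its recovered value is zero.
WINDOWS = [
    ("01/14/08 - 01/16/08", 2, 2.78e-6, 0.0, 8.890e-9),
    ("12/10/07 - 01/14/08", 35, 3.83e-6, 1.340e-7, 2.435e-7),
    ("11/13/07 - 12/10/07", 27, 2.48e-6, 1.193e-7, 8.885e-8),
    ("10/15/07 - 11/13/07", 29, 1.89e-6, 1.019e-7, 5.018e-8),
    ("09/13/07 - 10/15/07", 32, 1.61e-6, 9.225e-8, 3.144e-8),
]
REPORTED_TOTAL = 4.229e-7


def per_window(cdf_per_year, days):
    """Scale an annual frequency to an exposure window of `days` days."""
    return cdf_per_year * days / DAYS_PER_YEAR


def window_delta(days, current_per_year, recovered_per_year):
    """Delta CDF for one window: (current - recovered EDG 1 FTS) - base."""
    current = per_window(current_per_year, days)
    recovered = per_window(recovered_per_year, days)
    remaining_current = current - recovered          # "Remaining CDF", current case
    remaining_base = per_window(BASE_CDF_PER_YEAR, days)
    return remaining_current - remaining_base


def reconcile(tolerance=0.01):
    """Compare each recomputed delta with the reported one.

    Returns (period, computed, reported, relative difference, within tolerance).
    """
    rows = []
    for period, days, current, recovered, reported in WINDOWS:
        computed = window_delta(days, current, recovered)
        rel = abs(computed - reported) / reported
        rows.append((period, computed, reported, rel, rel <= tolerance))
    return rows


def total_delta_cdf():
    """Sum of the window deltas: the aggregate internal events delta CDF."""
    return sum(window_delta(d, c, r) for _, d, c, r, _ in WINDOWS)


if __name__ == "__main__":
    for period, computed, reported, rel, ok in reconcile():
        flag = "ok" if ok else "CHECK"
        print(f"{period}  computed {computed:.3e}  reported {reported:.3e}"
              f"  diff {rel:.2%}  {flag}")
    total = total_delta_cdf()
    print(f"Total computed {total:.3e}  reported {REPORTED_TOTAL:.3e}")
```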

REFERENCES

1. Letter, EA 08-124, dated May 6, 2008, From Dwight D. Chamberlain (Director - Division of Reactor Projects, NRC), to Stewart B. Minahan (Vice President - Nuclear and CNO, CNS)
2. "Risk Assessments of Operating Events Handbook, Volume 1 - Internal Events", Revision 1.01
3. "Significance Determination Process Basis Document" NRC IMC 308, Attachment 3, Issued 10/16/06
4. "The SPAR-H Human Reliability Analysis Method", NUREG/CR 6883
5. System Operating Procedure 2.2.20.1, Diesel Generator Operations
6. System Operating Procedure 2.2.20.2, Operation of Diesel Generators from Diesel Generator Rooms
7. Emergency Procedure 5.3AC480, 480 VAC Bus Failure
8. Emergency Procedure 5.3EMPWR, Emergency Power During Modes 1, 2, or 3
9. Emergency Procedure 5.3SBO, Station Blackout

PSA-ES092 Human Error Probability Determination for Recovery from the DG2 Speed Sensor Loose Amphenol Connector

ADDENDUM A

Introduction

While performing post maintenance testing, an unexpected shutdown of the division two emergency diesel generator (DG2) occurred on January 15, 2008. Subsequent root cause investigation determined that the unexpected shutdown was caused by a loose connection of the Amphenol type connector used by the relay tachometer speed sensor, DG-SE-3143.

This documents the human reliability analysis completed to determine the failure probability of recovery from the January 15, 2008 unexpected shutdown of the division 2 emergency diesel generator. This probability will then be applied during the significance determination process for the corresponding NRC violation.

Conclusion

Human reliability analysis has determined that there were both adequate time and cues available to allow the CNS organization to diagnose the actions required to recover the division two emergency diesel generator from an unexpected shutdown caused by the loose relay tachometer speed sensor. Actions required for recovery were found to be uncomplicated and achievable. HRA calculations result in a recovery failure probability of 0.137.

Review of Expected Plant Response

Review of initiating events for this analysis determined that initiators include both loss of offsite power events and loss of offsite power events followed by a station blackout. Because this analysis evaluates the recovery from the January 15, 2008 DG2 shutdown, station blackout events only include those in which run failures of the division two emergency diesel generator are a contributor.

Initiating events other than loss of offsite power initiators were not considered. This is acceptable based on the fact that diesel generator failures are insignificant contributors to core damage for events that are not initiated by a loss of offsite power. This was confirmed through review of cutsets from the SPAR model. In addition, this recovery will not be applied to ATWS sequences and stuck open relief valve (SORV) sequences, because time for recovery is greater than the time to core damage.

The failure mode experienced during the unexpected January 15, 2008 shutdown of DG2 was found to be time dependent. Therefore, the DG2 run time that occurred during prior surveillance testing shall be credited as part of the expected plant response. Specifically, DG2 satisfactorily ran for 321 minutes during the January 14, 2008 surveillance test. The DG2 start subsequent to this 321 minute surveillance run resulted in the unexpected shutdown that occurred less than one minute after the DG2 start. This testing history results in DG2 being available as an onsite emergency power source for 5 hours and 21 minutes following a loss of offsite power event.

Expected plant response is as summarized below:

  • A successful plant scram results from a grid, weather related or plant centered loss of offsite power event.
  • The loss of offsite power event is followed by successful transfer of the 4160 G bus to the diesel generator (DG2) upon sensing under voltage on the bus.
  • DG2 continues to power the 4160 G bus for 321 minutes.
  • Approximately 322 minutes after the loss of offsite power, DG2 experiences a shutdown as the result of the erroneous speed signal from the speed sensor with the loose Amphenol connector.
  • Upon the DG2 unexpected shutdown the 4160 G bus will sense an undervoltage condition and restart DG2. DG2 will again shut down because of the loose speed connector.
  • DG2 will restart for a third time, at which point the operations crew will shut down the engine and prevent restart.
  • Resources will be made available to diagnose the DG2 shutdown. This will be given very high priority based on the station blackout condition. The staffing of the emergency response organization ensures that proper resources are onsite and at the ready.
  • Recovery of DG2 from the unexpected shutdown will be pursued by the CNS organization. Per the SPAR sequences SBO-14 or SBO-16, recovery execution will be most limited by the accident progression in which HPCI is in service and the 250 VDC battery is depleted within 5 hours. Note that this is actually 10 hours and 21 minutes into the event since DG2 ran for 321 minutes prior to shutting down.
  • Non-recovery of DG2 combined with known core damage sequences that include DG2 run failures leads to core damage.

DG2 output breaker, EG2, will open after the first unexpected shutdown of DG2. Though this breaker will receive a close signal upon the second and third restart of DG2, breaker closure will be prohibited by the anti-pumping feature of the EG2 control logic.

Timeline for Recovery

A timeline was developed to best characterize the events that would take place after the loss of offsite power initiating event occurred. This timeline was developed using the following facts:

- DG2 would have successfully run for at least 5 hours and 21 minutes after the onset of the loss of offsite power event. The DG2 unexpected shutdown would have occurred 5 hours and 22 minutes after the loss of offsite power. This is based on the fact that DG2 ran loaded successfully for this duration during 6.2DG.101 on January 14, 2008.

- Engineering, maintenance, operations and radiation protection resources needed to support the diagnosis and field actions would be available at the time of the DG2 unexpected shutdown. The control room shift manager will assume the duties of the emergency director and will activate the Technical Support Center (TSC) and the Emergency Operations Facility (EOF) through the classification of an alert per emergency action level 8.2.5. This EAL is detailed in procedure 5.7.1. Interviews with operations staff determined that this EAL would be judged appropriate because conditions reflect a loss of offsite power of a duration predicted to be at least 5 hours in length. Should the TSC/EOF not be manned, procedure 0.40.3 also would require the formation of a duty response team made up of required resources prior to the unexpected shutdown of DG2. Specifically, steps 1.2.4 or 1.2.5 of Attachment I to procedure 0.40.3 direct call in of required resources at the time the loss of offsite power event takes place.

- The loose Amphenol connector for the DG2 speed sensor will not cause detrimental damage to the engine or generator during the event. Multiple starts of DG2 will occur since the 4160 bus supplied by DG2 will experience an undervoltage condition each time DG2 is shut down by the loss of speed signal. The output breaker for DG2 will not reclose after the shutdown due to the anti-pumping feature of the breaker's relay logic. Based on the robustness of the diesel generator and factory and pre-operational test results that included consecutive starts of the diesel generators, DG2 is judged to be capable of multiple starts in succession without damage.

- Starting air receivers are sized adequately to support the needed multiple starts of DG2. This is based on testing performed at CNS which included the ability to start the diesel 5 times using only the air receiver capacity.

- Existing conditions would warrant the use of emergent work orders. This would be directed by section 9.0 of procedure 0.40 and provide for quicker response from field teams while DG2 is recovered.

Figure 1: Timeline for Recovery of DG2 from the Unexpected Shutdown Resulting from the Speed Sensor Loose Connector (timeline phases: Diagnosis, Action)

Figure 1 (see above) graphically displays the events timeline. The timeline details are tabulated in . This timeline was developed through execution of a table top scenario that included the review of actions that would be directed by CNS procedures or expected actions of key ERO positions within the CNS organization. The table top participants included an operations member with a senior reactor operating license, a PRA risk analyst, an electrical engineer and emergency diesel generator system engineer. The scenario included the loss of offsite power, followed by a successful SCRAM, and opening and closing of SRVs. HPCI provided adequate RPV level and pressure control. Onsite emergency power was provided through 5 hours and 21 minutes of successful operation of DG2 (DG1 was assumed failed to best represent significant cutsets resulting from the CCDP analysis). All containment parameters were maintained within acceptable bands through use of suppression cooling until the unexpected DG2 shutdown. HPCI continued to maintain RPV level and pressure while the DG2 recovery diagnosis and actions took place.

The table top discussions determined that recovery of DG2 would be placed as the top priority for the CNS organization. This is based on the fact that the site would be in a station blackout and the recovery of DG2 would be the key path to successfully stabilizing the plant. The TSC and EOF would be manned at the time of the DG2 shutdown based on the emergency director's orders that took place shortly after the loss of offsite power event occurred. Any resource needed would be placed on the diagnosis and recovery of DG2.

The table top scenario detailed that an operator would be immediately dispatched to the DG2 room and would be directed to secure DG2 based on the fact that the engine would be cycling between undervoltage starts and loose speed connector shutdowns. The operator would be dispatched from the control room and arrive within 2 minutes. Within this time frame, DG2 is assumed to have started again. The local operator would witness another shutdown due to the loose speed sensor connector and restart from a valid undervoltage signal. At this time the operator would perform an emergency shutdown of DG2 locally within the room. This would be reinforced by the control room crew directing the local operator to secure DG2 based on control room cues that DG2 was not functioning as expected.

Upon concluding that DG2 would be secured after repeated starts, the table top team reached the following conclusions for the most likely path to recovery of DG2:

- Based on the high priority that would be placed on the recovery of DG2, a team of maintenance, engineering and operations personnel would be dispatched to DG2 for troubleshooting. The team would be formed and arrive at DG2 within 15-20 minutes based on the table top team's experience from participation in past emergency drill scenarios that took place at CNS.

- Based on the actual response documented during the unexpected shutdown of DG2 that occurred on January 15, 2008, the team would find that there were no anomalies in that no unexpected alarms, annunciators, or bus lockouts occurred. This would be immediately communicated to the technical engineering team in the TSC.

The engineering team would assess the field team feedback. This assessment would conclude that field observations would support the fact that DG2 could be restarted since no anomalies were present. Based on the need to quickly reestablish emergency power and the fact that no relevant field data was provided to troubleshoot the DG2 issue, the engineering team would direct that DG2 be restarted and that the field team monitor key parameters. Because of the immediacy of the issue the direction to restart DG2 is expected to be given in less than 20 minutes.

During the restart of DG2 the field team would note that local indication of RPM would vary and be well below the expected engine speed of 600 RPM. Actual RPM observed during the troubleshooting of DG2 after the unexpected shutdown was at or below 400 RPM. Once again the operator would shut down DG2 using the emergency pushbutton. The field team would communicate the DG2 speed anomaly to the TSC engineering team. Though the restart and shutdown of DG2 occurs in 1-2 minutes, it is expected that the team takes an extra 20 to 25 minutes to determine how best to monitor parameters and restart DG2.

The engineering team's review of DG2 logic drawings would identify that the speed indicator instrument loop consisted of the speed probe, tachometer relay and indicator. This logic drawing would also detail that faulty speed signals would result in a DG2 shutdown with no unexpected annunciation, alarms or bus lockout. Based on this the field team would be directed to check the three components in the instrument loop. The engineering team is expected to have the needed drawings at their disposal at this time. More than 60 minutes have transpired since the first DG2 shutdown. Therefore, with drawings at hand, the engineering team can readily determine the components in the DG2 speed sensing instrument loop and provide those details to the team in the field. This results in the engineering team providing direction to the field in 20 to 30 minutes.

The field team would take action to check the speed probe, tachometer relay and indicator.

The team is expected to perform visual checks first. Visual check of the speed probe would include actual hand tightening check of the Amphenol connector. This would be the point of discovery of the loose probe. All components in the speed sensing instrument loop are located in the DG2 room. Therefore, the team is expected to locate and hand check each component in 3 to 5 minutes. Thus, the discovery of the loose connector is judged to take 20 to 15 minutes after direction is provided to investigate.

Upon completion of diagnosis, the field team would hand tighten the Amphenol as directed through the emergency work order process stipulated in section 9.0 of procedure 0.40. This is a task that takes no tools and is expected to be minimal in duration. The table top team estimated a 2 to 4 minute duration for this task.

Upon completion of the tightening of the speed probe connector, the operating crew, using diesel generator operating procedures, would start and load DG2. A duration of 10 to 15 minutes was judged adequate for this task. Duration was based on review of the DG operating procedure 2.2.20.1.

The crew would then stabilize the plant as directed by EOPs and operating procedures.

Overview of Human Reliability Modeling for Recovery

The SPAR-H method as described in NUREG 6883 was applied to determine the appropriate human error probability. This included analysis of diagnosis of the DG2 unexpected shutdown and actions to restore DG2.

During the process of identifying the scope of potential recovery actions, the following questions regarding functional recovery were addressed:

1) Can the CNS emergency organization diagnose the need for recovery? Yes. Based on the fact that the organization is well aware of the fact that there was a loss of offsite power event and that DG2 shutdown, it is expected that the need to recover DG2 will be given high priority.
2) Can it be accomplished in the time available? Yes, the timeline developed above concludes that recovery of DG2 after the unexpected shutdown is 140 minutes in duration. HPCI is available and will be used to control RPV temperature and pressure for a minimum of 5 hours after the DG2 shutdown (the 5 hour duration is based on battery depletion). This provides an ample margin of 160 minutes for this recovery.
3) Can the equipment be put in functional condition by personnel? Yes, tightening of the loose Amphenol connector only requires hand tightening by ERO personnel.
4) Can the crew gain access to the equipment? Yes, the DG2 room, control room and TSC all remain habitable during the event. No high temperatures or severe environments are expected to result from this event.
5) Is the required staff (with the right skills) available? Yes, the ERO would have been staffed prior to encountering the DG2 unexpected shutdown.

Review of ASME PRA Standard RA-Sb-2005, SR HR-H2 also confirms the appropriateness of applying recovery.

Determination of Probability of Failure to Recover

The following tables were derived through guidance provided in NUREG 6883. Table 1 provides derivation of the human error probability for failure to adequately diagnose the recovery action. Table 2 provides derivation of the human error probability for failure to provide actions required to restore DG2.

Table 1: HEP - DIAGNOSIS (ONLY)

Available Time

| PSF Level | Selected | Multiplier |
|---|---|---|
| Inadequate time | | P(failure) = 1.0 |
| Barely adequate time (≈ 2/3 x nominal) | | 10 |
| Nominal time | | 1 |
| Extra time (between 1 and 2 x nominal and > 30 min) | | 0.1 |
| Expansive time (> 2 x nominal and > 30 min) | X | 0.01 |
| Insufficient Information | | 1 |

The minimum time available from the time DG2 unexpectedly shuts down due to the loose Amphenol connector to the time in which low pressure injection must be reestablished is 5 hours (300 minutes). Recovery actions are judged to be 13 minutes (see Figure 1). This results in 287 minutes of time remaining to diagnose the recovery. A table top exercise determined that diagnosis time is a nominal 124 minutes.

Based on this, diagnosis time allowed is greater than 30 minutes and roughly 2.3 times nominal.

Stress

| PSF Level | Selected | Multiplier |
|---|---|---|
| Extreme | X | 5 |
| High | | 2 |
| Nominal | | 1 |
| Insufficient Information | | 1 |

Extreme stress level was chosen as a conservative bound.

Conditions exist in which staff is fulfilling emergency organization roles that are not representative of normal duties.

It is judged that the disruptive nature of this event places extreme stress on the organization.

Complexity

| PSF Level | Selected | Multiplier |
|---|---|---|
| Highly complex | X | 5 |
| Moderately complex | | 2 |
| Nominal | | 1 |
| Obvious diagnosis | | 0.1 |
| Insufficient Information | | 1 |

The complexity is considered highly complex from the aspect that the diagnosis requires the organization to logically assemble field information to determine appropriate restoration. This requires both application of sound troubleshooting methods and insights into the design of the emergency diesel generators.

Experience/Training

| PSF Level | Selected | Multiplier |
|---|---|---|
| Low | | 10 |
| Nominal | X | 1 |
| High | | 0.5 |
| Insufficient Information | | 1 |

The staff that would be assembled to address the recovery of DG2 would be representative of the emergency diesel generator technical experts, maintenance staff and operators familiar with diesel generator operations. A nominal rating was chosen to bound the overall experience of an emergency response team.

Procedures

| PSF Level | Selected | Multiplier |
|---|---|---|
| Incomplete | | 20 |
| Available, but poor | | 5 |
| Nominal | | 1 |
| Diagnostic/symptom oriented | | 0.5 |
| Insufficient Information | | 1 |

This diagnosis represents the probability of an emergency response organization to gather and interpret field data.

Procedures in the area of troubleshooting are very general and not specific to the event being analyzed. Therefore, procedures are judged to be "not available".

Ergonomics/HMI

| PSF Level | Selected | Multiplier |
|---|---|---|
| Missing/Misleading | | 50 |
| Poor | | 10 |
| Nominal | X | 1 |
| Good | | 0.5 |
| Insufficient Information | | 1 |

Ergonomics are considered nominal for this action. Activities that take place in the emergency response facilities and DG2 room are considered to be of favorable design in regards to human factors. The design of the man-machine interface in the control room, DG2 room and emergency facilities include sound human factors elements that ensure correct performance of operator actions. This design meets nominal industry expectations. CNS operating experience did not reveal any ergonomic deficiencies that would result in a negative impact to the actions required for recovery of DG2.

There are no conditions (insufficient lighting, high area temperatures) that would be expected to result in poor ergonomic shaping factors during the recovery. Emergency and portable lighting will be available in these areas throughout the recovery timeline. No extreme conditions are expected.

Fitness for Duty

| PSF Level | Selected | Multiplier |
|---|---|---|
| Unfit | | P(failure) = 1.0 |
| Degraded Fitness | | 5 |
| Nominal | X | 1 |
| Insufficient Information | | 1 |

It is anticipated that the individual is able to carry out tasks.

Work Processes

| PSF Level | Selected | Multiplier |
|---|---|---|
| Poor | | 2 |
| Nominal | X | 1 |
| Good | | 0.8 |
| Insufficient Information | | 1 |

Work processes should be considered good for this diagnosis based on implementation and proven use of human performance tools when plant conditions are expected to be significantly changed. It is expected that pre-job brief would be conducted prior to team dispatches from the emergency facilities. However, because of human performance cross cutting issues highlighted in the 2007 annual assessment letter from Dwight Chamberlain (NRC) to Stewart Minahan (NPPD) dated March 3, 2008 no credit will be given in this PSF for the expected brief. Work Processes are considered nominal for this HER.

HEP (Diagnosis): 1.12E-01

Calculate the Diagnosis Failure Probability.

(1) If all PSF ratings are nominal, then the Diagnosis Failure Probability = 1.0E-2
(2) Otherwise, the Diagnosis Failure Probability is: 1.0E-2 x Time x Stress or Stressors x Complexity x Experience or Training x Procedures x Ergonomics or HMI x Fitness for Duty x Processes

Diagnosis PSF: 1.0E-02 x 5 x 5 x 1 x 50 x 1 x 1 x 1 = 12.5

Calculate the Adjustment Factor IF Negative Multiple (≥3) PSFs are Present.

When 3 or more negative PSF influences are present, in lieu of the equation above, you must compute a composite PSF score used in conjunction with the adjustment factor. Negative PSFs are present anytime a multiplier greater than 1 is selected. The Nominal HEP (NHEP) is 1.0E-2 for Diagnosis.

The composite PSF score is computed by multiplying all the assigned PSF values. Then the adjustment factor below is applied to compute the HEP:

HEP= (NHEP *PSFcomposite)/(NHEP * (PSFcomposite - 1) + 1)

Diagnosis HEP with Adjustment Factor = (1.0E-02* 12.5)/(1.Oe-02*(12.5-1 )+1 )= 1.12E-01 Table 2: HEP - ACTION (ONLY)

Multiplier for
Inadequate Time: P(failure) = 1.0
Time available is ≈ the time required: 10
Nominal time: 1
Time available >= 5x the time required: 0.1 (X)
Time available >= 50x the time required: 0.01
Insufficient Information: 1

Based on the timeline detailed in figure 1, the duration of recovery after diagnosis is 13 minutes. The time available for recovery is judged to be 176 minutes and is the difference between diagnosis time, 124 minutes, and the time at which HPCI injection is terminated due to battery depletion, 300 minutes. This results in the time available being 13 times greater than the time required.

Stress/Stressors
Extreme: 5 (X)
High: 2
Nominal: 1
Insufficient Information: 1

Extreme stress level was chosen as a conservative bound.

Conditions exist in which staff is fulfilling emergency organization roles that are not representative of normal duties.

It is judged that the disruptive nature of this event places extreme stress on the organization.

Complexity
Highly complex: 5
Moderately complex: 2
Nominal: 1 (X)
Insufficient Information: 1

Diagnosis includes identification of the loose speed sensor connection. Actions to tighten the connector and restore DG2 to service are considered skill of the craft or routine operations. This is nominal in complexity.

Experience/Training
Low: 3
Nominal: 1 (X)
High: 0.5
Insufficient Information: 1

The staff that would be assembled to address the recovery of DG2 would be representative of the emergency diesel generator technical experts, maintenance staff and operators familiar with diesel generator operations. A nominal rating was chosen to bound the overall experience of an emergency response team.

Procedures
Not available: 50 (X)
Incomplete: 20
Available, but poor: 5
Nominal: 1
Insufficient Information: 1

This recovery represents the probability of an emergency response organization to provide actions during troubleshooting activities. Procedures in the area of troubleshooting are very general and not specific to the event being analyzed. Therefore, procedures are judged to be "not available".

Ergonomics/HMI
Missing/Misleading: 50
Poor: 10
Nominal: 1 (X)
Good: 0.5
Insufficient Information: 1

Ergonomics are considered nominal for this action.

Activities that take place in the emergency response facilities and DG2 room are considered to be of favorable design in regards to human factors. The design of the man-machine interface in the control room, DG2 room and emergency facilities include sound human factors elements that ensure correct performance of operator actions. This design meets nominal industry expectations. CNS operating experience did not reveal any ergonomic deficiencies that would result in a negative impact to the actions required for recovery of DG2. There are no conditions (insufficient lighting, high area temperatures) that would be expected to result in poor ergonomic shaping factors during the recovery. Emergency and portable lighting will be available in these areas throughout the recovery timeline. No extreme conditions are expected.

Fitness for Duty
Unfit: P(failure) = 1.0
Degraded Fitness: 5
Nominal: 1 (X)
Insufficient Information: 1

It is anticipated that the individual is able to carry out tasks.

Work Processes
Poor: 5
Nominal: 1 (X)
Good: 0.5
Insufficient Information: 0.5

Work processes should be considered good for this diagnosis based on implementation and proven use of human performance tools when plant conditions are expected to be significantly changed. It is expected that a pre-job brief would be conducted prior to team dispatches from the emergency facilities. However, because of human performance cross cutting issues highlighted in the 2007 annual assessment letter from Dwight Chamberlain (NRC) to Stewart Minahan (NPPD) dated March 3, 2008, no credit will be given in this PSF for the expected brief. Work Processes are considered nominal for this HEP.

HEP (ACTION): 2.5E-02

Calculate the Action Failure Probability.

(1) If all PSF ratings are nominal, then the Action Failure Probability = 1.0E-3
(2) Otherwise, the Action Failure Probability is: 1.0E-3 x Time x Stress or Stressors x Complexity x Experience or Training x Procedures x Ergonomics or HMI x Fitness for Duty x Processes

Action: 1.0E-3 x 0.1 x 5 x 1 x 1 x 50 x 1 x 1 x 1 = 2.5E-02

(Note that no Adjustment Factor for multiple negative PSFs was included since only 2 negative PSFs were used)

Dependency Evaluation:

Dependencies among human error events were not found when deriving the HEP for recovering DG2 from the unexpected shutdown due to the loose Amphenol connection. It was determined that this HEP did not impart negative influences to or sustain negative influences from other human errors that contributed to CDF for the event.

CNS SPAR cutsets that included DG2 fail to run events were reviewed to determine other human error events that would contribute to CDF. Other human error events found in the applicable cutsets were as follows and were found to share no appreciable dependency with the human error derived for recovery of the DG2 loose Amphenol connection.

OPR-XHE-XL-EXTO1: OPERATOR ACTIONS TO EXTEND RCIC OPERATION DURING SBO FAIL
FWS-XHE-XM-ERROR: OPERATOR FAILS TO ALIGN FIREWATER INJECTION
EPS-XHE-XR-DG1A: OP FAILS TO RESTORE DIESEL GENERATOR 1A
CVS-XHE-XL-LOAC: OPERATOR FAILS TO VENT GIVEN LOSS OF MOV POWER SUPPLY
CVS-XHE-XL-LOIAS: OPERATOR FAILS TO VENT FOLLOWING LOSS OF INSTRUMENT AIR
RCI-XHE-XL-RSTRT: OPERATOR FAILS TO RECOVER RCIC FAILURE TO RESTART
HCI-XHE-XO-ERRSBO: OPERATOR FAILS TO START/CONTROL HPCI INJECTION DURING SBO

The human errors found in the SPAR cutsets were made by the control room crew, which consisted of personnel different from those involved in the recovery of DG2. The SPAR cutset human error events included cues that were different than those used to diagnose recovery of DG2. Finally, the human error events in the SPAR cutsets were made in a different location, the control room or torus basement, and at a time that was well before or after the DG2 loose Amphenol recovery human error.

Because the human error events that may share dependency are performed by different personnel, are in different locations, rely on different cues and are made at different times, no dependency corrections are required for the DG2 recovery HEP derivation.

Final HEP Derivation:

The final HEP is derived through summation of the values for diagnosis and action. The final HEP is as follows:

HEP Diagnosis + HEP Action = 1.12E-01 + 2.5E-02 = 1.37E-01
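Added example, not part of the NPPD study: the action-HEP and final-HEP arithmetic above as a short Python script, including the switch to the adjustment factor at three or more negative PSFs. Function names are hypothetical; the multipliers and the diagnosis composite score of 12.5 are taken from the page as stated, and a time margin below 5x is left to the analyst because the page gives no numeric boundary for those levels.

```python
from math import prod

NHEP_DIAGNOSIS = 1.0e-2   # nominal HEP for diagnosis, as stated on the page
NHEP_ACTION = 1.0e-3      # nominal HEP for action, as stated on the page


def action_time_multiplier(available_min, required_min):
    """Pick the Table 2 time multiplier from the timeline margin."""
    ratio = available_min / required_min
    if ratio >= 50:
        return 0.01
    if ratio >= 5:
        return 0.1
    # The page gives no numeric boundary for the lower levels.
    raise ValueError("margin below 5x needs an analyst's rating")


def adjusted_hep(nhep, composite):
    """Adjustment-factor form, which keeps the result below 1.0."""
    return nhep * composite / (nhep * (composite - 1) + 1)


def hep_from_psfs(nhep, multipliers):
    """Rules (1) and (2), using the adjusted form at 3 or more negative PSFs."""
    negatives = sum(1 for m in multipliers if m > 1)
    composite = prod(multipliers)
    if negatives >= 3:
        return adjusted_hep(nhep, composite)
    return nhep * composite


def dg2_recovery_hep():
    # Action: 176 min available (300 - 124) against 13 min required.
    time_psf = action_time_multiplier(300 - 124, 13)
    # Order: time, stress, complexity, experience, procedures,
    # ergonomics, fitness for duty, work processes (Table 2 selections).
    action = hep_from_psfs(NHEP_ACTION, [time_psf, 5, 1, 1, 50, 1, 1, 1])
    # Diagnosis: composite score of 12.5 taken as the page states it.
    diagnosis = adjusted_hep(NHEP_DIAGNOSIS, 12.5)
    return diagnosis, action, diagnosis + action


if __name__ == "__main__":
    for label, value in zip(("diagnosis", "action", "total"), dg2_recovery_hep()):
        print(f"{label}: {value:.2E}")
```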

Attachment 1: Detailed Timeline of Event

A. Re

1. Complete loss of offsite power event. Power to the Start-up, Normal and Emergency Transformer are lost. | 0 | 0
2. The Emergency Diesel Generator, DG2 powers the essential loads as designed. 4160 VAC G bus is supplying AC loads. Division 2, 125 VDC and 250 VDC buses are functioning with their batteries on continuous charge. | 1-2 | 1-2
3. DG1 is assumed to fail (this reflects PRA modeling at the start of the scenario). | N/A | 1-2
4. CRS/SM establishes control of HPCI or RCIC system and maintains hot shutdown RPV water level. Cool down is commenced. | 5-10 | 6-12
5. CRS/SM establishes SPC as required and maintains containment parameters per EOPs | 40-50 | 41-52

B. Response to DG2 Failure

1. Unexpected shutdown of DG2 results from loose Amphenol connector. SBO event starts. Operator is dispatched to DG2 | 321 | 321-322
2. Bus under voltage on 4160 VAC bus G is sensed, UV time delay elapses and DG2 restarts
3. A second unexpected shutdown of DG2 occurs resulting from the loose Amphenol connector. | <1 | 323-324
4. Bus under voltage on 4160 VAC bus G is sensed, and DG2 restarts | < | 325-326
5. Operator shuts down DG2 using emergency stop push button | 0.5 | 326-327
6. CRS/SM continues to use HPCI or RCIC system to maintain RPV water level | 600 | N/A

TSC Activation

1. TSC Activation - TSC is activated by EAL 8.2.5. Emergency director judges that event which includes LOOP, DG1 failure is significant enough to declare Alert and activate TSC, OSC and EOF. (Note that 0.40.3 would also direct formation of a duty response team should the 8.2.5 EAL not be declared) | 45 | 46-47

C. Diagnosis

1. Field Team dispatched to DG2 for observation | 15-20 | 341-347
2. Field team assesses DG2 and briefs TSC engineering team on as found conditions | 10-15 | 351-362
3. TSC engineering team diagnostics commence with phase one trouble shooting and recommends restart of DG2 | 15-20 | 366-382
4. TSC field team directed to restart DG2 and monitor key parameters. | 20-25 | 366-407
5. Field Team observes DG2 run and briefs TSC on observed DG2 run. Specifically, the team will observe that the RPM indicated is 400 RPM instead of 600 RPM. DG2 will once again restart on under voltage and the operator will locally trip the engine using the emergency trip button. | 5-10 | 391-417
6. Based on the observed 400 RPM anomaly, the TSC team will diagnose the condition and direct the field team to check the DG2 relay tachometer and speed probe. [2] | 20-30 | 411-447
7. Field team directed to check speed probe and relay tachometer | 3-5 | 414-452
8. Field team discovers loose Amphenol connector on speed probe | 10-15 | 424-467

1. Field Team tightens speed probe Amphenol connector | 2-4 | 426-471
2. Operations restores DG2 and applicable loads using procedures 5.3SBO, 5.3EMPWR, 5.3AC-OUTAGE, 5.3AC480, and De:/1 F | 10-15 | 436-486

[2] Note that the field team observing the DG2 run may diagnose the 400 RPM anomaly in real time and check the speed probe Amphenol connector without the need for support from the TSC team. This would result in decreasing the time to repair by 20-30 minutes.

HRA Performed by: Date:

Ole Ols n, Risk Management Engineer

HRA Reviewed by: Date:

a oelaar, Scientech