Text

2008-02 Final Significance Determination for a White Finding and Notice of Violation
	ML082140518
Person / Time
Site:	Cooper
Issue date:	08/01/2008
From:	Caniano R; Division of Reactor Safety IV
To:	Minahan S; Nebraska Public Power District (NPPD)
References
	EA-08-124, IR-08-002
	Download: ML082140518 (26)
	v • d • e

UNITED STATES NUC LE AR RE G UL AT O RY C O M M I S S I O N R E GI ON I V 612 EAST LAMAR BLVD , SU I TE 400 AR LI N GTON , TEXAS 76011-4125 August 1, 2008 EA 08-124 Stewart B. Minahan, Vice President-Nuclear and CNO Nebraska Public Power District 72676 648A Avenue Brownville, NE 68321

SUBJECT:

FINAL SIGNIFICANCE DETERMINATION FOR A WHITE FINDING AND NOTICE OF VIOLATION - NRC INTEGRATED INSPECTION REPORT 05000298/2008002 - COOPER NUCLEAR STATION

Dear Mr. Minahan:

The purpose of this letter is to provide you the final results of our significance determination of the preliminary White finding identified in the subject inspection report. The NRCs final risk-informed conclusion is that the finding discussed in this letter is best characterized as a White finding. Our rationale for this conclusion is discussed below, as well as in Enclosures 2 and 3.

The NRCs preliminary finding was discussed with your staff during an exit meeting on April 14, 2008. As documented in Inspection Report 05000298/2008002 (ML081270639) dated May 6, 2008, the inspection finding was assessed using the Significance Determination Process (SDP) and was preliminarily characterized as White, a finding with low to moderate increased importance to safety significance that may require additional NRC inspections. As described in Section 1R19 of the inspection report, a loose electrical (amphenol-type) connection resulted in the failure of the Division 2 emergency diesel generator on January 15, 2008. Our inspectors determined that the loose electrical connection was due to inadequate maintenance work instructions.

The NRCs preliminary assessment of the safety significance of the inspection finding, which is documented in Attachment 2 of NRC Inspection Report 05000298/2008002 (ML081270639),

resulted in an increase in core damage frequency (CDF) for internal events of 2.99E-6/year, or White.

At the request of Nebraska Public Power District, a Regulatory Conference was not held. By letter dated June 19, 2008 (ML081760263), your staff presented additional information for NRC consideration related to the preliminary significance determination for the loose electrical connector. This included information regarding the method used by the NRC to determine the base core damage frequency, the performance shaping factors selected, and the use of alternate injection sources to the reactor pressure vessel.

The NRC reviewed the information provided in your letter. We concluded that the base core damage frequency used in our original significance determination was appropriate. While we agreed with most of the points raised by your staff regarding performance shaping factors, we

Nebraska Public Power District concluded that the ergonomics factor was most appropriately characterized as poor as used in our original evaluation. With regard to alternate injection, we do not agree that credit for fire water injection would be appropriate when equipment needed to successfully accomplish mitigation of the event was found to be unavailable. Even if some credit for fire water injection is considered for operators seeking an alternate alignment during an event, the net result in the quantitative risk assessment was a slight reduction in the calculated change in core damage frequency to 2.98E-6/year. A detailed description of the NRCs review is provided as .

In a second letter dated July 21, 2008 (ML082050232), your staff presented additional information regarding a revised root cause evaluation for the diesel failure based on off-site vibration testing. The NRC reviewed the information provided by your staff and noted that no root cause was identified in the revised evaluation and that the evaluation was not informative as to the as-found condition of the connector on January 15, 2008. Specifically, the evaluation did not effectively explain how or when the connector coupling became disengaged and the connector plug became partially inserted. Additionally, your staff concluded that the failure of the electrical connection was not caused by vibration and was therefore not time dependent.

You concluded the potential cause of the failure was that the connection was not properly assembled and was physically disturbed during maintenance activities on January 14-15, 2008.

The NRC concluded that your assertion that the electrical connection was physically disturbed during maintenance on January 14-15, 2008, was unlikely based on the location and nature of the work involved. Specifically, all the January 14-15 documented maintenance activities were located on the opposite side of the emergency diesel generator away from the electrical connection, and the connection was located in a part of the emergency diesel generator that was not very accessible. Regarding your conclusion that the connection was not susceptible to vibration, the NRC did not agree that vibration was not potentially a factor. We noted the vibration tests that were performed did not include configurations in which the connector plug was not fully inserted, which is a configuration that could result from improper reassembly of the connector during a major maintenance activity or during the last documented maintenance on the connector in December 2000. The as-found condition of the connector was a configuration which could have resulted from vibration if the connector had not been properly reassembled.

Also, previous Cooper operating experience related to a 1995 failure of an electrical connection on the diesel generator indicated that these connections were susceptible to vibration, and corrective actions developed by your staff included the application of a thread locking compound to prevent the connectors from vibrating loose. We therefore concluded that the exposure time of our risk analysis was appropriate.

After careful consideration of all available information, including the information provided in your June 19, and July 21, 2008, letters, the NRC has concluded that the inspection finding is appropriately characterized as White. This was based upon an SDP Phase 3 analysis performed by the NRC staff using a Standardized Plant Analysis Risk (SPAR) model simulation of the failed emergency diesel generator, as well as an assessment of the risk contributions to external initiators using insights and values provided by your staff. Based upon our assessment of the applicable information, we estimated the change in core damage frequency associated with this condition, for both internal and external events, to be 3.1E-6/year. This conclusion is based on our original analysis documented in NRC Inspection Report 05000298/2008002, included as Enclosure 2 to this letter, as modified by our review of the additional information provided by your staff as described in Enclosure 3.

You have 30 calendar days from the date of this letter to appeal the staffs determination of significance for the identified White finding. Such appeals will be considered to have merit only if they meet the criteria given in the NRC Inspection Manual Chapter 0609, Significance

Nebraska Public Power District Determination Process, Attachment 2, Process for Appealing NRC Characterization of Inspection Findings (SDP Appeal Process).

The NRC has also determined that the failure of the Division 2 emergency diesel generator was due to one violation of NRC requirements with two examples. These examples are described in detail in the referenced inspection report and involved a violation of Technical Specification 5.4.1.a in that maintenance affecting performance of safety-related equipment was not performed in accordance with written procedures appropriate to the circumstances. The procedural guidance was not appropriate and resulted in amphenol-type connections on the Division 2 emergency diesel generator being improperly reassembled. Additionally, procedural guidance for performing periodic electrical inspections was not appropriate in that it did not check the tightness of engine mounted electrical connections. These inadequate procedures resulted in the trip of the Division 2 emergency diesel generator during testing on January 15, 2008. This violation is cited in the enclosed Notice of Violation (Notice). In accordance with the NRC Enforcement Policy, the Notice is considered escalated enforcement action because it is associated with a White finding. You are required to respond to this letter and should follow the instructions specified in the enclosed Notice when preparing your response. In addition, we will use the NRC Action Matrix, as described in NRC Inspection Manual Chapter 0305, Operating Reactor Assessment Program, to determine the most appropriate NRC response and any increase in NRC oversight. We will notify you by separate correspondence of that determination.

In accordance with 10 CFR 2.390 of the NRCs Rules of Practice, a copy of this letter, its enclosures, and your response will be made available electronically for public inspection in the NRC Public Document Room or from the Publicly Available Records component of NRCs document system (ADAMS). ADAMS is accessible from the NRC Web site at http://www.nrc.gov/reading-rm/adams.html (the Public Electronic Reading Room). To the extent possible, your response should not include any personal privacy, proprietary, or safeguards information so that it can be made available to the Public without redaction.

Sincerely,

/RA/

Roy J. Caniano Director, Division of Reactor Safety Docket: 50-298 License: DPR-46

Enclosures:

1) Notice of Violation

2) Significance Determination Process Phase 3 Analysis as documented in NRC Inspection Report 05000298/2008002

3) Supplemental Information cc w/

Enclosures:

Gene Mace Nuclear Asset Manager Nebraska Public Power District P.O. Box 98 Brownville, NE 68321

Nebraska Public Power District John C. McClure, Vice President and General Counsel Nebraska Public Power District P.O. Box 499 Columbus, NE 68602-0499 D. Van Der Kamp, Licensing Manager Nebraska Public Power District P.O. Box 98 Brownville, NE 68321 Michael J. Linder, Director Nebraska Department of Environmental Quality P.O. Box 98922 Lincoln, NE 68509-8922 Chairman Nemaha County Board of Commissioners Nemaha County Courthouse 1824 N Street Auburn, NE 68305 Julia Schmitt, Manager Radiation Control Program Nebraska Health & Human Services Dept. of Regulation & Licensing Division of Public Health Assurance 301 Centennial Mall, South P.O. Box 95007 Lincoln, NE 68509-5007 H. Floyd Gilzow Deputy Director for Policy Missouri Department of Natural Resources P. O. Box 176 Jefferson City, MO 65102-0176 Director, Missouri State Emergency Management Agency P.O. Box 116 Jefferson City, MO 65102-0116 Chief, Radiation and Asbestos Control Section Kansas Department of Health and Environment Bureau of Air and Radiation 1000 SW Jackson, Suite 310 Topeka, KS 66612-1366

Nebraska Public Power District Daniel K. McGhee, State Liaison Officer Bureau of Radiological Health Iowa Department of Public Health Lucas State Office Building, 5th Floor 321 East 12th Street Des Moines, IA 50319 Melanie Rasmussen, Radiation Control Program Director Bureau of Radiological Health Iowa Department of Public Health Lucas State Office Building, 5th Floor 321 East 12th Street Des Moines, IA 50319 Ronald D. Asche, President and Chief Executive Officer Nebraska Public Power District 1414 15th Street Columbus, NE 68601 Director of Nuclear Safety Assurance Nebraska Public Power District P.O. Box 98 Brownville, NE 68321 John F. McCann, Director, Licensing Entergy Nuclear Northeast Entergy Nuclear Operations, Inc.

440 Hamilton Avenue White Plains, NY 10601-1813 Keith G. Henke, Planner Division of Community and Public Health Office of Emergency Coordination 930 Wildwood, P.O. Box 570 Jefferson City, MO 65102 Ronald L. McCabe, Chief Technological Hazards Branch National Preparedness Division DHS/FEMA 9221 Ward Parkway Suite 300 Kansas City, MO 64114-3372

Nebraska Public Power District Distribution:

RIDSSECYMAILCENTER RIDSOCAMAILCENTER RIDSEDOMAILCENTER RIDSOEMAILCENTER RIDSOGCMAILCENTER RIDSNRROD RIDSNRRADIP RIDSOPAMAIL RIDSOIMAILCENTER RIDSOIGMAILCENTER RIDSOCFOMAILCENTER RIDSRGN1MAILCENTER RIDSRGN2MAILCENTER RIDSRGN3MAILCENTER RIDSNRRDIPMIIPB OEWEB OEMAIL cc w/enclosures (via ADAMS e-mail distribution):

E. Collins DRS BCs C. Casto M. Herrera K. Fuller D. Starkey, OE W. Maier M. Ashley, NRR D. Chamberlain N. Hilton, OE A. Vegel W. Jones R. Caniano M. Vasquez T. Pruett C. Carpenter, OE V. Dricks J. Wray, OE G. Miller J. Cai, OE N. Taylor M. Cox, OEDO S. Farmer SUNSI Review Completed: GBM ADAMS: Yes No Initials: GBM Publicly Available Non-Publicly Available Sensitive Non-Sensitive R:\_REACTORS\CNS\2008\CNS 2008-02 NOV Ltr.doc ADAMS ML082140518 RI:DRP/C SRA:DRS C:DRP/C D:DRS NHTaylor MFRunyan GBMiller RJCaniano

/RA electronic GBM/ /RA/ /RA /RA TPruett for/

07/25/2008 07/25/2008 07/24/2008 07/25/2008 RC:ACES DD:DRP D:ACES NRR KSFuller AVegel WBJones MFranovich

/RA electronic/ /RA /RA/ /RA/ electronic 07/25/2008 07/25/2008 07/25/2008 07/29/2008 OE DRA RA NHilton CCasto EECollins

/RA electronic /RA/ /RA/

07/29/2008 07/25/2008 08/1/2008 OFFICIAL RECORD COPY T=Telephone E=E-mail F=Fax

NOTICE OF VIOLATION Nebraska Public Power District Docket No. 50-298 Cooper Nuclear Station License No. DPR-46 EA-08-124 During an NRC inspection completed on May 6, 2008, a violation of NRC requirements was identified. In accordance with the NRC Enforcement Policy, the violation is listed below:

TS 5.4.1.a requires that written procedures be established, implemented, and maintained, covering the activities specified in Regulatory Guide 1.33, Revision 2, Appendix A, dated February 1978. Regulatory Guide 1.33, Appendix A, Section 9(a),

requires, in part, that maintenance affecting performance of safety-related equipment should be performed in accordance with written procedures or documented instructions appropriate to the circumstances.

Contrary to the above, the licensee failed to perform maintenance affecting performance of safety-related equipment with written procedures or documented instructions appropriate to the circumstances. Specifically, (1) on December 29, 2000, during reassembly of electrical connections on Diesel Generator 2, Work Order 003915 was not appropriate to the circumstances in that it did not include guidance to ensure that thread locking compounds or other measures would be utilized to ensure electrical connections would not loosen during engine operation. Additionally, (2) since September 30, 1988, the licensee failed to use procedures appropriate to the circumstances for performance of periodic electrical inspections to check the tightness of engine-mounted amphenol-type connections. Specifically, Maintenance Procedure 7.3.8.2, Diesel Generator Electrical Examination and Maintenance, inappropriately excluded engine mounted components from the scope of electrical connection tightness checks. The inadequate instructions and procedure resulted in the failure of Diesel Generator 2 during testing on January 15, 2008.

This violation is associated with a White SDP finding.

Pursuant to the provisions of 10 CFR 2.201, Nebraska Public Power District is hereby required to submit a written statement or explanation to the U.S. Nuclear Regulatory Commission, ATTN: Document Control Desk, Washington, DC 20555-0001 with a copy to the Regional Administrator, Region IV, and a copy to the NRC Resident Inspector at the Cooper Nuclear Station, within 30 days of the date of the letter transmitting this Notice of Violation (Notice). This reply should be clearly marked as a Reply to a Notice of Violation; EA-08-124, and should include for each violation: (1) the reason for the violation, or, if contested, the basis for disputing the violation or severity level, (2) the corrective steps that have been taken and the results achieved, (3) the corrective steps that will be taken to avoid further violations, and (4) the date when full compliance will be achieved. Your response may reference or include previous docketed correspondence, if the correspondence adequately addresses the required response.

If an adequate reply is not received within the time specified in this Notice, an order or a Demand for Information may be issued as to why the license should not be modified, suspended, or revoked, or why such other action as may be proper should not be taken. Where good cause is shown, consideration will be given to extending the response time.

Enclosure 1

If you contest this enforcement action, you should also provide a copy of your response, with the basis for your denial, to the Director, Office of Enforcement, United States Nuclear Regulatory Commission, Washington, DC 20555-0001.

Because your response will be made available electronically for public inspection in the NRC Public Document Room or from the NRCs document system (ADAMS), accessible from the NRC Web site at http://www.nrc.gov/reading-rm/adams.html, to the extent possible, it should not include any personal privacy, proprietary, or safeguards information so that it can be made available to the public without redaction. If personal privacy or proprietary information is necessary to provide an acceptable response, then please provide a bracketed copy of your response that identifies the information that should be protected and a redacted copy of your response that deletes such information. If you request withholding of such material, you must specifically identify the portions of your response that you seek to have withheld and provide in detail the bases for your claim of withholding (e.g., explain why the disclosure of information will create an unwarranted invasion of personal privacy or provide the information required by 10 CFR 2.390(b) to support a request for withholding confidential commercial or financial information). If safeguards information is necessary to provide an acceptable response, please provide the level of protection described in 10 CFR 73.21.

Dated this 1st day of August 2008.

Enclosure 1

Cooper Nuclear Station Failure of EDG 2 Speed Sensing Circuit SDP Phase 3 Analysis Performance Deficiency:

Inadequate maintenance resulted in EDG 2 failing to run on January 15, 2008. The event was caused by a failure of an amphenol connection on the EDG speed sensing circuit.

Assumptions:

1. It is assumed that the amphenol-type connector of the speed sensing circuit degraded only during times that the diesel generator was running; specifically in response to the vibration of the operating engine. There is no assumption of accelerated degradation associated with diesel starts or any degradation while the unit was in standby. It is further assumed that the failure was a deterministic outcome set to occur after a specific number of operating hours.

The diesel was run at the following times:

09/13/07 - ran for 2 hrs 15 min 10/15/07 - ran for 5 hrs 45 min 11/13/07 - ran for 5 hrs 21 min 12/10/07 - ran for 5 hrs 51 min 01/14/08 - ran for 5 hrs 21 min (1700) 01/15/08 - failure less than one minute after starting 01/16/08 - EDG 2 restored to a functional status (1700)

Therefore, it is assumed that EDG2 would have failed to run within one minute of a LOOP demand, or it was inoperable for maintenance, during the two-day period from January 14 to January 16, 2008.

Prior to this date, it is assumed that EDG 2 would have failed to run at 5.35 hours4.050926e-4 days 0.00972 hours 5.787037e-5 weeks 1.33175e-5 months following a LOOP demand at any time during the 35-day period from its last successful surveillance test on December 10, 2007 until the test failure that occurred on January 14, 2008.

Prior to this date, EDG 2 would have run and failed at 11.2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months during the 27-day period from November 13, 2007 to December 10, 2007.

Prior to this date, EDG 2 would have run and failed at 16.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months during the 29-day period from October 15, 2007 to November 13, 2007.

Prior to this date, EDG 2 would have failed to run at 22.3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months during the 32-day period from September 13, 2007 to October 15, 2007.

Before October 15, 2007, it is assumed that EDG 2 would not have failed from the speed sensing circuit failure for at least 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , the mission time assumed in the SPAR model.

Therefore, prior to this date no additional risk impact is assumed.

2. The problem with the speed sensing circuit would be difficult to diagnose in time to affect the outcome of any of the SPAR core damage sequences, the longest of which is 11 hours1.273148e-4 days 0.00306 hours 1.818783e-5 weeks 4.1855e-6 months (as modified by an extension to the battery duration (assumption #3). Adjustments made to the Enclosure 2

performance shaping factors in the SPAR-H Human Reliability Analysis Method, NUREG CR-6883, Sept. 2004 (expansive time, extreme stress, highly complex, nominal training, unavailable procedures, and missing ergonomics) returned a failure probability of 0.56, including a very small contribution from the action steps of repairing the amphenol-type connection and re-starting the EDG, which are relatively simple.

The following table presents the diagnosis tabulation:

Diagnosis (0.01) Multiplier Action (0.001) Multiplier Available Time Expansive 0.01 Nominal 1 Stress Extreme 5 High 2 Complexity High 5 Nominal 1 Experience/Training Nominal 1 Nominal 1 Procedures Not Available 50 Nominal 1 Ergonomics Poor 10 Nominal 1 Product of Multipliers 125 2 Diagnosis HEP = 0.01(125)/ [0.01(125-1)] + 1 = 0.558 Action HEP = 0.001(2) = 0.002 Total HEP = 0.56 For this analysis, it is assumed that the recovery of EDG 2 from the speed sensor circuit failure applies to sequences of 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months or greater. The only sequence that is less than 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is a 30 minute sequence, for which no recovery of the amphenol-type connection is assumed.

The SPAR model does not distinguish between cutsets that contain two or just one EDG failure as it relates to EDG non-recovery basic events. Theoretically, it would be more likely to succeed in restoring one of two EDGs versus recovering one (of one) EDG. However, in this analysis, this feature of the SPAR model is not altered

3. The standard CNS SPAR model credited the Class 1E batteries with an 8-hour discharge capability following a station blackout. Based on information received from the licensee, this credit was extended to 11 hours1.273148e-4 days 0.00306 hours 1.818783e-5 weeks 4.1855e-6 months . Although the batteries could potentially function beyond 11 hours1.273148e-4 days 0.00306 hours 1.818783e-5 weeks 4.1855e-6 months under certain conditions other challenges related to the operation of RCIC and HPCI in station blackout conditions would be present. These challenges include the availability of adequate injection supply water and operational concerns of RCIC under high back pressure conditions as a result of the unavailability of suppression pool cooling during an extended station blackout event.

4. For the purpose of this analysis, it is assumed that EDG 2 would not be unavailable or fail to operate for the period of time before it is assumed to fail from the connector failure during the various exposure periods. This introduces a slight inconsistency to the risk estimate, but because it would similarly affect both the base and current case, it does not significantly influence the result of this analysis.

5. Common cause vulnerabilities for EDG 1 did not exist, that is, the failure mode is assumed to be independent in nature. The reason for this determination is based on the following Enclosure 2

reasoning. The loosening of the amphenol connection on EDG 2 resulted from engine vibration while the EDG was running. Historically, EDG 2 has experienced vibration problems while EDG 1 has not. Therefore, it is likely that vibration induced loosening of the amphenol connection would proceed at a faster pace for EDG 2 than EDG 1, making It very unlikely that this type of failure would occur on both EDGs at the same time. The fact that it took 7 years of operation for EDG 2 to reach the point of failure also points to the unlikelihood that the same failure would have occurred on EDG 1 within the timeframe of the exposure period of this finding.

Even if both EDGs were determined to be vulnerable to a speed sensor amphenol connection failure, there was no mechanism that would tend to cause both EDGs to fail simultaneously. That is, the failure of one amphenol connection would not make failure of the other one more likely. Therefore, for this case, the failure of both EDGs from this issue would mathematically be modeled by the combined independent failures of both EDGs instead of by a classic common cause coupling mechanism. For this case, the estimated probability of an independent failure of EDG 1 from a failed amphenol connection during the exposure period would be a small number compared to its baseline SPAR fail-to-run probability and therefore this application would not appreciably affect the final result.

Finally, if EDG 1 had experienced problems with this connection, thereby making it comparatively vulnerable to the same type of failure; it is likely that the licensee would have taken more aggressive actions to address this issue, seeing that it affected both trains of emergency power. Therefore, the conditions necessary to create the possibility of a common cause failure would also have triggered actions to prevent it.

The Cooper SPAR model, Revision 3.40, dated February 28, 2008, was used in the analysis. A cutset truncation of 1.0E-13 was used. Average test and maintenance was assumed.

The model was revised by INL to increase the battery life to 11 hours1.273148e-4 days 0.00306 hours 1.818783e-5 weeks 4.1855e-6 months , as discussed above. In addition, the timing of various sequences was lengthened based on data provided by the licensee. INL also adjusted the credit applied for firewater injection (base model HEP = 1.0),

with an HEP of 0.15. However, based on observations by the senior resident inspector, the analyst concluded that credit for firewater injection should not be granted. This is because barely enough time was available to perform the necessary actions and a valve that must be opened to establish a flow path was non-functional with a stem-disk separation for the entire period of exposure. There were other valves that could have been used in alternate lineups, but it was clear that the disabled valve would have been chosen first, leaving no time to reconfigure the flow path.

Also, changes were made to the containment venting fault tree. In the original version, a loss of Division 2 AC was sufficient to fail the containment vent function. However, a recovery of the vent function is possible by taking manual local actions to open the vent valves. The failure probability of this action was estimated based on an observed evolution conducted in response to questions concerning this analysis. This observation revealed that the actions needed to perform this function were dangerous and complex and would be conducted in poor lighting and high temperatures. Also, operators had little experience. The recovery efforts applied to both a loss of Division 2 AC and to a loss of instrument air. A non-recovery probability of 0.23 for basic events CVS-XHE-XL-LOAC and CVS-XHE-XL- LOIAS was determined based on the following SPAR-H analysis.

Enclosure 2

The diagnosis of the need to manually vent containment is obvious based on emergency operating procedures that direct this action when containment pressure reaches 25 psig.

Operators would be continually monitoring this parameter, and it is very unlikely that the effort to manually vent containment would not be undertaken at 25 psig and possibly prior to this point.

For the action steps, approximately 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months of time are available from the time that containment pressurizes to 25 psig until containment would fail. The nominal time needed to perform the manually venting task is estimated at 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months . In this case, the relevant SPAR-H category for time is nominal. Extreme stress is chosen because the effort to manually open the vent valves involves a high risk of falling 40 feet through a maze of pipes, possibly resulting in death. The effort is complex because of the need to carry a lot of equipment, including nitrogen bottles, to the valves and performing several manipulations. Operators have little experience with this evolution and the ergonomics are limited by high temperatures, restricted clearances, and a lack of lighting.

Diagnosis (0.01) Multiplier Action (0.001) Multiplier Available Time Expansive 0.01 Nominal 1 Stress High 2 Extreme 5 Complexity Obvious 0.1 Moderate 2 Experience/Training Nominal 1 Low 3 Procedures Nominal 1 Nominal 1 Ergonomics Nominal 1 Poor 10 Product of Multipliers 0.002 300 Diagnosis HEP = 0.01(.002) = 2.0E-5 Action HEP = 0.001(300)/ [0.001(300-1)] +1 = 0.23 Total HEP = 0.23 To model the failure of the speed sensing circuit and its specific recovery, a new and gate was added to the EDG 1B Faults fault tree, with an input from two basic events (one modeling the speed sensor failure set at 1.0 and another modeling the recovery set at 0.56). The chance of restoring the EDG for LOOPs occurring during the two-day diagnosis and repair period are considered similar to the same for the various prior exposure periods. The common cause probability for fail-to-run events was restored to its nominal value. Therefore, only cutsets containing the independent failure of EDG 2 contribute to the delta CDF of this finding.

Because the recovery of EDG 2 for speed sensor faults was built into the fault tree, all EDG recovery basic events were removed from cutsets that contained an EDG 2 speed sensor failure, but did not also contain either an EDG 1 fail-to-start or EDG 1 fail-to-run or EDG 1 failure to restore basic event. Additionally, a correction factor (1/0.56 = 1.78) was applied to the subset of the above that contained 30-minute recovery events to effectively remove all EDG 2 recovery for those sequences.

Internal Events Analysis:

A. Risk Estimate for the 2-day period between January 14 and January 16, 2006:

During this 48-hour period, it is assumed that EDG 2 was completely unavailable either because of maintenance or because it would have failed within one minute after a LOOP Enclosure 2

demand. To represent the assumed failure and potential recovery of EDG 2, the new basic event EPS-SPEED-SENSOR was set to 1.0 and EPS-SPEED-SENSOR-RCV was set to 0.56. The basis event EPS-DGN-CF-RUN was reset to its base case value of 4.172E-4 to ensure that cutsets containing common cause to run events would cancel out in the base and current case.

The result was a delta-CDF of 2.789E-5/yr. or 1.528E-7 for two days.

B. Risk Estimate for the 35-day period between December 10, 2006 and January 14, 2007:

During this exposure period, EDG 2 is assumed to have been capable of running for 5.35 hours4.050926e-4 days 0.00972 hours 5.787037e-5 weeks 1.33175e-5 months . The LOOP frequency used in the analysis was adjusted to reflect the situation that only LOOPs with durations greater than 5.35 hours4.050926e-4 days 0.00972 hours 5.787037e-5 weeks 1.33175e-5 months would result in a risk increase attributable to the speed sensor failure.

The base LOOP frequency is 3.59E-2/yr. The 5.35-hour non-recovery of offsite power is 0.1112. Therefore, the frequency of LOOPs that are not recovered in 5.35 hours4.050926e-4 days 0.00972 hours 5.787037e-5 weeks 1.33175e-5 months is 3.99E-3/yr.

Resetting event time t=0 to 5.35 hours4.050926e-4 days 0.00972 hours 5.787037e-5 weeks 1.33175e-5 months following the LOOP event requires that the recovery factors for offsite power be adjusted. For instance, in 2-hour sequences in SPAR, the basic event for non-recovery of offsite power should be adjusted to the non-recovery at 7.35 hours4.050926e-4 days 0.00972 hours 5.787037e-5 weeks 1.33175e-5 months , given that recovery has failed at 5.35 hours4.050926e-4 days 0.00972 hours 5.787037e-5 weeks 1.33175e-5 months .

An adjustment to account for the diminishment of decay heat must be considered. This is because the magnitude of decay heat at 5.35 hours4.050926e-4 days 0.00972 hours 5.787037e-5 weeks 1.33175e-5 months following shutdown is less than in the early moments following a reactor trip, and the timing of core damage sequences is affected by this fact. In the modified SPAR model, recovery times for offsite power are set at the intervals of 30 minutes, 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months , and 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months . The analyst determined that the average decay heat level in the first 30 minutes is approximately two times the average level that exists between 5.35 and 6.35 hours4.050926e-4 days 0.00972 hours 5.787037e-5 weeks 1.33175e-5 months following shutdown.

Therefore, baseline 30-minute SPAR model sequences, that essentially account for boiloff to fuel uncovery, should be adjusted to 1-hour sequences. The 2-hour sequences model safety relief valve failures to close, and are based more on inventory control than core heat production. Therefore, no adjustment was made for these sequences. The analyst determined that decay heat rates leveled out quickly following shutdown and could find no basis for adjusting the times associated with the 4 and 10-hour sequences.

The following table presents the adjusted offsite power non-recovery factors for the event times that are relevant in the SPAR core damage cutsets:

Enclosure 2

SPAR SPAR base SPAR base SPAR base Modified recovery offsite power offsite power offsite power SPAR non-time non-recovery non-recovery at non-recovery at recovery 5.35 hours4.050926e-4 days 0.00972 hours 5.787037e-5 weeks 1.33175e-5 months 5.35 hours4.050926e-4 days 0.00972 hours 5.787037e-5 weeks 1.33175e-5 months + (Column 4 SPAR recovery divided by time in Column 1 Column 3) 30 min. 0.7314 0.1112 0.0905 1 0.814 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months 0.1566 0.1112 0.0554 0.498 5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months 0.1205 0.1112 0.0487 0.438 9 hours1.041667e-4 days 0.0025 hours 1.488095e-5 weeks 3.4245e-6 months 0.05789 0.1112 0.0325 0.292 11 hours1.273148e-4 days 0.00306 hours 1.818783e-5 weeks 4.1855e-6 months 0.04500 0.1112 0.0278 0.250

1. A SPAR recovery time of 1.0 hours0 days 0 hours 0 weeks 0 months is used, as discussed above, to account for the lessening of decay heat To compensate for sequences where EDG 1 fails to start (FTS) and then is recovered before EDG 2 fails from the speed sensor circuit failure at 5.35 hours4.050926e-4 days 0.00972 hours 5.787037e-5 weeks 1.33175e-5 months , the result for the base and the current case that contain an EDG 1 FTS event were multiplied by the success probability of recovering EDG 1 in 5.35 hours4.050926e-4 days 0.00972 hours 5.787037e-5 weeks 1.33175e-5 months , which was 0.5934 (1- non-recovery probability). This value was then subtracted to obtain a final result for the base and current case. This adjustment recognizes/assumes that recovery of an EDG 1 fail to start event before EDG 2 fails from the speed sensor circuit failure will not end in core damage. Also, the methodology used effectively assumes that for EDG 1 fail to run events, the failure occurs more or less at the same time that EDG 2 fails (5.35 hours4.050926e-4 days 0.00972 hours 5.787037e-5 weeks 1.33175e-5 months ).

This then would suggest that the EDG recovery terms in the SPAR model would coincide with the event time t=0 at 5.35 hours4.050926e-4 days 0.00972 hours 5.787037e-5 weeks 1.33175e-5 months following the onset of the LOOP and therefore do not require adjustment.

Enclosure 2

The results of this portion of the analysis are presented in the following table:

CDF/yr CDF/35 days EDG1 FTS EDG1 FTS Remaining Recovered Recovered/35 CDF (column (EDG1 FTS days 3- column 5)

Cutset total times 0.5934)

Base Case 6.989E-7 6.702E-8 3.686E-8 3.535E-9 6.348E-8 Current Case 1.394E-5 1.337E-6 4.706E-7 4.513E-8 1.292E-6 Delta 1.229E-6 CDF/35 days C. Risk Estimate for the 27-day period between November 13, 2007 and December 10, 2007:

During this exposure period, EDG 2 is assumed to have been capable of running for 11.2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months . The LOOP frequency was adjusted to reflect the situation that only LOOPs with durations greater than 11.2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months would result in a risk increase attributable to the speed sensor failure.

The base LOOP frequency is 3.59E-2/yr. The 11.2-hour non-recovery of offsite power is 0.0441. Therefore, the frequency of LOOPs that are not recovered in 11.2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months is 1.58E-3/yr.

Resetting event time t=0 to 11.2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months following the LOOP event requires that the recovery factors for offsite power be adjusted. For instance, in 2-hour sequences in SPAR, the basic event for non-recovery of offsite power should be adjusted to the non-recovery at 13.2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , given that recovery has failed at 11.2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months .

The analyst considered an adjustment to account for the diminishment of decay heat as in the 5.35-hour case above. The analyst determined that the average decay heat level in the first 30 minutes is approximately three times the average level that exists between 11 and 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months following shutdown. Therefore, baseline 30-minute SPAR models, that essentially account for boiloff to fuel uncovery were adjusted to 1.5-hour sequences.

The 2-hour sequences model safety relief valve failures to close, and are based more on inventory control than core heat production. Therefore, no adjustment was made for these sequences. Sequences of 4 and 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months were increased by 30 minutes each Enclosure 2

The following table presents the adjusted offsite power non-recovery factors for the event times that are relevant in the SPAR core damage cutsets:

SPAR SPAR base SPAR base SPAR base Modified recovery offsite power offsite power offsite power SPAR non-time non-recovery non-recovery at non-recovery at recovery 11.2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months 11.2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months + (Column 4 SPAR recovery divided by time in Column 1 Column 3) 30 min. 0.7314 0.0441 0.0377 1 0.855 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months 0.1566 0.0441 0.02922 0.662 5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months 0.1205 0.0441 0.02712 0.615 9 hours1.041667e-4 days 0.0025 hours 1.488095e-5 weeks 3.4245e-6 months 0.05789 0.0441 0.02122 0.481 11 hours1.273148e-4 days 0.00306 hours 1.818783e-5 weeks 4.1855e-6 months 0.04500 0.0441 0.01912 0.433

1. A SPAR recovery time of 1.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months is used, as discussed above, to account for the lessening of decay heat

2. The SPAR recovery time was increased by 30 minutes.

To compensate for sequences where EDG 1 fails to start (FTS) and then is recovered before EDG 2 fails from the speed sensor circuit failure at 11.2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , the result for the base and the current case that contain an EDG 1 FTS event were multiplied by the success probability of recovering EDG 1 in 11.2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , which was 0.7907 (1- non-recovery probability). This value was then subtracted to obtain a final result for the base and current case. This adjustment recognizes/assumes that recovery of an EDG 1 fail to start event before EDG 2 fails from the speed sensor circuit failure will not end in core damage. Also, the methodology used effectively assumes that for EDG 1 fail to run events, the failure occurs more or less at the same time that EDG 2 fails (11.2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months ).

This then would suggest that the EDG recovery terms in the SPAR model would coincide with the event time t=0 at 11.2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months following the onset of the LOOP and therefore do not require adjustment.

Enclosure 2

The results of this portion of the analysis are presented in the following table:

CDF/yr CDF/27 days EDG1 FTS EDG1 FTS Remaining Recovered Recovered/27 CDF (column (EDG1 FTS days 3- column 5)

Cutset total times 0.7907)

Base Case 4.332E-7 3.204E-8 3.168E-8 2.343E-9 2.970E-8 Current Case 9.216E-6 6.817E-7 4.216E-7 3.119E-8 6.505E-7 Delta 6.208E-7 CDF/27 days D. Risk Estimate for the 29-day period between October 15, 2007 and November 13, 2007:

During this exposure period, EDG 2 is assumed to have been capable of running for 16.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months . The LOOP frequency was adjusted to reflect the situation that only LOOPs with durations greater than 16.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months would result in a risk increase attributable to the speed sensor failure.

The base LOOP frequency is 3.59E-2/yr. The 16.5-hour non-recovery of offsite power is 0.0275. Therefore, the frequency of LOOPs that are not recovered in 16.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months is 9.87E-4/yr.

Resetting event time t=0 to 16.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months following the LOOP event requires that the recovery factors for offsite power be adjusted. For instance, in 2-hour sequences in SPAR, the basic event for non-recovery of offsite power should be adjusted to the non-recovery at 18.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months , given that recovery has failed at 16.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months .

The analyst considered an adjustment to account for the diminishment of decay heat as in the 5.35-hour case above. The analyst determined that the average decay heat level in the first 30 minutes is approximately four times the average level that exists between 16 and 17 hours1.967593e-4 days 0.00472 hours 2.810847e-5 weeks 6.4685e-6 months following shutdown. Therefore, baseline 30-minute SPAR models, that essentially account for boiloff to fuel uncovery were adjusted to 2-hour sequences. The 2-hour sequences model safety relief valve failures to close, and are based more on inventory control than core heat production. Therefore, no adjustment was made for these sequences. Sequences of 4 and 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months were increased by 60 minutes each Enclosure 2

The following table presents the adjusted offsite power non-recovery factors for the event times that are relevant in the SPAR core damage cutsets:

SPAR SPAR base SPAR base SPAR base Modified recovery offsite power offsite power offsite power SPAR non-time non-recovery non-recovery at non-recovery at recovery 16.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months 16.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months + (Column 4 SPAR recovery divided by time in Column 1 Column 3) 30 min. 0.7314 0.0275 0.02411 0.876 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months 0.1566 0.0275 0.02032 0.738 5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months 0.1205 0.0275 0.01922 0.698 9 hours1.041667e-4 days 0.0025 hours 1.488095e-5 weeks 3.4245e-6 months 0.05789 0.0275 0.01602 0.582 11 hours1.273148e-4 days 0.00306 hours 1.818783e-5 weeks 4.1855e-6 months 0.04500 0.0275 0.01482 0.538

1. A SPAR recovery time of 2.0 hours0 days 0 hours 0 weeks 0 months is used, as discussed above, to account for the lessening of decay heat

2. The SPAR recovery time was increased by 60 minutes.

To compensate for sequences where EDG 1 fails to start (FTS) and then is recovered before EDG 2 fails from the speed sensor circuit failure at 16.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months , the result for the base and the current case that contain an EDG 1 FTS event were multiplied by the success probability of recovering EDG 1 in 16.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months , which was 0.8760 (1- non-recovery probability). This value was then subtracted to obtain a final result for the base and current case. This adjustment recognizes/assumes that recovery of an EDG 1 fail to start event before EDG 2 fails from the speed sensor circuit failure will not end in core damage. Also, the methodology used effectively assumes that for EDG 1 fail to run events, the failure occurs more or less at the same time that EDG 2 fails (16.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months ).

This then would suggest that the EDG recovery terms in the SPAR model would coincide with the event time t=0 at 16.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months following the onset of the LOOP and therefore do not require adjustment.

The results of this portion of the analysis are presented in the following table:

CDF/yr CDF/29 EDG1 FTS EDG1 FTS Remaining days Recovered Recovered/29 CDF (column (EDG1 FTS days 3- column 5)

Cutset total times 0.8760)

Base Case 3.263E-7 2.593E-8 2.675E-8 2.125E-9 2.380E-8 Current Case 7.071E-6 5.618E-7 3.601E-7 2.861E-8 5.332E-7 Delta 5.094E-7 CDF/29 days Enclosure 2

E. Risk Estimate for the 32-day period between September 13, 2007 and October 15, 2007:

During this exposure period, EDG 2 is assumed to have been capable of running for 22.3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months . The LOOP frequency was adjusted to reflect the situation that only LOOPs with durations greater than 22.3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months would result in a risk increase attributable to the speed sensor failure.

The base LOOP frequency is 3.59E-2/yr. The 22.3-hour non-recovery of offsite power is 0.01944. Therefore, the frequency of LOOPs that are not recovered in 22.3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months is 6.98E-4/yr.

Resetting event time t=0 to 22.3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months following the LOOP event requires that the recovery factors for offsite power be adjusted. For instance, in 2-hour sequences in SPAR, the basic event for non-recovery of offsite power should be adjusted to the non-recovery at 24.3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months , given that recovery has failed at 22.3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months .

The analyst considered an adjustment to account for the diminishment of decay heat as in the 5.35-hour case above. The analyst determined that the average decay heat level in the first 30 minutes is approximately four times the average level that exists between 22 and 23 hours2.662037e-4 days 0.00639 hours 3.80291e-5 weeks 8.7515e-6 months following shutdown. Therefore, baseline 30-minute SPAR models, that essentially account for boiloff to fuel uncovery were adjusted to 2-hour sequences. The 2-hour sequences model safety relief valve failures to close, and are based more on inventory control than core heat production. Therefore, no adjustment was made for these sequences. Sequences of 4 and 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months were increased by 60 minutes each The following table presents the adjusted offsite power non-recovery factors for the event times that are relevant in the SPAR core damage cutsets:

SPAR SPAR base SPAR base SPAR base Modified recovery offsite power offsite power offsite power SPAR non-time non-recovery non-recovery at non-recovery at recovery 22.3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months 22.3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months + (Column 4 SPAR recovery divided by time in Column 1 Column 3) 30 min. 0.7314 0.0194 0.0177 1 0.912 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months 0.1566 0.0194 0.01692 0.871 5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months 0.1205 0.0194 0.01492 0.768 9 hours1.041667e-4 days 0.0025 hours 1.488095e-5 weeks 3.4245e-6 months 0.05789 0.0194 0.01342 0.691 11 hours1.273148e-4 days 0.00306 hours 1.818783e-5 weeks 4.1855e-6 months 0.04500 0.0194 0.01272 0.655

1. A SPAR recovery time of 2.0 hours0 days 0 hours 0 weeks 0 months is used, as discussed above, to account for the lessening of decay heat

2. The SPAR recovery time was increased by 60 minutes.

To compensate for sequences where EDG 1 fails to start (FTS) and then is recovered before EDG 2 fails from the speed sensor circuit failure at 22.3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months , the result for the base Enclosure 2

and the current case that contain an EDG 1 FTS event were multiplied by the success probability of recovering EDG 1 in 22.3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months , which was 0.9267 (1- non-recovery probability). This value was then subtracted to obtain a final result for the base and current case. This adjustment recognizes/assumes that recovery of an EDG 1 fail to start event before EDG 2 fails from the speed sensor circuit failure will not end in core damage. Also, the methodology used effectively assumes that for EDG 1 fail to run events, the failure occurs more or less at the same time that EDG 2 fails (22.3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months ). This then would suggest that the EDG recovery terms in the SPAR model would coincide with the event time t=0 at 22.3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months following the onset of the LOOP and therefore do not require adjustment.

The results of this portion of the analysis are presented in the following table:

CDF/yr CDF/32 days EDG1 FTS EDG1 FTS Remaining Recovered Recovered/32 CDF (column (EDG1 FTS days 3- column 5)

Cutset total times 0.9267)

Base Case 2.745E-7 2.407E-8 2.402E-8 2.106E-9 2.196E-8 Current Case 6.033E-6 5.289E-7 3.262E-7 2.860E-8 5.003E-7 Delta 4.783E-7 CDF/32 days The following table presents the aggregate internal events result:

TIME PERIOD DAYS OF EXPOSURE DELTA CDF 01/14/08 - 01/16/08 2 1.528E-7 12/10/07 - 01/14/08 35 1.229E-6 11/13/07 - 12/10/07 27 6.208E-7 10/15/07 - 11/13/07 29 5.094E-7 09/13/07 - 10/15/07 32 4.783E-7 Total Internal Events Delta-CDF 2.990E-6 External Events Analysis:

The risk increase from fire initiating events was reviewed and determined to have a small impact on the risk of the finding. Two fire scenarios were identified where equipment damage could cause a loss of Division 2 vital power, thereby requiring the function of EDG 2. One was a control room fire that affected either Vertical Board F or Board C. The second was a fire in the Division 2 critical switchgear. For the control room fires, the scenario probabilities are remote because of the confined specificity of their locations and the fact that a combination of hot shorts of a specific polarity are needed to cause a LOOP. In addition, recovery from a LOOP induced in this manner would be likely to succeed for the station blackout sequences that comprise the majority of the risk, because a minimum of 11 hours1.273148e-4 days 0.00306 hours 1.818783e-5 weeks 4.1855e-6 months of battery power would be available, power would presumably be available in the switchyard, and the breaker manipulations needed to complete this task would be possible and within the capability of an augmented plant staff that would respond to the event.

Enclosure 2

Fires in the Division 2 switchgear would eliminate the importance of EDG 2 because Division 2 power would be unavailable whether or not EDG 2 succeeds. Therefore, there would be no change in risk from the finding.

The other type of fires that would result in a LOOP are those that require an evacuation of the control room. In this case, plant procedures require offsite power to be isolated from the vital buses and the preferred source of power, the Division 2 EDG, is used to power the plant. With the assumption that the Division 2 EDG will fail 5.35 hours4.050926e-4 days 0.00972 hours 5.787037e-5 weeks 1.33175e-5 months into the event, a station blackout would occur at this time. The sequences that could lead to core damage would include a failure of the Division 1 EDG, such that ultimate success in averting core damage would rely on recovery of either EDG or of offsite power. A review of the onsite electrical distribution system did not reveal any particular difficulties in restoring switchyard power to the vital buses in this scenario, especially given that many hours are available to accomplish this task. The licensee confirmed that for all postulated fire scenarios that would require evacuation of the control room, a undamaged and available power pathway exists from the switchyard through the emergency transformer to the Division 2 vital bus, and that the breaker manipulation needed to accomplish this task would take only a few minutes.

In general, the fire risk importance for this finding is small compared to that associated with internal events because onsite fires do not remove the availability of offsite power in the switchyard, whereas, in the internal events scenarios, long-term unavailability of offsite power is presumed to occur as a consequence of such events as severe weather or significant electrical grid failures. Also, the fire risk corresponding the two-day period when EDG 2 was essentially non-functional (no run time remaining) is small because of a very low initiating event probability.

The Cooper IPEEE Internal Fire Analysis screened the fire zones that had a significant impact on overall plant risk. When adjusted for the exposure period of this finding, the cumulative baseline core damage frequency for the zones that had the potential for a control room evacuation (and a procedure-induced LOOP) or an induced plant centered LOOP was approximately 3.6E-7/yr. The methods used to screen these areas were not rigorous and used several bounding assumptions. The analyst qualitatively assumed that the increase in risk from having EDG 2 in a status where it is assumed to fail at 5.35 hours4.050926e-4 days 0.00972 hours 5.787037e-5 weeks 1.33175e-5 months would likely be somewhat less than one order of magnitude above the baseline, or 3.6E-6/yr. This is easily demonstrated by an assumption that failure to re-connect offsite power within a period of at least 5.35 hours4.050926e-4 days 0.00972 hours 5.787037e-5 weeks 1.33175e-5 months is well less than 10 percent. Based on these considerations, the analyst concluded that the risk related to fires would not be sufficiently large to change the risk characterization of this finding.

The seismicity at Cooper is low and would likely have a small impact on risk for an EDG issue.

As a sensitivity, data from the RASP External Events Handbook was used to estimate the scope of the seismic risk particular to this finding. The generic median earthquake acceleration assumed to cause a loss of offsite power is 0.3g. The estimated frequency of earthquakes at Cooper of this magnitude or greater is 9.828E-5/yr. The generic median earthquake frequency assumed to cause a loss of the diesel generators is 3.1g, though essential equipment powered by the EDGs would likely fail at approximately 2.0g. The seismic information for Cooper is capped at a magnitude of 1.0g with a frequency of 8.187E-6. This would suggest that an earthquake could be expected to occur with an approximate frequency of 9.0E-5/yr that would remove offsite power but not damage other equipment important to safe shutdown. In the internal events discussion above, it was estimated that LOOPS that exceeded 5.35 hours4.050926e-4 days 0.00972 hours 5.787037e-5 weeks 1.33175e-5 months duration would occur with a frequency of 3.99E-3/yr. Most LOOPS that exceed 5.35 hours4.050926e-4 days 0.00972 hours 5.787037e-5 weeks 1.33175e-5 months duration would likely have recovery characteristics closely matching that from an earthquake.

Enclosure 2

The ratio between these two frequencies is 44. Based on this, the analyst qualitatively concluded that the risk associated with seismic events would be small compared to the internal result.

Flooding could be a concern because of the proximity to the Missouri River. However, floods that would remove offsite power would also likely flood the EDG compartments and therefore not result in a significant change to the risk associated with the finding. The switchyard elevation is below that of the power block by several feet, but it is not likely that a slight inundation of the switchyard would cause a loss of offsite power. The low frequency of floods within the thin slice of water elevations that would remove offsite power for at least 5.35 hours4.050926e-4 days 0.00972 hours 5.787037e-5 weeks 1.33175e-5 months but not debilitate the diesel generators indicates that external flooding would not add appreciably to the risk of this finding.

Based on the above, the analyst determined that external events did not add significantly to the risk of the finding.

Large Early Release Frequency:

In accordance with Manual Chapter 0609, Appendix A, Attachment 1, Step 2.6, "Screening for the Potential Risk Contribution Due to LERF," the analyst reviewed the core damage sequences to determine an estimate of the change in large early release frequency caused by the finding.

The LERF consequences of this performance deficiency were similar to those documented in a previous SDP Phase 3 evaluation regarding a misalignment of gland seal water to the service water pumps. The final determination letter was issued on March 31, 2005 and is located in ADAMS, Accession No. ML050910127. The following excerpt from this document addressed the LERF issue:

The NRC reevaluated the portions of the preliminary significance determination related to the change in LERF. In the regulatory conference, the licensee argued that the dominant sequences were not contributors to the LERF. Therefore, there was no change in LERF resulting from the subject performance deficiency. Their argument was based on the longer than usual core damage sequences, providing for additional time to core damage, and the relatively short time estimated to evacuate the close in population surrounding Cooper Nuclear Station.

LERF is defined in NRC Inspection Manual Chapter 0609, Appendix H, Containment Integrity Significance Determination Process as: the frequency of those accidents leading to significant, unmitigated release from containment in a time frame prior to the effective evacuation of the close-in population such that there is a potential for early health effect. The NRC noted that the dominant core damage sequences documented in the preliminary significance determination were long sequences that took greater than 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months to proceed to reactor pressure vessel breach. The shortest calculated interval from the time reactor conditions would have met the requirements for entry into a general emergency (requiring the evacuation) until the time of postulated containment rupture was 3.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months . The licensee stated that the average evacuation time for Cooper, from the declaration of a General Emergency was 62 minutes.

The NRC determined that, based on a 62-minute average evacuation time, effective evacuation of the close-in population could be achieved within 3.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months . Therefore, the dominant core damage sequences affected by the subject performance deficiency were Enclosure 2

not LERF contributors. As such, the NRCs best estimate determination of the change in LERF resulting from the performance deficiency was zero.

In the current analysis, the total contribution of the 30-minute sequences for the 35-day period (when 5.35 hours4.050926e-4 days 0.00972 hours 5.787037e-5 weeks 1.33175e-5 months of EDG run time remained) to the current case CDF is only 0.54% of the total.

That is, almost all of the risk associated with this performance deficiency involves sequences of duration 5.35 hours4.050926e-4 days 0.00972 hours 5.787037e-5 weeks 1.33175e-5 months or longer following the loss of all ac power.

The two-day period where EDG 2 was essentially unavailable had a delta-CDF of 1.528E-7. Of these, the 30-minute sequences comprise only 2 percent of the total current case CDF and the two-hour sequences comprise only 0.3 percent of the total.

Consequently, the analyst determined that the risk associated with large early release was very small.

References:

SPAR-H Human Reliability Analysis Method, NUREG CR-6883, Sept. 2004 GE-NE-E1200141-04R2, Table 5-1, Shutdown Power at Cooper Nuclear Station (proprietary)

Green Screen Source Data, External Events PRA model, Nine Mile Point, Unit 1 NUREG/CR-6890, Reevaluation of Station Blackout Risk at Nuclear Power Plants, Analysis of Loss of Offsite Power Events: 1986-2004" Peer Review:

See-Meng Wong, NRR George McDonald, NRR Enclosure 2

Supplemental Information In its letter dated June 19, 2008, the licensee identified comments of concurrence, comments with minor effects on the Phase 3 Significance Determination Process (SDP), and comments affecting the outcome of the Phase 3 SDP. The comments with minor impacts are not addressed in this reply because, whether or not the NRC concurs, their effect has been determined to be inconsequential to the overall result of the analysis. Therefore, only the comments with potentially significant effects are addressed below.

The licensee identified three points having a significant effect on the outcome of the Phase 3 analysis: (1) the use of a lower frequency for loss of offsite power in establishing the base case, (2) the assumptions used in determining the probability that emergency diesel generator (EDG) 2 could not have been recovered from a speed sensor failure in time to influence the outcome of core damage sequences, and (3), the basis for not crediting the alternate mitigation strategy of firewater injection.

In the first point, the licensee stated that the change in core damage frequency is over-estimated because the NRC preliminary Phase 3 evaluation used a base case to establish nominal core damage frequency (CDF) that included adjustments to the loss of offsite power initiating frequencies, offsite power non-recoveries, and diesel generator recoveries for cutsets that include start failures of the division one emergency diesel generator.this resulted in a base CDF that is less than the nominal CDF reflected by the NRC Standardized Plant Analysis Risk (SPAR) model, and correspondingly resulted in a larger change in CDF.

The NRC does not concur with this comment. In the analysis, the base and current cases were re-defined to exclude loss of offsite power (LOOP) events of duration less than the time that EDG 2 was assumed to be able to run before experiencing a speed sensor circuit failure. In other words, shorter LOOPS were not analyzed because their core damage consequences were insensitive to whether or not EDG 2 was susceptible to a speed sensor circuit failure. It would be mathematically inconsistent to include the short-term LOOPs in the base case while excluding them from the current case, in that this would artificially lower the change in core damage frequency. It was important to eliminate the shorter LOOPs because to have not done so would have inappropriately failed to credit the remaining run capability of EDG 2, but for consistency this adjustment was also necessary in the base case. It was recognized that cutsets with a start failure of EDG 1 should be modified to account for the possibility of recovering this EDG prior to the assumed failure of EDG 2. This adjustment lowered the delta-CDF by approximately 3 percent.

In the second point, the licensee disagreed with several assumptions made in the SPAR-H human reliability analysis of the recovery of EDG 2 from a speed sensor failure. Specifically, the licensee considered that the ergonomics aspect of the diagnosis was over-estimated and that the available time, stress, and procedure characterization for the action steps were also incorrect.

Concerning the diagnosis ergonomics, the licensees stated that there were no conditionsthat would be expected to result in poor ergonomic shaping factors during the recovery. Emergency lighting and portable lighting will be available in these areas throughout the recovery timeline.

The NRC disagrees with the proposed change to this performance shaping factor. It is asserted that three issues support the assignment of "poor" for the diagnosis: (1) there were no indications or annunciators revealing the reason for the shutdown of EDG 2, (2) the loose Enclosure 3

amphenol connection was not readily noticeable from the ground floor or the catwalk, and (3) the time available to observe the failure mechanism was limited to several short windows of time (20-30 seconds) before the EDG would shut down automatically. The NRC recognizes that the lack of indication for other failure modes would narrow the scope of possibilities that would need to be investigated, though the obscure location of the amphenol and the limited observation periods would represent a challenge to successfully diagnose the problem. Also, this failure mode was not well known to the operators, so their experience in dealing with it would have been limited. The combination of these factors was considered sufficient to warrant an ergonomics rating of greater than nominal (poor).

The NRC agrees that the three shaping factors identified by the licensee associated with the action steps should be changed as follows:

ORIGINAL ASSUMPTION REVISED ASSUMPTION Available Time Nominal (1) >= 5X Time Required (0.1)

Stress High (2) Extreme (5)

Procedures Nominal (1) Not Available (50)

The following table presents the revised EDG 2 non-recovery probability:

DIAGNOSIS MULTIPLIER ACTION MULTIPLIER (0.01) (0.001)

Available Time Expansive 0.01 >5 Times 0.1 Required Stress Extreme 5 Extreme 5 Complexity High 5 Nominal 1 Experience/Training Nominal 1 Nominal 1 Procedures Not Available 50 Not Available 50 Ergonomics Poor 10 Nominal 1 Product of Multipliers 125 25 Diagnosis human error probability (HEP) = 0.01(125)/ [0.01(125-1) + 1] = 0.558 Action HEP = 0.001(25) = 0.025 Total HEP = 0.558 + 0.025 = 0.583 The overall effect of the revisions was to change the EDG 2 non-recovery HEP from its original value of 0.560 to 0.583.

In the third point, the licensee stated that the complete removal of credit for firewater injection in the NRC analysis was not a proper application of the SDP guidelines. Specifically, the fact that manual service water Valve SW-V-119 was incapable of opening to enable the firewater injection flow path should not have been considered because doing so has the effect of aggregating the consequences of two dissimilar performance deficiencies. The SDP is designed to quantify the isolated risk effects of single performance deficiencies. Furthermore, other flow paths were available, though the timing of configuring these paths in time to prevent core damage was indeterminate. However, it was possible that operators could recognize the Enclosure 3

nonfunctional status of SW-V-119 early in the process, presumably by noticing its caution tag, and then proceed initially to configure an alternate flowpath.

The NRC disagrees that the operational status of Valve SW-V-119 should have been disregarded in the determination of firewater injection credit. This valve's condition was not considered a performance deficiency. It was considered a result of the elective deferral of a maintenance activity. However, the use of firewater injection as an alternate mitigation strategy does not merit the same degree of credit that is applied to emergency core cooling systems (ECCS), where Technical Specifications and safety-related maintenance programs ensure a high degree of reliability and availability. Therefore, the actual condition of equipment used for alternate mitigation was considered when assigning recovery credit.

As a sensitivity analysis, the analyst estimated the firewater injection credit that hypothetically could be applied given that alternate flowpaths were available and operators might have initially selected such a path after assessing the condition of Valve SW-V-119. Within the SPAR-H methodology, and discounting a diagnosis failure, the following non-nominal performance shaping factors were considered appropriate to model this recovery action:

Available time Barely Adequate (10)

Stress Extreme (5)

Complexity Moderate (2)

Ergonomics Poor (10)

The assignment of "poor" to ergonomics is intended to model the likelihood that the nonfunctional status of Valve SW-V-119 would only be discovered after insufficient time remained to reconfigure an alternate flowpath. With a base error probability of 1.0E-3, and a product of multipliers of 1000, the estimated failure probability is:

HEP = 0.001(1000)/[0.001(1000-1) +1] = 0.5 Therefore, as a sensitivity analysis, the failure probability assigned to firewater injection was changed from 1.0 in the original analysis to 0.5 for the revised analysis.

The revised SDP result, considering the changes discussed above, excluding the hypothetical credit for firewater injection, was not significantly different from the original value. The revised delta-CDF was estimated as 3.11E-6/yr. The original result was 2.99E-6/yr. With a credit for firewater injection as discussed above, the result is a delta-CDF of 2.98E-6/yr. Therefore, the NRC has decided to sustain the original characterization of the finding as having low risk significance (White).

Enclosure 3

ML082140518

Contents

Text

SUBJECT:

Dear Mr. Minahan:

Enclosures:

Enclosures:

References:

Navigation menu

ML082140518

Text

SUBJECT:

Dear Mr. Minahan:

Enclosures:

Enclosures:

References:

Navigation menu

Search