ML101600186

Final ASP Analysis - Oyster Creek
ML101600186
Person / Time
Site: Oyster Creek
Issue date: 06/23/2010
From: Christiana Lui
NRC/RES/DRA
To: Giitter J
Division of Operating Reactor Licensing
Hunter C, 251-7575 RES/DRA
Shared Package
ML101600173 List:
References
IR-09-005, LER 219/09-005


Text

Final Precursor Analysis
Accident Sequence Precursor Program - Office of Nuclear Regulatory Research

Oyster Creek: Loss of Offsite Power due to Lightning Strike
LER: 219/09-005
Event Date: 07/12/2009
CCDP = 5×10⁻⁵
IR: 50-219/09-09

EVENT SUMMARY

Event Description. At 1:31 am on July 12, 2009, a lightning strike on the 34.5 kV Whiting Line near the Oyster Creek switchyard caused the pilot wire to break and fall across the suspended wire conductors. This caused both a phase-to-phase and a phase-to-ground short circuit. The generator responded to the fault on the Whiting line as an additional load, and the generator automatic voltage regulator increased excitation to the generator field to match the load. The generator protection relays sensed a valid over-excitation condition and, after an appropriate time delay, caused the generator output breakers to open. This initiated a signal to remove steam from the turbine, which resulted in a fast closure of the turbine control valves. The fast closure of the turbine control valves initiated the reactor scram, as designed.

Following the generator trip and reactor scram, the safety-related 4 kV busses were de-energized. The maximum reactor coolant system (RCS) pressure during the transient was 1066 psig, which caused the A and D electromatic relief valves (EMRVs) to open, as designed, to limit the pressure increase. Both isolation condensers (ICs) initiated at an RCS pressure of 1051 psig, as designed. To limit the RCS cooldown and depressurization the operators secured both ICs by closing their condensate return valves. The main feed pumps, powered from non-safety-related busses, tripped on loss of power and could not be restarted until offsite power was restored.

Both emergency diesel generators (EDGs) started on their respective bus under-voltage relay signals. The EDG 2 breaker closed within the required design basis time period, while the EDG 1 output breaker did not; it closed in about 91 seconds.¹ While the 4 kV safety busses were de-energized, the reactor protection system (RPS) motor generator sets lost power until the EDGs started and repowered the busses. This loss of RPS power caused primary and secondary containment isolations, including closure of the main steam isolation valves.

Once the EDGs repowered the safety-related busses, the operators started a second control rod drive pump and used that system to feed cooling water to the RCS to restore reactor pressure vessel water level.

The operators cycled the IC condensate return valves, as needed, to control RCS pressure and temperature. After the initial operation, the third time that the B IC was initiated its shell side water level indication decreased to zero. Operators noted the decrease and removed the B IC from further service.

¹ The loads supplied by EDG 1 were automatically powered in sufficient time to perform their safety function.

Operators unsuccessfully attempted to restore offsite power to the 1C Safety Bus at 3:08 am. EDG 1 would not automatically synchronize with offsite power and operators could not complete the manual synchronization given the procedures in place at the time. Although offsite power was available to the bus, EDG 1 continued to power the bus until July 13, 2009. Offsite power was restored to Safety Bus 1D at 3:14 am and EDG 2 was secured and placed in a standby status.

Additional information is provided in References 1 and 2.

Cause. The cause of the LOOP was a lightning strike that broke the carrier/static line, resulting in a three-phase-to-ground fault. The Q-121 line breaker at Oyster Creek failed to open on the line fault resulting in the generator feeding the fault until backup line breakers opened and isolated the line. These grid disturbances caused voltage swings and when the backup line breakers eventually isolated the Q-121 fault, switchyard voltage increased rapidly and the generator tripped on over-excitation. The turbine-generator trip resulted in an automatic reactor scram.

Recovery Opportunities. Offsite power was restored to the first safety bus (Bus 1D) 1 hour and 43 minutes after the LOOP occurred. Offsite power was available in the switchyard 9 minutes earlier. See Appendix C for further details.

Analysis Rules. The ASP program uses Significance Determination Process (SDP) results for degraded conditions when available. However, the ASP program performs independent initiating event analysis when an initiator occurs and a condition analysis when there are no performance deficiencies identified for a particular event. In addition, the ASP program analyzes separate degraded conditions that were present during the same period and similar degraded conditions on an individual system or component that had different performance deficiencies.

Two GREEN (i.e., very low safety significance) findings have been identified for this event and are described in Reference 2. Therefore, this analysis focuses solely on the risk of the loss of offsite power to the safety buses and subsequent reactor trip that occurred.

ANALYSIS RESULTS

Conditional Core Damage Probability. The point estimate conditional core damage probability (CCDP) value for this event is 4.1×10⁻⁵. The results of an uncertainty assessment on the event CCDP are summarized below.

|      | 5%       | Mean     | 95%      |
|------|----------|----------|----------|
| CCDP | 8.8×10⁻⁸ | 4.8×10⁻⁵ | 2.0×10⁻⁴ |

The Accident Sequence Precursor Program acceptance threshold is a CCDP of 1×10⁻⁶ or the CCDP equivalent of an uncomplicated reactor trip with a non-recoverable loss of secondary plant systems (e.g., feed water and condensate), whichever is greater. This CCDP equivalent for Oyster Creek is 2×10⁻⁵.

Dominant Sequence. The dominant accident sequence, LOOP Sequence 25 (CCDP = 2.3×10⁻⁵), contributes 56% of the total internal events CCDP. Additional sequences that contribute greater than 1% of the total internal events CCDP are provided in Appendix A.

The dominant sequence is shown graphically in Figure B-1 in Appendix B. The events and important component failures in LOOP Sequence 25 are:

  • IC fails, and
  • operators fail to depressurize the RCS.

GEM Worksheet. The GEM analysis worksheet contained in Appendix A provides the following:

  • Modified basic events and initiating event frequencies, including base and change case probabilities/frequencies.
  • Dominant sequences (including CCDPs).
  • Sequence logic for all dominant sequences.
  • Fault tree definitions.
  • Sequence cutsets.
  • Definitions and probabilities for key basic events.

MODELING ASSUMPTIONS

Analysis Type. Revision 3.50 of the Oyster Creek SPAR model (Reference 3), created in November 2009, was used for this event analysis. This event was modeled as a LOOP initiating event.

Modeling Assumptions. The following modeling assumptions were determined to be vital to this event analysis:

  • This analysis models the July 12, 2009 reactor trip at Oyster Creek as a LOOP initiating event.
  • Offsite power recovery to a safety bus was possible 94 minutes after the LOOP occurred.
  • Recovery of the B IC was possible within 1 hour of the initiating event occurrence.

Fault Tree Modifications. The following fault tree modifications were necessary to perform this event analysis:

  • Two basic events were added to the ISO-B and ISO-HW fault trees. A basic event (ISO-TRNB-SD) to account for the operators securing the B IC due to low level and a basic event (ISO-XHE-TRNB-LEVEL) representing the non-recovery probability of the B IC were inserted under an AND gate. See Figures B-2 and B-3 in Appendix B for the modified isolation condenser fault trees.

Basic Event Probability Changes. The following initiating event frequencies and basic event probabilities were modified for this event analysis:

  • The LOOP initiating event frequency (IE-LOOPSC) was set to 1.0 to represent the operational event that occurred at Oyster Creek on July 12, 2009. All other initiating event frequencies were set to zero.
  • The A IC condensate return valve was cycled 67 times by operators during the event. Therefore, the failure probability for basic event ISO-MOV-CC-V1434 was changed to 6.3×10⁻² (binomial expansion) to account for the increased chance that this motor-operated valve would fail to open on demand.

  • The basic event ISO-TRNB-SD was set to TRUE because operators secured the B IC due to low indicated level.
  • The non-recovery probability for basic event ISO-XHE-TRNB-LEVEL was set to 0.5 using the SPAR-H method (Reference 4). The performance shaping factor (PSF) for diagnosis ergonomics/human machine interface was set to missing/misleading due to erroneous level indication caused by the foreign material present in the instrument line. All other PSFs were set to nominal.

  • The non-recovery probability for basic event OEP-XHE-XL-NR30MSC was set to TRUE because offsite power was unavailable in the switchyard until 94 minutes after the LOOP occurred.
  • The non-recovery probability for basic event OEP-XHE-XL-NR01HSC was set to TRUE because offsite power was unavailable in the switchyard until 94 minutes after the LOOP occurred.
  • The non-recovery probability for basic event OEP-XHE-XL-NR03HSC was changed to 2.4×10⁻³. See Appendix C for further details.
  • The non-recovery probability for basic event OEP-XHE-XL-NR04HSC was changed to 2.4×10⁻³. See Appendix C for further details.
  • The non-recovery probability for basic event OEP-XHE-XL-NR08HSC was changed to 2.4×10⁻³. See Appendix C for further details.
  • The non-recovery probability for basic event OEP-XHE-XL-NR10HSC was changed to 2.4×10⁻³. See Appendix C for further details.
  • There were five openings of EMRVs: the A and D EMRVs opened at their set points (1066 psig) to limit pressure after the reactor and turbine trips, and operators manually opened an EMRV three times to lower RCS pressure and vessel level. Therefore, the failure probability for basic event PPR-SRV-OO-1VLV was changed to 4×10⁻³ (binomial expansion) to account for the increased probability that one of the EMRVs could stick open.
  • The default diesel generator mission times were changed to reflect the actual time offsite power was restored to the first vital bus (approximately 2 hours). Since the overall fail-to-run is made up of two separate factors, the mission times for the factors were set to the following: ZT-DGN-FR-E = 1 hour (base case value) and ZT-DGN-FR-L = 1 hour.

REFERENCES

1. Oyster Creek Generating Station, "LER 219/09-005 - Reactor Scram Following a Transmission Line Lightning Strike," dated September 9, 2009.
2. U.S. Nuclear Regulatory Commission, Oyster Creek Generating Plant Special Inspection Report 05000219/2009009, dated September 26, 2009.
3. Idaho National Laboratory, Standardized Plant Analysis Risk Model for Oyster Creek, Revision 3.45, dated June 2008.
4. Idaho National Laboratory, NUREG/CR-6883: The SPAR-H Human Reliability Analysis Method, dated August 2005.
5. U.S. Nuclear Regulatory Commission, RASP Handbook: Internal Events, Revision 1.03, dated August 2009.

Appendix A GEM Worksheet

SAPHIRE Code Version: 7.27.0.41
SPAR Model Version: Oyster Creek 3.45 (June 2008)
Analysis Type: Initiating Event Assessment
Event Description: LOOP with Offsite Power Recovery Possible 94 Minutes after Event Occurrence
Total CCDP: 4.1E-5 (Point Estimate), 4.8E-5 (Mean)

BASIC EVENT CHANGES

| Event Name | Description | Base Probability | Current Probability |
|---|---|---|---|
| IE-IORV | Inadvertent Open Relief Valve | 2.0E-002 | 0.0E+000 |
| IE-ISL-RHR | ISLOCA IE 2-MOV RHR Interface | 4.0E-006 | 0.0E+000 |
| IE-LLOCA | Large LOCA | 1.0E-005 | 0.0E+000 |
| IE-LO1C | Loss of 4160 V AC Bus 1C | 4.5E-003 | 0.0E+000 |
| IE-LO1D | Loss of 4160 V AC Bus 1D | 4.5E-003 | 0.0E+000 |
| IE-LOCHS | Loss of Condenser Heat Sink | 2.0E-001 | 0.0E+000 |
| IE-LOCW | Loss of Circulating Water | 4.0E-004 | 0.0E+000 |
| IE-LODCB | Loss of Vital DC Bus | 1.2E-003 | 0.0E+000 |
| IE-LOFC | Loss of Feedwater Control | 1.7E-001 | 0.0E+000 |
| IE-LOIAS | Loss of Instrument Air | 1.0E-002 | 0.0E+000 |
| IE-LOIS | Loss of Intake Structure | 7.5E-003 | 0.0E+000 |
| IE-LOMFW | Loss of Feedwater | 1.0E-001 | 0.0E+000 |
| IE-LOOPGR | Loss of Offsite Power (Grid-Related) | 1.9E-002 | 0.0E+000 |
| IE-LOOPPC | Loss of Offsite Power (Plant-Centered) | 2.1E-003 | 0.0E+000 |
| IE-LOOPSC | Loss of Offsite Power (Switchyard-Centered) | 1.0E-002 | 1.0E+000 |
| IE-LOOPWR | Loss of Offsite Power (Weather-Related) | 4.8E-003 | 0.0E+000 |
| IE-LOSWS | Loss of Service Water | 4.0E-004 | 0.0E+000 |
| IE-MLOCA | Medium LOCA | 1.0E-004 | 0.0E+000 |
| IE-SLOCA | Small LOCA | 6.0E-004 | 0.0E+000 |
| IE-TRANS | General Plant Transient | 8.0E-001 | 0.0E+000 |
| IE-XLOCA | Excessive LOCA (Vessel Rupture) | 1.0E-007 | 0.0E+000 |
| ISO-MOV-CC-V1434 | Train A Injection Valve EC-14-34 Fails to Open | 1.0E-003 | 6.3E-002 |
| ISO-TRNB-SD | Operators Shutdown Train B IC Due to Level | 0.0E+000 | TRUE |
| ISO-XHE-TRNB-LEVEL | Operators Fail to Restore Level in Train B | 0.0E+000 | 5.0E-001 |
| OEP-XHE-XL-NR01HSC | Operator Fails to Recover Offsite Power in 1hr | 0.0E+000 | TRUE |
| OEP-XHE-XL-NR03HSC | Operator Fails to Recover Offsite Power in 3hrs | 0.0E+000 | 2.4E-003 |
| OEP-XHE-XL-NR04HSC | Operator Fails to Recover Offsite Power in 4hrs | 0.0E+000 | 2.4E-003 |
| OEP-XHE-XL-NR08HSC | Operator Fails to Recover Offsite Power in 8hrs | 0.0E+000 | 2.4E-003 |
| OEP-XHE-XL-NR10HSC | Operator Fails to Recover Offsite Power in 10hrs | 0.0E+000 | 2.4E-003 |
| OEP-XHE-XL-NR30MSC | Operator Fails to Recover Offsite Power in 30m | 0.0E+000 | TRUE |
| PPR-SRV-OO-1VLV | One SRV Sticks Open | 8.0E-004 | 4.0E-003 |
| ZT-DGN-FR-L | Emergency Diesel Generator (Fail-to-Run Late) | 1.8E-002 | 8.0E-004 |

DOMINANT SEQUENCES

| Event Tree | Sequence | CCDP | % Contribution |
|---|---|---|---|
| LOOPSC | 25 | 2.3E-005 | 56.1 |
| LOOPSC | 24 | 6.1E-006 | 14.9 |
| LOOPSC | 29-37 | 4.9E-006 | 12.0 |
| LOOPSC | 29-50 | 2.6E-006 | 6.3 |
| LOOPSC | 29-44 | 2.3E-006 | 5.6 |

SEQUENCE LOGIC

| Event Tree | Sequence Name | Logic |
|---|---|---|
| LOOPSC | 25 | /RPS, /EPS, /SRV, ISO-HW, DEP |
| LOOPSC | 24 | /RPS, /EPS, /SRV, ISO-HW, /DEP, LCI |
| LOOPSC | 29-37 | /RPS, EPS, /SRV, /ISO1, CTG, SEALS, /DEP1, FWS, OPR-30M, DGR-30M |
| LOOPSC | 29-50 | /RPS, EPS, P1, /ISO1, OPR-01H, DGR-01H |
| LOOPSC | 29-44 | /RPS, EPS, /SRV, ISO1, CTG1, /SEALS, OPR-01H, DGR-01H |

FAULT TREE DESCRIPTIONS

| Fault Tree Name | Description |
|---|---|
| CTG | Forked River Combustion Turbines |
| CTG1 | Oyster Creek Forked River Combustion Turbines (Early) |
| DEP | Manual Reactor Depressurization |
| DEP1 | Manual Reactor Depressurization |
| DGR-01H | Operator Fails To Recover Emergency Diesel in 1 Hour |
| DGR-30M | Operator Fails To Recover Emergency Diesel in 30 Minutes |
| EPS | Emergency Power |
| FWS | Firewater Injection |
| ISO-HW | Isolation Condenser |
| ISO1 | Isolation Condenser |
| LCI | Low-Pressure Injection |
| OPR-01H | Offsite Power Recovery in 1 Hour |
| OPR-30M | Offsite Power Recovery in 30 Minutes |
| P1 | One Stuck Open SRV |
| RPS | Reactor Protection System |
| SEALS | Recirculation Pump Seals Survive |
| SRV | SRV Are Closed |

SEQUENCE CUTSETS

Sequence: LOOP 25 CCDP: 2.3E-005

| CCDP | % Cutset | Cutset Events |
|---|---|---|
| 1.6E-005 | 68.33 | ISO-MOV-CC-V1434, ADS-XHE-XM-MDEPR, ISO-XHE-TRNB-LEVEL |

Sequence: LOOP 24 CCDP: 6.4E-006

| CCDP | % Cutset | Cutset Events |
|---|---|---|
| 3.2E-006 | 51.49 | ISO-MOV-CC-V1434, LCS-XHE-XM-ERROR, ISO-XHE-TRNB-LEVEL |
| 3.1E-007 | 5.06 | ISO-MOV-CC-V1434, LCS-MDP-CF-BSTART, ISO-XHE-TRNB-LEVEL |
| 3.1E-007 | 5.06 | ISO-MOV-CC-V1434, LCS-MDP-CF-START, ISO-XHE-TRNB-LEVEL |
| 1.5E-007 | 2.50 | ISO-MOV-CF-INJEC, LCS-XHE-XM-ERROR |

Sequence: LOOP 29-37 CCDP: 4.9E-006

| CCDP | % Cutset | Cutset Events |
|---|---|---|
| 5.8E-007 | 11.83 | RRS-MDP-LK-SEALS, EPS-XHE-XL-NR30M, EPS-DGN-CF-RUN, EPS-CTG-OP-BOTH |
| 4.1E-007 | 8.20 | RRS-MDP-LK-SEALS, EPS-XHE-XL-NR30M, EPS-DGN-FR-DG1, EPS-DGN-TM-DG2, EPS-CTG-OP-BOTH |
| 4.1E-007 | 8.20 | RRS-MDP-LK-SEALS, EPS-XHE-XL-NR30M, EPS-DGN-TM-DG1, EPS-DGN-FR-DG2, EPS-CTG-OP-BOTH |
| 3.3E-007 | 6.60 | RRS-MDP-LK-SEALS, EPS-XHE-XL-NR30M, EPS-DGN-CF-START, EPS-CTG-OP-BOTH |
| 3.0E-007 | 6.04 | RRS-MDP-LK-SEALS, EPS-XHE-XL-NR30M, EPS-DGN-TM-DG1, EPS-DGN-FS-DG2, EPS-CTG-OP-BOTH |
| 3.0E-007 | 6.04 | RRS-MDP-LK-SEALS, EPS-XHE-XL-NR30M, EPS-DGN-FS-DG1, EPS-DGN-TM-DG2, EPS-CTG-OP-BOTH |
| 2.3E-007 | 4.64 | RRS-MDP-LK-SEALS, EPS-XHE-XL-NR30M, EPS-DGN-FR-DG1, EPS-DGN-FR-DG2, EPS-CTG-OP-BOTH |
| 1.7E-007 | 3.42 | RRS-MDP-LK-SEALS, EPS-XHE-XL-NR30M, EPS-DGN-FS-DG1, EPS-DGN-FR-DG2, EPS-CTG-OP-BOTH |
| 1.7E-007 | 3.42 | RRS-MDP-LK-SEALS, EPS-XHE-XL-NR30M, EPS-DGN-FR-DG1, EPS-DGN-FS-DG2, EPS-CTG-OP-BOTH |
| 1.5E-007 | 3.02 | RRS-MDP-LK-SEALS, EPS-XHE-XL-NR30M, EPS-DGN-TM-DG2, ACP-CRB-CC-M1C, EPS-CTG-OP-BOTH |
| 1.5E-007 | 3.02 | RRS-MDP-LK-SEALS, EPS-XHE-XL-NR30M, EPS-DGN-TM-DG1, ACP-CRB-CC-M1B, EPS-CTG-OP-BOTH |
| 1.5E-007 | 3.02 | RRS-MDP-LK-SEALS, EPS-XHE-XL-NR30M, EPS-DGN-TM-DG1, ACP-CRB-OO-DG2, EPS-CTG-OP-BOTH |
| 1.2E-007 | 2.52 | RRS-MDP-LK-SEALS, EPS-XHE-XL-NR30M, EPS-DGN-FS-DG1, EPS-DGN-FS-DG2, EPS-CTG-OP-BOTH |

Sequence: LOOP 29-50 CCDP: 2.6E-006

| CCDP | % Cutset | Cutset Events |
|---|---|---|
| 3.6E-007 | 14.22 | EPS-XHE-XL-NR01H, PPR-SRV-OO-1VLV, EPS-DGN-CF-RUN |
| 2.5E-007 | 9.86 | EPS-XHE-XL-NR01H, PPR-SRV-OO-1VLV, EPS-DGN-FR-DG1, EPS-DGN-TM-DG2 |
| 2.5E-007 | 9.86 | EPS-XHE-XL-NR01H, PPR-SRV-OO-1VLV, EPS-DGN-TM-DG1, EPS-DGN-FR-DG2 |
| 2.0E-007 | 7.93 | EPS-XHE-XL-NR01H, PPR-SRV-OO-1VLV, EPS-DGN-CF-START |
| 1.9E-007 | 7.27 | EPS-XHE-XL-NR01H, PPR-SRV-OO-1VLV, EPS-DGN-FS-DG1, EPS-DGN-TM-DG2 |
| 1.9E-007 | 7.27 | EPS-XHE-XL-NR01H, PPR-SRV-OO-1VLV, EPS-DGN-TM-DG1, EPS-DGN-FS-DG2 |
| 1.4E-007 | 5.58 | EPS-XHE-XL-NR01H, PPR-SRV-OO-1VLV, EPS-DGN-FR-DG1, EPS-DGN-FR-DG2 |
| 1.1E-007 | 4.11 | EPS-XHE-XL-NR01H, PPR-SRV-OO-1VLV, EPS-DGN-FR-DG1, EPS-DGN-FS-DG2 |
| 1.1E-007 | 4.11 | EPS-XHE-XL-NR01H, PPR-SRV-OO-1VLV, EPS-DGN-FS-DG1, EPS-DGN-FR-DG2 |
| 9.3E-008 | 3.63 | EPS-XHE-XL-NR01H, PPR-SRV-OO-1VLV, EPS-DGN-TM-DG1, ACP-CRB-OO-DG2 |
| 9.3E-008 | 3.63 | EPS-XHE-XL-NR01H, PPR-SRV-OO-1VLV, EPS-DGN-TM-DG1, ACP-CRB-CC-M1B |

Sequence: LOOP 29-44 CCDP: 2.3E-006

| CCDP | % Cutset | Cutset Events |
|---|---|---|
| 1.7E-007 | 7.33 | EPS-XHE-XL-NR01H, ISO-XHE-TRNB-LEVEL, ISO-MOV-CC-V1434, EPS-DGN-CF-RUN, EPS-CTG-OP-BOTH |
| 1.2E-007 | 5.08 | EPS-XHE-XL-NR01H, ISO-XHE-TRNB-LEVEL, ISO-MOV-CC-V1434, EPS-DGN-FR-DG1, EPS-DGN-TM-DG2, EPS-CTG-OP-BOTH |
| 1.2E-007 | 5.08 | EPS-XHE-XL-NR01H, ISO-XHE-TRNB-LEVEL, ISO-MOV-CC-V1434, EPS-DGN-TM-DG1, EPS-DGN-FR-DG2, EPS-CTG-OP-BOTH |
| 9.2E-008 | 4.09 | EPS-XHE-XL-NR01H, ISO-XHE-TRNB-LEVEL, ISO-MOV-CC-V1434, EPS-DGN-CF-START, EPS-CTG-OP-BOTH |
| 8.5E-008 | 3.74 | EPS-XHE-XL-NR01H, ISO-XHE-TRNB-LEVEL, ISO-MOV-CC-V1434, EPS-DGN-TM-DG1, EPS-DGN-FS-DG2, EPS-CTG-OP-BOTH |
| 8.5E-008 | 3.74 | EPS-XHE-XL-NR01H, ISO-XHE-TRNB-LEVEL, ISO-MOV-CC-V1434, EPS-DGN-FS-DG1, EPS-DGN-TM-DG2, EPS-CTG-OP-BOTH |
| 6.5E-008 | 2.87 | EPS-XHE-XL-NR01H, ISO-XHE-TRNB-LEVEL, ISO-MOV-CC-V1434, EPS-DGN-FR-DG1, EPS-DGN-FR-DG2, EPS-CTG-OP-BOTH |
| 5.7E-008 | 2.53 | EPS-XHE-XL-NR01H, ISO-XHE-TRNB-LEVEL, ISO-MOV-CC-V1434, EPS-DGN-CF-RUN, EPS-XHE-XM-CTG1 |
| 4.8E-008 | 2.12 | EPS-XHE-XL-NR01H, ISO-XHE-TRNB-LEVEL, ISO-MOV-CC-V1434, EPS-DGN-FR-DG1, EPS-DGN-FS-DG2, EPS-CTG-OP-BOTH |
| 4.8E-00 | 2.12 | EPS-XHE-XL-NR01H, ISO-XHE-TRNB-LEVEL, ISO-MOV-CC-V1434, EPS-DGN-FS-DG1, EPS-DGN-FR-DG2 |

BASIC EVENTS (cutsets only)

| Event Name | Description | Probability |
|---|---|---|
| ACP-CRB-CC-M1B | Main Generator Circuit Breaker 1b Fails To Open | 2.5E-003 |
| ACP-CRB-CC-M1C | Main Generator Circuit Breaker 1c Fails To Open | 2.5E-003 |
| ACP-CRB-OO-DG2 | Dg2 Breaker Fails To Remain Close (PRA) | 2.5E-003 |
| ADS-XHE-XM-MDEPR | Fail To Depressurize Given Transient Plant | 5.0E-004 |
| EPS-CTG-LP-XSW | Extreme Weather Event Conditional Probability | 4.8E-003 |
| EPS-CTG-OP-BOTH | Both CTGs Initially Operating | 5.8E-002 |
| EPS-DGN-CF-RUN | Diesel Fail from Common Cause to Run | 1.2E-004 |
| EPS-DGN-CF-START | Diesels Fail from Common Cause to Start | 6.6E-005 |
| EPS-DGN-FR-DG1 | Diesel Generator DG1 Fails to Run | 6.8E-003 |
| EPS-DGN-FR-DG2 | Diesel Generator DG2 Fails to Run | 6.8E-003 |
| EPS-DGN-FS-DG1 | Diesel Generator DG1 Fails to Start | 5.0E-003 |
| EPS-DGN-FS-DG2 | Diesel Generator DG2 Fails to Start | 5.0E-003 |
| EPS-DGN-TM-DG1 | DG1 Is Unavailable Due To Test or Maintenance | 1.2E-002 |
| EPS-DGN-TM-DG2 | DG2 Is Unavailable Due To Test or Maintenance | 1.2E-002 |
| EPS-XHE-XL-NR01H | Operator Fails To Recover Emergency Diesel in 1H | 7.7E-001 |
| EPS-XHE-XL-NR30M | Operator Fails To Recover Emergency Diesel in 30M | 8.6E-001 |
| EPS-XHE-XM-CTG1 | Failure to Align Forked River CTGs | 2.0E-002 |
| ISO-MOV-CC-V1434 | Train A Injection Valve EC-14-34 Fails To Open | 6.3E-002 |
| ISO-MOV-CF-INJEC | Common Cause Failure of Injection Valves | 1.5E-003 |
| ISO-XHE-TRNB-LEVEL | Operators Fail To Restore Level in Train B | 5.0E-001 |
| LCS-MDP-CF-BSTART | Core Spray Booster Pumps Fail from Common Cause | 9.8E-006 |
| LCS-MDP-CF-START | Core Spray Pumps Fail from Common Cause to Start | 9.8E-006 |
| LCS-XHE-XM-ERROR | Operator Fails to Start/Control Core Spray | 1.0E-004 |
| PPR-SRV-OO-1VLV | One SRV Sticks Open | 4.0E-003 |
| RRS-MDP-LK-SEALS | Recirculation Pump Seals Fail during SBO | 1.0E-001 |
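The cutset values in this worksheet can be recomputed from the basic event probabilities. The following is an added example, not part of the NRC analysis or of SAPHIRE: it multiplies the basic events of each listed cutset for LOOP sequences 25 and 24, treats a house event set to TRUE as certain, and compares the result with the printed value. The function names, the 3% rounding tolerance and the use of the min cut upper bound to combine cutsets are assumptions of this example.

```python
from math import prod

# Probabilities copied from the "BASIC EVENTS (cutsets only)" table above.
# ISO-TRNB-SD is the house event the analysis set to TRUE.
BASIC_EVENTS = {
    "ADS-XHE-XM-MDEPR": 5.0e-4,
    "ISO-MOV-CC-V1434": 6.3e-2,
    "ISO-MOV-CF-INJEC": 1.5e-3,
    "ISO-XHE-TRNB-LEVEL": 5.0e-1,
    "LCS-MDP-CF-BSTART": 9.8e-6,
    "LCS-MDP-CF-START": 9.8e-6,
    "LCS-XHE-XM-ERROR": 1.0e-4,
    "ISO-TRNB-SD": True,
}

# (value printed in the worksheet, cutset events) for LOOP sequences 25 and 24.
WORKSHEET_CUTSETS = {
    "LOOP 25": [
        (1.6e-5, ("ISO-MOV-CC-V1434", "ADS-XHE-XM-MDEPR", "ISO-XHE-TRNB-LEVEL")),
    ],
    "LOOP 24": [
        (3.2e-6, ("ISO-MOV-CC-V1434", "LCS-XHE-XM-ERROR", "ISO-XHE-TRNB-LEVEL")),
        (3.1e-7, ("ISO-MOV-CC-V1434", "LCS-MDP-CF-BSTART", "ISO-XHE-TRNB-LEVEL")),
        (3.1e-7, ("ISO-MOV-CC-V1434", "LCS-MDP-CF-START", "ISO-XHE-TRNB-LEVEL")),
        (1.5e-7, ("ISO-MOV-CF-INJEC", "LCS-XHE-XM-ERROR")),
    ],
}


def event_probability(name):
    """Probability of one basic event; TRUE/FALSE house events map to 1.0/0.0."""
    value = BASIC_EVENTS[name]  # unknown names raise KeyError rather than default
    if isinstance(value, bool):
        return 1.0 if value else 0.0
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name}: {value} is not a probability")
    return float(value)


def cutset_probability(events):
    """A cutset is an AND of independent basic events, so multiply."""
    return prod(event_probability(e) for e in events)


def min_cut_upper_bound(probabilities):
    """1 - prod(1 - C_i): combines cutset probabilities without exceeding 1."""
    return 1.0 - prod(1.0 - p for p in probabilities)


def check_sequence(sequence, rel_tol=0.03):
    """Recompute each listed cutset and compare it with the printed value.

    rel_tol allows for the two-significant-figure rounding in the worksheet.
    Returns one (events, printed, computed, consistent) tuple per cutset.
    """
    rows = []
    for printed, events in WORKSHEET_CUTSETS[sequence]:
        computed = cutset_probability(events)
        consistent = abs(computed - printed) <= rel_tol * printed
        rows.append((events, printed, computed, consistent))
    return rows


if __name__ == "__main__":
    for seq in WORKSHEET_CUTSETS:
        rows = check_sequence(seq)
        for events, printed, computed, ok in rows:
            print(f"{seq:8} printed={printed:.1e} computed={computed:.3e} "
                  f"{'ok' if ok else 'MISMATCH'}  {', '.join(events)}")
        bound = min_cut_upper_bound(r[2] for r in rows)
        print(f"{seq:8} min cut upper bound of listed cutsets: {bound:.3e}")
```

Only the cutsets printed in the worksheet are included, so the bound covers the listed cutsets and not the full sequence CCDP.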

Appendix B Key Event Trees and Modified Fault Trees

[Figure: event tree with top events IE-LOOP, RPS, EPS, SRV, ISO-HW, ISO-MU, CRD, DEP, LCI, OEP-10H, SPC, SDC, CVS and LI; sequences 1 through 31 with end states OK, CD, or transfer (T) to LOOP-1, LOOP-2, LOOP-3, SBO and ATWS.]

Figure B-1. Oyster Creek LOOP event tree.

[Figure: fault tree with top gate ISO-B (Train B fails). Gates and events shown: ISO-AOV-CC-V1134, ISO-CKV-CC-V1133, ISO-CND-TM-TRNB, ISO-MOV-CC-V1435, DCP-PNL-B-ST, ISO-3A, ISO-B-1, ISO-B-2, ISO-TRNB-SD, ISO-XHE-TRNB-LEVEL, FWS3, ISO-B-3, ISO-XHE-XO-ERRLT, DCP-PNL-B-LT, ISO-CKV-CC-V1142, ISO-XVM-CC-V1141, CTS, IAS.]

Figure B-2. Oyster Creek modified ISO-B fault tree.

[Figure: fault tree with top gate ISO-HW (IC hardware failure). Gates and events shown: ISO-MOV-CF-INJEC, ISO-XHE-XE-ERROR, ISO-HW-1, ISO-HW-2 (Train A fails), ISO-HW-3 (Train B fails), ISO-CND-TM-TRNA, ISO-MOV-CC-V1434, DCP-PNL-C-ST, ISO-HW-4, ISO-CND-TM-TRNB, ISO-MOV-CC-V1435, DCP-PNL-B-ST, ISO-3A, ISO-HW-5, ISO-XHE-XO-ERRLT, DCP-PNL-C-LT, ISO-TRNB-SD, ISO-XHE-TRNB-LEVEL, DCP-PNL-B-LT.]

Figure B-3. Oyster Creek modified ISO-HW fault tree.

Appendix C Offsite Power Recovery Modeling

Background and Modeling Details of Offsite Power Recovery²

The time required to restore offsite power to plant emergency equipment is a significant factor in modeling the CCDP given a LOOP. SPAR LOOP/SBO models include various sequence-specific AC power recovery factors that are based on the time available to recover power to prevent core damage. For a sequence involving failure of all of the cooling sources, approximately 1 hour would be available to recover power to help avoid core damage. On the other hand, sequences involving successful early inventory control and decay heat removal, but failure of long-term decay heat removal, would accommodate several hours to recover AC power prior to core damage.

In this analysis, offsite power recovery probabilities are based on (1) known information about when power was restored to the switchyard and (2) estimated probabilities of failing to realign power to emergency buses for times after offsite power was restored to the switchyard. Power restoration times were reported by the licensee in References 1 and 2. Offsite power was restored to the first safety bus (Bus 1D) 1 hour and 43 minutes after the LOOP occurred. Offsite power was available in the switchyard 9 minutes earlier. In the event of a blackout condition, operators would not be able to recover offsite power until 94 minutes after the LOOP occurred. Therefore, the recovery actions OEP-XHE-XL-NR30M and OEP-XHE-XL-NR01H are set to TRUE for this analysis.

Failure to recover offsite power to plant safety-related loads (if needed because EDGs fail to supply the loads), given recovery of power to the switchyard, could result from (1) operators failing to restore proper breaker line-ups, (2) breakers failing to close on demand, or (3) a combination of operator and breaker failures. The dominant contributor to failure to recover offsite power to plant safety-related loads in this situation is operators failing to restore proper breaker line-ups. The SPAR-H Human Reliability Analysis Method (Ref. 4) was used to estimate non-recovery probabilities as a function of time following restoration of offsite power to the switchyard.

Diagnosis, Action, and Dependency

The SPAR Human Reliability Analysis Method considers the following three factors:

  • Probability of failure to diagnose the need for action,
  • Probability of failure to successfully perform the desired action, and
  • Dependency on other operator actions involved in the specific sequence of interest.

This analysis considers the probability of failure to diagnose the need for action and the probability of failure to successfully perform the desired action. However, dependency between operator power recovery tasks and any other operator tasks is not considered. Dependency is considered only when multiple operator actions are present in the same cutset. This analysis does not have any cutsets containing multiple human error basic events.

² This section provides background information and details involving recovery of offsite power for this event. In an ASP analysis, offsite power recovery constitutes the recovery of power to the unit vital busses once power has been restored to the switchyard. ASP analyses do not deal with offsite recovery actions outside the switchyard.

Performance Shaping Factors

The probability of failure to perform an action is the product of a nominal failure probability (1×10⁻³) and the following eight performance shaping factors (PSFs):

  • Available Time
  • Stress
  • Complexity
  • Experience/Training
  • Procedures
  • Ergonomics
  • Work Processes

Time

New human reliability analysis (HRA) guidance currently being developed directs the analyst to determine if time is available to perform the action. If sufficient time is available to perform the action, the time available (best estimate) for operators to perform the action is subtracted from the total time available for the recovery action, with the remainder of the time being available for diagnosis activities. Under this new guidance, the time available PSF for action is not modified unless sufficient time to perform the operator action is not available.

Diagnosis. If the EDGs failed (postulated failure) during this event, operators would have approximately 90 minutes to recover offsite power prior to the first possible recovery action (OEP-XHE-XL-NR03H). The time required for the action component (i.e., breaker(s) manipulation) of recovery of offsite power to a vital bus is minimal (< 5 minutes). Therefore, expansive time (i.e., 2x nominal and > 30 minutes) is used for the time available PSF for all recovery actions greater than or equal to three hours.

Action. The PSF for time available for action is set to nominal for the possible AC power recovery actions.

Stress

Diagnosis and Action. The PSF for diagnosis and action stress is assigned a value of 2 (i.e., High Stress) for all possible AC power recovery actions. Factors considered in assigning this PSF level "higher than nominal level" include sudden onset of the LOOP initiating event, multiple alarms/annunciators, actual and/or postulated compounding equipment failures, and resulting core uncovery and imminent core damage.

Complexity

Diagnosis and Action. The PSF for diagnosis complexity is assigned a value of 2 (i.e., Moderately Complex) for all possible AC power recovery actions. Factors considered in assigning this PSF level include multiple equipment unavailabilities, communications with grid-operators to ensure offsite power is stable, and the concurrent actions/multiple procedures used during a station blackout.

Action. The PSF for action complexity is set to nominal for all possible AC power recovery actions.

All Other PSFs

Diagnosis and Action. For all possible AC power recovery actions, the diagnosis and action PSFs for experience/training, procedures, ergonomics, fitness for duty, and work processes are set to nominal (i.e., are assigned values of 1.0). Details of the event, plant response, and crew performance did not warrant a change from nominal for these PSFs.

Tables C-1 through C-4 contain the PSF adjustments and non-recovery probabilities for all possible AC power recovery actions.

Table C-1. PSF adjustments for operator recovery actions of offsite power.

| Recovery Basic Event | Diagnosis: Time | Diagnosis: Stress | Diagnosis: Complexity | Diagnosis: All Other PSFs | Action: Stress | Action: All Other PSFs |
|---|---|---|---|---|---|---|
| OEP-XHE-XL-NR03H | Expansive Time | High | Moderate | Nominal | High | Nominal |
| OEP-XHE-XL-NR04H | Expansive Time | High | Moderate | Nominal | High | Nominal |
| OEP-XHE-XL-NR08H | Expansive Time | High | Moderate | Nominal | High | Nominal |
| OEP-XHE-XL-NR10H | Expansive Time | High | Moderate | Nominal | High | Nominal |

Table C-2. Diagnosis non-recovery probabilities for operator recovery actions of offsite power.

| Recovery Basic Event | Base Probability | Time | Stress | Complexity | All Other PSFs | Diagnosis Probability |
|---|---|---|---|---|---|---|
| OEP-XHE-XL-NR03H | 1×10⁻² | x0.01 | x2 | x2 | x1 | 4×10⁻⁴ |
| OEP-XHE-XL-NR04H | 1×10⁻² | x0.01 | x2 | x2 | x1 | 4×10⁻⁴ |
| OEP-XHE-XL-NR08H | 1×10⁻² | x0.01 | x2 | x2 | x1 | 4×10⁻⁴ |
| OEP-XHE-XL-NR10H | 1×10⁻² | x0.01 | x2 | x2 | x1 | 4×10⁻⁴ |

Table C-3. Action non-recovery probabilities for operator recovery actions of offsite power.

| Recovery Basic Event | Base Probability | Stress | All Other PSFs | Action Probability |
|---|---|---|---|---|
| OEP-XHE-XL-NR03H | 1×10⁻³ | x2 | x1 | 2×10⁻³ |
| OEP-XHE-XL-NR04H | 1×10⁻³ | x2 | x1 | 2×10⁻³ |
| OEP-XHE-XL-NR08H | 1×10⁻³ | x2 | x1 | 2×10⁻³ |
| OEP-XHE-XL-NR10H | 1×10⁻³ | x2 | x1 | 2×10⁻³ |

Table C-4. Total non-recovery probabilities for operator recovery actions of offsite power.

| Recovery Basic Event | Diagnosis Probability | Action Probability | Final Probability |
|---|---|---|---|
| OEP-XHE-XL-NR03H | 4×10⁻⁴ | 2×10⁻³ | 2.4×10⁻³ |
| OEP-XHE-XL-NR04H | 4×10⁻⁴ | 2×10⁻³ | 2.4×10⁻³ |
| OEP-XHE-XL-NR08H | 4×10⁻⁴ | 2×10⁻³ | 2.4×10⁻³ |
| OEP-XHE-XL-NR10H | 4×10⁻⁴ | 2×10⁻³ | 2.4×10⁻³ |
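The arithmetic behind Tables C-2 through C-4 can be reproduced in a few lines. This is an added example, not code from the NRC analysis: it applies the PSF multipliers given in the tables to the base diagnosis and action probabilities and sums the two parts, and it goes one step beyond the tables by including the SPAR-H adjustment from NUREG/CR-6883 (Reference 4) for cases with three or more worse-than-nominal PSFs, which does not trigger for these recovery actions. The function and variable names are assumptions of this example.

```python
from math import prod

NOMINAL_DIAGNOSIS = 1e-2  # base diagnosis probability, Table C-2
NOMINAL_ACTION = 1e-3     # base action probability, Table C-3

# PSF multipliers exactly as listed in Tables C-2 and C-3.
DIAGNOSIS_PSFS = {"time": 0.01, "stress": 2, "complexity": 2, "all_other": 1}
ACTION_PSFS = {"stress": 2, "all_other": 1}

RECOVERY_EVENTS = (
    "OEP-XHE-XL-NR03H",
    "OEP-XHE-XL-NR04H",
    "OEP-XHE-XL-NR08H",
    "OEP-XHE-XL-NR10H",
)


def spar_h_hep(nominal, psfs):
    """Human error probability for one task part (diagnosis or action).

    Normally this is the nominal probability times the product of the PSF
    multipliers. When three or more PSFs are worse than nominal
    (multiplier > 1), NUREG/CR-6883 replaces the plain product with
        NHEP * PSF / (NHEP * (PSF - 1) + 1)
    so that the result cannot exceed 1.
    """
    if not 0.0 < nominal <= 1.0:
        raise ValueError("nominal probability must be in (0, 1]")
    if any(m <= 0 for m in psfs.values()):
        raise ValueError("PSF multipliers must be positive")
    composite = prod(psfs.values())
    negative = sum(1 for m in psfs.values() if m > 1)
    if negative >= 3:
        return nominal * composite / (nominal * (composite - 1) + 1)
    return min(1.0, nominal * composite)


def non_recovery_probability(diagnosis_psfs, action_psfs):
    """Return (diagnosis, action, total); the total is the sum of the parts,
    capped at 1, with no dependency adjustment (none is applied in Appendix C)."""
    diagnosis = spar_h_hep(NOMINAL_DIAGNOSIS, diagnosis_psfs)
    action = spar_h_hep(NOMINAL_ACTION, action_psfs)
    return diagnosis, action, min(1.0, diagnosis + action)


def recovery_table():
    """Tables C-2 to C-4 recomputed: event -> (diagnosis, action, total)."""
    return {
        event: non_recovery_probability(DIAGNOSIS_PSFS, ACTION_PSFS)
        for event in RECOVERY_EVENTS
    }


if __name__ == "__main__":
    for event, (diag, act, total) in recovery_table().items():
        print(f"{event}: diagnosis={diag:.1e} action={act:.1e} total={total:.1e}")
```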