Final Precursor Analysis: Electrical Fault Causes Fire and Subsequent Reactor Trip with a Loss of Reactor Coolant Pump Seal Injection and Cooling

ML112411359
Person / Time
Site:	Robinson
Issue date:	09/23/2011
From:	NRC/RES/DRA
To:
Hunter C, 251-7575 RES/DRA
References
IR-10-004, IR-10-013, IR-11-008, IR-11-009
Download: ML112411359 (28)
v • d • e

Text

Final Precursor Analysis Accident Sequence Precursor Program - Office of Nuclear Regulatory Research Electrical Fault Causes Fire and Subsequent Reactor Trip with H.B. Robinson a Loss of Reactor Coolant Pump Seal Injection and Cooling LER: 261/10-002 Event Date: 03/28/2010 IRs: 50-261/10-09, 50-261/10-04 CCDP = 4x10-4 50-261/10-13, 50-261/11-08 EVENT

SUMMARY

Brief Event Description. At 18:52 on March 28, 2010, with the H. B. Robinson Steam Electric Plant, Unit No. 2, operating in Mode 1 at approximately 100% power, an electrical feeder cable failure to 4kV non-vital Bus 5 caused an arc flash and fire. Bus 5 failed to isolate from non-vital 4kV Bus 4 due to a failure of Breaker 52/24 to open, which resulted in reduced voltage to Reactor Coolant Pump (RCP) B and a subsequent reactor trip on Reactor Coolant System (RCS) loop low flow. Subsequent to the reactor trip, an automatic safety injection (SI) occurred due to RCS cooldown. Plant response was complicated by equipment malfunctions and failure of the operating crew to understand plant symptoms and properly control the plant. During plant restoration the operating crew attempted to reset an electrical distribution system control relay prior to isolating the fault, which re-initiated the electrical fault and caused a second fire.

A sequence of key events along with a simplified electrical drawing (Figure A-1) is provided in Appendix A. Additional information is provided in References 1-5.

Key Event Details. The following details are important to the modeling of this event analysis:

• The Unit Auxiliary Transformer (UAT) failed due to an overload condition caused by the ground fault on Bus 5. This caused a fast transfer of 4kV Buses 1, 4, and 5 to the Startup Transformer (SUT).

• The reactor automatically tripped as designed due low reactor coolant flow caused by an under-voltage condition on Bus 4, which led to a decrease in RCP B speed.

- Main feedwater (MFW) was isolated when the SI signal occurred, as designed.

Auxiliary feedwater (AFW) initiated as designed and provided makeup to the steam generators.

• RCP seal injection to the RCPs was lost initially due to both running charging pumps being de-energized when the transient occurred. Operators restored seal injection by restarting two charging pumps (only one is required to adequately cool the seals) within one minute.

• RCP seal cooling [via Component Cooling Water (CCW)] was unavailable due to the closing of Flow Control Valve (FCV) 626. FCV-626 closed due to momentary loss of power to vital Bus E2 and flow control circuit being de-energized (via Instrument Bus 4) causing the closure of FCV-626 due to an inaccurate high-flow signal when the flow sensor lost power. Operators restored seal cooling in 39 minutes by re-opening FCV-1

LER 261/10-002 626 (approximately 13 minutes after RCP seal injection became inadequate). This recovery was delayed because operators initially failed to use annunciator procedures that directed the opening of FCV-626.

• RCP seal injection was either completely unavailable or inadequate to fulfill its safety function from 19:19 until approximately 19:58 (~39 minutes). With seal cooling unavailable (and assuming operators fail to reopen FCV-626), the RCPs seal would have been fully challenged (i.e., increased conditional probability of seal failure);

therefore, no recovery credit for RCP seal injection is given in this analysis.

- RCP seal injection was determined to be inadequate due to the opening of Chemical and Volume Control (CVC) Valve 310A (charging flow valve to Loop 1) because of a loss of instrument air; thus, diverting charging flow from the RCP seals to the RCS.

The loss of instrument air occurred due to a Phase-A Containment Isolation (normal function of SI actuation signal). The valve failed fully open 19 minutes after the SI signal. Operators were unaware that the opening of CVC-310A caused the diversion of RCP seal injection away from the RCP seals. The loss of seal injection flow instrumentation within the main control room and an inadequate emergency operating procedure (EOP) step for determining seal injection flow contributed to operators failing to determine that seal injection was inadequate.

- In addition, the charging pump suction source failed to automatically switch-over from the Volume Control Tank (VCT) to the Reactor Water Storage Tank (RWST) on low VCT level. Operators manually aligned the charging pump suction source to the RWST approximately 50 minutes after the automatic switchover was supposed to occur and 13 minutes after all charging flow is assumed to have been lost (as indicated by rapidly fluctuating charging header pressures and an empty VCT). The lowering VCT level combined with the diversion of charging flow away from the RCP seals (due to opening of CVC-310A) was likely a contributing factor to the inadequate RCP seal injection.

• Various electrical system equipment was unavailable as a result of the transient and electrical faults:

- Offsite power was lost to vital Bus E2. Recovery of offsite power to this bus was possible almost immediately after the event occurred. Operators could restore offsite power to vital Bus E2 through non-vital Bus 3 (via the SUT) during a postulated failure of Emergency Diesel Generator (EDG) B.

- Non-vital Bus 5 was unavailable due to damage from the electrical fault.

- Non-vital Bus 4 was unavailable due to the electrical fault on Bus 5 and the failure of the bus tie-breaker (Breaker 52/24) to open.

• During the event, a rapid cooldown of the RCS occurred due to the moisture separator reheater (MSR) drain tank alternate drain valves and MSR timer valves failing open; this provided a flow path for main steam to the main condenser via the MSR Shutoff Valves and MSR Reheater Tubes. Operators failed to manually stop the uncontrolled cooldown by closing the Main Steam Isolation Valves (MSIVs). However, while an Auxiliary Operator (AO) was manually restoring Battery Charger B, the AO accidentally made contact with the handle of the Inverter Supply Breaker B causing the loss of power to Instrument Bus 3. The loss of Instrument Bus 3 coincident with an RCS Low Tavg signal 2

LER 261/10-002 generated a main steam-line isolation signal, automatically closing all MSIVs and terminating the RCS cooldown.

- Power to Instrument Bus 3 was restored within 2 minutes; however, the cause of the restoration has not been fully determined. Without the restoration of Instrument Bus 3, operators would not have received additional RCP high temperature alarms causing further delay in the restoration of cooling water to the RCP thermal barrier heat exchangers (via opening FCV-626) and increasing the likelihood of a total loss of seal cooling and potential failure of the RCP seals.

• After the plant had reached a stable shutdown state, operators attempted to reset the generator lockout relays and reenergized the fault and initiated a second fire. The fault caused extensive damage to the cubicle for Breaker 52/24. In addition, the fire damage caused electrical grounds on both 125V battery buses. However, inspectors determined that the fire induced grounds did not affect the operation of any safety-related components.

- During the initial fault and the re-initiation of the fault there was the potential to cause a site-wide loss of offsite power if additional breakers had failed to operate. The risk caused by the postulated failure of these breakers is evaluated in a sensitivity analysis provided in this report (see Modeling Assumptions).

Additional Event Information. The following event details are provided as additional information about the event. This additional information was not factored in the modeling of this analysis due to the negligible risk impact. See References 2 and 3 for further details.

• The Dedicated Shutdown Bus was automatically de-energized, as designed, due to undervoltage on 4kV Bus 3. As a result, the Dedicated Shutdown Diesel Generator (DSDG) support equipment, such as the starting air system compressor and battery charger, lost power. Based in part on inadequate starting air pressure, the licensee considered the DSDG unavailable. On March 31, 2010, the licensee attempted to start the DSDG and re-energize the Dedicated Shutdown Bus to maintain adequate DSDG support parameters such as starting air pressure and battery voltage. Starting air pressure had decreased to 100 psig and the DSDG did not start. On April 1, 2010, the licensee successfully started the DSDG by pressurizing the DSDG starting air receiving tank using high pressure air bottles. An unresolved issue was opened because additional NRC review was required to determine if the DSDG was available during the plant cooldown to Mode 4. On July 11, 2010, the licensee used a procedure to show that the DSDG will start at a starting air system pressure of less than 130 psi. NRC inspectors noted that during the March 28th event, the pressure in the air start system was logged as 130 psi or higher, thus the DSDG was available as required.

• An additional fire was reported in the Main Condenser Vacuum Pump A Motor during the event. The fire was extinguished without additional impact on the plant. The preliminary cause was attributed to a vacuum pump seizure due to loss of seal water resulting from the loss of electrical power to the seal water makeup source. The motor was replaced and adequate post maintenance testing performed to demonstrate availability.

• The Phase-A Containment Isolation caused the R-11/R-12 Containment Air and Plant Vent Radiation Monitor Sample Supply and Return Line Isolation Valves to close, as designed. Later during the event response, operators secured the R-11/R-12 Radiation Monitor Sample Pump due to reports that the pump was smoking. Subsequent 3

LER 261/10-002 investigation by the licensee determined the low flow switch in the sample line, which should have stopped the sample pump when the sample lines were isolated, failed to operate.

ANALYSIS RESULTS Conditional Core Damage Probability. The conditional core damage probability (CCDP) for this event is 3.7x10-4.

The Accident Sequence Precursor (ASP) Program acceptance threshold is a CCDP of 1x10-6 or the CCDP equivalent of an uncomplicated reactor trip with a non-recoverable loss of secondary plant systems (e.g., feed water and condensate), whichever is greater. This CCDP equivalent for H. B. Robinson is 2.7x10-6.

Dominant Sequence. The dominant accident sequence, Loss of Main Feedwater (LOMFW)

Sequence 02-14-04 (CCDP = 2.5x10-4) contributes 68% of the total internal events CCDP.

Additional sequences that contribute greater than 1% of the total internal events CCDP are provided in Appendix B.

The dominant sequence is shown graphically in Figures C-1, C-2, and C-3 in Appendix C. The events and important component failures in LOMFW Sequence 02-14-04 are:

• Loss of MFW transient occurs,

• Reactor trip succeeds,

• AFW succeeds,

• Power-operated relief valves (PORVs) successfully close,

• Loss of RCP seal cooling/injection occurs,

• Operators fail to trip the RCPs,

• Subsequent RCP seal loss-of-coolant accident (LOCA) occurs,

• Safety injection succeeds,

• Operators successfully cooldown/depressurize the RCS,

• Operators fail to initiate shutdown cooling (SDC) mode of the residual heat removal (RHR) system, and

• High-/low-pressure recirculation fails.

SAPHIRE 8 Report. The SAPHIRE 8 Worksheets (Appendix B) provide the following:

• Modified basic events and initiating event frequencies, including base and change case probabilities/frequencies.

• Dominant sequences (including CCDPs).

• Sequence logic for all dominant sequences.

• Fault tree definitions.

• Sequence cutsets.

• Definitions and probabilities for key basic events MODELING ASSUMPTIONS Analysis Type. The Revision 8.16 of the Robinson Standardized Plant Analysis Risk (SPAR)

Model created in September 2010 was used for this event analysis. This event was modeled as a loss of MFW transient initiating event with complications.

4

LER 261/10-002

• The plant lost one of the two MFW pumps initially due to the loss of Bus 4. The second MFW pump was lost (as designed) due to the SI signal, eight minutes later.

Analysis Rules. The ASP program uses Significance Determination Process results for degraded conditions when available. However, the ASP Program performs independent initiating event analysis when an initiator occurs.

Event Tree Modification. The following fault tree modification was necessary to perform this event analysis:

• The base SPAR model loss of seal cooling event tree (LOSC) event tree transfers to the small LOCA event tree for all sequences except those in which the seals fail catastrophically (i.e., 480 gpm per RCP). This was a SPAR modeling assumption based on the estimated equivalent pipe break size of a 480 gpm per RCP leak at normal operating temperature and pressure. Thermal-hydraulic (TH) calculations were made to determine if modeling assumption is valid for this specific event at H. B. Robinson. The results of these calculations revealed that even using conservative assumptions (such as all three RCPs failing at 480 gpm), the scenario still resembled a small LOCA. The factors used to make this conclusion include the lack of RCS depressurization, containment pressure not exceeded the containment spray setpoint (10 psig), and at a very minimum 7.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> until the RWST inventory was depleted. Therefore, the LOSC was modified to ensure that if RCP seal leakage exceeded normal leakage (i.e., 21 gpm per RCP); the event tree would transfer to the small LOCA tree. The modified LOSC event tree is provided in Figure C-2 in Appendix C.

- To ensure that these changes work properly, the event tree linkage rules in the LOMFW event tree were modified. The flag event that allows the transfer to the medium LOCA event tree was deleted. The base model rules are as follows:

l M1. The following rules apply the flag sets to the appropriate sequence.

l The specific flag set settings are identified in the flag set field under Modify.

if RPS then eventree(LOMFW) = Flag(ETF-LOMFW-ATWS);

elsif LOSC*(RCPT + BP1

• BP2) then eventree(LOMFW) = FLAG (ETF-LOMFW-MLOCA);

elsif LOSC then eventree(LOMFW) = FLAG (ETF-LOMFW-SLOCA);

else eventree(LOMFW) = Flag(ETF-LOMFW);

endif The rules were changed to:

l M1. The following rules apply the flag sets to the appropriate sequence.

l The specific flag set settings are identified in the flag set field under Modify.

if RPS then eventree(LOMFW) = Flag(ETF-LOMFW-ATWS);

elsif LOSC then eventree(LOMFW) = FLAG (ETF-LOMFW-SLOCA);

else eventree(LOMFW) = Flag(ETF-LOMFW);

endif 5

LER 261/10-002 Fault Tree Modifications. The following fault tree modifications were necessary to perform this event analysis:

• Two new basic events were added to fault tree LOSC (Loss of RCP seal cooling). Basic events CCW-MOV-FCV626 (FCV-626 closes due loss of Instrument Bus 4) and CCW-XHE-FCV626 (Operators fail to reopen FCV-626) were inserted under a new AND gate (LOSC-4). CCW-MOV-FCV626 models the closure of FCV-626 due to loss of power from Instrument Bus 4 and CCW-XHE-FCV626 accounts for potential recovery of RCP seal cooling by operators reopening FCV-626. See Figure C-4 in Appendix C for the modified LOSC fault tree.

• A new basic event CVC-RCPSEALS-INADEQUATE (CVC-310A fails open causing inadequate seal injection) was added to fault tree CVC-SUCTION (Loss of chemical and volume control suction). This event accounts for the inadequate RCP seal injection flow due to CVC-310A failing open and diverting charging flow away from the seals to the RCS. See Figure C-5 in Appendix C for the modified CVC-SUCTION fault tree.

• A new basic event was added to fault tree ACP-E2 (480V Emergency Bus E2 fails).

Basic event ACP-XHE-E2-RECOVER (Operators fail to recover offsite power to Bus E2) was added to account for potential recovery of offsite power to vital Bus E2. Along with basic event ACP-XHE-E2-RECOVER, the flag event HE-LOOP-B (House Event: Loss of Division B offsite power flag) was moved and both were inserted under a new AND gate (ACP-E2-4). See Figure C-6 in Appendix C for the modified ACP-E2 fault tree.

Additional SPAR Model Modifications. The following SPAR model modifications were made for this analysis:

• If a small LOCA (due to the failure of RCP seals) were to occur, H.B. Robinson has procedures in place for operators to initiate the cooldown and depressurization of the RCS in order to place the plant in SDC mode of the RHR system. The logic for this mitigation strategy of a small LOCA currently exists within the base SPAR model; however, the flag set ETF-LOMFW-SLOCA must be changed to activate the applicable SPAR model logic. The basic event OPR-XHE-XM-DEPRCS (Operators fail to depressurize RCS) was removed from the flag set to prevent the SPAR model from eliminating the cooldown/depressurization logic for small LOCA sequences.

• When top events within an event tree have a high failure probability (i.e., greater than 0.1) the rare event approximation which is normally used to calculate the event tree branch probabilities for success is not valid because the rare event approximation assumes the success branch probability is essentially 1.0. To use the proper success branch probabilities, the basic event representing the top event must be modified; specifically, the process flag for the event must be changed. In this analysis, the process flag for the basic event RCPT (RCPs tripped), that represents the top event of the RCPT fault tree, was modified due to the high failure probability (i.e., 0.8) of basic event RCP-XHE-XM-TRIP (Operators fail to trip RCPs during loss of cooling/seal injection). The process flag was changed to I Failure=> System Logic l Success=>

/System Logic to ensure the proper calculation of the success branch of this top event within the LOSC event tree.

6

LER 261/10-002 Key Modeling Assumptions. The following modeling assumptions and associated basic event modifications were required for this event analysis:

• The loss of MFW transient initiating event (IE-LOMFW) frequency was set 1.0. All other initiating events frequencies were set to zero.

• Robinson has high-temperature o-ring seals installed in their three RCPs; therefore, the SPAR model uses the Westinghouse Owners Group (WOG) 2000 RCP seal model (Reference 6). Some of the key assumptions during a loss of all RCP seal cooling and injection in this model are:

- If the operators fail to stop the RCPs prior to the seals being fully challenged during a loss of all RCP seal cooling and injection, the seals are assumed to fail catastrophically at the maximum leakage rate of 480 gpm per RCP.

- If RCPs are successfully tripped, the binding/popping-open failure mode of the seals is possible. If this failure occurs, it occurs no later than 13 minutes (based on the RCP purge volume and average seal leak-off rates) after a complete loss of all RCP seal cooling and injection. The conditional failure probabilities for this failure mode are 0.2 for the second stage seal and 0.125 for the first stage seal.

• The basic event CCW-MOV-FCV626 was set to TRUE because the RCPs lost seal cooling due to the closure of FCV-626.

- The non-recoverability probability for basic event CCW-XHE-FCV626 was set to 0.8.

See Appendix D for further details.

- The restoring of CCW to the thermal barrier heat exchangers when the RCP seals had inadequate seal injection and the seals temperatures had increased due the lack of cooling could thermally shock the seals causing failure and/or water hammer transient causing the failure of thermal barrier heat exchangers. During the event, operators restored the CCW to the thermal barrier heat exchangers (via opening FCV-626) 13 minutes after seal injection was inadequate. Based on the time that seals were without all cooling and adequate seal injection and the seal temperatures at the time of restoration, the risk of RCP seal failure or thermal barrier heat exchanger failure due to thermal shock is considered minimal. However, if operators had restored CCW flow at the later time (i.e., when RCP seal temperatures would have exceeded the shutdown temperature limit of 235°F), the likelihood of the RCP seal failure and failure of thermal barrier heat exchangers would have been higher.

Only this simplified qualitative assessment of this risk could be performed due to the lack of phenomenological testing and failure data in this area.

• The basic event CVC-RCPSEALS-INADEQUATE was set to TRUE because RCP seal injection became inadequate when CVC-310A failed open and diverted charging flow away from the RCP seals. In addition, the charging suction failed to switch from the VCT to the RWST. However, RCP seal injection was already inadequate due to CVC-310A failing open. Operators successfully restored charging flow (to the RCS, not the RCP seals) by manually aligning charging suction to the RWST. Because RCP seal injection was either inadequate or completely unavailable for 39 minutes (enough time for the RCP seals to be fully challenged with thermal barrier cooling concurrently lost),

no credit for recovery of RCP seal injection is given in this analysis.

7

LER 261/10-002

- The charging pumps single safety function is to provide RCP seal cooling (i.e., the charging pumps are not considered a safety source of high-pressure injection to the RCS).

• The basic event ACP-BAC-LP-BUS5 (4160V non-vital Bus 5 fails) was set to TRUE because the 4kV non-vital Bus 5 was unavailable due to damage from the electrical fault.

• The basic event ACP-CRB-OO-52-19 (Circuit Breaker 52/19 fails to close) was set to TRUE because the 4kV non-vital Bus 4 was unavailable due to the electrical fault on Bus 5 and the failure of the bus Tie-Breaker 24 to open.

• The flag event HE-LOOP B was set to TRUE because offsite power was lost to vital Bus E2.

- The non-recovery probability for basic event ACP-XHE-E2-RECOVER was set to 9x10-3. Offsite power was available almost immediately after the event initiated because operators could align the SUT to power Bus E2 during a postulated failure of EDG B. See Appendix D for further details.

• The non-recoverability probability for basic event HPR-XHE-XM-RECIRC (Operators fail to initiate high-pressure recirculation) was set to 5x10-3. See Appendix D for further details.

• The non-recoverability probability for basic event LPR-XHE-XM-RECIRC (Operators fail to initiate low-pressure recirculation) was set to TRUE. By setting this basic event to TRUE, no credit is provided for low-pressure recirculation for small LOCA sequences in this analysis. No credit is given because plant procedures direct operators to initiate high-pressure recirculation during small LOCAs and do not direct operators to initiate low-pressure recirculation upon failure of high pressure recirculation.

• The non-recoverability probability for basic event OPR-XHE-XM-DEPRCS was set to 9x10-3. See Appendix D for further details.

• The non-recoverability probability for basic event RCP-XHE-XM-TRIP was set to 0.8.

See Appendix D for further details.

• The non-recoverability probability for basic event RHR-XHE-XM-SD (Operator fails to initiate RHR in shutdown cooling mode) was set to 4x10-2. See Appendix D for further details.

Sensitivity Analyses. There was the potential of a site-wide loss of offsite power event during the initial fault and re-initiation of the fault if additional breakers had malfunctioned. Specifically, if Breakers 19 and 17 would have failed to perform their design function, the fault would have affected the SUT; thus damaging the transformer and causing loss of all offsite power. The most likely case for postulated failures of these two breakers is due a dependent failure (i.e.,

common-cause failure).

• For this sensitivity analysis, an estimated common-cause failure probability of 0.05 (a typical probability for nuclear power plant components) was used for combined failure probability of Breakers 19 and 17. This leads to an increase in the CCDP to 8

LER 261/10-002 approximately 7x10-4. Because common-cause modeling of circuit breakers is not included in the SPAR models and conditional common-cause failure probabilities are not collected by the NRC, this case was not used as the best estimate result for this analysis. Based on this sensitivity analysis, an unusually high common-cause failure probability (i.e., 0.1) must exist for the CCDP of this event to increase to that of a significant precursor (i.e., CCDP 1x10-3). There is no evidence to suggest an unusually high potential common-cause failure probability of circuit breakers at H. B.

Robinson.

Second Fire Event. After the plant was placed in a stable shutdown state, operators incorrectly reset the generator lockout relays and reenergized the fault and initiated a second fire. The fault caused extensive damage to the cubicle for Breaker 52/24. In addition, the fire damage caused electrical grounds on both 125V battery buses. It was determined that the fire induced grounds were limited to the hydrogen supervisory panel and did not affect the operation of any safety-related components. Some additional qualitative insights include:

• It is not believed that operators would have re-initiated the fault if the RCP seals would have failed and subsequent LOCA mitigation was needed. Therefore, the second fire is treated as an event that could only occur with the plant in a stable state (i.e., it would not occur if the plant was experiencing an RCP seal LOCA). Based on a sensitivity analysis, when treated as a separate event, the risk from the second fire (CCDP = 4x10-5) is an order of magnitude lower than the CCDP of this first event. This sensitivity analysis used a conservative common-cause failure probability of 0.1 for the combined failure probability of Breakers 19 and 17 that leads to a non-recoverable, site-wide LOOP.

Therefore, the second fire event is not considered further in this analysis.

• In addition to the risk from a potential site-wide loss of offsite power caused by the re-initiation of the fault, there was the potential that fire damage from Breaker 52/24 cubicle could have affected additional equipment (which could have meant a loss of some safety functions). It is not practical as part of this ASP analysis to examine the postulated scenarios in which a hypothetical fire propagates differently than the actual fire.

REFERENCES

1. Progress Energy, "LER 261/10-002- Plant Trip due to Electrical Fault, dated May 27, 2010.

2. U.S. Nuclear Regulatory Commission, H. B. Robinson Steam Electric Plant - Augmented Inspection Team Report 05000261/2010009, dated July 2, 2010.

3. U.S. Nuclear Regulatory Commission, H.B. Robinson Steam Electric Plant - NRC Integrated Inspection Report 05000261/2010004 and 05000261/2010501; Assessment Follow-Up Letter, dated November 12, 2010.

4. U.S. Nuclear Regulatory Commission, H. B. Robinson Steam Electric Plant - NRC Inspection Report 05000261/2010013 and Preliminary White Findings, dated December 27, 2010.

5. U.S. Nuclear Regulatory Commission, Final Significance Determination of White Findings and Notice of Violation (NRC Inspection Report No. 05000261/2011008; H. B. Robinson Steam Electric Plant) and Assessment Follow-Up Letter, dated January 31, 2011.

9

LER 261/10-002

6. Westinghouse Electric Company, LLC, WOG 2000 Reactor Coolant Pump Seal Leakage Model for Westinghouse PWRs, WCAP-15603, Revision 1, dated May 2002.

7. Idaho National Laboratory, NUREG/CR-6883: The SPAR-H Human Reliability Analysis Method, dated August 2005.

10

LER 261/10-002 Appendix A: Sequence of Key Events March 28, 2010 18:40 Pre-event plant status was 100% power, CCW C Pump running, and Charging Pumps A and C running. No safety equipment was out of service for testing or maintenance.

18:52 An electrical fault and fire occurs on the cable entering 4kV Bus 5. Breaker 24 in 4kV Bus 4 should have isolated the fault in 0.9 seconds, but remained closed. This allows the fault to remain connected to 4kV Bus 4 for sufficient duration to lower the voltage causing RCP B flow to decrease below the low flow trip setpoint to Reactor Protection System, resulting in a reactor trip.

Breaker 20 began its 5 second over-current timeout at event initiation, but the UAT faulted within approximately 3.5 seconds of the event, thus de-energizing 4kV Bus 4.

However, this transformer fault also initiates a fast transfer of 4kV Bus 4 to 4kV Bus 3 which is being supplied by the SUT via Breaker 17. Breaker 20 opens and Breaker 19 closes to accomplish the transfer. The fault continues to exist on 4kV Bus 5 which continues to be tied to 4kV Bus 4 via a closed Breaker 24. The SUT supplies the fault until Breaker 19 opens on the timed over-current (5 seconds) condition.

Due to the above electrical realignments, Charging Pump A is lost when the DC bus de-energizes, Charging Pump C (RCP seal injection lost) and CCW Pump C are lost when 480V Bus E2 transfers to EDG B. CCW Pump B starts on loss of Instrument Bus 4, CCW Pump C starts on the sequencer and FCV-626 (thermal barrier outlet isolation flow control valve) closes stopping flow from the thermal barrier heat exchangers; therefore, RCP seal cooling is lost.

When Motor Control Center 4 de-energized, all MSR Drain Tank Alternate Drain valves and MSR Timer valves failed open, providing a flow path for main steam to the main condenser via the MSR Shutoff valves and MSR reheater tubes. This steam flow resulted in a cooldown of the RCS. Additionally, power was unavailable to the MSR Shutoff valves, preventing the valves from being remotely closed from the control room Operators respond to the reactor trip by entering EOP Path-1, Emergency Procedure Flow Path, determine that no SI is required and transition to End Path Procedure (EPP) 4, Reactor Trip Response. During the first 30 minutes of the event, the reactor coolant system cooldown rate was approximately 200°F/hr.

18:53 Operators start Charging Pumps B and C per Path-1; RCP seal injection is restored.

18:54 Pressurizer level = 14% and letdown system isolates.

18:58 Pressurizer level is low out-of-sight.

19:00 Due to cooldown through the MSR drains, pressurizer level and pressure decrease to the pressurizer low pressure SI setpoint. The reactor automatically safety injects as designed. Charging Pump C trips in response to SI signal which was the normal expected response based on Bus E2 powered from EDG B and Bus E1 powered from normal power. Letdown automatically isolates on Phase-A Containment Isolation.

VCT level decreases to setpoint for auto transfer to the Refueling Water Storage Tank RWST. This automatic transfer does not occur, hence VCT level continues to decrease. No attempts are made to shut the MSIVs and stop the cooldown and depressurization. Charging Pump B remained running at 18 gpm. This is the only A-1

LER 261/10-002 source injecting water to the core at this time, and it is draining down the VCT further.

Operators re-enter Path-1.

19:01 Charging flow at 18 gpm and slowly decreasing.

19:03 SI systems begin to inject based on RCS pressure dropping below shutoff head of the pumps.

19:12 VCT at lowest indicated level during the event (approximately 2-3 inches).

19:13 SI systems no longer injecting to RCS based on pressure at shutoff head for the pumps.

19:19 Charging flow automatically increased to 25 gpm potentially due to the isolation of instrument air to containment resulting in bleed-off of air causing CVC-310A (Charging to Loop 1) valve in the charging system to fail open. The opening of CVC-310A diverts charging flow from the RCP seals to the RCS causing the RCP seal injection to be inadequate.

19:24 RCP B Bearing high temperature alarm received. This was potentially the first indication that the RCP seals are being challenged.

19:25 MSIVs shut due to a valid signal from the low Tave coincident with a loss of Instrument Bus 3 (caused by operator error during another manipulation); this effectively terminated the uncontrolled RCS cooldown.

19:27 Instrument Bus 3 power is restored.

19:30 RCP A Bearing high temperature alarm received.

19:31 Pressurizer comes back on scale and is increasing. DC Bus Battery Charger B was manually restarted (which was > 30 minutes required per Path-1).

19:31 FCV-626 is re-opened by Control Room operators; therefore, operators recovered RCP seal cooling.

19:33 RCP B Seal #1 leak-off high temperature alarm received; RCP C Bearing high temperature alarm received.

19:34 Operators enter Abnormal Operating Procedure (AOP) 18, Abnormal RCP Condition Due to RCP High Temperature Alarms.

19:36 RCP A Bearing high temperature alarm clears.

19:37 Charging header flow lost based on rapidly fluctuating charging header pressures.

19:42 RCP C Bearing high temperature alarm clears.

19:44 RCP B Bearing high temperature alarm clears.

19:46 Operators determine that charging pumps suction switchover did not occur.

19:49 Operators exit AOP-18 after seal injection restored.

19:49 Operators secured Charging Pump B due to indications of low flow and low VCT level to prevent equipment damage.

19:50 Operators manually realign charging suction to the RWST. Operators made an initial error in the alignment and this was caught on second check by STA.

19:53 Charging Pump C restarted on RWST suction. The AO notes (via local indication) seal injection flow initially at zero then increasing to greater than 6 gpm.

A-2

LER 261/10-002 20:05 RCP B Seal #1 leak-off high temperature alarm clears.

20:12 Secured R11/12 Containment Radiation Monitor Pumps. Pumps were smoking due to a Phase-A Containment Isolation which closed the discharge valves from the pumps while they remained running.

20:26 Operators enter EPP-7, SI Termination.

20:44 SI pumps secured.

21:26 Operators transition from EPP-7, SI Termination to GP-4, Post-Trip Stabilization.

Figure A-1. Simplified Electrical Drawing.

A-3

LER 261/10-002 Appendix B: SAPHIRE 8 Worksheets Summary of Conditional Event Changes Conditional Event Description Value ACP-BAC-LP-BUS5 BUS 5 FAILS TO OPERATE TRUE ACP-CRB-OO-52-19 CIRCUIT BREAKER 52/19 FAILS TO CLOSE TRUE ACP-XHE-E2-RECOVER OPERATORS FAIL TO RESTORE OFFSITE POWER TO 9.0E-3 BUS E2 CCW-MOV-FCV626 FCV-626 CLOSE DUE TO LOSS OF INSTRUMENT BUS 4 TRUE CCW-XHE-FCV626 OPERATORS FAIL TO REOPEN FCV-626 8.0E-1 CVC-RCPSEAL-INADEQUATE CVC-310A FAILS OPEN CAUSING INADEQUATE SEAL TRUE INJECTION HE-LOOP-B HOUSE EVENT: LOSS OF DIV B OFFSITE POWER FLAG TRUE HPR-XHE-XM-RECIRC2 OPERATOR FAILS TO INITIATE HPR CL RECIRC 5.0E-3 DURING SLOCA a

IE-LOMFW LOSS OF MAIN FEEDWATER 1.0E+0 LPR-XHE-XM-RECIRC OPERATOR FAILS TO INITIATE THE LPR CL RECIRC TRUE OPR-XHE-XM-DEPRCS OPERATOR FAILS TO DEPRESSURIZE RCS 9.0E-3 RCP-XHE-XM-TRIP OPERATOR FAILS TO TRIP RCPs DURING LOSS OF 8.0E-1 COOLING/SEAL INJ RHR-XHE-XM-SD OPERATOR FAILS TO INITIATE THE RHR SYSTEM 4.0E-2

a. All other initiating events frequencies were set to zero.

CCDP Uncertainty Distribution 5% Median Point Mean 95% Seed Sample Size Method Estimate 1.784E-5 2.052E-4 3.666E-4 3.724E-4 1.292E-3 33 5000 Monte Carlo B-1

LER 261/10-002 Dominant Sequence Results Only items contributing at least 1.0% to the total CCDP are displayed.

EVENT TREE SEQUENCE CCDP  % CONTRIBUTION DESCRIPTION LOMFW 02-14-04 2.498E-4 68.1% /RPS, /AFW, /PORV, LOSC, RCPT, /FW,

/HPI, /SSC, RHR, HPR, LPR LOMFW 02-14-11 6.462E-5 17.6% /RPS, /AFW, /PORV, LOSC, RCPT, /FW, HPI, SSC1 LOMFW 02-14-06 3.113E-5 8.5% /RPS, /AFW, /PORV, LOSC, RCPT, /FW,

/HPI, SSC, HPR LOMFW 02-02-04 1.249E-5 3.4% /RPS, /AFW, /PORV, LOSC, /RCPT, /RSD,

/BP1, BP2, /FW, /HPI, /SSC, RHR, HPR, LPR Total 3.666E-4 100.0%

Referenced Fault Trees Fault Tree Description BP2 RCP SEAL STAGE 2 INTEGRITY (BINDING/POPPING)

HPI HIGH PRESSURE INJECTION HPR HPR PRESSURE RECIRC LOSC LOSS OF SEAL COOLING LPR LOW PRESSURE RECIRC RCPT REACTOR COOLANT PUMPS TRIPPED RHR RESIDUAL HEAT REMOVAL SSC COOLDOWN (PRIMARY & SECONDARY)

SSC1 SECONDARY SIDE RCS COOLDOWN Cutset Report - LOMFW 02-14-04 Only items contributing at least 1% to the total are displayed.

1. CCDP TOTAL% CUTSET 2.498E-4 100 Displaying 3352 of 3352 Cutsets.

1 1.280E-4 51.24 IE-LOMFW,CCW-XHE-FCV626,HPR-XHE-XM-RECIRC2,RCP-XHE-XM-TRIP,RHR-XHE-XM-SD 2 4.013E-5 16.06 IE-LOMFW,CCW-XHE-FCV626,RCP-XHE-XM-TRIP,RHR-MDP-CF-FSALL 3 1.459E-5 5.84 IE-LOMFW,CCW-MOV-CF-749AB,CCW-XHE-FCV626,RCP-XHE-XM-TRIP 4 6.678E-6 2.67 IE-LOMFW,CCW-XHE-FCV626,RCP-XHE-XM-TRIP,RHR-MDP-CF-FRALL 5 4.800E-6 1.92 IE-LOMFW,CCW-XHE-FCV626,RCP-XHE-XM-TRIP,RHR-HTX-TM-2B,RHR-MDP-FS-2A 6 4.800E-6 1.92 IE-LOMFW,CCW-XHE-FCV626,RCP-XHE-XM-TRIP,RHR-HTX-TM-2A,RHR-MDP-FS-2B 7 3.200E-6 1.28 IE-LOMFW,CCW-XHE-FCV626,HPR-XHE-XM-RECIRC2,RCP-XHE-XM-TRIP,RHR-MOV-CC-751 8 3.200E-6 1.28 IE-LOMFW,CCW-XHE-FCV626,HPR-XHE-XM-RECIRC2,RCP-XHE-XM-TRIP,RHR-MOV-CC-750 9 3.200E-6 1.28 IE-LOMFW,CCW-MOV-CC-749B,CCW-XHE-FCV626,RCP-XHE-XM-TRIP,RHR-HTX-TM-2A 10 3.200E-6 1.28 IE-LOMFW,CCW-MOV-CC-749A,CCW-XHE-FCV626,RCP-XHE-XM-TRIP,RHR-HTX-TM-2B 11 3.200E-6 1.28 IE-LOMFW,CCW-XHE-FCV626,RCP-XHE-XM-TRIP,RHR-HTX-TM-2A,RHR-XHE-XR-HTX2B 12 3.200E-6 1.28 IE-LOMFW,CCW-XHE-FCV626,RCP-XHE-XM-TRIP,RHR-HTX-TM-2B,RHR-XHE-XR-HTX2A B-2

LER 261/10-002 Cutset Report - LOMFW 02-14-11 Only items contributing at least 1% to the total are displayed.

1. CCDP TOTAL% CUTSET 6.462E-5 100 Displaying 1907 of 1907 Cutsets.

1 1.511E-5 23.39 IE-LOMFW,CCW-XHE-FCV626,HPI-MDP-CF-FSALL3,RCP-XHE-XM-TRIP 2 1.459E-5 22.58 IE-LOMFW,CCW-XHE-FCV626,HPI-MOV-CF-870AB,RCP-XHE-XM-TRIP 3 7.680E-6 11.88 IE-LOMFW,CCW-XHE-FCV626,HPI-CKV-CC-SI839,RCP-XHE-XM-TRIP 4 3.840E-6 5.94 IE-LOMFW,CCW-XHE-FCV626,HPI-MDP-FS-2A,HPI-MDP-TM-2C,RCP-XHE-XM-TRIP 5 3.840E-6 5.94 IE-LOMFW,CCW-XHE-FCV626,HPI-MDP-FS-2C,HPI-MDP-TM-2A,RCP-XHE-XM-TRIP 6 3.072E-6 4.75 IE-LOMFW,CCW-XHE-FCV626,HPI-AOV-OC-856A,RCP-XHE-XM-TRIP 7 3.072E-6 4.75 IE-LOMFW,CCW-XHE-FCV626,HPI-AOV-OC-856B,RCP-XHE-XM-TRIP 8 2.179E-6 3.37 IE-LOMFW,CCW-XHE-FCV626,HPI-MDP-CF-FRALL3,RCP-XHE-XM-TRIP 9 1.440E-6 2.23 IE-LOMFW,CCW-XHE-FCV626,HPI-MDP-FS-2A,HPI-MDP-FS-2C,RCP-XHE-XM-TRIP 10 1.377E-6 2.13 IE-LOMFW,CCW-XHE-FCV626,HPI-MDP-FR-2A,HPI-MDP-TM-2C,RCP-XHE-XM-TRIP 11 1.377E-6 2.13 IE-LOMFW,CCW-XHE-FCV626,HPI-MDP-FR-2C,HPI-MDP-TM-2A,RCP-XHE-XM-TRIP Cutset Report - LOMFW 02-14-06 Only items contributing at least 1% to the total are displayed.

1. CCDP TOTAL% CUTSET 3.113E-5 100 Displaying 597 of 597 Cutsets.

1 2.880E-5 92.52 IE-LOMFW,CCW-XHE-FCV626,HPR-XHE-XM-RECIRC2,OPR-XHE-XM-DEPRCS,RCP-XHE-XM-TRIP 2 3.612E-7 1.16 IE-LOMFW,CCW-XHE-FCV626,OPR-XHE-XM-DEPRCS,RCP-XHE-XM-TRIP,RHR-MDP-CF-FSALL Cutset Report - LOMFW 02-02-04 Only items contributing at least 1% to the total are displayed.

1. CCDP TOTAL% CUTSET 1.249E-5 100 Displaying 1139 of 1139 Cutsets.

1 6.400E-6 51.26 IE-LOMFW,CCW-XHE-FCV626,HPR-XHE-XM-RECIRC2,/RCP-XHE-XM-TRIP,RCS-MDP-LK-BP2,RHR-XHE-XM-SD 2 2.006E-6 16.07 IE-LOMFW,CCW-XHE-FCV626,/RCP-XHE-XM-TRIP,RCS-MDP-LK-BP2,RHR-MDP-CF-FSALL 3 7.296E-7 5.84 IE-LOMFW,CCW-MOV-CF-749AB,CCW-XHE-FCV626,/RCP-XHE-XM-TRIP,RCS-MDP-LK-BP2 4 3.339E-7 2.67 IE-LOMFW,CCW-XHE-FCV626,/RCP-XHE-XM-TRIP,RCS-MDP-LK-BP2,RHR-MDP-CF-FRALL 5 2.400E-7 1.92 IE-LOMFW,CCW-XHE-FCV626,/RCP-XHE-XM-TRIP,RCS-MDP-LK-BP2,RHR-HTX-TM-2B,RHR-MDP-FS-2A 6 2.400E-7 1.92 IE-LOMFW,CCW-XHE-FCV626,/RCP-XHE-XM-TRIP,RCS-MDP-LK-BP2,RHR-HTX-TM-2A,RHR-MDP-FS-2B 7 1.600E-7 1.28 IE-LOMFW,CCW-XHE-FCV626,/RCP-XHE-XM-TRIP,RCS-MDP-LK-BP2,RHR-HTX-TM-2A,RHR-XHE-XR-HTX2B 8 1.600E-7 1.28 IE-LOMFW,CCW-XHE-FCV626,/RCP-XHE-XM-TRIP,RCS-MDP-LK-BP2,RHR-HTX-TM-2B,RHR-XHE-XR-HTX2A 9 1.600E-7 1.28 IE-LOMFW,CCW-XHE-FCV626,HPR-XHE-XM-RECIRC2,/RCP-XHE-XM-TRIP,RCS-MDP-LK-BP2,RHR-MOV-CC-751 B-3

LER 261/10-002

1. CCDP TOTAL% CUTSET 10 1.600E-7 1.28 IE-LOMFW,CCW-XHE-FCV626,HPR-XHE-XM-RECIRC2,/RCP-XHE-XM-TRIP,RCS-MDP-LK-BP2,RHR-MOV-CC-750 11 1.600E-7 1.28 IE-LOMFW,CCW-MOV-CC-749B,CCW-XHE-FCV626,/RCP-XHE-XM-TRIP,RCS-MDP-LK-BP2,RHR-HTX-TM-2A 12 1.600E-7 1.28 IE-LOMFW,CCW-MOV-CC-749A,CCW-XHE-FCV626,/RCP-XHE-XM-TRIP,RCS-MDP-LK-BP2,RHR-HTX-TM-2B Referenced Events Event Description Probability CCW-MOV-CC-749A FAILURE OF CCW MOV CC-749A TO RHR HTX-2A 1.000E-3 CCW-MOV-CC-749B FAILURE OF CCW MOV CC-749B TO RHR HTX-2B 1.000E-3 CCW-MOV-CF-749AB CCF OF CCW MOVs CC-749A/B TO RHR HTXs 2.280E-5 CCW-XHE-FCV626 OPERATORS FAIL TO REOPEN FCV-626 8.000E-1 HPI-AOV-OC-856A AIR-OPERATED VALVE SPURIOUS OPERATION 4.800E-6 HPI-AOV-OC-856B AIR-OPERATED VALVE SPURIOUS OPERATION 4.800E-6 HPI-CKV-CC-SI839 MINFLOW CKV SI-839 FAILS TO OPEN 1.200E-5 HPI-MDP-CF-FRALL3 HPI PUMP COMMON CAUSE FAILURES OF ALL 3 TO RUN 3.405E-6 HPI-MDP-CF-FSALL3 HPI PUMP COMMON CAUSE FAILURES OF ALL 3 TO START 2.361E-5 HPI-MDP-FR-2A HPI TRAIN A FAILS TO RUN 5.379E-4 HPI-MDP-FR-2C HPI TRAIN C FAILS TO RUN 5.379E-4 HPI-MDP-FS-2A HPI TRAIN A FAILS TO START 1.500E-3 HPI-MDP-FS-2C HPI TRAIN C FAILS TO START 1.500E-3 HPI-MDP-TM-2A HPI MDP 2A UNAVAILABLE DUE TO T & M 4.000E-3 HPI-MDP-TM-2C HPI MDP 2C UNAVAILABLE DUE TO T & M 4.000E-3 HPI-MOV-CF-870AB COMMON CAUSE FAILURE OF HPI DISCHARGE MOVs SI-870A & B 2.280E-5 HPR-XHE-XM-RECIRC2 OPERATOR FAILS TO INITIATE HPR CL RECIRC DURING SLOCA 5.000E-3 IE-LOMFW LOSS OF MAIN FEEDWATER 1.000E+0 OPR-XHE-XM-DEPRCS OPERATOR FAILS TO DEPRESSURIZE RCS 9.000E-3 RCP-XHE-XM-TRIP OPERATOR FAILS TO TRIP RCPs DURING LOSS OF SEAL 8.000E-1 COOLING/INJECTION RCS-MDP-LK-BP2 RCP SEAL STAGE 2 INTEGRITY (BINDING/POPPING OPEN) FAILS 2.000E-1 RHR-HTX-TM-2A RHR HTX-2A UNAVAILABLE DUE TO T & M 5.000E-3 RHR-HTX-TM-2B RHR HTX-2B UNAVAILABLE DUE TO T & M 5.000E-3 RHR-MDP-CF-FRALL RHR PUMP COMMON CAUSE FAILS TO RUN 1.043E-5 RHR-MDP-CF-FSALL RHR PUMP COMMON CAUSE FAILS TO START 6.270E-5 RHR-MDP-FS-2A RHR MOTOR DRIVEN PUMP 2A FAILS TO START 1.500E-3 RHR-MDP-FS-2B RHR MOTOR DRIVEN PUMP 2B FAILS TO START 1.500E-3 RHR-MOV-CC-750 RHR SUCTION MOV-750 FAILS 1.000E-3 RHR-MOV-CC-751 RHR SUCTION MOV-751 FAILS 1.000E-3 RHR-XHE-XM-SD OPERATOR FAILS TO INITIATE THE RHR SYSTEM 4.000E-2 RHR-XHE-XR-HTX2A OPERATOR FAILS TO RESTORE RHR HTX-2A AFTER T & M 1.000E-3 RHR-XHE-XR-HTX2B OPERATOR FAILS TO RESTORE RHR HTX-2B AFTER T & M 1.000E-3 B-4

LER 261/10-002 Appendix C: Key Event Trees and Modified Fault Trees LOSS OF MAIN FEEDWATER REACTOR TRIP AUXILIARY FEEDWATER PORV/SRVs ARE CLOSED LOSS OF SEAL COOLING HIGH PRESSURE INJECTION FEED AND BLEED SECONDARY SIDE COOLING COOLDOWN (PRIMARY & RESIDUAL HEAT REMOVAL HPR PRESSURE RECIRC # End State AVAILABLE RECOVERED SECONDARY) (Phase - CD)

IE-LOMFW RPS AFW FTF-LOOP-RECOVERY PORV LOSC FTF-LOSC HPI FAB SSCR SSC RHR HPR 1 OK 2 LOSC 3 OK 4 OK 5 CD 6 OK 7 CD 8 CD 9 OK 10 OK 11 CD 12 CD 13 ATWS Figure C-1. Robinson LOMFW event tree.

RCP SEAL STAGE 1 REACTOR COOLANT PUMPS RAPID SECONDARY RCP SEAL STAGE 1 RCP SEAL STAGE 1 RCP SEAL STAGE 2 RCP SEAL STAGE 2 # End State Comments INTEGRITY TRIPPED DEPRESSURIZATION INTEGRITY INTEGRITY (O-RING INTEGRITY INTEGRITY (O-RING (Phase - CD) (Phase - CD)

(BINDING/POPPING) (<1710 PSI IN 2 HR) (BINDING/POPPING) EXTRUSION) (BINDING/POPPING) EXTRUSION)

BP1 RCPT RSD BP1 O1 BP2 O2 1 OK 21-GPM/RCP 0.200 2 SLOCA 182-GPM/RCP 3 SLOCA 76-GPM/RCP 0.0125 0.200 4 SLOCA 480-GPM/RCP 5 OK 21-GPM/RCP 0.500 6 SLOCA 172-GPM/RCP 0.200 7 SLOCA 182-GPM/RCP 8 SLOCA 61-GPM/RCP 0.500 0.500 9 SLOCA 300-GPM/RCP 0.200 10 SLOCA 300-GPM/RCP 11 SLOCA 76-GPM/RCP 0.0125 0.500 12 SLOCA 300-GPM/RCP 0.200 13 SLOCA 480-GPM/RCP 14 SLOCA 480-GPM/RCP Figure C-2. Robinson modified LOSC event tree.

C-1

LER 261/10-002 SMALL LOCA REACTOR TRIP FEEDWATER AVAILABLE HIGH PRESSURE INJECTION FEED AND BLEED SECONDARY SIDE COOLING COOLDOWN (PRIMARY & LOW PRESSURE INJECTION RESIDUAL HEAT REMOVAL HPR PRESSURE RECIRC LOW PRESSURE RECIRC # End State MFW or AFW RECOVERED SECONDARY) (Phase - CD)

IE-SLOCA RPS FW HPI FAB SSCR SSC LPI RHR HPR LPR 1 OK 2 OK 3 OK 4 CD 5 OK 6 CD 7 OK 8 OK 9 CD 10 CD SSC1 11 CD 12 OK 13 OK 14 CD 15 OK 16 CD 17 OK 18 CD 19 CD 20 CD Figure C-3. Robinson SLOCA event tree.

LOSS OF SEAL COOLING LOSC FAILURE OF RCP SEAL COOLING FAILURE OF CVC COOLING TO RCP FROM CCW SEALS LOSC-2 LOSC-3 ROBINSON UNIT 2 PWR B CCW TO CCW IS ISOLATED FROM RCP SEALS MOTOR-OPERATED VALVE SPURIOUS ROBINSON UNIT 2 PWR B RCP FILTER PLUG (CLEAN WATER SYSTEM)

PROVIDE COOLING CCW-MOV-OC-RCPS 9.6000E-07 LOSC-CVC Ext CCW Ext LOSC-4 MOTOR-OPERATED VALVE SPURIOUS LOSS OF CVC SUCTION CVC-FLT-PG-SEALINJ 2.4000E-06 OPERATION CVC-SUCTION Ext CCW-MOV-OC-FCV626 9.6000E-07 FAILURE OF RCP SEAL INJECTON FCV-626 CLOSES DUE TO LOSS OF CVC-RCPSEALS Ext CCW-MOV-FCV626 Ignore OPERATORS FAIL TO REOPEN FCV-626 CCW-XHE-FCV626 Ignore Figure C-4. Robinson modified LOSC fault tree.

C-2

LER 261/10-002 FAILURE OF RCP SEAL INJECTON CVC-RCPSEALS FAILURE OF RCP A SEAL INJECTON FAILURE OF RCP B SEAL INJECTON FAILURE OF RCP C SEAL INJECTON CVC-310A FAILS OPEN CAUSING INADEQUATE SEAL INJECTION CVC-RCPSEAL-A CVC-RCPSEAL-B CVC-RCPSEAL-C CVC-RCPSEAL-INADEQUATE Ignore FAILURE OF RCP B SEAL INJECTON CVC SEAL INJ THROTTLE VALVE 297B FAILURE OF RCP C SEAL INJECTON CVC SEAL INJ THROTTLE VALVE 297C TO RCP B TRANSFER CLOSED TO RCP C TRANSFER CLOSED CVC-RCPSEAL-B1 CVC-XVM-OC-297B 1.4400E-07 CVC-RCPSEAL-C1 CVC-XVM-OC-297C 1.4400E-07 FAILURE OF RCP SEAL INJECTON FAILURE OF RCP B SEAL INJECTON FAILURE OF RCP SEAL INJECTON FAILURE OF RCP C SEAL INJECTON FLAGS FLAGS CVC-RCPSEAL-A2 Int CVC-RCPSEAL-B3 CVC-RCPSEAL-A2 Int CVC-RCPSEAL-C3 CVC SEAL INJ CKV 298B TO RCP A CVC SEAL INJ CKV 298C TO RCP C CVC-CKV-CC-298B 1.2000E-05 CVC-CKV-CC-298C 1.2000E-05 CVC SEAL INJ CKV 298E TO RCP B CVC SEAL INJ CKV 298F TO RCP C CVC-CKV-CC-298E 1.2000E-05 CVC-CKV-CC-298F 1.2000E-05 CVC SEAL INJ CKV 302B TO RCP B CVC SEAL INJ CKV 302C TO RCP C FAILS TO OPEN FAILS TO OPEN CVC-CKV-CC-302B 1.2000E-05 CVC-CKV-CC-302C 1.2000E-05 Figure C-5. Robinson modified CVC-RCPSEALS fault tree.

ROBINSON UNIT 2 PWR B 480V AC EMERGENCY BUS E2 ACP-E2 LOSS OF POWER TO 2B 4160V AC BUS DIVISION 2B AC POWER 4160V BUS E2 E2 FAILS ACP-E2-1 ACP-BAC-LP-E2 9.6000E-06 LOSS OF POWER TO 4160V AC BUS E2 LOSS OF POWER TO 4160V AC BUS E2 FROM DG-B FROM SUT-2 ACP-E2-2 ACP-E2-3 LOSS OF OFFSITE POWER TO BUS E2 4160V AC Bus # 3 Fails Transformer SST-2G Fails ACP-TFM-FC-SST2G 2.1600E-05 ACP-E2-4 ACP-BUS3 Ext Circuit Breaker 52/28B Fails To Remain Closed ACP-CRB-CO-52-28B 3.6000E-06 House Event: LOSS OF DIV B OFFSITE OPERATORS FAIL TO RECOVER POWER FLAG OFFSITE POWER TO BUS E2 HE-LOOP-B False ACP-XHE-E2-RECOVER Ignore Figure C-6. Robinson modified ACP-E2 fault tree.

C-3

LER 261/10-002 Appendix D: Human Reliability Analysis For this analysis, several important human failure events (HFEs) were evaluated qualitatively and using the quantitative methods provided in the SPAR-H Method (Reference 7). The first two HFEs involve operator actions that either occurred during the event or were potential actions that operators had cues/procedures that could have directed them to perform an action.

The last four HFEs are key mitigation actions that are required by operators to perform during a postulated LOCA due to RCP seal failure.

Dependency. Dependency between HFEs was evaluated by reviewing the cutsets and performing a sensitivity analysis. The sensitivity analysis was performed to determine if any CCDP of cutsets with multiple HFEs would be affected by potential dependency (all of the applicable HEPs that were not modified as part of this main analysis were set to 0.1). The results indicated that only two HFEs, RHR-XHE-XR-HTX2A and RHR-XHE-XR-HTX2B (RHR Heat Exchangers A and B failed to be returned to service after test and maintenance),

appreciably affected the analysis results. These pre-initiator HFEs do not warrant modification due to dependency.

Based on clarified SPAR-H guidance, having multiple HFEs within the same cutset does not automatically constitute dependency and intervening successes are not necessary to break dependency. Unless two HFEs are strongly related (often sequential steps in a procedure),

there is probably no dependence (due to the boundaries between HFEs and not sharing subtasks between HFEs). Additionally, dependency is implicitly accounted for by adjusting the PSFs for same deficiency (e.g., poor command and control by using the Work Processes PSF) in multiple HFEs.

Analysis HFEs. The following operator actions were evaluated for this analysis; including the calculation of the human error probability (HEP) for each HFE.

1. CCW-XHE-FCV626 (Operators fail to restore CCW to the RCPs)

HFE Definition- Operators fail to restore CCW to the RCPs by reopening FCV-626.

Description and Event Context- RCP seal cooling was lost at the onset of the initiating event due the closure of FCV-626 (the component cooling water thermal barrier outlet isolation valve). When CVC-310A failed open 27 minutes later, RCP seal injection became inadequate (there was some injection flow, but it was inadequate to fulfill its safety function).

With both RCP seal cooling unavailable and inadequate, the RCP seals begin to heat up and purge volume begins to empty. The WOG 2000 RCP seal model (Reference 6) assumes that if all seal cooling and injection are lost, the RCP seal will experience voiding conditions in approximately 13 minutes (based on the RCP purge volume and average seal leak-off rates).

Operator Action Success Criteria- For successful recovery, operators would have to reopen FCV-626 from the control room prior to voiding within the RCPs occurs. Typically, the time available is approximately 13 minutes (from when all RCP seal cooling and injection are lost) based on studies performed by Westinghouse.

Cues-

• RCP Thermal Barrier Cooling Water Low Flow Annunciator

• RCP Bearing High Temperature Alarms D-1

LER 261/10-002

• RCP Leak-off High Temperature Alarm Procedural Guidance- The procedure for the RCP Thermal Barrier Cooling Water Low Flow Annunciator (APP-001-D1) directs operators to verify the position of FCV-626 and to reopen the valve if adequate seal injection exists.

Diagnosis/Action- This HFE contains sufficient diagnosis activities. The nominal action component of the HEP is 0.001. No event information is available to warrant a change in the action PSFs for this HEP.

PSF Multiplier Notes The operators would need minimal time (< 1 minute) to re-open FCV-626 from the control room. Based on the RCP purge volumes (48 gallons) and the seal leak-off rates and temperatures of RCP B, the operators would have approximately 19 minutes to determine the need to restore RCP seal cooling. Operators were unaware that CCW to the RCPs was isolated via Time Available 10 FCV-626 until the second RCP bearing high temperature alarm was received (approximately 13 minutes after seal injection had become inadequate). Therefore, only 6 minutes was available for operators to diagnose the need to reopen FCV-626 prior to voiding conditions within RCP B; therefore, the Barely Adequate Time (i.e., x10) was selected.

The PSF for diagnosis stress is assigned a value of High Stress (i.e., x2) due to the sudden onset of the initiating event, the occurrence of the fire and Stress 2 subsequent suppression activities, and actual/postulated compounding equipment failures.

Complexity was maintained at nominal to prevent double counting. Factors Complexity 1 that cause increased complexity were accounted for in the Stress, Experience/Training, and Work Processes PSFs.

The annunciator procedures were available to direct operators to reopen Procedures 1 FCV-626. However, operators did not use them (knowledge-based action).

The plants training simulator did not demonstrate the correct expected plant response for a loss of Instrument Bus 4. Specifically, the operating crews experience in simulator training was for FCV-626 to stay open during a loss of Instrument Bus 4. In addition, the crew composition was determined to be less than optimal. Several members of the crew were newly qualified or Experience/Training 10 were standing unfamiliar or new positions. The most experienced reactor operator was stationed as the balance-of-plant operator and was busy with fire-related activities and was not actively supporting the initial reactor plant response. The combination of these deficiencies provides the basis for assigning the experience/training PSF for diagnosis a value of Low (i.e.,

x10).

Ergonomics were cited at below average by Region II; however, it is not Ergonomics/HMI 1 believed that it was a performance driver for this HFE. Therefore, the diagnosis ergonomics PSF was maintained at nominal for this HFE.

No event information is available to warrant a change from nominal for this Fitness for Duty 1 HFE.

Crew supervisors were distracted from oversight of the plant including the awareness of major plant parameters and failed to properly manage the frequency and duration of crew updates/briefs during the early portion of the Work Processes 2 event leading to interruption in the implementation of emergency procedures and distraction the operators. Therefore, the PSF for diagnosis work processes is assigned a value of Poor (i.e., x2).

PSF Composite 400 Diagnosis HEP 4.0 Action HEP 1.E-3 Adjusted Total HEP 0.8 Adjusted when raw HEP is greater than 1.

D-2

LER 261/10-002

2. RCP-XHE-XM-TRIP (Operators fail to trip the RCPs during a loss of seal cooling and injection)

HFE Definition- Operators fail to trip the RCPs during of a loss of all seal cooling and injection.

Description and Event Context- RCP Pump B was tripped due to the loss of Bus 4 during the initial electrical fault. RCPs A and C remained running. RCP seal cooling was lost at the onset of the initiating event due the closure of FCV-626 (the component cooling water thermal barrier outlet isolation valve). When CVC-310A failed open 27 minutes later, RCP seal injection became inadequate (there was some injection flow, but it was inadequate to fulfill its safety function). With both RCP seal cooling unavailable and injection inadequate, the RCP seals begin to heat up and purge volume begins to empty. Based on the RCP purge volumes for Robinson (48 gallons) and the seal leak-off rate of RCP B (the non-running pump, the seals were within 1 to 2 minutes to experiencing voiding conditions.

However, the seals for RCPs A and C had more time until experiencing voiding conditions (based on the lower seal leak-off flows, lower seal leak-off temperatures, and higher seal differential pressures than RCP B).

Operator Action Success Criteria- For successful recovery, operators would have to trip the running RCPs prior to the catastrophic failure of the seals. Typically, the time available is approximately 13 minutes (from when all RCP seal cooling and injection are lost) based on studies performed by Westinghouse. However, some additional time was available as described above.

Cues-

• RCP Bearing High Temperature Alarms

• RCP Leak-off High Temperature Alarm Procedural Guidance-The procedure for Reactor Coolant Pump Abnormal Conditions (AOP-18) provides directions to trip the RCPs; however, the entry conditions from the Emergency Procedure Flow Path (Path-1) were deficient (it only directed operators to verify a running charging pump to ensure adequate seal injection flow).

Diagnosis/Action- This HFE contains sufficient diagnosis activities. The nominal action component of the HEP is 0.001. No event information is available to warrant a change in the action PSFs for this HEP.

PSF Multiplier Notes The operators would need minimal time (< 1 minute) to trip RCPs A and C (RCP B was already tripped). However, operators were unaware that all RCP injection/cooling was unavailable until the second RCP bearing high temperature alarm was received (approximately 13 minutes after seal injection had become inadequate). Although, the non-running pump (RCP Time Available 1 B) was within 6 minutes of experiencing potential failure, the remaining running pumps (RCPs A and C) had lower seal leak-off flows, lower seal leak-off temperatures, and higher seal differential pressures than RCP B.

Operators would have several additional minutes to trip RCPs A and C prior to experiencing conditions that could lead to catastrophic seal failure.

Therefore, Nominal Time (i.e., x1) was selected.

The PSF for diagnosis stress is assigned a value of High Stress (i.e., x2) due to the sudden onset of the initiating event, the occurrence of the fire and Stress 2 subsequent suppression activities, and actual/postulated compounding equipment failures.

D-3

LER 261/10-002 PSF Multiplier Notes Complexity was maintained at nominal to prevent double counting. Factors Complexity 1 that cause increased complexity were accounted for in the Stress and Work Processes PSFs.

With the RCP thermal barrier cooling water flow low flow annunciator lit, the Path-1 Emergency Procedure Flow Path directs the operators to verify that a charging pump is running. However, a running charging pump does not ensure there is adequate seal injection to the RCPs as was the case in this event (due to the charging flow diversion away from the RCP seals via CVC-Procedures 20 310A). Because the procedure does not have operators ensure that RCP seal injection flow is sufficient, further actions such as reopening of FCV-626 and tripping the running RCPs were delayed. Additional cues (e.g., alarms) are needed to direct operators to perform the correct actions. This procedural deficiency provides the basis for assigning the PSF for diagnosis procedures a value of Incomplete (i.e., x20).

The crew composition was less than ideal; however, its effect on this HFE is Experience/Training 1 not believed to be a performance driver. Therefore, the diagnosis PSF for experience and training was maintained at nominal for this HFE.

Ergonomics were cited at below average by Region II; however, it is not Ergonomics/HMI 1 believed that it was a performance driver for this HFE. Therefore, the diagnosis ergonomics PSF was maintained at nominal for this HFE.

No event information is available to warrant a change from nominal for this Fitness for Duty 1 HFE.

Crew supervisors were distracted from oversight of the plant including the awareness of major plant parameters and failed to properly manage the frequency and duration of crew updates/briefs during the early portion of the Work Processes 2 event leading to interruption in the implementation of emergency procedures and distraction the operators. Therefore, the PSF for diagnosis work processes is assigned a value of Poor (i.e., x2).

PSF Composite 80 Diagnosis HEP 0.8 Action HEP 1.E-3 Total HEP 0.8

3. OPR-XHE-XM-DEPRCS (Operators fail to depressurize the RCS)

HFE Definition- Operators fail to depressurize the RCS during a small LOCA.

Description and Event Context- During a postulated RCP seal failure leading to a small LOCA, operators could initiate a cooldown and depressurization of the RCS to allow for the plant to be placed in SDC using the RHR System.

Operator Action Success Criteria- To initiate a successful RCS cooldown, operators must depressurize the RCS by using the pressurizer PORVs or pressurizer sprays. The operators must also initiate a secondary side cooldown using is the steam generator atmospheric relief valves or the turbine bypass valves to remove the decay heat and depressurize the RCS.

Cues-

• Containment Spray Actuation

• Pressurizer Low Pressure Alarm

• Decreasing Pressurizer Level

• RCS Pressure Greater than RHR Pump Shutoff Head Procedural Guidance- Path-1 and the procedure for Post-LOCA Cooldown and Depressurization (EPP-8) provide directions for operators to perform RCS depressurization and cooldown during a small LOCA.

D-4

LER 261/10-002 Diagnosis/Action- This HFE contains sufficient diagnosis activities. The nominal action component of the HEP is 0.001. No event information is available to warrant a change in the action PSFs for this HEP.

PSF Multiplier Notes Operators would have at least few hours to initiate the RCS cooldown and depressurization prior depletion of the RWST inventory during a SLOCA Time Available 0.1 caused by failure of RCP seals. Therefore, Extra Time (i.e., x0.1) was selected.

The PSF for diagnosis stress is assigned a value of High Stress (i.e., x2)

Stress 2 due to the initiation of the RCP seal LOCA.

The PSF for diagnosis complexity is assigned a value of Moderately Complexity 2 Complex (i.e., x2) due to the multiple procedures and operator involvement in controlling plant parameters.

No event information is available to warrant a change from nominal for this Procedures 1 HFE.

The crew composition was less than ideal; however, its effect on this HFE is Experience/Training 1 not believed to be a performance driver. Therefore, the diagnosis PSF for experience and training was maintained at nominal for this HFE.

Ergonomics were cited at below average by Region II; however, it is not Ergonomics/HMI 1 believed that it was a performance driver for this HFE. Therefore, the diagnosis ergonomics PSF was maintained at nominal for this HFE.

No event information is available to warrant a change from nominal for this Fitness for Duty 1 HFE.

Crew supervisors were distracted from oversight of the plant including the awareness of major plant parameters and failed to properly manage the frequency and duration of crew updates/briefs during the early portion of the Work Processes 2 event leading to interruption in the implementation of emergency procedures and distraction the operators. Therefore, the PSF for diagnosis work processes is assigned a value of Poor (i.e., x2).

PSF Composite 0.8 Diagnosis HEP 8.E-03 Action HEP 1.E-03 Total HEP 9.E-03

4. RHR-XHE-XM-SD (Operators fail to initiate the RHR system)

HFE Definition- Operators fail to initiate the RHR system in SDC mode.

Description and Event Context- If operators successfully depressurize and cool down the RCS during the postulated RCP seal LOCA (if the leak is SLOCA); operators could then place the plant in SDC mode using the RHR System once the entry conditions are met (see Cues).

Operator Action Success Criteria- Operators must successfully perform the steps to align RHR in SDC mode provided in EPP-8, Supplement 1.

Cues-

• RCS Temperature less than 350°F

• RCS Pressure less than 375 psig Procedural Guidance- The procedure for Post-LOCA Cooldown and Depressurization (EPP-8) and Aligning RHR System For Core Cooling Mode (Supplement I) provides direction for operators to place the RHR system in SDC mode and cooldown during a small LOCA.

D-5

LER 261/10-002 Diagnosis/Action- This HFE contains sufficient diagnosis activities. The nominal action component of the HEP is 0.001. No event information is available to warrant a change in the action PSFs for this HEP.

PSF Multiplier Notes This HFE will be performed if operators successfully cooldown and depressurize the RCS to allow for SDC. Extra Time (i.e., x0.1) was selected for OPR-XHE-XM-DEPRCS. If the cooldown and depressurization is Time Available 1 successful, sufficient time is assumed to be available for operators to initiate SDC; however, credit for Extra Time (i.e., x0.1) for both actions is not warranted. Therefore, the time available will be kept at Nominal (i.e., x1).

The PSF for diagnosis stress is assigned a value of High Stress (i.e., x2)

Stress 2 due to the initiation of the RCP seal LOCA.

Complexity was not determined to be a performance driver for this Complexity 1 postulated HFE.

No event information is available to warrant a change from nominal for this Procedures 1 HFE.

The crew composition was less than ideal; however, its effect on this HFE is Experience/Training 1 not believed to be a performance driver. Therefore, the diagnosis PSF for experience and training was maintained at nominal for this HFE.

Ergonomics were cited at below average by Region II; however, it is not Ergonomics/HMI 1 believed that it was a performance driver for this HFE. Therefore, the diagnosis ergonomics PSF was maintained at nominal for this HFE.

No event information is available to warrant a change from nominal for this Fitness for Duty 1 HFE.

Crew supervisors were distracted from oversight of the plant including the awareness of major plant parameters and failed to properly manage the frequency and duration of crew updates/briefs during the early portion of the Work Processes 2 event leading to interruption in the implementation of emergency procedures and distraction the operators. Therefore, the PSF for diagnosis work processes is assigned a value of Poor (i.e., x2).

PSF Composite 4 Diagnosis HEP 4.E-02 Action HEP 1.E-03 Total HEP 4.E-02

5. HPR-XHE-XM-RECIRC2 (Operators fail to initiate high-pressure recirculation during SLOCA)

HFE Definition- Operators fail to initiate high-pressure recirculation given successful high-pressure injection and unsuccessful RCS cooldown/depressurization.

Description and Event Context- If operators fail to initiate cooldown and depressurization of the RCS, operators must initiate high-pressure recirculation (assumes successful safety injection) to ensure core cooling.

Operator Action Success Criteria- Operators must successfully perform the steps in EPP-9 and EPP-10 to ensure that high-pressure recirculation is initiated and controlled prior to RWST level decreasing to below 9%.

Cues-

• RWST Low Level Alarm (i.e., RWST level less than 27%).

• RCS Pressure greater than 125 psig Procedural Guidance- The procedures for initiating high-pressure recirculation is provided by Transfer to Cold Leg Recirculation (EPP-9) and Transfer to Long-Term Recirculation D-6

LER 261/10-002 (EPP-10), provide direction for operators to initiate recirculation cooling from either the SI pumps (for high-pressure recirculation) or the RHR pumps (for low-pressure recirculation).

Diagnosis/Action- This HFE contains sufficient diagnosis activities. The nominal action component of the HEP is 0.001. No event information is available to warrant a change in the action PSFs for this HEP.

PSF Multiplier Notes Approximately two hours are available for operators to align and initiate high-pressure recirculation between the time when the low RWST alarm is Time Available 0.1 received (27%) and the RWST inventory is depleted (assumed at 9%) during a SLOCA. The manipulations required for this action are estimated to take 15 minutes to complete. Therefore, Extra Time (i.e., x0.1) was selected.

The PSF for diagnosis stress is assigned a value of High Stress (i.e., x2)

Stress 2 due to the initiation of the SLOCA.

The PSF for diagnosis complexity is assigned a value of Moderately Complex (i.e., x2) due to the long procedure (41 pages) used to align Complexity 2 recirculation and initiate sump recirculation. In addition, the operators must determine throughout the operating in recirculation if containment sprays are necessary.

No event information is available to warrant a change from nominal for this Procedures 1 HFE.

The crew composition was less than ideal; however, its effect on this HFE is Experience/Training 1 not believed to be a performance driver. Therefore, the diagnosis PSF for experience and training was maintained at nominal for this HFE.

Ergonomics were cited at below average by Region II; however, it is not Ergonomics/HMI 1 believed that it was a performance driver for this HFE. Therefore, the diagnosis ergonomics PSF was maintained at nominal for this HFE.

No event information is available to warrant a change from nominal for this Fitness for Duty 1 HFE.

Crew supervisors were distracted from oversight of the plant including the awareness of major plant parameters and failed to properly manage the frequency and duration of crew updates/briefs during the early portion of the event leading to interruption in the implementation of emergency procedures and distraction the operators. However, by the time RWST levels met the Work Processes 1 requirements to switch to recirculation, the Emergency Response Organization (ERO)/Technical Support Center would be staffed due to the ALERT classification because of the SLOCA. This additional staffing would aid in the operator actions in aligning recirculation. Therefore, the PSF for diagnosis work processes is assigned a value of Nominal (i.e., x1).

PSF Composite 0.8 Diagnosis HEP 4.E-03 Action HEP 1.E-03 Total HEP 5.E-03

6. ACP-XHE-E2-RECOVER (Operators fail to recover offsite power to Bus E2)

HFE Definition- Operators fail to restore offsite power to Bus E2 via Bus 3 (and the SUT).

Description and Event Context- Recovery of offsite power to vital Bus E2 was possible almost immediately after the event occurred. Operators could restore offsite power to vital Bus E2 through non-vital Bus 3 (via the SUT) during a postulated failure of EDG B.

Operator Action Success Criteria- If the EDG B fails, operators could immediately restore power to Bus E2 by closing the Breakers 15 and 28B.

Cues-

• EDG B Trouble Alarm D-7

LER 261/10-002

• Safeguards Power Supply Failure Alarm Procedural Guidance- The action would be a knowledge-based action (i.e., operators wouldnt have specific procedures to perform this recovery action.

Diagnosis/Action- This HFE contains sufficient diagnosis activities. The nominal action component of the HEP is 0.001. No event information is available to warrant a change in the action PSFs for this HEP.

PSF Multiplier Notes Several hours are available for operators to restore power to vital Bus E2 during a SLOCA caused by the failure of RCP seals. With only two breakers Time Available 0.1 needing to be shut to align offsite power to vital Bus E2, the action portion time for recovery of offsite power to a vital bus is minimal (< 2 minutes).

Therefore, Extra Time (i.e., x0.1) was selected.

The PSF for diagnosis stress is assigned a value of High Stress (i.e., x2)

Stress 2 due to the initiation of the RCP seal LOCA.

The PSF for diagnosis complexity is assigned a value of Moderately Complexity 2 Complex (i.e., x2) due to multiple equipment unavailabilities (postulated) and the concurrent actions/multiple procedures used during the event.

Due to the relatively simplistic nature of this recovery event (i.e., closing of Procedures 1 two breakers) the lack of specific procedure in the case of this HFE do not warrant a change from nominal given that this is a knowledge-based action.

The crew composition was less than ideal; however, its effect on this HFE is Experience/Training 1 not believed to be a performance driver. Therefore, the diagnosis PSF for experience and training was maintained at nominal for this HFE.

Ergonomics were cited at below average by Region II; however, it is not Ergonomics/HMI 1 believed that it was a performance driver for this HFE. Therefore, the diagnosis ergonomics PSF was maintained at nominal for this HFE.

No event information is available to warrant a change from nominal for this Fitness for Duty 1 HFE.

Crew supervisors were distracted from oversight of the plant including the awareness of major plant parameters and failed to properly manage the frequency and duration of crew updates/briefs during the early portion of the Work Processes 2 event leading to interruption in the implementation of emergency procedures and distraction the operators. Therefore, the PSF for diagnosis work processes is assigned a value of Poor (i.e., x2).

PSF Composite 0.8 Diagnosis HEP 8.E-03 Action HEP 1.E-03 Total HEP 9.E-03 D-8