ML13059A525

From kanterella
Jump to navigation Jump to search
Final Precursor Analysis, Transformer and Breaker Failures Cause Loss of Offsite Power, Reactor Trip, and De-Energized Safety Buses
ML13059A525
Person / Time
Site: Byron  Constellation icon.png
Issue date: 04/25/2013
From:
Office of Nuclear Reactor Regulation
To:
NRC/RES/DRA
Hunter Christopher 301-251-7575
Shared Package
ML13059A506 List:
References
IR-12-008, LER 12-001-01
Download: ML13059A525 (17)
v  d  e


Text

Enclosure 1

Final Precursor Analysis Accident Sequence Precursor Program - Office of Nuclear Regulatory Research Byron Station, Unit 2 Transformer and Breaker Failures Cause Loss of Offsite Power, Reactor Trip, and De-Energized Safety Buses Event Date: 01/30/2012 LER: 454/12-001-01 IR: 50-455/12-08 CCDP = 1x10-4 EVENT

SUMMARY

Event Description. At 10:01 on January 30, 2012, Byron Station, Unit 2 experienced an event, in which the 4.16 kV engineered safety feature (ESF) buses were not energized by an operable power source for eight minutes. The event was initiated by a mechanical failure of an electrical insulator in the 345 kV switchyard. The failed insulator caused the loss of one of three electrical phases (Phase C) supplying 345 kV offsite power to the Unit 2 station auxiliary transformers (SATs). Following the insulator failure, the reactor automatically tripped from full power due to an under-voltage condition on 6.9 kV Buses 258 and 259 that supply power to two of four reactor coolant pumps (RCPs). About 30 seconds after the reactor trip, the power source for 6.9 kV Buses 256 and 257 and 4 kV Buses 243 and 244 automatically fast transferred from the unit auxiliary transformers (UATs) to the SATs, as designed. As a result, the remaining two RCPs tripped on an over-current condition due to the increased current flow through the A and B phases.

The loss of Phase C, however, did not result in an automatic under-voltage protection signal for either 4 kV ESF Buses 241 or 242, because the buses under-voltage protection scheme did not provide adequate protection from a single phase loss of either Phase A or C. As a result, all running equipment powered by Buses 241 and 242 had tripped. This included the charging pumps which supply RCP seal injection, the component cooling water (CCW) pumps, system which supply thermal barrier heat exchanger cooling to the RCP seals, and the essential service water (ESW) pumps. These conditions existed until operators manually opened (from the main control room) the SAT feeder breakers about eight minutes after the event had initiated.

Following the opening of the SAT feeder breakers, both emergency diesel generators (EDGs) started and loaded supplying power to Buses 241 and 242, as designed. The Operations crew declared a Notice of Unusual Event (NOUE) at 10:18 for a loss of offsite power (LOOP) to essential buses for greater than 15 minutes.

No significant degradation to the RCP seals occurred based on the manual action occurring within the time it would have taken for the RCP seal water volume to deplete (about 13 minutes). Reactor decay heat was removed utilizing the diesel-driven auxiliary feedwater (AFW) pump and steam generator (SG) power operated relief valves (PORVs) while the primary system cooled down in the natural circulation mode of operation. On January 31, 2012, Unit 2 entered Mode 5 (i.e., Cold Shutdown). The licensee remained in the UE until repairs were completed and the Unit 2 SATs were returned to their normal alignment on January 31, 2012.

Additional event details are provided in References 1 and 2.

LER 454/12-001-01 2

Sequence of Key Events. The following table provides a sequence of key events (Reference 2):

January 30, 2012

~1001:54 An insulator stack supporting the Phase C Conductor for 345 kV Bus 13 that supplies power to the Unit 2 SATs breaks, resulting in an open Phase C Conductor.

1001:55 Non-safety related (NSR) 6.9 kV RCP Buses 258 and 259 supplied by the Unit 2 SATs are affected by the open Phase C. Unit 2 reactor protection system senses the RCP bus under-voltage and initiates an automatic reactor trip.

1001:55 Unit 2 ESF Buses 241 and 242 supplied by the Unit 2 SATs are affected by the open Phase C. However, due to the design of the under-voltage protection logic, a bus under-voltage protection signal is not processed and Buses 241 and 242 remain energized with the Phase A-B at nominal 4000 Vac, the Phase A-C at about 2400 Vac, and the Phase B-C at about 2400 Vac.

1001:56 ESW Pump 2A low discharge pressure annunciator alarm is received due to an over-current trip of the pump.

1001:56 AFW Pumps 2A (motor-driven) and 2B (diesel-driven) receive auto-start signals as designed due to the RCP bus under-voltage condition. AFW Pump 2B starts and operates as designed. AFW Pump 2A is unable to start and run due to the under-voltage condition.

1001:59 Over-current trip of the running CCW Pump 2A; CCW Pump 2B is unable to start and run due to the under-voltage condition. A loss of cooling to all four RCP thermal barrier heat exchangers occurs.

~1002 Unit 2 operators enter procedure 2BEP-0, Reactor Trip or Safety Injection.

1002:00 Over-current trip of the running Centrifugal Charging (CC) Pump 2B.

1002:01-02 RCP seal injection flow annunciator alarms received for RCPs 2A, 2B, 2C, and 2D indicating a loss of RCP seal injection to all four RCPs.

1002:02-03 Over-current trip of the running Condensate/Condensate Booster Pumps 2A, 2B, and 2D.

1002:05 Over-current trip of the running auxiliary building supply fan.

1002:13 Over-current trip of the running auxiliary building exhaust fan.

1002:32 Main generator reverse power trip occurs and generator output breakers 10-11 and 11-12 trip open.

1002:33 NSR Buses 243 and 244 supplied by the Unit 2 UATs trip upon the main generator reverse power trip. NSR loads including circulating water pumps, feedwater pumps, a reactor cavity fan, station air compressors, control rod drive mechanism booster and exhaust fans, and heater drain pumps de-energize.

NSR 6.9 kV Buses 256 and 257 automatically transfer from the Unit 2 UATs to the (degraded) SATs as designed. With Phase C open, the current flow on Phases A and B increase.

1002:35 Over-current trip of RCPs 2C and 2D.

LER 454/12-001-01 3

1002:43 ESF Bus 241 low voltage alarm is received in the main control room for about 2 seconds then clears.

1003:13 Over-current trip of RCPs 2A and 2B.

~1004 Operators attempt to start the ESW Pump 2B, but the pump fails to start.

1004:54 Operators start the ESW Pump 1A and open the Unit 1 to Unit 2 cross-connect valves to supply ESW from Unit 1 to Unit 2.

~1009-1010 Based upon a field report of smoke from the Unit 2 SATs 242-1 and 242-2, and a suspected electrical issue, operators open the SAT 242-1 and SAT 242-2 feeder breakers to ESF Buses 241 and 242, and NSR Buses 243 and 244.

1009:48 ESF Bus 241 is electrically isolated following the manual operator action. Under-voltage logic is satisfied and an under-voltage signal is processed. EDG 2A starts and restores power to ESF Bus 241 in about 6-8 seconds. Safe shutdown loads begin to automatically sequence onto ESF Bus 241.

1010:07 ESF Bus 242 is electrically isolated following the manual operator action. Under-voltage logic is satisfied and an under-voltage signal is processed. EDG 2B starts and restores power to ESF Bus 242 in about 6-8 seconds. Safe shutdowns loads begin to automatically sequence onto ESF Bus 242.

1009:56 CCW Pump 2A automatically starts and runs.

1010:15 CCW Pump 2B automatically starts and runs.

1010:16 CC Pump 2A automatically starts and runs. Seal cooling is restored to the RCP seals.

1018 Byron Station declares a Unit 2 NOUE due to the loss of offsite power to ESF Buses 241 and 242 for greater than 15 minutes.

1023 The licensee requests offsite assistance from the Byron Fire Department based upon the report of smoke from the Unit 2 SATs.

1048 The Byron Fire Department arrives and is available as a resource. No actual fire occurred. The smoke from the Unit 2 SATs was caused by a sudden heat up of the SAT windings due to an electrical current inrush following the insulator failure.

1026 NSR Bus 243 is energized from ESF Bus 241, and NSR Bus 244 is energized from ESF Bus 242. Operators begin restoring NSR loads in accordance with licensee procedures.

1039 The licensee notifies the NRC Headquarters Operations Center of the Unit 2 reactor trip, loss of offsite power, and NOUE emergency declaration.

1041 The Unit 2 SAT high side windings are de-energized by the opening of switchyard Breakers 7-13 and 12-13 and associated motor-operated disconnects.

1048 The Unit 2 main steam isolation valves are closed in accordance with licensee procedure due to the loss of main condenser circulating water flow and the Unit 2 shutdown condition.

1100 Operators enter procedure 2BEP ES0.2, Natural Circulation Cooldown.

LER 454/12-001-01 4

1320 The Operations Field Supervisor completes an investigation of water reportedly spraying onto RHR Pump 2A. The assessment concludes that the water spray does not impact the ability of the pump to start and operate.

2201 Unit 2 enters Mode 4.

January 31, 2012 1233 Operators place Unit 2 in shutdown cooling using the RHR Pump 2B.

1428 Unit 2 enters Mode 5 2000 The Byron NOUE is terminated following the completion of a Unit 2 SAT functionality assessment and physical restoration of the Unit 2 SATs supplying power to ESF Buses 241 and 242.

MODELING ASSUMPTIONS Analysis Type. The Byron Station Standardized Plant Analysis Risk (SPAR) model for Units 1 and 2 created in April 2012 was used for this event analysis. This event was modeled as a switchyard-related LOOP initiating event. The Byron SPAR model is designed to represent Unit 1; however, due the similarities between the units, the model was used for analysis of this Unit 2 event. Therefore, in some cases, Unit 1 basic events are used to represent Unit 2 components.

Analysis Rules. The ASP program uses Significance Determination Process results for degraded conditions when available. However, the ASP Program performs independent analysis for initiating events.

Key Modeling Assumptions. The following modeling assumptions were determined to be vital to this event analysis:

This analysis models the January 30, 2012 Unit 2 reactor trip at Byron Station as a switchyard-related LOOP initiating event.

The Unit 2 SAT feeder breakers remained closed, thus preventing the Unit 2 EDGs from automatically starting and loading onto their respective ESF buses. This analysis credits the operator action to isolate the SATs from the ESF buses, and thus restoring power via the EDGs, by opening the SAT feeder breakers. Operators successfully performed this action in approximately eight minutes during the event.

The Unit 2 offsite power source was not available for approximately 34 hours3.935185e-4 days <br />0.00944 hours <br />5.621693e-5 weeks <br />1.2937e-5 months <br /> after the LOOP occurred, when the failed insulator was replaced, electrical lines were reconnected and an assessment of the SAT condition concluded that it was acceptable to re-energize.

However, offsite power from Unit 1 could be cross-connected almost immediately after the event occurred. The steps needed to align the Unit 1 offsite power source to Unit 2 include the opening of the Unit 2 SAT feeder breakers. Since the operator action of opening the SAT feeder breakers is already modeled in this analysis the inclusion of additional action to cross-connect the Unit 1 offsite power to Unit 2 was not explicitly modeled as part of this analysis. However, this additional method of recovery was factored into the Recovery Analysis and Sensitivity Analyses described later in this report.

LER 454/12-001-01 5

Prior to the event, EDG 2B was in an available, but inoperable (in terms of Technical Specifications), status prior as a result of maintenance that had recently been completed.

On the morning of January 31, 2012, inspectors observed slight speed and frequency oscillations of EDG 2B. It was determined that these frequency oscillations did not prevent EDG 2B from performing its safety function during this event; therefore, no modifications to EDG 2B reliability were made for this analysis.

The battery chargers are assumed to be unavailable due to the loss of Phase C. The battery chargers did supply some dc power during the first eight minutes of the event, but it is expected that the breakers to chargers would soon trip and/or the batteries would be supplying most of the dc load.

Basic Event Probability Changes. The following initiating event frequencies and basic event probabilities were modified for this event analysis:

The switchyard-related LOOP initiating event probability (IE-LOOPSC) was set 1.0 to represent the operational event that occurred at Byron Station, Unit 2 on January 30, 2012.

All other initiating events probabilities were set to zero.

ACP-TFM-FC-SAT1421 (System Auxiliary Transformer 142-1 Fails) and ACP-TFM-FC-SAT1422 (System Auxiliary Transformer 142-2 Fails) were set to TRUE because both Unit 2 SATs were inoperable due to the insulator failure causing a loss of Phase C.1 The LOOP event was limited to Unit 2; therefore, basic events OEP-VCF-LP-SNGLSC (Single Unit LOOP Switchyard-Related) was set to TRUE and OEP-VCF-LP-SITESC (Site LOOP Switchyard-Related) was set to FALSE.

The non-recovery probability for basic events OEP-XHE-XL-NR01HSC (Operator Fails to Recover Offsite Power in 1 Hour), OEP-XHE-XL-NR02HSC (Operator Fails to Recover Offsite Power in 2 Hours), OEP-XHE-XL-NR03HSC (Operator Fails to Recover Offsite Power in 3 Hours), and OEP-XHE-XL-NR04HSC (Operator Fails to Recover Offsite Power in 4 Hours) were set to TRUE because offsite power recovery to an emergency bus via the Unit 2 offsite power was not possible until approximately 34 hours3.935185e-4 days <br />0.00944 hours <br />5.621693e-5 weeks <br />1.2937e-5 months <br /> after the LOOP occurred.

Cross-connecting the Unit 1 offsite power source to Unit 2 was not credited (see Key Modeling Assumptions for additional details).

Recovery Analysis. In this analysis, the potential for operators to open the Unit 2 SAT feeder breakers, thus allowing the EDGs to automatically start and load onto the ESF buses, prior to core damage was modeled. Depending on the availability of the diesel-driven AFW pump, the occurrence and size of a potential seal RCP loss-of-coolant accident (LOCA), and the time to battery depletion, the time to core damage during a loss of all power to the ESF buses for Byron, Unit 2 ranges from 1 to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. For this analysis, the base SPAR model Emergency Power System (EPS) recovery events (i.e., sequence-specific EDG recovery events) were used to represent operators ability to open the Unit 2 SAT feeder breakers to restore power to the ESF buses prior to core damage.

1 The basic events applicable to the unavailabilities of the Unit 1 SATs are used to represent the failures of the Unit 2 SATs in this analysis.

LER 454/12-001-01 6

The applicable human failure events (HFEs) for this analysis are EPS-XHE-XL-NR01H (Operator Fails to Open the SAT Feeder Breakers in 1 Hour), EPS-XHE-XL-NR02H (Operator Fails to Open the SAT Feeder Breakers in 2 Hours), EPS-XHE-XL-NR03H (Operator Fails to Open the SAT Feeder Breakers in 3 Hours), and EPS-XHE-XL-NR04H (Operator Fails to Open the SAT Feeder Breakers in 4 Hours).2 In addition to these recovery events, potential recovery (i.e., opening the Unit 2 SAT feeder breakers) prior to RCPs seals being challenged due to the loss of injection and cooling within 13 minutes needs to modeled to ensure the validity of the sequences and cutsets.3 Therefore, an additional HFE, EPS-XHE-XL-NR13M (Operator Fails to Open the SAT Feeder Breakers in 13 Minutes), was added to EPS Fault Tree (see Figure 1).4 Figure 1. Modified EPS Fault Tree for Byron, Unit 2.

With the addition of EPS-XHE-XL-NR13M, the Byron, Unit 2 SPAR model now has two HFEs (i.e., prior to 13 minutes and prior to core damage) that represent one recovery action (i.e., to restore power to the ESF buses).5 Therefore, the applicable human error probabilities (HEPs) for these two HFEs must be evaluated and quantified as a joint recovery action. This joint HEP was evaluated and quantified using SPAR-H Method (References 4 and 5).

2 The descriptions of these four basic events were changed to indicate that the opening SAT feeder breakers was required to restore power to the ESF buses via the EDGs.

3 The Westinghouse Owners Group 2000 RCP Seal Model (Reference 3) assumes that if both seal cooling and injection are lost, the RCP seals will experience voiding conditions in approximately 13 minutes (based on the RCP purge volume and average seal leak-off rates).

4 The Unit 1 EPS fault tree and its associated basic events is used in this analysis to represent the Unit 2 EPS components in this analysis.

5 There are not really two opportunities for operators to open the SAT feeder breakers. Rather there is one continuous opportunity for operators to open the SAT feeder breakers prior to core damage.

LER 454/12-001-01 7

Tables 1 and 2 provide the key qualitative information for this recovery and the performance shaping factor (PSFs) adjustments required for the HEP quantification using SPAR-H.

Table 1. Qualitative Evaluation of Joint HFE for Overall Recovery Definition The definition for overall recovery is the operators failing to open the feeder breakers for the Unit 2 SATs within 1 to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> (depending on the sequence).

Description and Event Context Depending on postulated failures of the RCP seals (due to unavailability of seal injection/cooling), the availability of the diesel-driven AFW pump, and the time until the station batteries are depleted, operators would have between 1-4 hours to open the SAT feeder breakers prior to core uncovery.

Operator Action Success Criteria For successful recovery, operators would have to open SAT feeder breakers (from the control room) with sufficient time for the EDGs to start and load to their respective ESF buses prior to core uncovery. The time available for operators to perform this action would be a minimum of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (given the failure of the diesel-driven AFW pump). The dominant sequences have a time available equal to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> (i.e., the time to battery depletion given successful operation of the diesel-driven AFW pump with or without the failure of the Stage 2 RCP seals).

Nominal Cues

  • ESF Bus Alive Lights not lit; however, these lights remained energized during the event because two of the three phases were energized.
  • No voltage indicated on ESF buses. The voltage of all three phases are checked as standard operator practice per Step 21 of Procedure 2BOSR 0.1-1.2, 3 as part of the bus voltage checks. Phase A-B indicated it was its nominal voltage (i.e., 4000 V), while Phase A-C and Phase B-C indicted about 2400 V.
  • Deenergized safety equipment (e.g., EDGs, CCW, and charging).
  • Inability to manually start Unit 2 ESW pump.

Procedural Guidance The procedure for the Bus 241 Overload or Voltage Low Annunciator is the only procedure available that discusses tripping the SAT feeder breakers to a safety buses. However, the annunciator did not alarm during the event; and therefore, the procedure entry conditions were not met.

Diagnosis/Action This recovery action contains sufficient diagnosis and action components.

LER 454/12-001-01 8

Table 2. SPAR-H Evaluation of Joint HEP for Overall Recovery PSF Diagnosis / Action Multiplier Notes Time Available 0.01 / 1 The operators would need minimal time (< 1 minute) to open the SAT feeder breakers from the control room.

Minimal time is needed for an EDG to start and load to its respective safety bus, and safety equipment to be sequenced onto the EDG (< 1 minute). Therefore, a minimum of 58 minutes was available for operators to diagnose the need to open the SAT breakers prior to core uncovery. Therefore, available time for the diagnosis component for the overall recovery is assigned as Expansive Time (i.e., x0.01; time available is >2 times nominal and >30 minutes).

Sufficient time was available to open the SAT feeder breakers; therefore, the available time for the action component for the overall recovery is evaluated as Nominal (i.e., x1). See Reference 5 for guidance on apportioning time between the diagnosis and action components of an HFE.

Stress 2 / 1 The PSF for diagnosis stress is assigned a value of High Stress (i.e., x2) due to the LOOP and loss of all power to the ESF buses.

The PSF for action stress was not determined to be a performance driver for this HFE; and therefore, was assigned a value of Nominal (i.e., x1).

Complexity 2 / 1 The PSF for diagnosis complexity is assigned a value of Moderately Complex (i.e., x2) because operators would have to deal with multiple equipment unavailabilities and the concurrent actions/multiple procedures.

The PSF for action complexity was not determined to be a performance driver for this HFE; and therefore, was assigned a value of Nominal (i.e., x1).

LER 454/12-001-01 9

PSF Diagnosis / Action Multiplier Notes Procedures 5 / 1 The Emergency Operating Procedure E-0, Reactor Trip/Safety Injection Actuation, requirements to enter the loss of all AC power procedure or the loss of a single ESF bus procedure were not met. Specifically, (1) the ESF bus active lights were lit and (2) ESF bus voltage meters were reading the correct voltage (i.e., 4160V) because the bus voltage selector switch was selected to default position of Phases A/B]. However, standard operating practices dictate that operators check Phase C voltage. During the event, operators successfully performed this check within two minutes to determine the degraded Phase C voltage.

Only the annunciator procedure for Bus 241 Overload or Voltage Low was available to explicitly direct operators to open the SAT feeder breakers; however, the annunciator did not alarm during the event. The operators never formally entered this procedure during the event, but did use the annunciator procedure as guidance to open the SAT feeder breakers in eight minutes after determining the SATs were damaged.

Considering operators had strong cues of degraded Phase C voltage (via bus voltage checks) and the report of smoke coming from the SAT; but didnt have explicit procedural guidance to open the Unit 2 SAT feeder breakers, the diagnosis component of the PSF for procedures was set to Available, but Poor (i.e., x5) for this HFE.

The action component of the PSF for procedures was not determined to be a performance driver for this HFE; and therefore, was assigned a value of Nominal (i.e., x1).

Experience/Training, Ergonomics/HMI, Fitness for Duty, Work Processes 1 / 1 No event information is available to warrant a change in these PSFs (for diagnosis and action) from Nominal for this HFE.

HEPs evaluated using SPAR-H are calculated using the following formula:

Calculated HEP = (Product of Diagnosis PSFs x 0.01) + (Product of Action PSFs x 0.001)

Therefore, the joint HEP for the overall recovery via direct SPAR-H calculation is to be 3x10-3.

However, there are three factors that are not explicitly handled in the SPAR-H calculation would decrease this calculated joint HEP for the overall recovery.

For accident sequences greater than one hour, the Technical Support Center would be manned (due to the loss of all ac power to the Unit 2 ESF buses) to provide additional technical guidance to restore power to the ESF buses.

Offsite power from Unit 1 could be cross-connected almost immediately after the event occurred. The steps needed to align the Unit 1 offsite power source to Unit 2 include the opening of the Unit 2 SAT feeder breakers. When modeling recovery with an ASP analysis,

LER 454/12-001-01 10 only the most likely recovery method is explicitly modeled. However, if operators did fail to open the Unit 2 SAT feeder breaker given the cues they received, they could potentially pursue cross-connecting the Unit 1 and Unit 2 ESF buses; therefore, increasing the likelihood the operators restored power to the Unit 2 ESF buses prior to core damage.

ASP analyses do not typically give probabilistic credit recovery of the electrical systems after battery depletion because of the lack of knowledge on how operators would perform or how equipment (i.e., breakers, interlocks, and EDG start logic) would behave without direct-current (dc) power.6 This can be a source of conservatism in this analysis.

Considering these factors, the best estimate joint HEP for overall recovery for accident sequences greater than one hour is reduced to 1x10-4 for this analysis. The joint HEP for overall recovery for one-hour sequences will remain at 3x10-3.

With the joint HEP calculated, the HEPs for the two modeled HFEs can be calculated by using SPAR-H to evaluate the HEP for the 13-minute recovery action (i.e., EPS-XHE-XL-NR13M) and the dividing the joint HEP by this result to determine the HEP for the 1 to 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> sequence-specific recovery action (i.e., EPS-XHE-XL-NR01H, EPS-XHE-XL-NR02H, EPS-XHE-XL-NR03H, and EPS-XHE-XL-NR04H).

The HEP for EPS-XHE-XL-NR13M has the same qualitative inputs as the overall recovery with the exception of the time available. For successful recovery within 13 minutes, operators would have to reopen SAT feeder breakers (from the control room) with sufficient time for the EDGs to start and load to their respective ESF buses, including time for the charging pumps and/or CCW pumps to start, prior to voiding within the RCPs occur. The operators would need minimal time

(< 1 minute) to open the SAT feeder breakers from the control room. Minimal time is needed for an EDG to start and load to its respective safety bus, and for a charging pump and/or CCW pump to be sequenced onto the EDG (< 1 minute). Therefore, approximately 11 minutes are available for operators to diagnose the need to open the SAT breakers prior to voiding conditions within RCPs; therefore, the Time Available PSF for diagnosis was set to Nominal. All other PSF selections from the overall recovery are the same for the 13-minute recovery; thus the individual HEP for EPS-XHE-XL-NR13M is calculated to be 0.2.

With the joint HEP and the HEP for the 13-minute recovery calculated, the HEP for recovery prior to core damage for one-hour accident sequences (i.e., EPS-XHE-XL-NR01H), is calculated to be 1.5x10-2. The HEPs for recovery prior to core damage for accident sequences greater than one hour (i.e., EPS-XHE-XL-NR02H, EPS-XHE-XL-NR03H, and EPS-XHE-XL-NR04H) is calculated to be 5x10-4.

ANALYSIS RESULTS Conditional Core Damage Probability. The point estimate conditional core damage probability (CCDP) for this event is 1x10-4 using the HEPs for recovery as described above.

This CCDP is strongly dependent on the overall HEP for recovery; and it is expected that the recovery event would have large uncertainties because (1) the recovery event modeled in this analysis is a previously unanalyzed event in plant PRAs, (2) the normal uncertainties associated with using HRA methods can be significant, and (3) current HRA methods were not designed with recovery actions in mind. Considering these facts, it may be better to express these analysis results as a range using sensitivity cases to form the upper and lower bounds.

6 The battery depletion time for Byron, Unit 2 is 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.

LER 454/12-001-01 11 Sensitivity Analyses. Because some factors are not evaluated in SPAR-H (e.g., crediting the manning of the Technical Support Center) and uncertainties associated with SPAR-H quantification method, the recovery events were evaluated using additional human reliability analysis methods to provide a range of CCDPs for this analysis.7 The Cause Based Decision Tree (CBDT) model, along with the Human Cognitive Reliability (HCR) model combined with the minimum HEP recommended by the HRA Good Practices (Reference 6) were used to evaluate the recovery actions. In addition, a case using the direct SPAR-H calculation for the HEPs without the qualitative factors (that decrease the HEPs is also provided). Table 3 provides the results of these sensitivity cases.

Table 3. Description and Results of Sensitivity Cases.

Sensitivity Case Description CCDP Using the CBDT model, the joint HEP for the overall recovery is calculated to be 2.5x10-4 with a time available to core damage of 2 to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. If only one hour is available, the joint HEP for overall recovery is calculated to be 5x10-3.8 The HEP for recovery within 13 minutes is calculated to be 0.1. Dividing the HEP for overall recovery action by the HEP for the 13-minute action yields HEPs of 5x10-2 for EPS-XHE-XL-NR01H and 2.5x10-3 for EPS-XHE-XL-NR02H, EPS-XHE-XL-NR03H, and EPS-XHE-XL-NR04H.

3x10-4 Using the HCR model, the HEPs for the overall recovery action are calculated to be 2.1x10-3, 5.6x10-5, 4.4x10-6, and 6.0x10-7 for 1 to 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> times available to core damage, respectively. Because the extremely low values calculated using HCR of the recovery actions with time available to core damage of 2 to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, the minimum HEP of 1x10-5 recommended by the HRA Good Practices was applied for these two events.9 The HEP for recovery within 13 minutes is calculated to be 0.26. The analysis assumed an elevated sigma () due to the deficient procedure condition. Therefore, HEPs of 8.1x10-3 for EPS-XHE-XL-NR01H, 2.2x10-4 for EPS-XHE-XL-NR02H, and 3.9x10-5 for EPS-XHE-XL-NR03H and EPS-XHE-XL-NR04H were calculated for this case.

2x10-5 Using the SPAR-H method without the qualitative factors that reduced the HEP for all recovery in the best estimate case (see Recovery Analysis) yields an HEP for the overall recovery action of 3x10-3 with time available to core damage of 1 to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. The HEP for recovery within 13 minutes of 0.2 that was calculated using SPAR-H was also used in this case. Therefore, HEPs of 1.5x10-2 were calculated for EPS-XHE-XL-NR01H, EPS-XHE-XL-NR02H, EPS-XHE-XL-NR03H, and EPS-XHE-XL-NR04H.

3x10-3 Dominant Sequence. The dominant accident sequence is LOOPSC (Loss of Offsite Power Switchyard-Related) Sequence 16-03 (CCDP = 8.0x10-5) which contributes 75% of the total internal events CCDP. Additional sequences that contribute greater than 1% of the total internal events CCDP are provided in Appendix A. The dominant sequence is shown graphically in Figures B-1 and B-2 in Appendix B.

7 The uncertainties associated with SPAR-H also apply to other HRA methods.

8 The CBDT model includes credit for additional staffing for emergency response. Upon the declaration of an elevated emergency response level (e.g., Unusual Event, Alert, etc), the plant has one hour to staff the technical support center. Since it takes some time before the elevated emergency response is declared (after event initiation), recovery actions of one hour or less do not include this credit (this is the CBDT default setting).

9 Typically, another HRA method (e.g., CBDT) is used to address operator actions with longer time frames where extrapolation using the HCR Time Reliability Curve could yield unrealistic results. See Reference 6 for further details.

LER 454/12-001-01 12 The events and important component failures in LOOPSC Sequence 16-03 are:

Switchyard-related LOOP occurs, Reactor scram succeeds, Emergency power fails, AFW succeeds, Power-operated relief valves successfully close (if opened),

Rapid secondary depressurization succeeds, RCP seal cooling fails, RCP Seal 1 integrity is maintained, RCP Seal 2 integrity is maintained, Operators fail to restore offsite power within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, and Operators fail to open the SAT feeder breakers within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.

REFERENCES

1. Byron Station, Unit 1 and Unit 2, Licensee Event Report 2012-001-01, Unit 2 Loss of Normal Offsite Power and Reactor Trip and Unit 1 Loss of Normal Offsite Power Due to Failure of System Auxiliary Transformer Inverted Insulators, dated September 28, 2012 (ML12272A358).
2. U.S. Nuclear Regulatory Commission, Byron Unit 2 - NRC Special Inspection Team (SIT)

Report 05000455/2012008, dated March 27, 2012 (ML12087A213).

3. Westinghouse Electric Company, LLC, WOG 2000 Reactor Coolant Pump Seal Leakage Model for Westinghouse PWRs, WCAP-15603, Revision 1, dated May 2002.
4. Idaho National Laboratory, NUREG/CR-6883, The SPAR-H Human Reliability Analysis Method, August 2005 (ML051950061).
5. Idaho National Laboratory, INL/EXT-10-18533, SPAR-H Step-by-Step Guidance, May 2011 (ML112060305).
6. U.S. Nuclear Regulatory Commission, NUREG-1792, Good Practices for Implementing Human Reliability Analysis, April 2005 (ML051160213).

LER 454/12-001-01 A-1 Appendix A: Analysis Results Summary of Conditional Event Changes Event Description Cond.

Value Nominal Value ACP-TFM-FC-SAT1421 SYSTEM AUXILIARY TRANSFORMER 142-1 FAILS TRUE 2.27E-5 ACP-TFM-FC-SAT1422 SYSTEM AUXILIARY TRANSFORMER 142-2 FAILS TRUE 2.27E-5 EPS-XHE-XL-NR01H OPERATOR FAILS TO OPEN SAT FEEDER BREAKERS IN 1 HOUR 1.50E-2 1.00E+0 EPS-XHE-XL-NR02H OPERATOR FAILS TO OPEN SAT FEEDER BREAKERS IN 2 HOURS 5.00E-4 1.00E+0 EPS-XHE-XL-NR03H OPERATOR FAILS TO OPEN SAT FEEDER BREAKERS IN 3 HOURS 5.00E-4 1.00E+0 EPS-XHE-XL-NR04H OPERATOR FAILS TO OPEN SAT FEEDER BREAKERS IN 4 HOURS 5.00E-4 1.00E+0 EPS-XHE-XL-NR13M OPERATOR FAILS TO OPEN SAT FEEDER BREAKERS IN 13 MINUTES 2.00E-1 0.00E+0 IE-LOOPSCa SWITCHYARD-RELATED LOOP 1.00E+0 1.04E-2 OEP-VCF-LP-SITESC SITE LOOP (SWITCHYARD-RELATED)

FALSE 1.94E-1 OEP-VCF-LP-SNGLSC SINGLE UNIT LOOP (SWITCHYARD-RELATED)

TRUE 8.06E-1 OEP-XHE-XL-NR01HSC OPERATOR FAILS TO RECOVER OFFSITE POWER IN 1 HOUR (SWITCHYARD)

TRUE 1.00E+0 OEP-XHE-XL-NR02HSC OPERATOR FAILS TO RECOVER OFFSITE POWER IN 2 HOURS (SWITCHYARD)

TRUE 1.00E+0 OEP-XHE-XL-NR03HSC OPERATOR FAILS TO RECOVER OFFSITE POWER IN 3 HOURS (SWITCHYARD)

TRUE 1.00E+0 OEP-XHE-XL-NR04HSC OPERATOR FAILS TO RECOVER OFFSITE POWER IN 4 HOURS (SWITCHYARD)

TRUE 1.00E+0

a.

All other initiating event probabilities were set to zero.

Dominant Sequence Results Only items contributing at least 1.0% to the total CCDP are displayed.

Event Tree Sequence CCDP

% Contribution Description LOOPSC 16-03 8.00E-5 74.7%

/RPS, EPS, /AFW-B, /PORV-B, /RSD-B, /BP1,

/BP2, OPR-04H, DGR-04H LOOPSC 16-06 2.00E-5 18.7%

/RPS, EPS, /AFW-B, /PORV-B, /RSD-B, /BP1, BP2, OPR-04H, DGR-04H LOOPSC 15 2.29E-6 2.1%

/RPS, /EPS, AFW-L, FAB-L LOOPSC 16-42 2.15E-6 2.0%

/RPS, EPS, /AFW-B, PORV-B, OPR-01H, DGR-01H TOTAL 1.07E-4 100.0%

Referenced Fault Trees Fault Tree Description AFW-B AUXILIARY FEEDWATER (SBO)

AFW-L AUXILIARY FEEDWATER (LOOP)

BP1 RCP SEAL STAGE 1 INTEGRITY (BINDING/POPPING)

BP2 RCP SEAL STAGE 2 INTEGRITY (BINDING/POPPING)

DGR-01H DIESEL GENERATOR RECOVERY (IN 1 HOUR)

DGR-04H DIESEL GENERATOR RECOVERY (IN 4 HOURS)

EPS EMERGENCY POWER SYSTEM

LER 454/12-001-01 A-2 Fault Tree Description FAB-L FEED AND BLEED (LOOP)

OPR-01H OFFSITE POWER RECOVERY (IN 1 HOUR OPR-04H OFFSITE POWER RECOVERY (IN 4 HOURS)

PORV-B PORVs ARE CLOSED (SBO)

RPS REACTOR PROTECTION SYSTEM RSD-B RAPID SECONDARY DEPRESSURIZATION (SBO)

Cutset Report - LOOPSC 16-03 Only items contributing at least 1% to the total are displayed.

CCDP Total%

Cutset Total 8.00E-5 100 Displaying 1 of 1 Cutsets.

1 8.00E-5 100 IE-LOOPSC,EPS-XHE-XL-NR04H,EPS-XHE-XL-NR13M,/RCS-MDP-LK-BP2 Cutset Report - LOOPSC 16-06 Only items contributing at least 1% to the total are displayed.

CCDP Total%

Cutset Total 2.00E-5 100 Displaying 1 of 1 Cutsets.

1 2.00E-5 100 IE-LOOPSC,EPS-XHE-XL-NR04H,EPS-XHE-XL-NR13M,RCS-MDP-LK-BP2 Cutset Report - LOOPSC 15 Only items contributing at least 1% to the total are displayed.

CCDP Total%

Cutset Total 2.29E-6 100 Displaying 1178 of 1178 Cut Sets.

1 1.18E-6 51.6 IE-LOOPSC,AFW-PMP-CF-FSALL,HPI-XHE-XM-FB 2

2.30E-7 10 IE-LOOPSC,AFW-CKV-CF-ALL8,HPI-XHE-XM-FB 3

2.16E-7 9.43 IE-LOOPSC,AFW-EDP-FR-1B,AFW-EDP-FR-2B,AFW-MDP-TM-1A,HPI-XHE-XM-FB 4

7.08E-8 3.09 IE-LOOPSC,AFW-FCV-CF-ALL8,HPI-XHE-XM-FB 5

6.47E-8 2.82 IE-LOOPSC,AFW-EDP-FR-1B,AFW-EDP-FR-2B,ESW-SOV-CC-AFW-1A,HPI-XHE-XM-FB 6

5.15E-8 2.25 IE-LOOPSC,AFW-EDP-FR-1B,AFW-EDP-FR-2B,AFW-MDP-FS-1A,HPI-XHE-XM-FB 7

2.98E-8 1.3 IE-LOOPSC,AFW-EDP-FR-1B,AFW-EDP-TM-2B,AFW-MDP-TM-1A,HPI-XHE-XM-FB Cutset Report - LOOPSC 16-42 Only items contributing at least 1% to the total are displayed.

CCDP Total%

Cutset Total 2.15E-6 100 Displaying 7 of 7 Cutsets.

1 1.07E-6 49.8 IE-LOOPSC,EPS-XHE-XL-NR01H,EPS-XHE-XL-NR13M,PPR-SRV-CO-SBO,PPR-SRV-OO-456 2

1.07E-6 49.8 IE-LOOPSC,EPS-XHE-XL-NR01H,EPS-XHE-XL-NR13M,PPR-SRV-CO-SBO,PPR-SRV-OO-455A Referenced Events Event Description Probability AFW-CKV-CF-ALL8 CCF OF ALL 8 PUMP DISC CKVS (PSA) 1.15E-5 AFW-EDP-FR-1B AFW DIESEL DRIVEN PUMP FAILS TO RUN 5.21E-2 AFW-EDP-FR-2B UNIT 2 AFW DIESEL DRIVEN PUMP FAILS TO RUN 5.21E-2

LER 454/12-001-01 A-3 Event Description Probability AFW-EDP-TM-2B UNIT 2 AFW DDP FAILS DUE TO TEST AND MAINTENANCE 7.19E-3 AFW-FCV-CF-ALL8 AFW 8 FCVS 005A-H FAIL FROM CCF (PSA) 3.54E-6 AFW-MDP-FS-1A AFW MOTOR-DRIVEN PUMP 1A FAILS TO START 9.47E-4 AFW-MDP-TM-1A AFW MDP UNAVAILABLE DUE TO TEST AND MAINTENANCE 3.98E-3 AFW-PMP-CF-FSALL COMMON CAUSE FAILURE OF AFW PUMPS TO START - PSA 5.91E-5 EPS-XHE-XL-NR01H OPERATOR FAILS TO OPEN SAT FEEDER BREAKERS IN 1 HOUR 1.50E-2 EPS-XHE-XL-NR04H OPERATOR FAILS TO OPEN SAT FEEDER BREAKERS IN 4 HOURS 5.00E-4 EPS-XHE-XL-NR13M OPERATOR FAILS TO OPEN SAT FEEDER BREAKERS IN 13 MINUTES 2.00E-1 ESW-SOV-CC-AFW-1A AFW MDP 1A OIL COOLER VALVE 1 SX101A FAILS 1.19E-3 HPI-XHE-XM-FB OPERATOR FAILS TO INITIATE FEED AND BLEED COOLING 2.00E-2 IE-LOOPSC SWITCHYARD RELATED LOOP 1.00E+0 PPR-SRV-CO-SBO PORVs/SRVs OPEN DURING STATION BLACKOUT 3.70E-1 PPR-SRV-OO-455A PORV 455A FAILS TO RECLOSE AFTER OPENING 9.66E-4 PPR-SRV-OO-456 PORV 456 FAILS TO RECLOSE AFTER OPENING 9.66E-4 RCS-MDP-LK-BP2 RCP SEAL STAGE 2 INTEGRITY (BINDING/POPPING OPEN)

FAILS 2.00E-1

LER 454/12-001 B-1 Appendix B: Key Event Trees Figure B-1. Byron Station Switchyard-Related LOOP Event Tree.

LER 454/12-001 B-2 Figure B-2. Byron Station SBO Event Tree.

Retrieved from "https://kanterella.com/w/index.php?title=ML13059A525&oldid=5241611"