ML13115A955

From kanterella
Jump to navigation Jump to search
Final ASP Analysis-Browns Ferry Nuclear Plant, Unit 3, Reactor Trip and Subsequent Loss of Offsite Power Due Failure of Unit Station System Transformer Differential Relay (LER 296/12-004)
ML13115A955
Person / Time
Site: Browns Ferry Tennessee Valley Authority icon.png
Issue date: 05/16/2013
From:
NRC/RES/DRA
To:
Office of Nuclear Reactor Regulation
hunter Christopher 301-251-7575
Shared Package
ML13115A891 List:
References
LER-12-003-01
Download: ML13115A955 (15)
v  d  e


Text

Final Precursor Analysis Accident Sequence Precursor Program - Office of Nuclear Regulatory Research Browns Ferry Reactor Trip and Subsequent Loss of Offsite Power due Nuclear Plant, Unit 3 Failure of Unit Station System Transformer Differential Relay LER: 296/12-003-01 Event Date: 05/22/2012 CCDP = 2x10-5 IR: 50-296/12-04 EVENT

SUMMARY

Event Description. On May 22, 2012, at 2:49 a.m., Brown Ferry Nuclear Plant, Unit 3, the reactor was automatically scrammed due to de-energization of the reactor protection system (RPS) from actuation of Unit Station Service Transformer (USST) 3A Differential Relay 387SA, which resulted in a loss of 500 kV power to Unit 3. This relay was picked up during a transfer of 4 kV Unit Board 3C from alternate power (161 kV) to normal power (USST 3A). All Unit 3 emergency diesel generators (EDGs) successfully started and tied to their respective 4 kV shutdown boards. Power from the 161 kV offsite circuit remained available during the entire event.

At 4:30 a.m., operators restored 500 kV power through the alternate feeder breakers to all Unit 3 4 kV unit boards. All safety systems responded as expected and no emergency core cooling system water level initiation set points were reached. The reactor core isolation cooling (RCIC) system was manually started to control reactor water level. Primary containment isolation system initiation signals for Groups 1-3, 6, and 8 were received as expected due to loss of offsite power. At the time of the reactor scram, the high pressure coolant injection (HPCI) system was tagged out for removal of temporary instrumentation following planned maintenance.

It was determined that the differential relay failure for USST 3A was installed with incorrect design calculation settings. This new differential relay was replaced during the last refueling outage that ended on May 20, 2012. Additional information is provided in References 1 and 2.

MODELING ASSUMPTIONS Analysis Type. The Browns Ferry Unit 3 SPAR model, created in May 2012, was used for this event analysis. This event was modeled as a LOOP initiating event.

Analysis Rules. The ASP program uses Significance Determination Process results for degraded conditions when available. However, the ASP Program performs independent analysis for initiating events.

Key Modeling Assumptions. The following modeling assumptions were determined to be significant to the modeling of this event analysis:

Enclosure 1

LER 296/12-003-01

  • Offsite power was restored to Unit 3 shutdown boards one hour and 41 minutes after the LOOP occurred. However, offsite power from 161 kV source was available throughout the event; therefore, operators could have restored power to a Unit 3 shutdown boards earlier, if needed [i.e., during a postulated station blackout (SBO)]. See the section on Recovery Analysis for further details.
  • The HPCI pump was considered inoperable at the onset of the LOOP because plant personnel were removing temporary instrumentation; however, the maintenance work instructions for the pump contained procedures to restore the pump if needed to provide a source of high-pressure makeup to the reactor. The analysis assumes that the pump could be recovered within 10-15 minutes.

Fault Tree Modification. The following fault tree modifications were necessary to perform this event analysis:

  • A new basic event was added to the two HPCI fault trees: HCI and HCI-01. Basic event HCI-XHE-RECOVER (Operators fail to recover HPCI Pump from Maintenance) was added to account for potential recovery of the HPCI pump from maintenance. This new basic event along with basic event HCI-TDP-TM-TRAIN (HPCI Train Is Unavailable Because Of Maintenance) was moved and inserted under a new AND gates (HCI-8 and HCI01-7, respectively). See Figures B-1 and B-2 in Appendix B for the modified HPCI fault trees.

Basic Event Probability Changes. The following initiating event frequencies and basic event probabilities were modified for this event analysis:

  • This analysis models the May 22, 2012 reactor trip at Browns Ferry Nuclear Plant, Unit 3 as a switchyard-centered LOOP initiating event.

- The probability of switchyard-centered LOOP (IE-LOOPSC) was set to 1.0; all other initiating event probabilities were set to zero.

  • Basic Event HCI-TDP-TM-TRAIN (HPCI Train is Unavailable Due to Test and Maintenance) was set to 1.0 because the HPCI pump was out for maintenance.

- The HPCI pump was determined to be recoverable within 10-15 minutes and procedures to return the pump to service were contained in the maintenance work instructions. The SPAR-H Human Reliability Analysis Method (References 4 and 5) was used to estimate this new human failure event (HFE). Tables 1 and 2 provide the key qualitative information for these recovery HFEs and the performance shaping factor (PSFs) adjustments required for the quantification for this recovery event using SPAR-H.

Table 1. Qualitative Evaluation for the Recovery of the HPCI Pump from Maintenance.

The definition for this recovery event is the operators failing to restore the HPCI pump to service from maintenance (to remove temporary instrumentation) to Definition provide a source of high-pressure makeup to the to the reactor coolant system (RCS) given a LOOP and failure of RCIC.

HPCI availability is only a key concern during event mitigation if RCIC fails. If Description and Event Context RCIC fails during a postulated SBO, only 30 minutes would be available to restore power to the shutdown board prior to core uncovery.

2

LER 296/12-003-01 For successful recovery, operators must restore HPCI to operable status (i.e.,

Operator Action Success Criteria able to perform its safety function) within 30 minutes of the loss of offsite power, postulated SBO, and subsequent failure of RCIC.

  • Loss of offsite power occurs Nominal Cues
  • RCIC fails Procedural Guidance Maintenance work instructions Diagnosis/Action This recovery contains sufficient diagnosis and action components.

Table 2. SPAR-H Evaluation of HEP for Recovery of the HPCI Pump from Maintenance.

Diagnosis / Action PSF Notes Multiplier The operators would need 10 to 15 minutes to perform the action component (i.e., to manipulate the valve, etc.) to align the HPCI pump to supply the RCS with high-pressure makeup. Therefore, the minimum time for diagnosis is approximately 15 minutes.

Therefore, available time for the diagnosis component for Time Available 1/1 30 minute recovery is assigned as Nominal Time (i.e., x1).

Since sufficient time was available to for the action component of the recovery, the available time for the action component for the all recovery times is evaluated as Nominal (i.e., x1). See Reference 5 for guidance on apportioning time between the diagnosis and action components of an HFE.

The PSF for diagnosis stress is assigned a value of High Stress (i.e., x2) due to the LOOP, the failure of RCIC, and potential unavailability of RCS depressurization (due to Stress 2/1 operator error or hardware failure).

The PSF for action stress was not determined to be a performance driver for these HFEs; and therefore, was assigned a value of Nominal (i.e., x1).

The PSF for diagnosis complexity is assigned a value of Moderately Complex (i.e., x2) because operators would have to deal with multiple equipment unavailabilities and the concurrent actions/multiple procedures during the Complexity 2/1 LOOP, the failure of RCIC, and potential unavailability of RCS depressurization.

The PSF for action complexity was not determined to be a performance driver for these HFEs; and therefore, was assigned a value of Nominal (i.e., x1).

Procedures Experience/Training No event information is available to warrant a change in Ergonomics/HMI 1/1 these PSFs (for diagnosis and action) from Nominal for Fitness for Duty these HFEs.

Work Processes 3

LER 296/12-003-01 An HEP evaluated using SPAR-H is calculated using the following formula:

Calculated HEP = (Product of Diagnosis PSFs x 0.01) + (Product of Action PSFs x 0.001)

Therefore, the failure probability for HCI-XHE-RECOVER was set to 4x10-2.

  • Basic Event RCI-TDP-TM-TRAIN (RCIC is Unavailable Because of Maintenance) was set to FALSE because the RCIC pump will not be taken out of testing or maintenance while the HPCI pump is out for maintenance (would violate Technical Specifications).
  • The offsite power was recovered to all of the Unit 3 shutdown boards in one hour and 41 minutes after the reactor trip and LOOP occurred; therefore, the default EDG and turbine-driven pump (RCIC and HPCI) mission times were changed to reflect the actual time offsite power was restored to the essential buses. Since the overall fail-to-run is made up of two separate factors, the mission times for these factors were set to the following: ZT-DGN-FR-E

= 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and ZT-TDP-FR-E = 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (base case values) and ZT-DGN-FR-L = 0.75 hours8.680556e-4 days <br />0.0208 hours <br />1.240079e-4 weeks <br />2.85375e-5 months <br /> and ZT-TDP-FR-L= 0.75 hours8.680556e-4 days <br />0.0208 hours <br />1.240079e-4 weeks <br />2.85375e-5 months <br />.

Offsite Power Recovery Analysis. The time required to restore offsite power to plant emergency equipment is a significant factor in modeling the CCDP given a LOOP. The LOOP/SBO modeling within the SPAR models include various sequence-specific power recovery factors that are based on the time available to recover offsite power to prevent core damage. Depending on the (1) availability of the turbine-driven, high-pressure injection systems (RCIC, HPCI); (2) the success or failure to depressurize the RCS; (3) the battery depletion time; the time available to restore offsite power prior to core damage during a postulated SBO for Browns Ferry, Unit 3 ranges from 30 minutes to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

In this analysis, offsite power recovery probabilities are based on:

  • Known information about when offsite power was available in the switchyard and when power was restored to the first shutdown board, and
  • A determination on whether offsite power could have been restored sooner given a postulated SBO.
  • Estimated probabilities of operators failing to realign offsite power to a shutdown board.

During the event, operators restored power to all of Unit 3 shutdown boards (from the 500 kV source) one hour and 41 minutes after the LOOP occurred. However, power from the 161 kV source was available for the entire duration of the event. To restore offsite power to one shutdown board, operators would need to determine that a LOOP occurred due to a loss of 500 kV offsite source. In addition, the operators would need to determine that offsite power was still available via the 161 kV source.

The SPAR-H Method was used to estimate non-recovery probabilities as a function of time following restoration of offsite power to the switchyard. Tables 3 and 4 provide the key qualitative information for these recovery HFEs and the PSFs adjustments required for the quantification of the HEPs using SPAR-H.

4

LER 296/12-003-01 Table 3. Qualitative Evaluation of HFEs for Recovery of Offsite Power to a Unit 3 Shutdown Board.

The definition for these recovery HFEs is the operators failing to restore offsite Definition power to a Unit 3 shutdown board via the 161 kV source within 30 minutes to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> (depending on the sequence) given a postulated LOOP or SBO.

Depending on postulated failures of the recirculation pump seals (due to unavailability of seal injection/cooling), the availability of the high-pressure Description and Event Context injection systems (HPCI, RCIC), and the time until the station batteries are depleted, operators would have between 30 minutes to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> to restore power to a Unit 3 shutdown board via the unit boards powered by the 161 kV source.

For successful recovery, operators would have to align power from a unit board to Operator Action Success Criteria a shutdown board prior to core uncovery. The time available for operators to perform this action would be a minimum of 30 minutes (given the failure of RCIC).

  • Momentary de-energization of all plant AC electrical boards resulting in de-energization of running equipment
  • EDGs start and provide power to 4160 V and 480 V shutdown boards Nominal Cues
  • Diesel Generator Start Failure annunciation
  • Reactor Scram and Main Turbine-Generator Trip
  • RPS MG Sets A and B trip resulting in all RPS trips sealed in
  • Primary and Secondary Containment Isolation 0-AOI-57-1A, Loss of Offsite Power (161 kV and 500 kV)/Station Blackout Procedural Guidance 0-AOI-57-1B, Loss of 500 kV OI-82, EDG Operations Diagnosis/Action These recovery HFEs contain sufficient diagnosis and action components.

Table 4. SPAR-H Evaluation of HEPs for Recovery of Offsite Power to a Unit 3 Shutdown Board.

Diagnosis / Action PSF Notes Multiplier The operators would need less than five minutes to perform the action component (i.e., to shut two breakers) to restore power to a shutdown board via the 161 kV offsite power source. Therefore, the minimum time for diagnosis is approximately 25 minutes.

Therefore, available time for the diagnosis component for 30 minute recovery is assigned as Nominal Time (i.e., x1).

Available time for the diagnosis component for recoveries Time Available 1 or 0.01 / 1 with at least one hour available are assigned as Expansive Time (i.e., x0.01; time available is >2 times nominal and >30 minutes).

Since sufficient time was available to for the action component of the recovery, the available time for the action component for the all recovery times is evaluated as Nominal (i.e., x1). See Reference 5 for guidance on apportioning time between the diagnosis and action components of an HFE.

5

LER 296/12-003-01 Diagnosis / Action PSF Notes Multiplier The PSF for diagnosis stress is assigned a value of High Stress (i.e., x2) due to the postulated SBO.

Stress 2/1 The PSF for action stress was not determined to be a performance driver for these HFEs; and therefore, was assigned a value of Nominal (i.e., x1).

The PSF for diagnosis complexity is assigned a value of Moderately Complex (i.e., x2) because operators would have to deal with multiple equipment unavailabilities and the concurrent actions/multiple procedures during a Complexity 2/1 postulated SBO.

The PSF for action complexity was not determined to be a performance driver for these HFEs; and therefore, was assigned a value of Nominal (i.e., x1).

Procedures Experience/Training No event information is available to warrant a change in Ergonomics/HMI 1/1 these PSFs (for diagnosis and action) from Nominal for Fitness for Duty these HFEs.

Work Processes Therefore, the failure probability for OEP-XHE-XL-NR30MHSC (Operator Fails to Recover Offsite Power in 30 Minutes) was set to 4x10-2.

In addition, the failure probabilities for OEP-XHE-XL-NR01HSC (Operator Fails to Recover Offsite Power in 1 Hour), OEP-XHE-XL-NR04HSC (Operator Fails to Recover Offsite Power in 4 Hours), OEP-XHE-XL-NR10HSC (Operator Fails to Recover Offsite Power in 10 Hours), and OEP-XHE-XL-NR12HSC (Operator Fails to Recover Offsite Power in 12 Hours) were set to 1x10-3.

ANALYSIS RESULTS Conditional Core Damage Probabilities. The point estimate conditional core damage probability (CCDP) for this event is 2.0x10-5.

The Accident Sequence Precursor Program acceptance threshold is a CCDP of 1x10-6 or the CCDP equivalent of an uncomplicated reactor trip with a non-recoverable loss of secondary plant systems (e.g., feed water and condensate), whichever is greater. This CCDP equivalent for Browns Ferry Unit 3 is 5x10-6.

Dominant Sequence. The dominant accident sequence is LOOP/SBO Sequence 28-18 (CCDP = 1.4x10-5) which contributes approximately 75% of the total internal events CCDP for Unit 1. The cutsets/sequences that contribute to the top 95% and/or at least 1% of the total internal events CCDP are provided in Appendix A.

The dominant sequence is shown graphically in Figures B-3 and B-4 in Appendix B. The events and important component failures in LOOP Sequence 28-18 are:

  • Emergency powers fails, 6

LER 296/12-003-01

  • Recirculation pump seals integrity succeeds,
  • Operators fail to recover offsite power in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, and
  • Operators fail to recover an EDG in 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.

REFERENCES

1. Browns Ferry Nuclear Plant, Unit 3, "LER 296/12-003 Automatic Reactor Scram Due to De-Energization of Reactor Protection System from Actuation of 3A Unit Station Service Transformer Differential Relay, dated November, 26 2012. (ML12333A007)
2. U.S. Nuclear Regulatory Commission, Browns Ferry Nuclear Plant - NRC Integrated Inspection Report 05000259/2012004, 05000260/2012004, and 05000296/2012004 and Notice of Enforcement Discretion, dated November 13, 2012. (ML12319A182)
3. Idaho National Laboratory, NUREG/CR-6883, The SPAR-H Human Reliability Analysis Method, August 2005 (ML051950061).
4. Idaho National Laboratory, INL/EXT-10-18533, SPAR-H Step-by-Step Guidance, May 2011 (ML112060305).

7

LER 296/12-003-01 Appendix A: Analysis Results Summary of Conditional Event Changes Cond. Nominal Event Description Value Value HCI-XHE-RECOVERY OPERATORS FAIL TO RECOVERY HPCI PUMP FROM 4.00E-2 N/A MAINTENANCE HCI-TDP-TM-TRAIN HPCI TRAIN IS UNAVAILABLE DUE TO TEST AND TRUE 1.13E-2 MAINTENANCE IE-LOOPSCa LOSS OF OFFSITE POWER INITIATOR (SWITCHYARD- 1.00E+0 1.04E-2 CENTERED)

OEP-XHE-XL-NR01HSC OPERATOR FAILS TO RECOVER OFFSITE POWER IN 1 1.00E-3 4.01E-1 HOUR (SWITCHYARD)

OEP-XHE-XL-NR04HSC OPERATOR FAILS TO RECOVER OFFSITE POWER IN 4 1.00E-3 1.02E-1 HOURS (SWITCHYARD)

OEP-XHE-XL-NR10HSC OPERATOR FAILS TO RECOVER OFFSITE POWER IN 1.00E-3 2.61E-2 10 HOURS (SWITCHYARD)

OEP-XHE-XL-NR12HSC OPERATOR FAILS TO RECOVER OFFSITE POWER IN 1.00E-3 1.90E-2 12 HOURS (SWITCHYARD)

OEP-XHE-XL-NR30MSC OPERATOR FAILS TO RECOVER OFFSITE POWER IN 4.00E-2 6.02E-1 30 MINUTES (SWITCHYARD)

RCI-TDP-TM-TRAIN RCIC PUMP TRAIN IS UNAVAILABLE BECAUSE OF FALSE 1.09E-2 MAINTENANCE ZT-DGN-FR-L DIESEL GENERATOR FAILS TO RUN 8.17E-4 1.09E-3 ZT-TDP-FR-L TURBINE DRIVEN PUMP FAILS TO RUN 1.17E-3 3.52E-2

a. All other initiating event probabilities were set to zero.

Dominant Sequences (Contribute 1% of the Total CCDP)

Name CCDP Percentage Sequence Path LOOPSC: 28-18 1.44E-05 74.6% /RPS, EPS, /SRV, /RPSL, /RCI01, OPR-04H, DGR-04H LOOPSC: 28-34-3 1.44E-06 7.5% /RPS, EPS, /SRV, RPSL, /RCI01, OPR-04H, DGR-04H LOOPSC: 25 1.42E-06 7.4% /RPS, /EPS, /SRV, HPI, DEP LOOPSC: 04 5.36E-07 2.8% /RPS, /EPS, /SRV, /HPI, SPC, /DEP, /LPI, RHR, /CVS, LI01 LOOPSC: 06 5.31E-07 2.8% /RPS, /EPS, /SRV, /HPI, SPC, /DEP, /LPI, RHR, CVS, LI LOOPSC: 24 3.29E-07 1.7% /RPS, /EPS, /SRV, HPI, /DEP, LPI, VA LOOPSC: 13 2.70E-07 1.4% /RPS, /EPS, /SRV, /HPI, SPC, DEP LOOPSC 28-30 2.22E-07 1.2% /RPS, EPS, /SRV, /RPSL, RCI01, /HCI01, OPR-04H, DGR-04H Total 1.93E-05 Referenced Fault Trees Fault Tree Description CVS CONTAINMENT VENTING DEP MANUAL REACTOR DEPRESS DGR-04H DIESEL GENERATOR RECOVERY IN 4 HRS EPS TRANSFER BRANCH SBO EXT ACTIONS TO EXTEND ECCS OPERATION HPI HIGH-PRESSURE INJECTION (RCIC or HPCI)

A-1

LER 296/12-003-01 Fault Tree Description LI LATE INJECTION LI01 BROWNS FERRY 3 LATE INJECTION FAULT TREE LPI LOW PRESSURE INJECTION (CS or LPCI)

OPR-04H OFFSITE POWER RECOVERY IN 4 HRS RCI01 REACTOR COOLANT INJECION RHR LOSS OF RESIDUAL HEAT REMOVAL SYSTEMS RPSL RECIRC PUMP SEAL INTEGRITY SPC SUPPRESSION POOL COOLING VA ALTERNATE LOW PRESS INJECTION Important Cutsets (from Dominant Sequences)

  1. CCDP Total % Cutset Description 1 9.79E-6 53.4 LOOPSC: 28-18 /RPS, EPS, /SRV, /RPSL, /RCI01, OPR-04H, DGR-04H 1.00E+0 IE-LOOPSC LOSS OF OFFSITE POWER INITIATOR (SWITCHYARD-CENTERED) 9.79E-6 ACP-CRB-CF-OPSD3 COMMON CAUSE FAILURE OF OFFSITE POWER FEED TO SHUTDOWN BOARDS 2 4.57E-6 24.9 LOOPSC: 28-18 /RPS, EPS, /SRV, /RPSL, /RCI01, OPR-04H, DGR-04H 1.00E+0 IE-LOOPSC LOSS OF OFFSITE POWER INITIATOR (SWITCHYARD-CENTERED) 4.57E-6 RSW-STR-CF-ALL RHRSW STRAINERS FAIL FROM COMMON CAUSE 3 9.79E-7 5.34 LOOPSC: 28-34-3 /RPS, EPS, /SRV, RPSL, /RCI01, OPR-04H, DGR-04H 1.00E+0 IE-LOOPSC LOSS OF OFFSITE POWER INITIATOR (SWITCHYARD-CENTERED) 9.79E-6 ACP-CRB-CF-OPSD3 COMMON CAUSE FAILURE OF OFFSITE POWER FEED TO SHUTDOWN BOARDS 1.00E-1 RRS-MDP-LK-SEALS RECIRCULATION PUMP SEALS FAIL 4 5.00E-7 2.73 LOOPSC: 04 /RPS, /EPS, /SRV, /HPI, SPC, /DEP, /LPI, RHR, /CVS, LI01 1.00E+0 IE-LOOPSC LOSS OF OFFSITE POWER INITIATOR (SWITCHYARD-CENTERED) 1.00E-3 OPR-XHE-XM-LI01 OPERATOR FAILS TO START/CONTROL LATE INJECTION 5.00E-4 RHR-XHE-XM-ERROR OPERATOR FAILS TO START/CONTROL RHR 5 5.00E-7 2.73 LOOPSC: 06 /RPS, /EPS, /SRV, /HPI, SPC, /DEP, /LPI, RHR, CVS, LI 1.00E+0 IE-LOOPSC LOSS OF OFFSITE POWER INITIATOR (SWITCHYARD-CENTERED) 1.00E-3 CVS-XHE-XM-VENT OPERATOR FAILS TO VENT CONTAINMENT 5.00E-4 RHR-XHE-XM-ERROR OPERATOR FAILS TO START/CONTROL RHR 6 4.57E-7 2.49 LOOPSC: 28-34-3 /RPS, EPS, /SRV, RPSL, /RCI01, OPR-04H, DGR-04H 1.00E+0 IE-LOOPSC LOSS OF OFFSITE POWER INITIATOR (SWITCHYARD-CENTERED) 1.00E-1 RRS-MDP-LK-SEALS RECIRCULATION PUMP SEALS FAIL 4.57E-6 RSW-STR-CF-ALL RHRSW STRAINERS FAIL FROM COMMON CAUSE A-2

LER 296/12-003-01

  1. CCDP Total % Cutset Description 7 3.80E-7 2.07 LOOPSC: 25 /RPS, /EPS, /SRV, HPI, DEP 1.00E+0 IE-LOOPSC LOSS OF OFFSITE POWER INITIATOR (SWITCHYARD-CENTERED) 5.00E-4 ADS-XHE-XM-MDEPR OPERATOR FAILS TO DEPRESSURIZE THE REACTOR 4.00E-2 HCI-XHE-RECOVERY OPERATORS FAIL TO RECVOVER HPCI PUMP FROM MAINTENANCE 1.90E-2 RCI-XHE-XE-MISCAL RCIC FAILS FROM MISCALIBRATION OF RUPTURE DISC 8 2.50E-7 1.36 LOOPSC: 13 /RPS, /EPS, /SRV, /HPI, SPC, DEP 1.00E+0 IE-LOOPSC LOSS OF OFFSITE POWER INITIATOR (SWITCHYARD-CENTERED) 5.00E-4 ADS-XHE-XM-MDEPR OPERATOR FAILS TO DEPRESSURIZE THE REACTOR 5.00E-4 RHR-XHE-XM-ERROR OPERATOR FAILS TO START/CONTROL RHR 9 1.71E-7 0.93 LOOPSC: 25 /RPS, /EPS, /SRV, HPI, DEP 1.00E+0 IE-LOOPSC LOSS OF OFFSITE POWER INITIATOR (SWITCHYARD-CENTERED) 5.00E-4 ADS-XHE-XM-MDEPR OPERATOR FAILS TO DEPRESSURIZE THE REACTOR 1.50E-1 HCI-MOV-CC-IVFRO HPCI INJECTION VALVE FAILS TO REOPEN 1.50E-1 HCI-MULTIPLE-INJECT MULTIPLE HPCI INJECTIONS REQUIRED 8.00E-1 HCI-XHE-XL-INJECT OPERATOR FAILS TO RECOVER HPCI INJECT MOV FAILURE TO REOPEN 1.90E-2 RCI-XHE-XE-MISCAL RCIC FAILS FROM MISCALIBRATION OF RUPTURE DISC 10 1.30E-7 0.71 LOOPSC: 25 /RPS, /EPS, /SRV, HPI, DEP 1.00E+0 IE-LOOPSC LOSS OF OFFSITE POWER INITIATOR (SWITCHYARD-CENTERED) 5.00E-4 ADS-XHE-XM-MDEPR OPERATOR FAILS TO DEPRESSURIZE THE REACTOR 4.00E-2 HCI-XHE-RECOVERY OPERATORS FAIL TO RECVOVER HPCI PUMP FROM MAINTENANCE 6.49E-3 RCI-TDP-FS-TRAIN RCIC PUMP FAILS TO START 11 1.12E-7 0.61 LOOPSC: 25 /RPS, /EPS, /SRV, HPI, DEP 1.00E+0 IE-LOOPSC LOSS OF OFFSITE POWER INITIATOR (SWITCHYARD-CENTERED) 5.00E-4 ADS-XHE-XM-MDEPR OPERATOR FAILS TO DEPRESSURIZE THE REACTOR 4.00E-2 HCI-XHE-RECOVERY OPERATORS FAIL TO RECVOVER HPCI PUMP FROM MAINTENANCE 5.59E-3 RCI-TDP-FR-TRAIN RCIC PUMP FAILS TO RUN GIVEN THAT IT STARTED 12 6.36E-8 0.35 LOOPSC: 28-30 /RPS, EPS, /SRV, /RPSL, RCI01, /HCI01, OPR-04H, DGR-04H 1.00E+0 IE-LOOPSC LOSS OF OFFSITE POWER INITIATOR (SWITCHYARD-CENTERED) 9.79E-6 ACP-CRB-CF-OPSD3 COMMON CAUSE FAILURE OF OFFSITE POWER FEED TO SHUTDOWN BOARDS 6.49E-3 RCI-TDP-FS-TRAIN RCIC PUMP FAILS TO START 13 6.17E-8 0.34 LOOPSC: 25 /RPS, /EPS, /SRV, HPI, DEP 1.00E+0 IE-LOOPSC LOSS OF OFFSITE POWER INITIATOR (SWITCHYARD-CENTERED) 5.00E-4 ADS-XHE-XM-MDEPR OPERATOR FAILS TO DEPRESSURIZE THE REACTOR 6.49E-3 HCI-TDP-FS-TRAIN HPCI PUMP FAILS TO START 1.90E-2 RCI-XHE-XE-MISCAL RCIC FAILS FROM MISCALIBRATION OF RUPTURE DISC A-3

LER 296/12-003-01

  1. CCDP Total % Cutset Description 14 6.00E-8 0.33 LOOPSC: 25 /RPS, /EPS, /SRV, HPI, DEP 1.00E+0 IE-LOOPSC LOSS OF OFFSITE POWER INITIATOR (SWITCHYARD-CENTERED) 5.00E-4 ADS-XHE-XM-MDEPR OPERATOR FAILS TO DEPRESSURIZE THE REACTOR 4.00E-2 HCI-XHE-RECOVERY OPERATORS FAIL TO RECVOVER HPCI PUMP FROM MAINTENANCE 1.50E-1 RCI-RESTART RESTART OF RCIC IS REQUIRED 8.00E-2 RCI-TDP-FS-RSTRT RCIC FAILS TO RESTART GIVEN START AND SHORT-TERM RUN 2.50E-1 RCI-XHE-XL-RSTRT OPERATOR FAILS TO RECOVER RCIC FAILURE TO RESTART 15 5.84E-8 0.32 LOOPSC: 25 /RPS, /EPS, /SRV, HPI, DEP 1.00E+0 IE-LOOPSC LOSS OF OFFSITE POWER INITIATOR (SWITCHYARD-CENTERED) 5.00E-4 ADS-XHE-XM-MDEPR OPERATOR FAILS TO DEPRESSURIZE THE REACTOR 1.50E-1 HCI-MOV-CC-IVFRO HPCI INJECTION VALVE FAILS TO REOPEN 1.50E-1 HCI-MULTIPLE-INJECT MULTIPLE HPCI INJECTIONS REQUIRED 8.00E-1 HCI-XHE-XL-INJECT OPERATOR FAILS TO RECOVER HPCI INJECT MOV FAILURE TO REOPEN 6.49E-3 RCI-TDP-FS-TRAIN RCIC PUMP FAILS TO START 16 5.47E-8 0.3 LOOPSC: 28-30 /RPS, EPS, /SRV, /RPSL, RCI01, /HCI01, OPR-04H, DGR-04H 1.00E+0 IE-LOOPSC LOSS OF OFFSITE POWER INITIATOR (SWITCHYARD-CENTERED) 9.79E-6 ACP-CRB-CF-OPSD3 COMMON CAUSE FAILURE OF OFFSITE POWER FEED TO SHUTDOWN BOARDS 5.59E-3 RCI-TDP-FR-TRAIN RCIC PUMP FAILS TO RUN GIVEN THAT IT STARTED 17 5.31E-8 0.29 LOOPSC: 25 /RPS, /EPS, /SRV, HPI, DEP 1.00E+0 IE-LOOPSC LOSS OF OFFSITE POWER INITIATOR (SWITCHYARD-CENTERED) 5.00E-4 ADS-XHE-XM-MDEPR OPERATOR FAILS TO DEPRESSURIZE THE REACTOR 5.59E-3 HCI-TDP-FR-TRAIN HPCI PUMP TRAIN FAILS TO RUN GIVEN IT STARTED 1.90E-2 RCI-XHE-XE-MISCAL RCIC FAILS FROM MISCALIBRATION OF RUPTURE DISC 18 5.03E-8 0.27 LOOPSC: 25 /RPS, /EPS, /SRV, HPI, DEP 1.00E+0 IE-LOOPSC LOSS OF OFFSITE POWER INITIATOR (SWITCHYARD-CENTERED) 5.00E-4 ADS-XHE-XM-MDEPR OPERATOR FAILS TO DEPRESSURIZE THE REACTOR 1.50E-1 HCI-MOV-CC-IVFRO HPCI INJECTION VALVE FAILS TO REOPEN 1.50E-1 HCI-MULTIPLE-INJECT MULTIPLE HPCI INJECTIONS REQUIRED 8.00E-1 HCI-XHE-XL-INJECT OPERATOR FAILS TO RECOVER HPCI INJECT MOV FAILURE TO REOPEN 5.59E-3 RCI-TDP-FR-TRAIN RCIC PUMP FAILS TO RUN GIVEN THAT IT STARTED A-4

LER 296/12-003-01

  1. CCDP Total % Cutset Description 19 3.98E-8 0.22 LOOPSC: 25 /RPS, /EPS, /SRV, HPI, DEP 1.00E+0 IE-LOOPSC LOSS OF OFFSITE POWER INITIATOR (SWITCHYARD-CENTERED) 5.00E-4 ADS-XHE-XM-MDEPR OPERATOR FAILS TO DEPRESSURIZE THE REACTOR 4.00E-2 HCI-XHE-RECOVERY OPERATORS FAIL TO RECVOVER HPCI PUMP FROM MAINTENANCE 7.97E-3 RCI-MOV-FC-XFER RCIC FAILS TO TRANSFER DURING RECIRCULATION 2.50E-1 RCI-XHE-XL-XFER OPERATOR FAILS TO RECOVER SUCTION TRANSFER FAILURE A-5

LER 296/12-003-01 Appendix B: Modified Fault Trees and Key Event Trees HPCI HCI HPCI WATER SUPPLIES ARE HPCI FLOW CONTROL HPCI PUMP TRAIN IS UNAVAILABLE FEEDWATER CHECK VALVES FAIL UNAVAILABLE FROM COMMON CAUSE HCI-1 HPCI-CTL Ext HCI-2 MFW-CKV-CF-FEED 6.14E-07 BROWNS FERRY 3 MOV BOARD 3A FEEDWATER CHECK VALVE 3-558 FAULT TREE FAILS TO OPEN DCP-RMOV3A Ext FAILURE OF THE HPCI INJECTION HPCI Train Is Unavailable Because of HPCI FAILS TO RUN HPCI FAILS TO START MFW-CKV-CC-TRNA 1.07E-05 VALVE TO REOPEN Maintenance OPERATOR FAILS TO START/CONTROL HCI INJECTION HCI-7 HCI-8 HCI-5 HCI-4 HCI-XHE-XO-ERROR 1.00E-03 MISCALIBRATION OF HPCI EXHAUST PRESSURE INSTRUMENTATION HPCI TRAIN IS UNAVAILABLE BECAUSE OF MAINTENANCE HCI-XHE-XE-MISCAL 1.70E-03 HCI-TDP-TM-TRAIN 1.13E-02 OPERATORS FAIL TO RECVOVER HPCI PUMP FROM MAINTENANCE HCI-XHE-RECOVERY 1.00E+00 Figure B-1. Modified HPCI fault tree (HCI).

BROWNS FERRY 3 HPCI SYSTEM FAULT TREE HCI01 HPCI FLOW CONTROL HPCI PUMP TRAIN IS UNAVAILABLE HPCI WATER SUPPLIES ARE FEEDWATER CHECK VALVES FAIL UNAVAILABLE FROM COMMON CAUSE HPCI-CTL Ext HCI01-2 HCI01-1 MFW-CKV-CF-FEED 6.14E-07 BROWNS FERRY 3 MOV BOARD 3A FEEDWATER CHECK VALVE 3-558 FAULT TREE FAILS TO OPEN DCP-RMOV3A Ext HPCI TRAIN IS UNAVAILABLE DUE HPCI FAILS TO START HPCI FAILS TO RUN MFW-CKV-CC-TRNA 1.07E-05 TO MAINTENANCE OPERATOR FAILS TO START/CONTROL HCI INJECTION HCI01-7 HCI01-4 HCI01-5 HCI-XHE-XO-ERROR 1.00E-03 HPCI TRAIN IS UNAVAILABLE HPCI FAILS TO START OPERATOR FAILS TO RECOVER BECAUSE OF MAINTENANCE HPCI FAILURE TO START HCI-TDP-TM-TRAIN 1.13E-02 HCI01-6 HCI-XHE-XL-START True OPERATORS FAIL TO RECVOVER HPCI PUMP FROM MAINTENANCE HCI-XHE-RECOVERY 1.00E+00 Figure B-2. Modified HPCI fault tree (HCI01).

B-1

LER 296/12-003-01 LOSS OF OFFSITE POWER REACTOR SHUTDOWN TRANSFER BRANCH SBO SRV'S CLOSE HIGH PRESSURE INJECTION SUPPRESSION POOL MANUAL REACTOR LOW PRESSURE INJECTION ALTERNATE LOW PRESS LOSS OF RESIDUAL HEAT CONTAINMENT VENTING LATE INJECTION # End State INITIATOR (SWITCHYARD- (RCIC or HPCI) COOLING DEPRESS (CS or LPCI) INJECTION REMOVAL SYSTEMS (Phase - CD)

CENTERED)

IE-LOOPSC RPS EPS FTF-SBO SRV HPI SPC DEP LPI VA RHR CVS LI 1 OK 2 OK 3 OK LI01 4 CD 5 OK 6 CD 7 OK 8 OK LI02 9 CD RH1 10 OK 11 CD 12 CD 13 CD 14 OK 15 OK LI01 16 CD 17 OK 18 CD 19 OK 20 OK LI02 21 CD RH1 22 OK 23 CD 24 CD 25 CD P1 26 LOOP-1 P2 27 LOOP-2 28 SBO 29 ATWS 30 CD Figure B-3. Browns Ferry Nuclear Plant, Unit 3 LOOP event tree.

B-2

LER 296/12-003-01 TRANSFER BRANCH SBO SRV'S CLOSE RECIRC PUMP SEAL RCIC HPCI ACTIONS TO EXTEND ECCS MANUAL REACTOR FIREWATER INJECTION OFFSITE POWER RECOVERY DIESEL GENERATOR CONTAINMENT VENTING LATE INJECTION # End State INTEGRITY OPERATION DEPRESS RECOVERY (Phase - CD)

EPS FTF-SBO SRV RPSL RCI HCI EXT DEP01 FTF-SBO FWS OPR DGR CVS LI 1 @SBO-OP 2 OK 3 OK OPR-12H LI-EXT 4 CD DGR-12H 5 OK CVS01 6 CD 7 @SBO-OP 8 OK 9 OK OPR-12H LI02 10 CD DGR-12H 11 OK CVS01 12 CD 13 @SBO-OP 14 OK OPR-04H DGR-04H 15 CD 16 @SBO-OP 17 OK OPR-04H DGR-04H 18 CD 19 @SBO-OP 20 OK 21 OK OPR-12H LI02 22 CD DGR-12H 23 OK CVS01 24 CD 25 @SBO-OP RCI01 26 OK OPR-04H DGR-04H 27 CD 28 @SBO-OP 29 OK OPR-04H DGR-04H 30 CD 31 @SBO-OP HCI01 32 OK OPR-30M DGR-30M 33 CD 34 SBO-1 P1 35 SBO-1 P2 36 SBO-2 Figure B-4. Browns Ferry Nuclear Plant, Unit 3 SBO event tree.

B-3

Retrieved from "https://kanterella.com/w/index.php?title=ML13115A955&oldid=2544425"