ML13182A031

From kanterella
Jump to navigation Jump to search
Transmittal of Final Byron Station, Unit 2, Accident Sequence Precursor Analysis
ML13182A031
Person / Time
Site: Byron Constellation icon.png
Issue date: 07/03/2013
From: Joel Wiebe
Plant Licensing Branch III
To: Pacilio M
Exelon Generation Co
Joel Wiebe, NRR/DORL 415-6606
References
Download: ML13182A031 (19)
v  d  e


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 July 3, 2013 Mr. Michael J. Pacilio Senior Vice President Exelon Generation Company, LLC President and Chief Nuclear Officer (CNO)

Exelon Nuclear 4300 Winfield Road Warrenville, IL 60555

SUBJECT:

BYRON STATION, UNIT NO.2 - TRANSMITTAL OF FINAL BYRON STATION, UNIT 2, ACCIDENT SEQUENCE PRECURSOR ANALYSIS

Dear Mr. Pacilio:

The enclosure provides the final results of an accident sequence precursor (ASP) analysis of an operational event that occurred at Byron Station, Unit 2 on January 30,2012. The U.S. Nuclear Regulatory Commission (NRC) requested a formal analysis review from the licensee in accordance with NRC Issue Summary 2006-24, "Revised Review and Transmittal Process for Accident Sequence Precursor Analyses," because the analysis had a preliminary conditional core damage probability (CCDP) greater than 1 x10-4.

Comments from the licensee were incorporated into the analysis, as determined appropriate.

The ASP Program continues to systematically review licensee event reports (LERs) and all other event reporting information [e.g., inspection reports] for potential precursors, and to analyze those events which have the potential to be precursors. The complete summary of Fiscal Year 2012 ASP events will be provided in the upcoming Commission paper on the status of the ASP Program and Standardized Plant Analysis Risk (SPAR) Models due to be issued in October 2013.

If you have any questions, please contact me at (301) 415-6606.

Sincerely, el S. Wiebe, Senior Project Manager lant Licensing Branch 111-2 Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket No. STN 50-455

Enclosure:

Final Accident Sequence Precursor Analysis

Transformer and Breaker Failures Cause Loss of Offsite Byron Station, Unit 2 Power, Reactor Trip, and De-Energized Safety Buses LER: 454/12-001-01 1x10-4 Event Date: 01130/2012 CCDP=

IR: 50-455/12-08 EVENT

SUMMARY

Event Description. At 10:01 on January 30, 2012, Byron Station, Unit 2 experienced an event, in which the 4.16 kV engineered safety feature (ESF) buses were not energized by an operable power source for eight minutes. The event was initiated by a mechanical failure of an electrical insulator in the 345 kV switchyard. The failed insulator caused the loss of one of three electrical phases (Phase "C") supplying 345 kV offsite power to the Unit 2 station auxiliary transformers (SATs). Following the insulator failure, the reactor automatically tripped from full power due to an under-voltage condition on 6.9 kV Buses 258 and 259 that supply power to two of four reactor coolant pumps (RCPs). About 30 seconds after the reactor trip, the power source for 6.9 kV Buses 256 and 257 and 4 kV Buses 243 and 244 automatically fast transferred from the unit auxiliary transformers (UATs) to the SATs, as designed. As a result, the remaining two RCPs tripped on an over-current condition due to the increased current flow through the "A" and "B" phases.

The loss of Phase C, however, did not result in an automatic under-voltage protection signal for either 4 kV ESF Buses 241 or 242, because the buses under-voltage protection scheme did not provide adequate protection from a single phase loss of either Phase "A" or "C". As a result, all running equipment powered by Buses 241 and 242 had tripped. This included the charging pumps which supply RCP seal injection, the component cooling water (CCW) pumps, system which supply thermal barrier heat exchanger cooling to the RCP seals, and the essential service water (ESW) pumps. These conditions existed until operators manually opened (from the main control room) the SAT feeder breakers about eight minutes after the event had initiated.

Following the opening of the SAT feeder breakers. both emergency diesel generators (EDGs) started and loaded supplying power to Buses 241 and 242, as designed. The Operations crew declared a Notice of Unusual Event (NOUE) at 10:18 for a loss of offsite power (LOOP) to essential buses for greater than 15 minutes.

No significant degradation to the RCP seals occurred based on the manual action occurring within the time it would have taken for the RCP seal water volume to deplete (about 13 minutes). Reactor decay heat was removed utilizing the diesel-driven auxiliary feedwater (AFW) pump and steam generator (SG) power operated relief valves (PORVs) while the primary system cooled down in the natural circulation mode of operation. On January 31, 2012, Unit 2 entered Mode 5 (Le., Cold Shutdown). The licensee remained in the UE until repairs were completed and the Unit 2 SATs were returned to their normal alignment on January 31,2012.

Additional event details are provided in References 1 and 2.

Enclosure 1

LER 454/12-001-01 Sequence of Key Events. The following table provides a sequence of key events (Reference 2):

January 30. 2012

-1001 :54 An insulator stack supporting the Phase "c" Conductor for 345 kV Bus 13 that n

supplies power to the Unit 2 SATs breaks, resulting in an open Phase "C Conductor.

1001 :55 Non-safety related (NSR) 6.9 kV RCP Buses 258 and 259 supplied by the Unit 2 SATs are affected by the open Phase "cn. Unit 2 reactor protection system senses the RCP bus under-voltage and initiates an automatic reactor trip.

1001 :55 Unit 2 ESF Buses 241 and 242 supplied by the Unit 2 SATs are affected by the open Phase "C". However, due to the design of the under-voltage protection logic, a bus under-voltage protection signal is not processed and Buses 241 and 242 remain energized with the Phase A-B at nominal 4000 Vac, the Phase A-C at about 2400 Vac, and the Phase B-C at about 2400 Vac.

1001 :56 ESW Pump 2A low discharge pressure annunciator alarm is received due to an over-current trip of the pump.

1001 :56 AFW Pumps 2A (motor-driven) and 2B (diesel-driven) receive auto-start signals as designed due to the RCP bus under-voltage condition. AFW Pump 2B starts and operates as designed. AFW Pump 2A is unable to start and run due to the under-voltage condition.

1001 :59 Over-current trip of the running CCW Pump 2A; CCW Pump 2B is unable to start and run due to the under-voltage condition. A loss of cooling to all four RCP thermal barrier heat exchangers occurs.

-1002 Unit 2 operators enter procedure 2BEP-0, "Reactor Trip or Safety Injection."

1002:00 Over-current trip of the running Centrifugal Charging (CC) Pump 2B.

1002:01....(12 RCP seal injection flow annunciator alarms received for RCPs 2A, 2B, 2C, and 20 indicating a loss of RCP seal injection to all four RCPs.

1002:02....(13 Over-current trip of the running Condensate/Condensate Booster Pumps 2A, 2B, and 20.

1002:05 Over-current trip of the running auxiliary building supply fan.

1002:13 Over-current trip of the running auxiliary building exhaust fan.

1002:32 Main generator reverse power trip occurs and generator output breakers 10-11 and 11-12 trip open.

1002:33 NSR Buses 243 and 244 supplied by the Unit 2 UATs trip upon the main generator reverse power trip. NSR loads including Circulating water pumps, feedwater pumps, a reactor cavity fan, station air compressors, control rod drive mechanism booster and exhaust fans, and heater drain pumps de-energize.

NSR 6.9 kV Buses 256 and 257 automatically transfer from the Unit 2 UATs to the (degraded) SATs as designed. With Phase "C" open, the current flow on Phases "AI! and "B" increase.

1002:35 Over-current trip of RCPs 2C and 20.

2

LER 454/12-001-01 1002:43 ESF Bus 241 low voltage alarm is received in the main control room for about 2 seconds then clears.

1003:13 Over-current trip of RCPs 2A and 2B.

-1004 Operators attempt to start the ESW Pump 2B, but the pump fails to start.

1004:54 Operators start the ESW Pump 1A and open the Unit 1 to Unit 2 cross-connect valves to supply ESWfrom Unit 1 to Unit 2.

-1009-1010 Based upon a field report of smoke from the Unit 2 SATs 242-1 and 242-2, and a suspected electrical issue, operators open the SAT 242-1 and SAT 242-2 feeder breakers to ESF Buses 241 and 242, and NSR Buses 243 and 244.

1009:48 ESF Bus 241 is electrically isolated following the manual operator action. Under voltage logic is satisfied and an under-voltage signal is processed. EDG 2A starts and restores power to ESF Bus 241 in about 6-8 seconds. Safe shutdown loads begin to automatically sequence onto ESF Bus 241.

1010:07 ESF Bus 242 is electrically isolated following the manual operator action. Under voltage logic is satisfied and an under-voltage signal is processed. EDG 2B starts and restores power to ESF Bus 242 in about 6-8 seconds. Safe shutdowns loads begin to automatically sequence onto ESF Bus 242.

1009:56 CCW Pump 2A automatically starts and runs.

1010:15 CCW Pump 2B automatically starts and runs.

1010:16 CC Pump 2A automatically starts and runs. Seal cooling is restored to the RCP seals.

1018 Byron Station declares a Unit 2 NOUE due to the loss of offsite power to ESF Buses 241 and 242 for greater than 15 minutes.

1023 The licensee requests offsite assistance from the Byron Fire Department based upon the report of smoke from the Unit 2 SATs.

1048 The Byron Fire Department arrives and is available as a resource. No actual fire occurred. The smoke from the Unit 2 SATs was caused by a sudden heat up of the SAT windings due to an electrical current inrush following the insulator failure.

1026 NSR Bus 243 is energized from ESF Bus 241, and NSR Bus 244 is energized from ESF Bus 242. Operators begin restoring NSR loads in accordance with licensee procedures.

1039 The licensee notifies the NRC Headquarters Operations Center of the Unit 2 reactor trip, loss of offsite power, and NOUE emergency declaration.

1041 The Unit 2 SAT high side windings are de-energized by the opening of switchyard Breakers 7-13 and 12-13 and associated motor-operated disconnects.

1048 The Unit 2 main steam isolation valves are closed in accordance with licensee procedure due to the loss of main condenser circulating water flow and the Unit 2 shutdown condition.

1100 Operators enter procedure 2BEP ESO.2, "Natural Circulation Cooldown."

3

LER 454/12-001-01 1320 The Operations Field Supervisor completes an investigation of water reportedly spraying onto RHR Pump 2A. The assessment concludes that the water spray does not impact the ability of the pump to start and operate.

2201 Unit 2 enters Mode 4.

January 31! 2012 1233 Operators place Unit 2 in shutdown cooling using the RHR Pump 2B.

1428 Unit 2 enters Mode 5 2000 The Byron NOUE is terminated following the completion of a Unit 2 SAT functionality assessment and physical restoration of the Unit 2 SATs supplying power to ESF Buses 241 and 242.

MODELING ASSUMPTIONS Analysis Type. The Byron Station Standardized Plant Analysis Risk (SPAR) model for Units 1 and 2 created in April 2012 was used for this event analysis. This event was modeled as a switchyard-related LOOP initiating event. The Byron SPAR model is designed to represent Unit 1; however, due the similarities between the units, the model was used for analysis of this Unit 2 event. Therefore, in some cases, Unit 1 basic events are used to represent Unit 2 components.

Analysis Rules. The ASP program uses Significance Determination Process results for degraded conditions when available. However, the ASP Program performs independent analysis for initiating events.

Key Modeling Assumptions. The following modeling assumptions were determined to be vital to this event analysis:

  • This analYSis models the January 30, 2012 Unit 2 reactor trip at Byron Station as a switchyard-related LOOP initiating event.
  • The Unit 2 SAT feeder breakers remained closed, thus preventing the Unit 2 EDGs from automatically starting and loading onto their respective ESF buses. This analysis credits the operator action to isolate the SATs from the ESF buses, and thus restoring power via the EDGs, by opening the SAT feeder breakers. Operators successfully performed this action in approximately eight minutes during the event.
  • The Unit 2 offsite power source was not available for approximately 34 hours3.935185e-4 days <br />0.00944 hours <br />5.621693e-5 weeks <br />1.2937e-5 months <br /> after the LOOP occurred, when the failed insulator was replaced, electrical lines were reconnected and an assessment of the SAT condition concluded that it was acceptable to re-energize.

However, offsite power from Unit 1 could be cross-connected almost immediately after the event occurred. The steps needed to align the Unit 1 offsite power source to Unit 2 include the opening of the Unit 2 SAT feeder breakers. Since the operator action of opening the SAT feeder breakers is already modeled in this analysis the inclusion of additional action to cross-connect the Unit 1 offsite power to Unit 2 was not explicitly modeled as part of this analysis. However, this additional method of recovery was factored into the Recovery AnalysiS and Sensitivity Analyses described later in this report.

4

LER 454/12-001-01

  • Prior to the event, EDG 2B was in an available, but inoperable (in terms of Technical Specifications), status prior as a result of maintenance that had recently been completed.

On the morning of January 31,2012, inspectors observed slight speed and frequency oscillations of EDG 2B. It was determined that these frequency oscillations did not prevent EDG 2B from performing its safety function during this event; therefore, no modifications to EDG 2B reliability were made for this analysis.

  • The battery chargers are assumed to be unavailable due to the loss of Phase "C". The battery chargers did supply some dc power during the first eight minutes of the event, but it is expected that the breakers to chargers would soon trip and/or the batteries would be supplying most of the dc load.

Basic Event Probability Changes. The following initiating event frequencies and basic event probabilities were modified for this event analysis:

  • The switchyard-related LOOP initiating event probability (IE-LOOPSC) was set 1.0 to represent the operational event that occurred at Byron Station; Unit 2 on January 30,2012.

All other initiating events probabilities were set to zero.

  • ACP-TFM-FC-SAT1421 (System Auxiliary Transformer 142-1 Fails) and ACP-TFM-FC SAT1422 (System Auxiliary Transformer 142-2 Fails) were set to TRUE because both Unit 2 SATs were inoperable due to the insulator failure causing a loss of Phase "C".1
  • The LOOP event was limited to Unit 2; therefore, basic events OEP-VCF-LP-SNGLSC (Single Unit LOOP Switchyard-Related) was set to TRUE and OEP-VCF-LP-SITESC (Site LOOP Switchyard-Re/ated) was set to FALSE.
  • The non-recovery probability for basic events OEP-XHE-XL-NR01 HSC (Operator Fails to Recover Offsite Power in 1 HourJ, OEP-XHE-XL-NR02HSC (Operator Fails to Recover Offsite Power in 2 Hours), OEP-XHE-XL-NR03HSC (Operator Fails to Recover Offsite Power in 3 Hours), and OEP-XHE-XL-NRD4HSC (Operator Fails to Recover Offsite Power in 4 Hours) were set to TRUE because oftsite power recovery to an emergency bus via the Unit 2 oftsite power was not possible until approximately 34 hours3.935185e-4 days <br />0.00944 hours <br />5.621693e-5 weeks <br />1.2937e-5 months <br /> after the LOOP occurred.

Cross-connecting the Unit 1 oftsite power source to Unit 2 was not credited (see Key Modeling Assumptions for additional details).

Recovery Analysis. In this analysis, the potential for operators to open the Unit 2 SAT feeder breakers, thus allowing the EDGs to automatically start and load onto the ESF buses. prior to core damage was modeled. Depending on the availability of the diesel-driven AFW pump, the occurrence and size of a potential seal RCP loss-of-coolant accident (LOCA). and the time to battery depletion, the time to core damage during a loss of all power to the ESF buses for Byron. Unit 2 ranges from 1 to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. For this analYSis. the base SPAR model Emergency Power System (EPS) recovery events (i.e., sequence-specific EDG recovery events) were used to represent operators' ability to open the Unit 2 SAT feeder breakers to restore power to the ESF buses prior to core damage.

The basic events applicable to the unavailabilities of the Unit 1 SATs are used to represent the failures of the Unit 2 SA Ts in this analysis.

5

LER 454/12-001-01 The applicable human failure events (HFEs) for this analysis are EPS-XHE-XL-NR01 H (Operator Fails to Open the SAT Feeder Breakers in 1 Hour'), EPS-XHE-XL-NR02H (Operator Fails to Open the SAT Feeder Breakers in 2 Hours), EPS-XHE-XL-NR03H (Operator Fails to Open the SA T Feeder Breakers in 3 Hours), and EPS-XHE-XL-NR04H (Operator Fails to Open the SAT Feeder Breakers in 4 Hours).2 In addition to these recovery events, potential recovery (Le., opening the Unit 2 SAT feeder breakers) prior to Reps seals being challenged due to the loss of injection and cooling within 13 minutes needs to modeled to ensure the validity of the sequences and cutsets. 3 Therefore, an additional HFE, EPS-XHE-XL-NR13M (Operator Fails to Open the SAT Feeder Breakers in 13 Minutes), was added to EPS Fault Tree (see Figure 1).4 EMERGENCY POWER EPS FAIWRE OF AC DIVISIONS OPERATOR FAILS TO OPEN SAT FEEct:R BREAKERS IN 13 MINUTES EPS2 EPS-XHE-XL-NR13M IIgnore 0

~

DIVISION 1A AC POWER SYS1EM ACP-1A-AC IExt DIVISION 18 AC POWER SYSTEM ACP-1&AC IExt D

Figure 1. Modified EPS Fault Tree for Byron, Unit 2.

With the addition of EPS-XHE-XL-NR13M, the Byron, Unit 2 SPAR model now has two HFEs (i.e., prior to 13 minutes and prior to core damage) that represent one recovery action (Le., to restore power to the ESF buses).5 Therefore, the applicable human error probabilities (HEPs) for these two HFEs must be evaluated and quantified as a jOint recovery action. This joint HEP was evaluated and quantified using SPAR-H Method (References 4 and 5).

2 The descriptions of these four basic events were changed to indicate that the opening SAT feeder breakers was required to restore power to the ESF buses via the EDGs.

3 The Westinghouse Owners Group 2000 Rep Seat Model (Reference 3) assumes that if both seal cooling and injection are lost, the Rep seals will experience voiding conditions in approximately 13 minutes (based on the Rep purge volume and average seal leak-off rates).

4 The Unit 1 EPS fault tree and its associated basic events is used in this analysis to represent the Unit 2 EPS components in this analysis.

5 There are not really two opportunities for operators to open the SAT feeder breakers. Rather there is one continuous opportunity for operators to open the SAT feeder breakers prior to core damage.

6

LER 454/12*001-01 Tables 1 and 2 provide the key qualitative information for this recovery and the performance shaping factor (PSFs) adjustments required for the HEP quantification using SPAR-H.

Table 1. Qualitative Evaluation of Joint HFE for Overall The definition for overall recovery is the operators failing to open the feeder breakers for the Unit 2 SATs within 1 to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> (depending on the sequence).

Depending on postulated failures of the RCP seals (due to unavailability of seal injection/cooling). the availability of the diesel-driven AFW pump. and the time until the station batteries are depleted. operators would have between 1-4 hours to open the SAT feeder breakers prior to core uncovery.

For successful recovery. operators would have to open SAT feeder breakers (from the control room) with sufficient time for the EDGs to start and load to their respective ESF buses prior to core uncovery. The time available for operators to perform this action would be a minimum of 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> (given the failure of the diesel driven AFW pump). The dominant sequences have a time available equal to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> (Le .* the time to battery depletion given successful operation of the diesel driven AFW pump with or without the failure of the Stage 2 RCP seals).

  • ESF Bus Alive Lights not lit; however. these lights remained energized during the event because two of the three phases were energized.
  • No voltage indicated on ESF buses. The voltage of all three phases are checked as standard operator practice per Step 21 of Procedure 2BOSR 0.1 1.2.3 as part ofthe bus voltage checks. Phase A-B indicated it was its nominal voltage (Le.* 4000 V), while Phase A-C and Phase B-C indicted about 2400 V.
  • Deenergized safety equipment (e.g., EDGs, CCW, and charging).
  • Inability to manually start Unit 2 ESW pump.

The procedure for the Bus 241 Overload or Voltage Low Annunciator is the only procedure available that discusses tripping the SAT feeder breakers to a safety buses. However, the annunciator did not alarm during the event; and therefore, the procedure entry conditions were not met.

This recovery action contains sufficient diagnosis and action components.

7

LER 454/12-001-01 The operators would need minimal time << 1 minute) to open the SAT feeder breakers from the control room.

Minimal time is needed for an EDG to'start and load to its respective safety bus, and safety equipment to be sequenced onto the EDG << 1 minute). Therefore, a minimum of 58 minutes was available for operators to diagnose the need to open the SAT breakers prior to core uncovery. Therefore, available time for the diagnosis Time Available 0.01/1 component for the overall recovery is assigned as Expansive Time (i.e., xO.01; time available is >2 times nominal and >30 minutes).

Sufficient time was available to open the SAT feeder breakers; therefore, the available time for the action component for the overall recovery is evaluated as Nominal (Le., x1). See Reference 5 for guidance on apportioning time between the diagnosis and action components of an HFE.

The PSF for diagnosis stress is assigned a value of High Stress (i.e., x2) due to the LOOP and loss of all power to the ESF buses.

Stress 2/1 The PSF for action stress was not determined to be a performance driver for this HFE; and therefore, was assigned a value of Nominal (i.e., x1).

The PSF for diagnosis complexity is assigned a value of Moderately Complex (Le., x2) because operators would have to deal with multiple equipment unavailabilities and Complexity 2/1 the concurrent actions/multiple procedures.

The PSF for action complexity was not determined to be a performance driver for this HFE; and therefore, was assigned a value of Nominal (Le., x1).

8

LER 454/12-001-01 The Emergency Operating Procedure E-O, "Reactor Trip/Safety Injection Actuation", requirements to enter the loss of all AC power procedure or the loss of a single ESF bus procedure were not met. Specifically, (1) the ESF bus active lights were lit and (2) ESF bus voltage meters were reading the correct voltage (i.e., 4160V) because the bus voltage selector switch was selected to default position of Phases "A"I"B"]. However, standard operating practices dictate that operators check Phase "CO voltage. During the event, operators successfully performed this check within two minutes to determine the degraded Phase "C" voltage.

Only the annunciator procedure for "Bus 241 Overload or Voltage Low" was available to explicitly direct operators to open the SAT feeder breakers; however, the annunciator Procedures 511 did not alarm during the event. The operators never formally entered this procedure during the event, but did use the annunciator procedure as guidance to open the SAT feeder breakers in eight minutes after determining the SATs were damaged.

Considering operators had strong cues of degraded Phase

  • C" voltage (via bus voltage checks) and the report of smoke coming from the SAT; but didn't have explicit procedural guidance to open the Unit 2 SAT feeder breakers, the diagnosis component of the PSF for procedures was set to Available, but Poor (i.e., x5) for this HFE.

The action component of the PSF for procedures was not determined to be a performance driver for this HFE; and therefore, was aSSigned a value of Nominal (i.e., x1).

Experiencerrraining, No event information is available to warrant a change in Ergonomics/HMI.

Fitness for Duty, 1/1 these PSFs (for diagnosis and action) from Nominal for this Work Processes HFE.

HEPs evaluated using SPAR-H are calculated using the following formula:

Calculated HEP =(Product of Diagnosis PSFs x 0.01) + (Product of Action PSFs x 0.001)

Therefore, the joint HEP for the overall recovery via direct SPAR-H calculation is to be 3x10-3 .

However, there are three factors that are not explicitly handled in the SPAR-H calculation would decrease this calculated joint HEP for the overall recovery.

  • For accident sequences greater than one hour, the Technical Support Center would be manned (due to the loss of all ac power to the Unit 2 ESF buses) to provide additional technical guidance to restore power to the ESF buses.
  • Offsite power from Unit 1 could be cross-connected almost immediately after the event occurred. The steps needed to align the Unit 1 offsite power source to Unit 2 include the opening of the Unit 2 SAT feeder breakers. When modeling recovery with an ASP analysis, 9

LER 454/12-001-01 only the most likely recovery method is explicitly modeled. However, if operators did fail to open the Unit 2 SAT feeder breaker given the cues they received, they could potentially pursue cross-connecting the Unit 1 and Unit 2 ESF buses; therefore, increasing the likelihood the operators restored power to the Unit 2 ESF buses prior to core damage.

  • ASP analyses do not typically give probabilistic credit recovery of the electrical systems after battery depletion because of the lack of knowledge on how operators would perform or how equipment (i.e., breakers, interlocks, and EDG start logic) would behave without direct current (dc) power. 6 This can be a source of conservatism in this analysis.

Considering these factors, the best estimate joint HEP for overall recovery for accident sequences greater than one hour is reduced to 1x 104 for this analysis. The joint HEP for overall recovery for one-hour sequences will remain at 3 x 10-3 .

With the joint HEP calculated, the HEPs for the two modeled HFEs can be calculated by using SPAR-H to evaluate the HEP for the 13-minute recovery action (Le., EPS-XHE-XL-NR13M) and the dividing the joint HEP by this result to determine the HEP for the 1 to 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> sequence specific recovery action (Le., EPS-XHE-XL-NR01 H, EPS-XHE-XL-NR02H, EPS-XHE-XL NR03H, and EPS-XHE-XL-NR04H).

The HEP for EPS-XHE-XL-NR13M has the same qualitative inputs as the overall recovery with the exception of the time available. For successful recovery within 13 minutes, operators would have to reopen SAT feeder breakers (from the control room) with sufficient time for the EDGs to start and load to their respective ESF buses, including time for the charging pumps and/or CCW pumps to start, prior to voiding within the RCPs occur. The operators would need minimal time

<< 1 minute) to open the SAT feeder breakers from the control room. Minimal time is needed for an EDG to start and load to its respective safety bus, and for a charging pump and/or CCW pump to be sequenced onto the EDG << 1 minute). Therefore, approximately 11 minutes are available for operators to diagnose the need to open the SAT breakers prior to voiding conditions within RCPs; therefore, the Time Available PSF for diagnosis was set to Nominal. All other PSF selections from the overall recovery are the same for the 13-minute recovery; thus the individual HEP for EPS-XHE-XL-NR13M is calculated to be 0.2.

With the joint HEP and the HEP for the 13-minute recovery calculated, the HEP for recovery prior to core damage for one-hour accident sequences (Le., EPS-XHE-XL-NR01 H). is calculated to be 1.5x10-2. The HEPs for recovery prior to core damage for accident sequences greater than one hour (Le., EPS-XHE-XL-NR02H, EPS-XHE-XL-NR03H, and EPS-XHE-XL-NR04H) is calculated to be 5x104.

ANALYSIS RESULTS Conditional Core Damage Probability. The point estimate conditional core damage probability (CCDP) for this event is 1x 104 using the H EPs for recovery as described above.

This CCDP is strongly dependent on the overall HEP for recovery; and it is expected that the recovery event would have large uncertainties because (1) the recovery event modeled in this analysis is a previously unanalyzed event in plant PRAs, (2) the normal uncertainties associated with using HRA methods can be significant, and (3) current HRA methods were not designed with recovery actions in mind. Considering these facts, it may be better to express these analysis results as a range using sensitivity cases to form the upper and lower bounds.

6 The battery depletion time for Byron, Unit 2 is 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.

10

LER 454/12-001-01 Sensitivity Analyses. Because some factors are not evaluated in SPAR-H (e.g., crediting the manning of the Technical Support Center) and uncertainties associated with SPAR-H quantification method, the recovery events were evaluated using additional human reliability analysis methods to provide a range of CCDPs for this analysis. 7 The Cause Based Decision Tree (CBDT) model, along with the Human Cognitive Reliability (HCR) model combined with the minimum HEP recommended by the HRA Good Practices (Reference 6) were used to evaluate the recovery actions. In addition, a case using the direct SPAR-H calculation for the HEPs without the qualitative factors (that decrease the HEPs is also provided). Table 3 provides the results of these sensitivity cases.

CCDP Using the CBDT model. the joint HEP for the overall recovery is calculated to be 2.5x10-4 with a time available to core damage of 2 to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. If only one hour is available, the joint HEP for overall recovery is calculated to be 5x10*3 . 8 The HEP for recovery within 13 minutes is calculated to be 0.1. Dividing the HEP for overall recovery action by the HEP for the 13-minute action yields HEPs of 5x1 0. 2 for EPS-XHE-XL-NR01 Hand 2.5x1 0.3 for EPS-XHE-XL-NR02H, EPS-XHE-XL-NR03H, and EPS-XHE-XL-NR04H.

Using the HCR model, the HEPs for the overall recovery action are calculated to be 3

2.1 x10*

  • 5.6 x 10*5
  • 4.4 x 10-O, and 6.0 x 10*7 for 1 to 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> times available to core damage, respectively. Because the extremely low values calculated using HCR of the recovery actions with time available to core damage of 2 to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, the minimum HEP of 1 x1 0.5 9

recommended by the HRA Good Practices was applied for these two events. The HEP for recovery within 13 minutes is calculated to be 0.26. The analysiS assumed an elevated sigma (0) due to the deficient procedure condition. Therefore, HEPs of 8.1 x1 0-3 for EPS XHE-XL-NR01 H, 2.2x1 0.4 for EPS-XHE-XL-NR02H. and 3.9x1 0.5 for EPS-XHE-XL-NR03H and EPS-XHE-XL-NR04H were calculated for this case.

Using the SPAR-H method without the qualitative factors that reduced the HEP for all recovery in the best estimate case (see Recovery Analysis) yields an HEP for the overall recovery action of 3x1 0.3 with time available to core damage of 1 to 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. The HEP for recovery within 13 minutes of 0.2 that was calculated using SPAR-H was also used in this case. Therefore, HEPs of 1.5x 10.2 were calculated for EPS-XHE-XL-NR01 H. EPS-XHE XL-NR02H. EPS-XHE-XL-NR03H, and EPS-XHE-XL-NRD4H.

Dominant Sequence. The dominant accident sequence is LOOPSC (Loss of Offsite Power Switchyard-Related) Sequence 16-03 (CCDP = B.Ox 10.5) which contributes 75% of the total internal events CCDP. Additional sequences that contribute greater than 1% of the total internal events CCDP are provided in Appendix A. The dominant sequence is shown graphically in Figures B-1 and B-2 in Appendix B.

7 The uncertainties aSSOCiated with SPAR-H also apply to other HRA methods.

8 The CBDT model includes credit for additional staffing for emergency response. Upon the declaration of an elevated emergency response level (e.g., Unusual Event, Alert, etc), the plant has one hour to staff the technical support center. Since it takes some time before the elevated emergency response is declared (after event initiation), recovery actions of one hour or less do not include this credit (this is the CBDT default setting).

9 Typically, another HRA method (e.g., CBDT) is used to address operator actions with longer time frames where extrapolation using the HCR Time Reliability Curve could yield unrealistic results. See Reference 6 for further details.

11

LER 454/12-001-01 The events and important component failures in LOOPSC Sequence 16-03 are:

  • Switchyard-related LOOP occurs,
  • Emergency power fails,
  • Power-operated relief valves successfully close (if opened),
  • Rapid secondary depressurization succeeds,
  • RCP seal cooling fails,
  • RCP Seal 1 integrity is maintained,
  • RCP Seal 2 integrity is maintained,
  • Operators fail to restore offsite power within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, and
  • Operators fail to open the SAT feeder breakers within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.

REFERENCES

1. Byron Station, Unit 1 and Unit 2, Licensee Event Report 2012-001-01, "Unit 2 Loss of Normal Offsite Power and Reactor Trip and Unit 1 Loss of Normal Offsite Power Due to Failure of System Auxiliary Transformer Inverted Insulators," dated September 28,2012 (ML12272A358).
2. U.S. Nuclear Regulatory Commission, "Byron Unit 2 - NRC Special Inspection Team (SIT)

Report 05000455/2012008," dated March 27,2012 (ML12087A213).

3. Westinghouse Electric Company, LLC, "WOG 2000 Reactor Coolant Pump Seal Leakage Model for Westinghouse PWRs, WCAP-15603, Revision 1n, dated May 2002.
4. Idaho National Laboratory, NUREG/CR-6883, "The SPAR-H Human Reliability Analysis Method," August 2005 (ML051950061).
5. Idaho National Laboratory, "INUEXT-10-18533, SPAR-H Step-by-Step Guidance," May 2011 (ML112060305).
6. U.S. Nuclear Regulatory Commission, NUREG-1792, "Good Practices for Implementing Human Reliability Analysis," April 2005 (ML051160213).

12

LER 454112-001-01 Appendix A: Analysis Results ACP-TFM-FC-SAT1422 SYSTEM AUXILIARY TRANSFORMER 142-2 FAILS TRUE EPS-XHE-XL-NR01 H i OPERATOR FAILS TO OPEN SAT FEEDER 1.50E-2 1.00E+0 BREAKERS IN 1 HOUR EPS-XHE-XL-NR02H OPERATOR FAILS TO OPEN SAT FEEDER 5.00E-4 1.00E+0 BREAKERS IN 2 HOURS EPS-XHE-XL-NR03H OPERATOR FAILS TO OPEN SAT FEEDER 5.00E-4 1.00E+0 BREAKERS IN 3 HOURS EPS-XHE-XL-NR04H OPERATOR FAILS TO OPEN SAT FEEDER 5.00E-4 1.00E+0 BREAKERS IN 4 HOURS ~

EPS-XHE-XL-NR 13M OPERATOR FAILS TO OPEN SAT FEEDER 2.00E-1 O.OOE+O BREAKERS IN 13 MINUTES B

IE-LOOPSC SWiTCHYARD-RELATED LOOP 1.00E+0 1.D4E-2 OEP-VCF-LP-SITESC SITE LOOP (SWITCHYARD-RELATED) FALSE 1.94E-1 OEP-VCF-LP-SNGLSC SINGLE UNIT LOOP (SWITCHYARD-RELATED) TRUE 8.06E-1 OEP-XHE-XL-NR01 HSC OPERATOR FAILS TO RECOVER OFFSITE POWER TRUE 1.00E+0 IN 1 HOUR (SWITCHYARD)

OEP-XHE-XL-NR02HSC OPERATOR FAILS TO RECOVER OFFSITE POWER TRUE l.00E+O IN 2 HOURS (SWITCHYARD)

OEP-XHE-XL-N R03HSC OPERATOR FAILS TO RECOVER OFFSITE POWER TRUE 1.00E+0 IN 3 HOURS (SWITCHYARD)

OEP-XHE-XL-NRD4HSC OPERATOR FAILS TO RECOVER OFFSITE POWER TRUE 1.00E+0 IN 4 HOURS (SWITCHYARD)

a. All other initiating event probabilities were set to zero.

Dominant Sequence Results Onlyltems,cof)trli?lJtiflgat leastL.O.% tothetqtf;il CCDP are displayed.

EventTree \*~uen~> CCDP ok Contribution Description.

LOOPSC 16-03 8.00E-5 74.7% IRPS, EPS, IAFW-B./PORV-B./RSD-B, IBP1.

/BP2. OPR-04H. DGR-04H LOOPSC 16-06 2.00E-5 18.7% /RPS, EPS, IAFW-B./PORV-B./RSD-B, IBP1.

BP2, OPR-04H. DGR-04H LOOPSC 15 2.29E-6 2.1% /RPS, /EPS, AFW-L. FAB-L LOOPSC 16-42 2.15E-6 2.0% /RPS, EPS, IAFW-B. PORV-B, OPR-01 H. DGR 01H TOTAL 1.07E-4 100.0%

Referenced Fault Trees Fault Tree Description AFW-B AUXILIARY FEEDWATER (SBO)

AFW-L AUXILIARY FEEDWATER (LOOP)

BP1 RCP SEAL STAGE 1 INTEGRITY (BINDING/POPPING)

BP2 RCP SEAL STAGE 2 INTEGRITY (BINDING/POPPING)

DGR-01H DIESEL GENERATOR RECOVERY (IN 1 HOUR)

DGR-04H DIESEL GENERATOR RECOVERY (IN 4 HOURS)

EPS EMERGENCY POWER SYSTEM A-1

LER 454/12-001-01 FEED AND BLEED (LOOP)

OFFSITE POWER RECOVERY (IN 1 HOUR OFFSITE POWER RECOVERY (IN 4 HOURS)

PORVs ARE CLOSED (SBO)

REACTOR PROTECTION SYSTEM Cutset Report - LOOPSC 16-03 Qplljtems~On!ri~J1~flll.~V~a~s.L1%!0 thl! t~~~~~~(e~r:I!sp'/~lfJ.~c~~_

.# CCDP ! Total% Cutset ..... ;

I~~~,,~~,~,., ";;,, - '" ~,~,_._~~,~~~~' "",~",~

i Total B.00E-5 100 Displaying 1 of 1 Cutsets.

1 B.00E-5 100 IE-LOOPSC,EPS-XHE-XL-NR04H,EPS-XHE-XL-NR13M,IRCS-MDP-LK-BP2 Cutset Report - LOOPSC 16-06 On'lJ{e.,,?s..Eo.n~rf~l!t~n.rl..~t. .!~.<!~Ll~J() t~~ tgtall3re displal~rL.

'# . CCDP'; Total%;Cutset Total 2.00E-5 100 ~~~LI)J~p~ayin..9 1 of 1 Cutsets.

1 2.00E-5 100 IE-LOOPSC,EPS-XHE-XL-NR04H,EPS-XHE-XL-NR13M,RCS-MDP-LK-BP2 Cutset Report - LOOPSC 15 Onll~ems contributipg at least.r1~t~~.e.tQ~<!L<!.~~ d[sp!al~cJ* .

l # CCDP; Total%"r 'Cutset Total 2.29E-6 100 Displaying 117B of 117B Cut Sets.

1 1.1BE-6 51.6 IE-LOOPSC,AFW-PMP-CF-FSALL,HPI-XHE-XM-FB 2 2.30E-7 10 IE-LOOPSC,AFW-CKV-CF-ALLB,HPI-XHE-XM-FB 3 2.16E-7 9.43 IE-LOOPSC,AFW-EDP-FR-1 B,AFW-EDP-FR-2B,AFW-MDP-TM-1A,HPI-XHE-XM I FB 4 7.0BE-B 3.09 IE-LOOPSC,AFW-FCV-CF-ALLB,HPI-XHE-XM-FB 5 6.47E-B 2.B2 IE-LOOPSC,AFW-EDP-FR-1 B,AFW-EDP-FR-2B, ESW-SOV-CC-AFW-1A, HPI XHE-XM-FB 6 5.15E-B 2.25 IE-LOOPSC,AFW-EDP-FR-1B,AFW-EDP-FR-2B,AFW-MDP-FS-1A,HPI-XHE-XM FB 7 2.9BE-B 1.3 IE-LOOPSC,AFW-EDP-FR-1B,AFW-EDP-TM-2B,AFW-MDP-TM-1A,HPI-XHE-XM FB Cutset Report - LOOPSC 16-42 Only items contributing at least 1% to the total are displayed.

  1. CCDP Total% Cutset Total 2.15E-6 100 Displaying 7 of 7 Cutsets.

1 1.07E-6 49.B IE-LOOPSC, EPS-XHE-XL-NR01 H, EPS-XHE-XL-NR 13M, PPR-SRV-CO SBO,PPR-SRV-00-456 2 1.07E-6 49.B IE-LOOPSC, EPS-XHE-XL-NR01 H, EPS-XHE-XL-NR 13M, PPR-SRV-CO SBO,PPR-SRV-00-455A Referenced Events Event Description Probability AFW-CKV-CF-ALLB CCF OF ALL B PUMP DISC CKVS (PSA) 1.15E-5 AFW-EDP-FR-1 B AFW DIESEL DRIVEN PUMP FAILS TO RUN 5.21E-2 AFW-EDP-FR-2B UNIT 2 AFW DIESEL DRIVEN PUMP FAILS TO RUN 5.21E-2 A-2

LER 454/12-001-01 UNIT 2 AFW DDP FAILS DUE TO TEST AND MAINTENANCE AFW-FCV-CF-ALLS AFW S FCVS 005A-H FAIL FROM CCF (PSA)

AFW-MDP-FS-1A 9.47E-4 AFW-MDP-TM-1A AFWMDP UNAVAILABLE DUE TO TEST AND MAINTENANCE 3.9SE-3 AFW-PMP-CF-FSALL COMMON CAUSE FAILURE OF AFW PUMPS TO START - PSA 5.91E-5 EPS-XHE-XL-NR01 H OPERATOR FAILS TO OPEN SAT FEEDER BREAKERS IN 1 1.50E-2 I HOUR EPS-XHE-XL-NR04H OPERATOR FAILS TO OPEN SAT FEEDER BREAKERS IN 4 5.00E-4 HOURS EPS-XHE-XL-NR13M OPERATOR FAILS TO OPEN SAT FEEDER BREAKERS IN 13 2.00E-1 MINUTES I ESW-SOV-CC-AFW-1A AFW MOP 1A OIL COOLER VALVE 1 SX101A FAILS 1.19E-3 HPI-XHE-XM-FB OPERATOR FAILS TO INITIATE FEED AND BLEED COOLING 2.00E-2 IE-LOOPSC SWiTCHYARD RELATED LOOP 1.00E+O PPR-SRV-CO-SBO PORVs/SRVs OPEN DURING STATION BLACKOUT 3.70E-1 PPR-SRV-00-455A PORV 455A FAILS TO RECLOSE AFTER OPENING 9.66E-4 PPR-SRV-00-456 PORV 456 FAILS TO RECLOSE AFTER OPENING 9.66E-4 RCS-MDP-LK-BP2 RCP SEAL STAGE 2 INTEGRITY (BINDING/POPPING OPEN) 2.00E-1 FAILS A-3

LER 454112-001 Appendix B: Key Event Trees

> - - - - , l - - > - - - - ( l - - >----'0 Ol--

r---01---0>---r--[~+/-:1

< ;.---( >----O>----'Ol---'O--

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 "'"

~

0 0 0 0 0 0 0 0 0 0 Figure B-1. Byron Station Switchyard-Relatect LOOP Event Tree.

B-1

LER 454/12-001 Figure B-2. Byron Station SBO Event Tree.

8-2

ML13182A031 OFFICE LPL3-2/PM LPL3-2/LA LPL3-2/PM NAME JWiebe SRohrer (SFiguero wen JWiebe 7/1 113 7/1/13 13 7/3/13 DATE

Retrieved from "https://kanterella.com/w/index.php?title=ML13182A031&oldid=2061560"