ML17005A527
| Person / Time | |
|---|---|
| Site: | Pilgrim |
| Issue date: | 12/30/2016 |
| From: | Christopher Hunter NRC/RES/DRA/PRB |
| To: | |
| Chris Hunter 301-415-1394 | |
Final ASP Program Analysis - Reject

Accident Sequence Precursor Program - Office of Nuclear Regulatory Research

Pilgrim Nuclear Power Station
Online Maintenance Configuration Could Result in De-energized Electrical Buses during a Postulated Transient

Event Date: 4/19/2016
LER: 293-2016-002-01
IRs: TBD
CDP = 6×10⁻⁷
Plant Type: Boiling-Water Reactor (BWR); General Electric 3 with a Mark I Containment
Plant Operating Mode (Reactor Power Level): Mode 1 (100% Reactor Power)
Analyst: Chris Hunter
Reviewer: David Aird
Contributors: N/A
BC Approved Date: 12/30/2016

EVENT DETAILS

Event Description. On April 19, 2016, it was discovered that maintenance activities (procedure 3.M.3-1, Attachment 10) performed on protective relays between 8:10 p.m., on August 26, 2014 and 1:43 a.m. on August 27, 2014, had rendered the startup transformer (SUT) and the standby emergency diesel generators (EDGs) unable to automatically supply/align power to 4.16kV safety-related AC buses A5 and A6. Specifically, a breaker interlock would prevent the SUT breakers (152-504 and 152-604) and EDG output breakers (152-509 and 152-609) from closing when the breakers for buses A5 and A6 (152-501 and 152-601) are in the test position and are closed. In addition, power from the shutdown transformer (SDT) was unavailable; therefore, the limiting condition for operation (LCO) 3.9.B.2 was not met.
During functional testing of negative sequence and under-voltage relays, breakers 152-501 and 152-601 (SDT supplies to buses A5 and A6) are closed briefly and tripped on three different occasions in accordance with Procedure 3.M.3-1, Attachment 10. Based on an initial review of associated alarm data, operator logs, and interviews with maintenance personnel, the combined duration when breakers 152-501 and 152-601 were in the test position and closed was approximately 33 minutes.¹ Additional information is provided in licensee event report (LER) 293-2016-002-1 (Ref. 1).

Cause. The root cause of this event is that the decision to perform Procedure 3.M.3-1, Attachment 10 testing at-power, instead of during cold shutdown, lacked sufficient rigor to ensure compliance with Technical Specifications. A contributing cause of this condition is that corrective actions were ineffective in resolving identified risks with the online performance of protective relay functional tests.

MODELING

SDP Results/Basis for ASP Analysis. To date, no inspection reports have been released that provided additional information on this event. Discussions with Region 1 staff indicated that no performance deficiency has been identified to date; however, the LER remains open. An independent ASP analysis was performed given the lack of an identified performance deficiency and the potential risk significance of this event.

¹ Similar testing, using procedure 3.M.3-29, was performed in February 2014. During this testing, a similar plant configuration (i.e., both 4.16kV safety-related buses A5 and A6 would have been prevented from automatically transferring to back-up power sources) existed for approximately 26 minutes. The modeling assumptions for this analysis are bounding for both events.
Analysis Type. The version 8.24 Pilgrim Standardized Plant Analysis Risk (SPAR) Model, created in May 2014, was used for this condition assessment.
SPAR Model Modifications. The following modifications were required for this condition assessment:
To model the loss of electrical power to buses A5 and A6 that would have occurred given a postulated reactor scram, the ACP-A5 (Pilgrim 4160 VAC power bus A5 fails) and ACP-A6 (Pilgrim 4160 VAC power bus A6 fails) fault trees were modified. In the ACP-A5 fault tree, a new AND gate ACP-A5-TEST (testing results in loss of power to bus A5) was inserted under the existing top gate. Two new basic events were inserted under the gate ACP-A5-TEST.
Basic event ACP-A5A6-DEENERGIZED (testing results in loss of all power to buses A5 and A6) was added to account for the loss of power due to testing (given a postulated reactor scram). In addition, basic event ACP-XHE-A5A6RECOVERY (operators fail to trip breakers 501 and 601) was added because operators could restore power to buses A5 and A6 by opening breakers 152-501 and 152-601. Both of these basic events were set to IGNORE.
Similar modifications were made to the ACP-A6 fault tree. The modified ACP-A5 and ACP-A6 fault trees are shown in Figure C-1 and Figure C-2, respectively.
Exposure Period. A bounding estimate of 1 hour was used for this analysis.²

Key Modeling Assumptions. The following modeling assumptions were determined to be significant to the modeling of this bounding condition assessment:
Basic event ACP-A5A6-DEENERGIZED was set to TRUE because buses A5 and A6 would have lost all electrical power during a postulated reactor scram during testing.
During testing, if a postulated reactor scram had occurred, operators would need to manually open breakers 152-501 and 152-601 to restore electrical power to buses A5 and A6. This recovery action is simple, could be performed from the main control room (or locally), and was part of the pre-job brief. Basic event ACP-XHE-A5A6RECOVERY was used to model this recovery action. This human failure event (HFE) was evaluated using SPAR-H (Ref. 2 and Ref. 3). Table 1 and Table 2 provide the key qualitative information for this HFE and the performance shaping factor (PSF) adjustments required for the quantification of the human error probability (HEP) using SPAR-H.
An HEP evaluated using SPAR-H is calculated using the following formula:
Calculated HEP = (Product of Diagnosis PSFs × 0.01) + (Product of Action PSFs × 0.001)

Therefore, the probability of basic event ACP-XHE-A5A6RECOVERY was set to 5×10⁻³.

² The exposure period for the August 2014 event was approximately 33 minutes, while the February 2014 event exposure period was approximately 26 minutes. Therefore, the 1-hour exposure period is bounding for either case.
Table 1. Qualitative Evaluation of ACP-XHE-A5A6RECOVERY

| Item | Evaluation |
|---|---|
| Definition | The definition for this HFE is the operators failing to open breakers 152-501 and 152-601 prior to core uncovery. |
| Description and Event Context | Given a postulated reactor scram while breakers 152-501 and 152-601 are in the test position and are closed, buses A5 and A6 would become deenergized, resulting in a loss of feedwater and condenser heat sink. If both high-pressure coolant injection (HPCI) and reactor core isolation cooling (RCIC) fail at the onset of the event, core uncovery is expected to occur in approximately 30 minutes.³ ⁴ However, the more likely scenario is that HPCI and/or RCIC, along with the safety relief valves (SRVs), would provide decay heat removal initially; however, both sources would eventually be lost when the operators depressurize the reactor when the suppression pool reaches its heat capacity temperature limit (HCTL).⁵ If operators fail to depressurize the reactor, HPCI and RCIC would be rendered unavailable when the safety-related batteries are depleted (8-14 hours, depending on whether DC loads are shed or whether suppression pool can no longer support decay heat removal). |
| Operator Action Success Criteria | Recover the electrical power to 4.16kV safety-related buses (from the SAT) prior to core uncovery. |
| Nominal Cues | De-energized 4.16kV safety-related buses A5 and A6; cues associated with reactor trip; EDG running but EDG output breakers not closed. |
| Procedural Guidance | Directions to open breakers 152-501 and 152-601 were included in pre-job briefing; Procedure 5.3.31, Station Blackout; Procedure 2.4.16, Distribution Alignment Electrical System Malfunctions. |
| Diagnosis/Action | This HFE contains sufficient diagnosis and action components. |
Table 2. SPAR-H Evaluation of ACP-XHE-A5A6RECOVERY

| PSF | Diagnosis/Action Multiplier | Notes |
|---|---|---|
| Time Available | 0.1 / 1 | The operators would need approximately 1 minute to perform the action component of manually opening breakers 152-501 and 152-601. The time for diagnosis is approximately 59 minutes.⁶ Therefore, available time (i.e., 59 minutes) for the diagnosis component for this operator action is assigned as Extra Time (i.e., ×0.1). Since sufficient time was available for the diagnosis component, the available time for the action component for this operator action is evaluated as Nominal (i.e., ×1). See Reference 3 for guidance on apportioning time between the diagnosis and action components of an HFE. |
| Stress | 2 / 1 | The PSF for diagnosis stress is assigned a value of High Stress (i.e., ×2) due to the SBO-like conditions given a postulated reactor scram. The action stress was determined to be Nominal since it is not expected to be a performance driver in the execution of manually opening the two breakers. |
| Complexity | 2 / 1 | The PSF for diagnosis complexity is conservatively assigned a value of Moderately Complex (i.e., ×2). Although the recovery action was part of the pre-job brief for both the February 2014 and August 2014 testing, which included discussion of recovery actions, procedure 3.M.3-29 did not contain (unlike procedure 3.M.3-1, Attachment 10) a caution statement explaining the consequences given a reactor scram. In addition, compensatory measures were not identified to direct specific actions in the event of reactor scram. Recovery actions (i.e., operators manually open breakers 152-501 and 152-601) were identical in both cases. The action complexity was determined to be Nominal since the manual opening of two breakers is simple. |
| Procedures, Experience/Training, Ergonomics/HMI, Fitness-for-Duty, Work Processes | 1 / 1 | No event information is available to warrant a change in these PSFs (for diagnosis and action) from Nominal for these HFEs. |

³ The combined failure probability of HPCI and RCIC is approximately 5×10⁻³. This failure probability does not include eventual system failures due to subsequent losses of DC power (i.e., battery depletion).

⁴ Operators could depressurize the reactor and attempt to initiate firewater injection; however, it is not expected that this could be accomplished within 30 minutes.

⁵ Licensee thermal-hydraulic calculations indicated that the suppression pool would reach its HCTL in approximately 5 hours.

⁶ The 1-hour available time is bounding for all scenarios except those in which both HPCI and RCIC fail immediately after the reactor trip. Sensitivity analyses show that these scenarios have a negligible effect on the results. In all other scenarios, operators would likely have 5 hours or more to manually open breakers 152-501 and 152-601.
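The SPAR-H quantification of ACP-XHE-A5A6RECOVERY can be reproduced from the Table 2 multipliers and the HEP formula given earlier. The Python below is an added example, not NRC or SAPHIRE code; it also goes beyond this case by including the NUREG/CR-6883 adjustment for three or more negative PSFs, which is not triggered here, and all function and variable names are hypothetical.

```python
# Added example: SPAR-H HEP for ACP-XHE-A5A6RECOVERY from the Table 2 multipliers.
from math import prod

# Nominal HEPs that appear in the formula quoted in this analysis.
NOMINAL_HEP = {"diagnosis": 1e-2, "action": 1e-3}

# Table 2 multipliers as (diagnosis, action).
TABLE_2_PSFS = {
    "Time Available": (0.1, 1),
    "Stress": (2, 1),
    "Complexity": (2, 1),
    "Procedures": (1, 1),
    "Experience/Training": (1, 1),
    "Ergonomics/HMI": (1, 1),
    "Fitness-for-Duty": (1, 1),
    "Work Processes": (1, 1),
}

def component_hep(nominal, multipliers):
    """HEP for one component (diagnosis or action) of a human failure event."""
    composite = prod(multipliers)
    negative = sum(1 for m in multipliers if m > 1)  # PSFs that degrade performance
    if negative >= 3:
        # SPAR-H adjustment factor (NUREG/CR-6883): keeps the result below 1.0
        # when several negative PSFs are multiplied together.
        return nominal * composite / (nominal * (composite - 1) + 1)
    return min(nominal * composite, 1.0)

def spar_h_hep(psfs):
    """Return (diagnosis HEP, action HEP, total HEP) for a PSF table."""
    diagnosis = component_hep(NOMINAL_HEP["diagnosis"], [d for d, _ in psfs.values()])
    action = component_hep(NOMINAL_HEP["action"], [a for _, a in psfs.values()])
    return diagnosis, action, diagnosis + action

if __name__ == "__main__":
    diagnosis, action, total = spar_h_hep(TABLE_2_PSFS)
    print(f"diagnosis={diagnosis:.1e} action={action:.1e} total={total:.1e}")
```

The diagnosis component dominates: the Extra Time credit (×0.1) is offset by High Stress (×2) and Moderately Complex (×2), so diagnosis contributes four times as much as the action component.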
ANALYSIS RESULTS

Importance. The increase in core damage probability (CDP) for this analysis is conservatively calculated to be 5.9×10⁻⁷. The ASP Program acceptance threshold is a CDP of 1×10⁻⁶; therefore, this event is not a precursor.

Dominant Sequence. The dominant accident sequence is general transient (TRANS) sequence 41 (CDP = 4.4×10⁻⁷), which contributes approximately 74 percent of the total internal events CDP. The sequences and cut sets that contribute to the top 95 percent and/or at least 1 percent of the total CDP for this analysis are provided in Appendix A.

The dominant sequence is shown graphically in Figure B-1 of Appendix B. The events and important component failures in TRANS sequence 41 are:

- A general transient initiating event occurs,
- Reactor scram succeeds,
- Safety relief valves reclose (if opened),
- High-pressure injection (HPCI/RCIC) fails, and
- Manual reactor depressurization fails.
REFERENCES

1. Pilgrim Nuclear Power Station, "LER 293/16-002 Online Maintenance Test Configuration Prohibited by Technical Specifications," dated August 18, 2016 (ML16250A013).
2. Idaho National Laboratory, NUREG/CR-6883, The SPAR-H Human Reliability Analysis Method, August 2005 (ML051950061).
3. Idaho National Laboratory, INL/EXT-10-18533, SPAR-H Step-by-Step Guidance, May 2011 (ML112060305).
Appendix A: SAPHIRE 8 Worksheet

Summary of Conditional Event Changes

| Event | Description | Cond. Value | Nominal Value |
|---|---|---|---|
| ACP-A5A6-DEENERGIZED | TESTING RESULTS IN LOSS OF ALL POWER TO BUSES A5 AND A6 | TRUE | IGNORE |
| ACP-XHE-A5A6RECOVERY | OPERATORS FAIL TO TRIP BREAKERS 501 AND 601 | 5.00E-3 | IGNORE |

Event Tree Dominant Results

Only items contributing at least 1.0% to the total CDP are displayed.

| Event Tree | CCDP | CDP | ΔCDP | Description |
|---|---|---|---|---|
| TRAN | 4.38E-7 | 9.84E-10 | 4.37E-7 | GENERAL PLANT TRANSIENT |
| LOCHS | 8.00E-8 | 2.74E-10 | 7.98E-8 | LOSS OF CONDENSER HEAT SINK |
| LOMFW | 3.96E-8 | 1.10E-10 | 3.95E-8 | LOSS OF FEEDWATER |
| IORV | 9.57E-9 | 2.68E-10 | 9.30E-9 | INADVERTENT OPEN RELIEF VALVE |
| LOOPGR | 7.84E-9 | 2.91E-10 | 7.55E-9 | LOSS OF OFFSITE POWER (GRID-RELATED) |
| LOOPSC | 6.68E-9 | 2.48E-10 | 6.44E-9 | LOSS OF OFFSITE POWER (SWITCHYARD-CENTERED) |
| Total | 5.96E-7 | 2.99E-9 | 5.93E-7 | |

Dominant Sequence Results

Only items contributing at least 1.0% to the total CDP are displayed.

| Event Tree | Sequence | CCDP | CDP | ΔCDP | Description |
|---|---|---|---|---|---|
| TRAN | 41 | 4.36E-7 | 9.48E-10 | 4.35E-7 | /RPS, /SRV, PCS, HPI, DEP |
| LOCHS | 40 | 7.96E-8 | 2.13E-10 | 7.93E-8 | /RPS, /SRV, HPI, DEP |
| LOMFW | 40 | 3.94E-8 | 1.06E-10 | 3.93E-8 | /RPS, /SRV, HPI, DEP |
| IORV | 47 | 9.33E-9 | 3.02E-11 | 9.30E-9 | /RPS, PCS, HPI, DEP |
| LOOPGR | 28-06 | 7.22E-9 | 2.59E-10 | 6.96E-9 | /RPS, EPS, /SRV, /RCI-B, /DCL, OPR-12H, DGR-12H, CVS-EXT, LI09 |
| LOOPSC | 28-06 | 6.16E-9 | 2.20E-10 | 5.93E-9 | /RPS, EPS, /SRV, /RCI-B, /DCL, OPR-12H, DGR-12H, CVS-EXT, LI09 |
| Total | | 5.96E-7 | 2.99E-9 | 5.93E-7 | |

Referenced Fault Trees

| Fault Tree | Description |
|---|---|
| CVS-EXT | CONTAINMENT VENTING |
| DEP | MANUAL REACTOR DEPRESS |
| DGR-12H | OPERATOR FAILS TO RECOVER EMERGENCY DIESEL IN 12 HOURS |
| EPS | EMERGENCY POWER |
| HPI | HIGH PRESSURE INJECTION |
| LI09 | PILGRIM LATE INJECTION FAULT TREE |
| OPR-12H | OPERATOR FAILS TO RECOVER OFFSITE POWER IN 12 HOURS |
| PCS | POWER CONVERSION SYSTEM |
Cut Set Report - TRANS 41

Only items contributing at least 1% to the total are displayed.

| # | CCDF | Total % | Cut Set |
|---|---|---|---|
| | 3.82E-3 | 100 | Displaying 95 Cut Sets. (95 Original) |
| 1 | 3.81E-3 | 99.78 | IE-TRANS,ACP-XHE-A5A6RECOVERY |

Cut Set Report - LOCHS 40

Only items contributing at least 1% to the total are displayed.

| # | CCDF | Total % | Cut Set |
|---|---|---|---|
| | 6.97E-4 | 100 | Displaying 40 Cut Sets. (40 Original) |
| 1 | 6.95E-4 | 99.73 | IE-LOCHS,ACP-XHE-A5A6RECOVERY |

Cut Set Report - LOMFW 40

Only items contributing at least 1% to the total are displayed.

| # | CCDF | Total % | Cut Set |
|---|---|---|---|
| | 3.45E-4 | 100 | Displaying 32 Cut Sets. (32 Original) |
| 1 | 3.44E-4 | 99.73 | IE-LOMFW,ACP-XHE-A5A6RECOVERY |

Cut Set Report - IORV 47

Only items contributing at least 1% to the total are displayed.

| # | CCDF | Total % | Cut Set |
|---|---|---|---|
| | 8.18E-5 | 100 | Displaying 137 Cut Sets. (137 Original) |
| 1 | 8.15E-5 | 99.68 | IE-IORV,ACP-XHE-A5A6RECOVERY |

Cut Set Report - LOOPGR 28-06

Only items contributing at least 1% to the total are displayed.

| # | CCDF | Total % | Cut Set |
|---|---|---|---|
| | 6.33E-5 | 100 | Displaying 313 Cut Sets. (313 Original) |
| 1 | 6.10E-5 | 96.44 | IE-LOOPGR,ACP-XHE-A5A6RECOVERY |

Cut Set Report - LOOPSC 28-06

Only items contributing at least 1% to the total are displayed.

| # | CCDF | Total % | Cut Set |
|---|---|---|---|
| | 5.39E-5 | 100 | Displaying 305 Cut Sets. (305 Original) |
| 1 | 5.20E-5 | 96.44 | IE-LOOPSC,ACP-XHE-A5A6RECOVERY |

Referenced Events

| Event | Description | Probability |
|---|---|---|
| ACP-XHE-A5A6RECOVERY | OPERATORS FAIL TO TRIP BREAKERS 501 AND 601 | 5.00E-3 |
| IE-IORV | INADVERTENT OPEN RELIEF VALVE | 1.63E-2 |
| IE-LOCHS | LOSS OF CONDENSER HEAT SINK | 1.39E-1 |
| IE-LOMFW | LOSS OF FEEDWATER | 6.89E-2 |
| IE-LOOPGR | LOSS OF OFFSITE POWER INITIATOR (GRID-RELATED) | 1.22E-2 |
| IE-LOOPSC | LOSS OF OFFSITE POWER INITIATOR (SWITCHYARD-CENTERED) | 1.04E-2 |
| IE-TRANS | GENERAL PLANT TRANSIENT | 7.62E-1 |
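The worksheet figures can be cross-checked against each other: each dominant cut set is the initiating-event value times the recovery HEP, and each sequence CCDP is the sequence CCDF scaled by the 1-hour exposure period. The Python below is an added example, not SAPHIRE output; it assumes the initiating-event values are per-year frequencies and that a year is 8,760 hours, neither of which is stated in the worksheet, and its function names are hypothetical.

```python
# Added example: cross-check of the Appendix A worksheet values.
HEP = 5.00e-3            # ACP-XHE-A5A6RECOVERY, from Referenced Events
EXPOSURE_HOURS = 1.0     # bounding exposure period used in the analysis
HOURS_PER_YEAR = 8760.0  # assumption: initiating-event values are per year

# sequence: (initiating-event value, cut set 1 CCDF, total CCDF, sequence CCDP),
# all copied from the worksheet tables.
WORKSHEET = {
    "TRANS 41":     (7.62e-1, 3.81e-3, 3.82e-3, 4.36e-7),
    "LOCHS 40":     (1.39e-1, 6.95e-4, 6.97e-4, 7.96e-8),
    "LOMFW 40":     (6.89e-2, 3.44e-4, 3.45e-4, 3.94e-8),
    "IORV 47":      (1.63e-2, 8.15e-5, 8.18e-5, 9.33e-9),
    "LOOPGR 28-06": (1.22e-2, 6.10e-5, 6.33e-5, 7.22e-9),
    "LOOPSC 28-06": (1.04e-2, 5.20e-5, 5.39e-5, 6.16e-9),
}

def rel_err(computed, reported):
    """Relative difference between a recomputed and a reported value."""
    return abs(computed - reported) / reported

def cross_check(worksheet=WORKSHEET):
    """Recompute cut set 1 and the sequence CCDP for every dominant sequence."""
    rows = {}
    for seq, (ie, cut1, total_ccdf, ccdp) in worksheet.items():
        cut1_calc = ie * HEP  # initiating event AND failed recovery
        # Rare-event approximation: probability = frequency x exposure time.
        ccdp_calc = total_ccdf * EXPOSURE_HOURS / HOURS_PER_YEAR
        rows[seq] = {
            "cut1_calc": cut1_calc,
            "cut1_err": rel_err(cut1_calc, cut1),
            "ccdp_calc": ccdp_calc,
            "ccdp_err": rel_err(ccdp_calc, ccdp),
        }
    return rows

def worst_error(rows):
    """Largest relative mismatch across all recomputed values."""
    return max(max(r["cut1_err"], r["ccdp_err"]) for r in rows.values())

if __name__ == "__main__":
    results = cross_check()
    for seq, r in results.items():
        print(f"{seq:13s} cut1={r['cut1_calc']:.2e} ({r['cut1_err']:.2%}) "
              f"CCDP={r['ccdp_calc']:.2e} ({r['ccdp_err']:.2%})")
    print(f"worst mismatch: {worst_error(results):.2%}")
```

Every recomputed value agrees with the worksheet to within rounding of the three-significant-figure entries, which shows that the result scales almost linearly with the 5.00E-3 recovery HEP and with the exposure period.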
Appendix B: Key Event Tree

Figure B-1. General Transient Event Tree

[Event tree diagram not reproduced. Top events, in order: IE-TRANS (GENERAL PLANT TRANSIENT), RPS (REACTOR SHUTDOWN), SRV (TWO OR MORE STUCK OPEN SRVs), PCS (POWER CONVERSION SYSTEM), HPI (HIGH PRESSURE INJECTION), SPC (SUPPRESSION POOL COOLING), DEP (MANUAL REACTOR DEPRESS), CDS (CONDENSATE), LPI (LOW PRESS COOLANT INJECTION (LCS or LPCI)), VA (ALTERNATE INJECTION), SPC (SUPPRESSION POOL COOLING), CSS (CONTAINMENT SPRAY), PCSR (POWER CONVERSION SYSTEM RECOVERY), CVS (CONTAINMENT VENTING), LI (LONG-TERM LOW PRESS INJECTION). End states (Phase - CD): sequences 7, 11, 13, 18, 19, 20, 26, 31, 33, 39, 40 and 41 end in CD; sequences 42, 43 and 44 transfer to 1SORV, 2SORVS and ATWS; all other sequences end in OK.]
Appendix C: Modified Fault Trees

Figure C-1. Modified ACP-A5 Fault Tree

[Fault tree diagram not reproduced. Nodes shown:]

- ACP-A5: PILGRIM 4160 VAC POWER BUS A5 FAILS
- ACP-A5-TEST: TESTING RESULTS IN LOSS OF POWER TO BUS A5
- ACP-A5A6-DEENERGIZED (Ignore): TESTING RESULTS IN LOSS OF ALL POWER TO BUSES A5 AND A6
- ACP-XHE-A5A6RECOVERY (Ignore): OPERATORS FAIL TO TRIP BREAKERS 501 AND 601
- DIV-1-AC-1: LOSS OF POWER TO 4160V AC BUS
- SGV-A (Ext): PILGRIM SWITCHGEAR VENTILLATION TRAIN A FAILS
- ACP-A532: BUS A5 FEED AND INTERLOCK FAILURES
- ACP-BAC-LP-A5 (3.33E-05): 4160 VAC POWER BUS A5 FAILS

Figure C-2. Modified ACP-A6 Fault Tree

[Fault tree diagram not reproduced. Nodes shown:]

- ACP-A6: PILGRIM 4160 VAC POWER BUS A6 FAILS
- ACP-A6-TEST: TESTING RESULTS IN LOSS OF POWER TO BUS A6
- ACP-A5A6-DEENERGIZED (Ignore): TESTING RESULTS IN LOSS OF ALL POWER TO BUSES A5 AND A6
- ACP-XHE-A5A6RECOVERY (Ignore): OPERATORS FAIL TO TRIP BREAKERS 501 AND 601
- DIV-2-AC-1: LOSS OF POWER TO 4160V AC BUS
- SGV-B (Ext): PILGRIM SWITCHGEAR VENTILLATION TRAIN B FAILS
- ACP-A63: BUS A6 FEED AND INTERLOCK FAILURES
- ACP-BAC-LP-A6 (3.33E-05): 4160 VAC POWER BUS A6 FAILS