ML17249A968


Final Accident Sequence Precursor Analysis - Columbia Generation Station, Offsite Load Reject Causes Automatic Scram with Subsequent Operators Errors Resulting in a Loss of Condenser Heat Sink (LER 397-2016-004) - Precursor
Site: Columbia (Energy Northwest)
Issue date: 11/06/2017
From: Michael Cheok, NRC/RES/DRA
To: Boland A, Office of Nuclear Reactor Regulation
C. Hunter 301-415-1394
Shared Package: ML17249A966
References: IR 2017008, LER 397-2016-004



Final ASP Program Analysis - Precursor

Accident Sequence Precursor Program - Office of Nuclear Regulatory Research

Columbia Generating Station
Offsite Load Reject Causes Automatic Scram with Subsequent Operator Errors Resulting in a Loss of Condenser Heat Sink

Event Date: 12/18/2016
LER: 397-2016-004
IR: 05000397/2017008
CCDP = 1×10⁻⁵
Plant Type: General Electric Type 5 Boiling-Water Reactor (BWR) with Wet, Mark II Containment
Plant Operating Mode (Reactor Power Level): Mode 1 (100% Reactor Power)

Analyst: Christopher Hunter
Reviewer: Ian Gifford
Contributors: N/A
BC Review Date: 6/29/2017

EXECUTIVE SUMMARY

On December 18, 2016, at 11:24 a.m., an automatic scram occurred due to a fault on an offsite transmission network. A reactor scram was automatically initiated by the plant response to the transient. All control rods fully inserted and main steam isolation valves (MSIVs) automatically closed due to the loss of power to both reactor protection system (RPS) busses that occurred during the transient following the scram. All safety systems operated as designed. A full safety system isolation occurred due to the loss of RPS, which isolated reactor closed cooling water flow from containment causing primary containment temperature and pressure to increase, and subsequent high pressure actuations. Two reactor safety relief valves (SRVs) cycled automatically and then were manually cycled to maintain reactor pressure. Reactor water level was restored using reactor core isolation cooling (RCIC), control rod drive flow, and high pressure core spray (HPCS). The following complications occurred during the event response:

Operators failed to trip the main generator (after successfully tripping the main turbine), which prevented the automatic fast transfer of the safety-related buses to their normal source of power (startup auxiliary transformer) with the plant offline.

Operators failed to establish the proper lineup for RCIC restart, which subsequently required operators to maintain reactor water level using HPCS.

Due to the reactor trip and MSIV closure, this event was modeled as a loss of condenser heat sink initiating event with complications. Given the modeling assumptions used in this analysis, the conditional core damage probability (CCDP) was calculated to be 1×10⁻⁵. For most BWRs, a loss of condenser heat yields CCDPs in the 10⁻⁶ to 10⁻⁵ range, which is largely dependent on the availability of feedwater. The most likely core damage sequence involves the postulated failures of RCIC and HPCS, and the subsequent failure of manual reactor depressurization. This accident sequence accounts for approximately 62 percent of the event CCDP.

Three Green findings were identified with this event. All three findings were screened within Phase 1 of the Significance Determination Process (SDP) evaluation. Two of the findings were due to the operators failing to follow procedures, resulting in the complications noted above. A third finding was associated with the licensee's failure to identify and correct a condition adverse to quality related to the use of spiral wound gaskets for restricting orifices in the HPCS system.

LER 397-2016-004 2

EVENT DETAILS

Event Description. On December 18, 2016, at 11:24 a.m., an automatic scram occurred due to a fault on an offsite transmission network. A reactor scram was automatically initiated by the plant response to the transient. All control rods fully inserted and MSIVs automatically closed due to the loss of power to both RPS busses that occurred during the transient following the scram. All safety systems operated as designed. A full safety system isolation occurred due to the loss of RPS, which isolated reactor closed cooling water flow from containment causing primary containment temperature and pressure to increase, and subsequent high-pressure actuations. Two reactor SRVs cycled automatically, and then were manually cycled, to maintain reactor pressure. Reactor water level was restored using RCIC, control rod drive flow, and HPCS.

The plant response resulted in a few complications. After the initial successful start and injection of RCIC, a plant operator failed to establish the proper lineup for restart. This resulted in a trip of the RCIC pump after which operators used HPCS to maintain reactor water level.

Operators successfully tripped the main turbine per plant procedures, but failed to trip the main generator, which resulted in degraded voltage until power was automatically transferred to the backup power sources. The primary containment was successfully vented through a standby gas treatment filter per plant procedures to lower primary containment pressure. Additional information is provided in licensee event report (LER) 397-2016-004 (Ref. 1) and inspection report (IR) 05000397/2017008 (Ref. 2).

Cause. The cause of the offsite transmission network fault is still under evaluation by Bonneville Power Administration (the offsite transmission network operator).

MODELING ASSUMPTIONS

Analysis Type. A test/limited use Standardized Plant Analysis Risk (SPAR) model for Columbia Generating Station, created in June 2017, was used for this initiating event analysis.

Analysis Rules. The ASP Program uses SDP results for degraded conditions when available. However, the ASP Program performs independent analysis for initiating events.

IR 05000397/2017008 describes the results of the special inspection performed at Columbia Generating Station in response to this event. Three Green (i.e., very low safety significance) findings were identified and LER 397-2016-004 is closed. These three findings were associated with the licensee failure to:

Follow Procedure 3.3.1, Reactor Scram, Revision 62. Specifically, the licensee failed to trip the main generator per Procedure PPM 3.3.1, Step 6.2.9, although it was required for a load rejection scram.

Follow Procedure SOP-RCIC-INJECTION-QC, RCIC RPV Injection - Quick Card, Revision 5. During a complicated reactor scram on December 18th, licensed operators failed to open the RCIC turbine trip valve, RCIC-V-1, prior to initiating RCIC. As a result, RCIC tripped on over-speed, required local resetting, and led to licensed operations personnel injecting with the HPCS system, a non-preferred injection source.

Promptly identify and correct a condition adverse to quality. Specifically, since 2009, the licensee failed to implement prompt corrective actions to correct an adverse condition related to the use of spiral wound gaskets for restricting orifices in the HPCS system.


These three Green findings were screened within Phase 1 of the SDP evaluation because the findings:

Were not deficiencies affecting the design or qualification of a mitigating system,

Did not represent a loss of system and/or function,

Did not represent an actual loss of function of a single train for greater than its technical specification (TS) allowed outage time, and

Did not represent an actual loss of function of one or more non-TS trains of equipment designated as high safety-significant in accordance with the licensee's maintenance rule program for greater than 24 hours.

A review of the Columbia Generating Station LERs within 1 year of this event revealed no windowed degradations.

SPAR Model Changes. In reviewing the base SPAR model, incorrect logic was identified for some of the electrical fault tree buses. Specifically, the base SPAR model did not credit the ability of the backup auxiliary transformer to supply offsite power to buses SM-7 and SM-8 (footnote 1). In addition, the fault trees for buses SM-1, SM-2, and SM-3 incorrectly credit supply power from the normal auxiliary transformer, which is unavailable after the main generator is tripped. These fault trees also did not credit power from the startup auxiliary transformer (footnote 2). Therefore, Idaho National Laboratory created a test/limited use model to address these issues.

In addition to the base SPAR model changes, the following analysis-specific modifications were necessary:

The ACP-BUS-SM4 (division III AC bus SM-4 power fails) fault tree was modified to provide credit for recovery of offsite power (via bus SM-2) to bus SM-4. Basic event HE-LOOP-SM4 (loss of offsite power to division III bus SM-4) was moved under a new AND gate ACP-BUS-DIV3-4 (offsite power to bus SM-4 is unavailable). Gate ACP-BUS-DIV3-4 was inserted under existing gate ACP-BUS-DIV3-2 (normal offsite power supply is unavailable).

A new basic event, ACP-XHE-RECOVERY (operators fail to align offsite power), was inserted under gate ACP-BUS-DIV3-4 and set to IGNORE. The revised ACP-BUS-SM4 fault tree is provided in Figure B-1 in Appendix B.

The HE-LOOP (house event-loss of offsite power initiating event has occurred) house event was inserted to replace HE-LOOP-SM7 (loss of offsite power to division I bus SM-7), HE-LOOP-SM4, HE-LOOP-SM8 (loss of offsite power to division II bus SM-8), in the ACP-BUSSM1 (AC power from bus SM-1 is unavailable), ACP-BUSSM2 (AC power from bus SM-2 is unavailable), and ACP-BUSSM3 (AC power from bus SM-3 is unavailable) fault trees, respectively. This modification allows the use of HE-LOOP-SM7, HE-LOOP-SM4, HE-LOOP-SM8 house events in this analysis to model the loss of offsite power only to buses SM-7, SM-4, SM-8 (footnote 3). The revised ACP-BUSSM1, ACP-BUSSM2, and ACP-BUSSM3 fault trees are provided in Figure B-2, Figure B-3, and Figure B-4 in Appendix B.

Footnote 1: The backup auxiliary transformer cannot supply offsite power to bus SM-4. Only the startup auxiliary transformer and the HPCS EDG can provide power to bus SM-4.

Footnote 2: The startup auxiliary transformer normally supplies power to buses SM-1, SM-2, and SM-3 when the main generator is offline.

The HE-LOOP-BACKUP (loss of offsite power from backup aux transformer) house event was replaced with the HE-LOOP house event in the ACP-BUS-SM7 (division I AC bus SM-7 power fails) and ACP-BUS-SM8 (division II AC bus SM-8 power fails) fault trees. This change ensured that the consequential loss of offsite power (LOOP) sequences were correctly calculated in the analysis (footnote 4). The revised ACP-BUS-SM7 and ACP-BUS-SM8 fault trees are provided in Figure B-5 and Figure B-6 in Appendix B.

Key Modeling Assumptions. The following modeling assumptions were determined to be significant to the modeling of this event analysis:

This analysis models the December 18, 2016, reactor trip at Columbia Generating Station as a loss of condenser heat sink transient due to the MSIV closure. Therefore, the probability for IE-LOCHS (loss of condenser heat sink) was set to 1.0; all other initiating event probabilities were set to zero.

No credit for recovery of the condenser heat sink was provided in this analysis, which is potentially conservative (footnote 5). Sensitivity analyses indicate that not crediting recovery of the condenser heat sink has a negligible effect on the results.

During the event, voltage degraded to the set-point of the degraded voltage relays, causing power to busses SM-7 and SM-8 to switch from the normal auxiliary transformer to the backup auxiliary transformer. Bus SM-4 was supplied by the division III emergency diesel generator (EDG). Therefore, basic events HE-LOOP-SM-7, HE-LOOP-SM-8, and HE-LOOP-SM-4 were set to TRUE.

Recovery. If postulated failures of the backup auxiliary transformer and/or the division III EDG had occurred, operators had the ability to align offsite power from the startup auxiliary transformer (through buses SM-1, SM-3, and SM-2) to repower buses SM-7, SM-8, and SM-4. Since buses SM-7 and SM-8 can be powered from either the backup auxiliary transformer or their respective EDGs, only potential recovery of electrical power to bus SM-4 is important for this analysis (footnote 6). Specifically, if postulated failures of the division III (HPCS) EDG, RCIC, and manual reactor depressurization were to occur, operators would have approximately 30 minutes to restore power to bus SM-4 via bus SM-2 and initiate HPCS (footnote 7). The SPAR-H Human Reliability Analysis Method (Ref. 3 and 4) was used to estimate non-recovery probability of operators to restore power to bus SM-4 via bus SM-2 (as represented by basic event ACP-XHE-RECOVERY). Tables 1 and 2 provide the key qualitative information for this recovery and the performance shaping factor (PSF) adjustments required for quantification of the human error probability for ACP-XHE-RECOVERY using SPAR-H.

Footnote 3: Approximately 5 minutes after the reactor scram, the main generator tripped on volts-to-hertz protection. The main generator trip initiated the fast transfer logic and non-safety busses SM-1, SM-2, SM-3, SH-5, and SH-6 transferred to the startup auxiliary transformer.

Footnote 4: Some consequential LOOPs may not result in the loss of offsite power to the backup auxiliary transformer. Supply power to the backup auxiliary transformer comes from a different source (115kV line from Benton Switching Station) than the startup auxiliary transformer (230kV line from Ashe Substation). Therefore, this modeling change is potentially conservative.

Footnote 5: Note that NRC inspectors identified an operator training weakness involving the execution of repowering the RPS buses during the recovery to the December 18th event. Specifically, the control room operations crew did not effectively implement procedure ABN-RPS, Loss of RPS, Revision 11, in a timely manner. See IR 05000397/2017008 for additional information.

Footnote 6: For recovery of electrical power from the startup auxiliary transformer (via buses SM-1 and SM-3) to buses SM-7 and SM-8, a failure of the backup auxiliary power transformer in conjunction with failures of the applicable EDG would need to occur. Given that the combined failure probability is sufficiently low, crediting recovery would have a negligible effect on the analysis results.

Table 1. Key Qualitative Information for ACP-XHE-RECOVERY

Definition: The definition for this human failure event (HFE) is the operators' failure to align power from bus SM-2 to bus SM-4 given the failure of the division III EDG within 30 minutes.

Description and Event Context: Given the postulated failures of division III EDG, RCIC, and manual reactor depressurization, operators would have approximately 30 minutes (before core uncovery) to align power from bus SM-2 to bus SM-4 by manually closing breakers 2/4 and 4/2.

Operator Action Success Criteria: For successful recovery, operators would have to manually close breakers 2/4 and 4/2 from the main control room.

Nominal Cues: Loss of voltage on bus SM-4: Deenergized safety equipment (e.g., division III EDG and HPCS).

Procedural Guidance: ABN-ELEC-SM2/SM4, SM-2, SM-4 and SL-21 Distribution System Failures; SOP-ELEC-SM4-MAINT, Removing/Restoring SM-4 from/to Service

Diagnosis/Action: This recovery action contains diagnosis and action activities.

Table 2. SPAR-H Evaluation for ACP-XHE-RECOVERY

PSF: Time Available
Multiplier (Diagnosis/Action): 1 / 1
Notes: The most limiting time for this recovery action is 30 minutes. The time needed to manually close the two breakers is approximately 5 minutes. This would leave approximately 25 minutes available for diagnosis, which is sufficient. However, because the time for diagnosis is less than 30 minutes, the diagnosis PSF for available time is set to Nominal. Sufficient time exists to perform the action component of the offsite power recovery; therefore, the action PSF for available time is set to Nominal. See Reference 4 for guidance on apportioning time between the diagnosis and action components of an HFE.

PSF: Stress
Multiplier (Diagnosis/Action): 2 / 1
Notes: The PSF for diagnosis stress is assigned a value of High Stress (i.e., x2) because core damage will occur if operators fail to restore power to bus SM-4. The PSF for action stress was not determined to be a performance driver for this HFE and, therefore, was assigned a value of Nominal (i.e., x1).

PSF: Complexity
Multiplier (Diagnosis/Action): 2 / 1
Notes: The PSF for diagnosis complexity is assigned a value of Moderately Complex (i.e., x2) because operators would have to deal with multiple equipment unavailabilities. The PSF for action complexity was not determined to be a performance driver for this HFE and, therefore, was assigned a value of Nominal (i.e., x1).

PSF: Procedures, Experience/Training, Ergonomics/HMI, Fitness for Duty, Work Processes
Multiplier (Diagnosis/Action): 1 / 1
Notes: No event information is available to warrant a change in these PSFs (diagnosis or action) from Nominal for this HFE.

Footnote 7: In this analysis, operators are assumed to successfully initiate HPCS if they successfully align power from bus SM-2 to bus SM-4 because the execution portion of initiating HPCS is not expected to significantly increase the HEP for the overall recovery.

The HEP is calculated using the following SPAR-H formula:

$$
\text{Power Recovery HEP} = (\text{Product of Diagnosis PSFs} \times \text{Nominal Diagnosis HEP}) + (\text{Product of Action PSFs} \times \text{Nominal Action HEP})
$$

$$
= (4 \times 0.01) + (1 \times 0.001) = 4 \times 10^{-2}
$$

Therefore, the human error probability for ACP-XHE-RECOVERY was set to 4×10⁻².

Sensitivity analyses indicate that increased credit for restoring power to safety-related buses has only a minor effect on the results.
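
The SPAR-H quantification of ACP-XHE-RECOVERY, as an added Python example (not code from the NRC analysis or the SPAR model). It uses the Table 2 multipliers and the nominal HEPs from the formula above; the adjustment for three or more negative PSFs comes from the SPAR-H method (Ref. 3) and is not triggered by this event, so a constructed what-if case with a diagnosis time multiplier of 10 is included to exercise it.

```python
"""SPAR-H HEP for ACP-XHE-RECOVERY (added example, not NRC or INL code)."""
from math import prod

# Nominal HEPs as used in the report's formula.
NOMINAL_DIAGNOSIS_HEP = 0.01
NOMINAL_ACTION_HEP = 0.001

# PSF multipliers from Table 2, stored as (diagnosis, action).
TABLE_2_PSFS = {
    "Time Available": (1, 1),
    "Stress": (2, 1),        # High Stress for diagnosis
    "Complexity": (2, 1),    # Moderately Complex for diagnosis
    "Procedures": (1, 1),
    "Experience/Training": (1, 1),
    "Ergonomics/HMI": (1, 1),
    "Fitness for Duty": (1, 1),
    "Work Processes": (1, 1),
}

# Constructed what-if (not from the report): diagnosis time multiplier of 10,
# which makes three diagnosis PSFs negative and triggers the adjustment.
WHAT_IF_PSFS = dict(TABLE_2_PSFS, **{"Time Available": (10, 1)})


def part_hep(nominal_hep, multipliers):
    """HEP for one part (diagnosis or action) of a human failure event."""
    composite = prod(multipliers)
    negative = sum(1 for m in multipliers if m > 1)
    if negative >= 3:
        # SPAR-H adjustment factor: with three or more negative PSFs the
        # plain product can exceed 1.0, so the method rescales it.
        return nominal_hep * composite / (nominal_hep * (composite - 1) + 1)
    return min(1.0, nominal_hep * composite)


def spar_h_hep(psfs):
    """Total HEP = diagnosis part + action part, capped at 1.0."""
    diagnosis = part_hep(NOMINAL_DIAGNOSIS_HEP, [d for d, _ in psfs.values()])
    action = part_hep(NOMINAL_ACTION_HEP, [a for _, a in psfs.values()])
    return min(1.0, diagnosis + action)


def one_significant_figure(value):
    """Round the way the report quotes the result (4x10^-2)."""
    return float(f"{value:.0e}")


if __name__ == "__main__":
    hep = spar_h_hep(TABLE_2_PSFS)
    print(f"Table 2 HEP: {hep:.3f} (reported as {one_significant_figure(hep):.0e})")
    print(f"What-if HEP with adjustment: {spar_h_hep(WHAT_IF_PSFS):.3f}")
```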

During the event, RCIC initially provided inventory makeup to the reactor. However, when operators attempted to re-initiate RCIC after it was terminated due to high reactor water level, operators failed to open the RCIC turbine trip valve prior to initiating RCIC. As a result, RCIC tripped on over-speed and required a local reset. Operators successfully reset RCIC approximately 13 minutes after the pump trip. Basic events RCI-RESTART (restart of RCIC is required) and RCI-TDP-RS-RSTRT (RCIC fails to restart given start and short-term run) were set to TRUE to model the required restart of RCIC and initial failure to restart. Note that credit for recovery (provided in the base SPAR model) is provided by basic event RCI-XHE-XL-RSTRT (operator fails to recover RCIC failure to restart) (footnote 8).

During the event, HPCS was operated in the minimum flow configuration for 3 hours and 42 minutes. On December 18, 2016, a leak and loose bolts were identified on the first flange downstream of the minimum flow isolation valve (HPCS-V-12) associated with restricting orifice RO-5. The licensee determined that the root cause for the observed leakage from the flange associated with restricting orifice RO-5 was due to inadequate gasket and flange design for the HPCS system operating conditions. The gasket for RO-5 was in service since initial plant construction; the licensee was unable to locate any documented maintenance on this mechanical joint. The licensee calculated the leak rate at the RO-5 flange to be approximately 4.7 gallons per minute with the HPCS pump in minimum flow mode. NRC inspectors agreed with the licensee determination that despite the failure of the gasket for RO-5, the HPCS system was capable of performing its safety function. Therefore, the HPCS leak was not considered in this analysis (footnote 9).

All other safety systems responded as designed.

Footnote 8: The base SPAR model provides a nominal human error probability of 0.25 for this recovery event (based on data provided in NUREG/CR-6928, Industry-Average Performance for Components and Initiating Events at U.S. Commercial Nuclear Power Plants, Appendix C, Section C.2).

ANALYSIS RESULTS

CCDP. The point estimate CCDP for this event is 1.0×10⁻⁵. The ASP Program acceptance threshold is a CCDP of 1×10⁻⁶ or the CCDP equivalent of an uncomplicated reactor trip with a non-recoverable loss of feed water or the condenser heat sink, whichever is greater. This CCDP equivalent for Columbia Generating Station is 5.5×10⁻⁶ (footnote 10). Therefore, this event is a precursor.

Dominant Sequence. The dominant accident sequence is loss of condenser heat sink sequence 45 (CCDP = 6.8×10⁻⁶), which contributes approximately 62 percent of the total CCDP. The dominant sequence is shown graphically in Figure A-1 in Appendix A. The sequences that contribute at least 1.0 percent to the total CCDP are provided in the following table.

Sequence: LOCHS 45
CCDP: 6.33E-6
% Contribution: 60.6%
Description: Successful reactor trip; RCIC and HPCS fail; and reactor depressurization fails

Sequence: LOCHS 49-07
CCDP: 2.44E-6
% Contribution: 23.4%
Description: RPS fails resulting in an anticipated transient without scram (ATWS); recirculation pumps are successfully tripped; SRVs open successfully; power conversion system fails; standby liquid control system succeeds; operator successfully inhibit automatic depressurization; and reactor water level cannot be maintained above top of active fuel

Sequence: LOCHS 44
CCDP: 9.14E-7
% Contribution: 8.8%
Description: Successful reactor trip; RCIC and HPCS fail; reactor depressurization succeeds; and all available sources of low-pressure injection fail

Sequence: LOCHS 48-30
CCDP: 1.56E-7
% Contribution: 1.5%
Description: Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; RCIC and HPCS fail; reactor depressurization succeeds; and low-pressure injection fails

Sequence: LOCHS 48-33
CCDP: 1.39E-7
% Contribution: 1.3%
Description: Successful reactor trip; consequential LOOP occurs; EDGs successfully provide power to safety-related buses; RCIC and HPCS fail; and reactor depressurization fails

Footnote 9: This issue is documented in a separate LER (397-16-005).

Footnote 10: For BWRs, a loss of condenser heat sink initiating event typically assumes that the condensate system is available to provide a source of low-pressure injection to the reactor.


REFERENCES

1. Columbia Generating Station, "LER 397/16-004 - Automatic Scram Due to Offsite Load Reject," dated February 15, 2017 (ADAMS Accession No. ML17046A177).
2. U.S. Nuclear Regulatory Commission, Columbia Generating Station - NRC Special Inspection Report 05000397/2017008, dated April 6, 2017 (ADAMS Accession No. ML17096A781).
3. Idaho National Laboratory, NUREG/CR-6883, The SPAR-H Human Reliability Analysis Method, August 2005 (ML051950061).
4. Idaho National Laboratory, INL/EXT-10-18533, SPAR-H Step-by-Step Guidance, May 2011 (ML112060305).

Appendix A: Key Event Tree

Figure A-1. Columbia Generating Station Loss of Condenser Heat Sink Event Tree (figure not reproduced; top events as labeled in the figure, ending in the column "End State (Phase - CD)")

IE-LOCHS: LOSS OF CONDENSER HEAT SINK
RPS: REACTOR SHUTDOWN
OEP: CONSEQUENTIAL LOSS OF OFFSITE POWER
SRV: SRV'S FAILS TO CLOSE
HCS: HPCS
RCI: RCIC
SPC: SUPPRESSION POOL COOLING
DEP: MANUAL REACTOR DEPRESS
CRD: TWO PUMPS CRD FLOW
LPI: LOW PRESSURE INJECTION (LPCI OR LPCS)
CDS: CONDENSATE
VA: ALTERNATE LOW PRESS INJECTION
SPC: SUPPRESSION POOL COOLING
PCSR: POWER CONVERSION SYSTEM RECOVERY
CVS: CONTAINMENT VENTING
LI: LATE INJECTION

Appendix B: Modified Fault Trees

Figure B-1. Modified ACP-BUS-SM4 Fault Tree (figure not reproduced; nodes as labeled in the figure)

ACP-BUS-SM4: COLM DIVISION III AC BUS SM-4 POWER FAILS
[Ext] ACP-MC-4A1-EQ: LOSS OF HPCS DUE TO SEISMIC FAILURE OF E-SM-4
ACP-DIV3-1: LOSS OF POWER TO 4160V AC BUS
[Ext] DG3: DIESEL GENERATOR 3 FAILURES
ACP-DIV3-2: NORMAL OFFSITE POWER SUPPLY IS UNAVAILABLE
ACP-DIV3-4: OFFSITE POWER TO BUS SM-4 IS UNAVAILABLE
[False] HE-LOOP-SM4: LOSS OF OFFSITE POWER TO DIVISION III (BUS SM-4)
[Ignore] ACP-XHE-RECOVERY: OPERATORS FAIL TO ALIGN OFFSITE POWER
[Ext] ACP-BUSSM2: AC POWER FROM BUS SM-2 IS UNAVAILABLE
[3.82E-06] ACP-CRB-CO-ECB24: BREAKER E-CB-2/4 FAILS OPEN
[3.82E-06] ACP-CRB-CO-ECB42: BREAKER E-CB-4/2 FAILS OPEN
[2.29E-05] ACP-BAC-LP-SM4: DIVISION III AC POWER BUS SM-4 FAILS

Figure B-2. Modified ACP-BUSSM1 Fault Tree (figure not reproduced; nodes as labeled in the figure)

ACP-BUSSM1: AC POWER FROM BUS SM-1 IS UNAVAILABLE
[Ext] ROOP: OFFSITE POWER IS UNAVAILABLE
[False] HE-LOOP: HOUSE EVENT - LOSS OF OFFSITE POWER IE HAS OCCURRED
[2.05E-03] ACP-CRB-OO-ECBS1: BREAKER E-CB-S1 FAILS TO CLOSE
[2.05E-03] ACP-CRB-CC-ECBN11: BREAKER E-CB-N1/1 FAILS TO OPEN
[2.29E-05] ACP-BAC-LP-ESM1: AC POWER BUS E-SM-1 FAILS
[1.75E-03] ACP-TFM-TM-ETRS: ALTERNATE TRANSFORMER TR-S OOS FOR T&M
[6.07E-05] ACP-TFM-FC-ETRS: ALTERNATE TRANSFORMER TR-S FAILS TO FUNCTION

Figure B-3. Modified ACP-BUSSM2 Fault Tree (figure not reproduced; nodes as labeled in the figure)

ACP-BUSSM2: AC POWER FROM BUS SM-2 IS UNAVAILABLE
[Ext] ROOP: OFFSITE POWER IS UNAVAILABLE
[False] HE-LOOP: HOUSE EVENT - LOSS OF OFFSITE POWER IE HAS OCCURRED
[2.29E-05] ACP-BAC-LP-ESM2: AC POWER BUS E-SM-2 FAILS
[2.05E-03] ACP-CRB-CC-ECBN12: BREAKER E-CB-N1/2 FAILS TO OPEN
[2.05E-03] ACP-CRB-OO-ECBS2: BREAKER E-CB-S2 FAILS TO CLOSE
[1.75E-03] ACP-TFM-TM-ETRS: ALTERNATE TRANSFORMER TR-S OOS FOR T&M
[6.07E-05] ACP-TFM-FC-ETRS: ALTERNATE TRANSFORMER TR-S FAILS TO FUNCTION

Figure B-4. Modified ACP-BUSSM3 Fault Tree (figure not reproduced; nodes as labeled in the figure)

ACP-BUSSM3: AC POWER FROM BUS SM-3 IS UNAVAILABLE
[Ext] ROOP: OFFSITE POWER IS UNAVAILABLE
[False] HE-LOOP: HOUSE EVENT - LOSS OF OFFSITE POWER IE HAS OCCURRED
[2.29E-05] ACP-BAC-LP-ESM3: AC POWER BUS E-SM-3 FAILS
[2.05E-03] ACP-CRB-OO-ECBS3: BREAKER E-CB-S3 FAILS TO CLOSE
[1.75E-03] ACP-TFM-TM-ETRS: ALTERNATE TRANSFORMER TR-S OOS FOR T&M
[6.07E-05] ACP-TFM-FC-ETRS: ALTERNATE TRANSFORMER TR-S FAILS TO FUNCTION
[2.05E-03] ACP-CRB-CC-ECBN13: BREAKER E-CB-N1/3 FAILS TO OPEN

Figure B-5. Modified ACP-BUS-SM7 Fault Tree (figure not reproduced; nodes as labeled in the figure)

ACP-BUS-SM7: COLM DIVISION I AC BUS SM-7 POWER FAILS
[Ext] ACP-SM7-HVAC: CRITICAL SWITCHGEAR SM7 HVAC
[Ext] ACP-MC-7F-EQ: SEISMIC FAILURE OF E-MC-7F
ACP-DIV1-2: DIVISION I AC POWER FAILS
ACP-DIV1-1: LOSS OF POWER TO 4160V AC BUS
ACP-BUS-SM7203: ALTERNATE POWER FROM BACKUP AUX TRANSFORMER (E-TR-B)
[Ext] ROOP: OFFSITE POWER IS UNAVAILABLE
[False] HE-LOOP: HOUSE EVENT - LOSS OF OFFSITE POWER IE HAS OCCURRED
[2.05E-03] ACP-CRB-OO-ECBB7: CIRCUIT BREAKER B-7 FAILS TO CLOSE
[6.07E-05] ACP-TFM-FC-ETRB: ALTERNATE TRANSFORMER TR-B FAILS TO FUNCTION
[1.75E-03] ACP-TFM-TM-ETRB: ALTERNATE TRANSFORMER TR-B OOS FOR T&M
[Ext] DG1: DIESEL GENERATOR 1 FAILURES
ACP-DIV1-3: NORMAL OFFSITE POWER SUPPLY IS UNAVAILABLE
[2.29E-05] ACP-BAC-LP-SM7: DIVISION I AC POWER BUS (SM-7) FAILS
[False] IESD-LOAC-FLAG: IESD-LOAC-FLAG

Figure B-6. Modified ACP-BUS-SM8 Fault Tree (figure not reproduced; nodes as labeled in the figure)

ACP-BUS-SM8: COLM DIVISION II AC BUS SM-8 POWER FAILS
[Ext] ACP-SM8-HVAC: CRITICAL SWITCHGEAR SM8 HVAC
[Ext] ACP-MC-8F-EQ: SEISMIC FAILURE OF E-MC-8F
ACP-DIV2-1: LOSS OF POWER TO 4160V AC BUS
ACP-BUS-SM823: ALTERNATE POWER FROM BACKUP AUX TRANSFORMER (TR-B) IS UNAVAILABLE
[Ext] ROOP: OFFSITE POWER IS UNAVAILABLE
[False] HE-LOOP: HOUSE EVENT - LOSS OF OFFSITE POWER IE HAS OCCURRED
[6.07E-05] ACP-TFM-FC-ETRB: ALTERNATE TRANSFORMER TR-B FAILS TO FUNCTION
[1.75E-03] ACP-TFM-TM-ETRB: ALTERNATE TRANSFORMER TR-B OOS FOR T&M
[2.05E-03] ACP-CRB-OO-ECBB8: CIRCUIT BREAKER B-8 FAILS TO CLOSE
[Ext] DG2: DIESEL GENERATOR 2 FAILURES
ACP-DIV2-2: NORMAL OFFSITE POWER SUPPLY IS UNAVAILABLE
[2.29E-05] ACP-BAC-LP-SM8: DIVISION II AC POWER BUS (SM-8) FAILS