Text

1 Final ASP Program Analysis - Precursor Accident Sequence Precursor Program - Office of Nuclear Regulatory Research Oyster Creek Nuclear Generating Station Failure of Emergency Diesel Generator during Surveillance Testing due to a Broken Electrical Connector Event Date: 10/9/2017 LER(s):

219-2017-005 CDP =

6x10-6 IR(s):

TBD Plant Type:

General Electric Type 2 Boiling-Water Reactor (BWR) with a Mark I Containment Plant Operating Mode (Reactor Power Level):

Mode 1 (100% Reactor Power)

Analyst:

Reviewer:

Contributors:

Approval Date:

Christopher Hunter Ian Gifford N/A 5/23/2018 EXECUTIVE

SUMMARY

On October 9, 2017, during the bi-weekly load test on emergency diesel generator (EDG) 2, a generator lockout signal was received which tripped the EDG output breaker. The EDG had run for 4 minutes loaded in the procedurally prescribed band of 2600-2800 kilowatt (kW) prior to receiving the lockout signal. This failure resulted in EDG 2 being declared inoperable, and the plant entered into an unplanned 7-day limiting condition for operation (LCO) according to Technical Specification (TS) 3.7.C. Repairs were completed on October 10th and EDG 2 was satisfactorily tested and declared operable.

This accident sequence precursor (ASP) analysis reveals that the most likely core damage scenarios are a loss of 4.16 kilovolt (kV) safety-related alternating current (AC) bus initiating event with opposite train electrical failures that result in the unavailability of the isolation condensers, reactor depressurization, and/or containment temperature/pressure control. These accident sequences account for approximately 60 percent of the increase in core damage probability (CDP) for the event. The point estimate CDP for this event is 6x10-6 (internal events), which is considered a precursor in the ASP Program. The seismic contribution for 198-day unavailability of EDG 2 is CDP of 1x10-7 (approximately 2 percent of the internal events contribution).

To date, no performance deficiency associated with this event has been identified and, therefore, an ASP analysis was performed since an SDP evaluation was not performed.

EVENT DETAILS Event Description. On October 9, 2017, during the bi-weekly load test on EDG 2, a generator lockout signal was received which tripped the EDG output breaker. The EDG had run for 4 minutes loaded in the procedurally prescribed band of 2600-2800 kW prior to receiving the lockout signal. This failure resulted in EDG 2 being declared inoperable, and the plant entered into an unplanned 7-day LCO (TS 3.7.C). Repairs were completed on October 10th and EDG 2 was satisfactorily tested and declared operable. Additional information is provided in licensee event report (LER) 219/2017-005 (Ref. 1).

LER 219-2017-005 2

Cause. During troubleshooting, the licensee identified a broken electrical ring lug connector on a current transformer that provides an input to the protective relay logic. A subsequent investigation determined the connector failure was due to fatigue cracking caused by stresses from bending and twisting of the electrical lug beyond the limits specified in industry guidelines.

The electrical lug was most likely stressed during initial installation in the 1990s.

MODELING ASSUMPTIONS Analysis Type. The Oyster Creek standardized plant analysis risk (SPAR) model, Version 8.52 dated December 7, 2017, was used for this condition assessment. This SPAR model version includes seismic inititiating events/

SDP Results/Basis for ASP Analysis. The ASP Program uses Significance Determination Process (SDP) results for degraded conditions when available (and applicable). To date, no inspection reports have been released that provide additional information on this event.

Discussions with Region 1 staff indicated that no performance deficiency has been identified to date; however, the LER remains open. An independent ASP analysis was performed given the lack of an identified performance deficiency and the potential risk significance of this event.

A search for additional Oyster Creek LERs was performed to determine if any initiating events or additional unavailabilities existed during the exposure period of EDG 2. This review revealed that a reactor scram occurred on July 3, 2017, which was during the period that EDG 2 was unable to fulfill its safety function. Operators manually scrammed the reactor due to degraded vacuum; however, a complete loss of condenser heat sink did not occur. See LER 219-2017-002 (Ref. 2) for additional information. A sensitivity analysis shows that a reactor trip concurrent with an EDG 2 failure-to-run results in a conditional core damage probability of the 1.8x10-6, which is less than the CDP for this condition assessment.

Therefore, the ASP analysis result is reflected by the condition assessment provided in this report.

SPAR Model Modifications. The following base SPAR model modifications were made as part this analysis:

The probabilities for stuck-open safety relief valves (SRVs) were recently updated in the SPAR models. These probabilities significantly increased from previous calculations because previous calculations did not consider the number of expected valve cycles, which increase the potential for a stuck-open SRV. However, Oyster Creek Nuclear Generating Station has isolation condensers that provide reactor pressure control and, therefore, limit SRV open and close cycles. Given this information, the probabilities of stuck-open SRV(s) were changed to previous calculations. Specifically, basic events PPR-SRV-OO-1VLV (one BWR SRV fails to close), PPR-SRV-OO-2VLVs (two or more BWR SRVs fails to close), and PPR-SRV-OO-3VLVs (three or more BWR SRVs fails to close) were changed to 8.6x10-4, 1.3x10-4, and 5.5x10-5, respectively.

The recirculation pump seals at Oyster Creek are the same as those installed at Nine Mile Point. These seals were evaluated to have a lower probability of failure; therefore, the probability for basic event RRS-MDP-LK-SEALS (recirculation pump seals fail during SBO) was changed to 5x10-2.

The following changes were made to the station blackout (SBO) event tree (the revised SBO event tree is shown in Figure A-2 of Appendix A):

LER 219-2017-005 3

Basic event DCP-XHE-XM-LOADSHED (operator fails to shed unnecessary DC loads) is set to TRUE (i.e., no credit is provided) in the base SPAR model. A review of the plant information, including procedures, indicates that operators will shed DC loads during a SBO, thus extending time until battery depletion. According to revised licensee battery calculations, the nominal depletion time for the safety-related batteries at Oyster Creek Nuclear Generating Station is 14 hours1.62037e-4 days <br />0.00389 hours <br />2.314815e-5 weeks <br />5.327e-6 months <br />. The successful shedding of loads can extend the batteries to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. The probability of basic event DCP-XHE-XM-LOADSHED was set to a screening value of 0.1.1 Any further refinement of this human error probability (HEP) has a negligible effect on the results. The SBO event tree branching was modified to match the revised battery depletion times.

Firewater injection to the reactor is not credited in the base SPAR model. Firewater can be injected into the reactor relatively quickly via redundant diesel-driven pumps.2 To model this credit, the FWS (firewater injection) fault tree was replaced in the SBO event tree with the FWS3 (Oyster Creek firewater system) fault tree. Firewater is needed for all scenarios to provide inventory makeup to the reactor, including scenarios with successful operation of the isolation condenser(s) with no loss-of-coolant accident (LOCA). At a minimum, reactor inventory makeup is needed due to recirculation seal leakage and decreased reactor water level caused by the cooldown. If firewater injection is successful, it is assumed that restoration of AC power is necessary for operators to place the plant in a safe/stable end state.

Some top events were eliminated from the SBO event tree because the safety functions were either not available during a SBO, their success or failure did not affect the potential for core damage, or were considered as part of other fault trees. These top events include EXT (actions to extend ECCS operation), DGR (diesel generator recovery), CVS (containment venting), and LI (late injection).

The potential for EDG recovery was added to the applicable OPR (offsite power recovered) fault trees. Specifically, basic events EPS-XHE-XL-NR30M (operator fails to recover emergency diesel in 30 minutes), EPS-XHE-XL-NR01H (operator fails to recover emergency diesel in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />), EPS-XHE-XL-NR14H (operator fails to recover emergency diesel in 14 hours1.62037e-4 days <br />0.00389 hours <br />2.314815e-5 weeks <br />5.327e-6 months <br />), and EPS-XHE-XL-NR24H (operator fails to recover emergency diesel in 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />) were added to the OPR-30M (operator fails to recovery offsite power in 30 minutes), OPR-01H (operator fails to recovery offsite power in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />), OPR-14H (operator fails to recovery offsite power in 14 hours1.62037e-4 days <br />0.00389 hours <br />2.314815e-5 weeks <br />5.327e-6 months <br />), and OPR-24H (operator fails to recovery offsite power in 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />) fault trees, respectively.3 These basic events were set to TRUE in the base SPAR model. An example of this modified fault tree logic (for OPR-14H) is provided in Figure B-1 of Appendix B.

Increased failure probabilities for manual reactor depressurization and firewater injection were used for scenarios where less time is available for operators to initiate these functions. Therefore, for sequences that involve failures of isolation condensers and/or a LOCA, the DEP1 (manual reactor depressurization) and FWS3 fault trees were replaced by new fault trees, DEPISO (manual reactor depress (isolation condenser fails)) and FWSISO (firewater injection (isolation condenser fails)), respectively. These 1

NUREG-1792, Good Practices for Implementing Human Reliability Analysis, provides that 0.1 is an appropriate screening (i.e., typically conservative) value for most post-initiator human failure events.

2 The firewater pumps are low-head pumps and, therefore, manual reactor depressurization is needed for successful reactor injection.

3 The OPR-14H and OPR-24H fault trees were created based on the other OPR fault trees but with 14-and 24-hour specific offsite power and EDG recovery basic events.

LER 219-2017-005 4

two new fault trees include only a single basic event that represents the failure of operators to initiate these systems, which is expected to have a failure probability of at least two orders-of-magnitude higher than potential hardware failures. A new basic event, ADS-XHE-XM-MDEPRLOCA (operator fails to depressurize the reactor (LOCA or isolation condenser fails)), was inserted under the top gate in the DEPISOFAIL fault tree.

A new basic event, FWS-XHE-XL-ISO (operator fails to initiate firewater (LOCA or isolation condenser fails)), was inserted under the top gate in the FWSISO fault tree.

The probabilities of basic events ADS-XHE-XM-MDEPRLOCA and FWS-XHE-XL-ISO were set to a screening value of 0.1. Any further refinement of these HEPs has a minimal effect on the results. These fault trees are provided in Figures B-2 and B-3 of Appendix B.

Exposure Period. EDG 2 successfully passed its previous biweekly surveillance tests prior to the failure on October 9, 2017. However, the nature of the failure mechanism makes it likely that EDG 2 would not have been able to fulfill its safety function for its probabilistic risk assessment (PRA) mission time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for some time. Therefore, the run history for EDG 2 was used to estimate the exposure period (see the following table). Based on the run history, it has been determined that EDG 2 was unable to fulfill its safety function from March 26th until October 10, 2017, a period of 198 days.

Date Description Run Duration (Hours)

Cumulative Run Time (Hours) 10/10/2017 EDG 2 is repaired and returned to operable status 10/9/2017 Failed biweekly test 0.37 0.37 9/25/2017 Successful biweekly test 1.90 2.27 9/2/2017 Successful biweekly test 1.50 4.49 8/28/2017 Successful biweekly test 1.59 6.08 8/16/2017 Successful biweekly test 1.56 7.64 7/31/2017 Successful biweekly test 1.49 9.13 7/17/2017 Successful biweekly test 1.66 10.79 7/3/2017 Successful biweekly test 1.39 12.18 6/19/2017 Successful biweekly test 1.68 13.86 6/3/2017 Successful biweekly test 1.52 15.76 5/22/2017 Successful biweekly test 1.77 17.54 5/7/2017 Successful biweekly test 1.60 19.14 4/24/2017 Successful biweekly test 1.73 21.12 4/10/2017 Successful biweekly test 1.63 23.33 3/26/2017 Successful biweekly test 0.54 23.87 Key Modeling Assumptions. The following modeling assumptions were determined to be significant to the modeling of this event:

Basic event EPS-DGN-FR-DG2 (diesel generator DG2 fails to run) was set to TRUE to represent the failure of EDG 2 to fulfill its safety function for the complete 24-hour mission time.

EDG Recovery. After EDG 2 failed on October 9th, the licensee was able to repair and restore the EDG the next day (approximately 27 hours3.125e-4 days <br />0.0075 hours <br />4.464286e-5 weeks <br />1.02735e-5 months <br /> later). Discussions with Region 1

LER 219-2017-005 5

staff indicated that, if needed, the recovery could have been accomplished sooner. In a postulated SBO, it is estimated that EDG 2 could be repaired in approximately 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. A conservative screening value of 0.1 was used for basic event EPS-XHE-XL-NR14H.4 Any further refinement of this HEP has a negligible effect on the results. However, a more detailed evaluation was needed for the recovery of EDG 2 for the applicable 24-hour SBO sequences. Specifically, basic event EPS-XHE-XL-NR24H was evaluated using the SPAR-H Method (Ref. 3 and Ref. 4). Table 1 and Table 2 provide the key qualitative information for this human failure event (HFE) and the performance shaping factor (PSF) adjustments required for the quantification of the HEP using SPAR-H.

Table 1. Qualitative Evaluation of EPS-XHE-XL-NR24H Definition The definition for this HFE is operators failing to repair EDG 2 within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> given a postulated loss of offsite power (LOOP) and subsequent SBO.

Description and Event Context Given a LOOP and a failure of both EDGs, a subsequent SBO will occur. If the combustion turbine generators (CTGs) cannot be aligned, operators must restore AC power. Without recovery of AC power, the safety-related batteries will eventually deplete, rendering decay heat removal and reactor inventory makeup unavailable. Recovery of offsite power is modeled in separate basic events. This basic event represents the repair and restoration of EDG 2. Credit for recovery following the postulated failure of the other EDG is not provided.

Operator Action Success Criteria Repair and restore EDG 2 to operable status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

Nominal Cues Safety-related bus under-voltage annunciators EDG failure annunciators Procedural Guidance Generic EDG maintenance and troubleshooting procedures exist; however, explicit procedures are not available. Skill-of-the-craft and other cues will indicate the failure cause to the technicians.

Diagnosis/Action This HFE contains sufficient diagnosis and action components.

Table 2. SPAR-H Evaluation of EPS-XHE-XL-NR24H PSF Diagnosis/

Action Multiplier Notes Time Available 0.01 / 1 It was determined through discussions with regional staff that the licensee, if needed, could have recovered EDG 2 in approximately 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. Therefore, an additional 16 hours1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br /> was available to determine the failure cause and complete repairs. A conservative estimate of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> was assumed for the time required to complete the repair (i.e, the action portion of the HFE), leaving approximately 20 hours2.314815e-4 days <br />0.00556 hours <br />3.306878e-5 weeks <br />7.61e-6 months <br /> available for diagnosis.

Therefore, diagnosis PSF for available time is set to Expansive Time (i.e., x0.01; greater than 2x nominal time and greater than 30 minutes).

Sufficient time exists to perform the action component of the offsite power recovery; therefore, the action PSF for available time is set to Nominal. See Ref. 4 for guidance on apportioning time between the diagnosis and action components of an HFE.

4 Recovery of the failed EDG is only given for SBO scenarios, which is potentially conservative.

LER 219-2017-005 6

PSF Diagnosis/

Action Multiplier Notes Stress 2 / 1 The PSF for diagnosis stress is assigned a value of High Stress (i.e., x2) because core damage would occur if technicians fail to recover the EDG within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for the applicable scenario.

The PSF for action stress was not determined to be a performance driver for this HFE and, therefore, was assigned a value of Nominal (i.e., x1).

Complexity 5 / 1 The PSF for diagnosis complexity is assigned a value of Highly Complex (i.e., x5) because technicians would be dealing with multiple EDG failures that required troubleshooting.

The PSF for action complexity was not determined to be a performance driver for this HFE and, therefore, was assigned a value of Nominal (i.e., x1).

Procedures 5 / 1 The PSF for diagnosis complexity is assigned a value of Available, but Poor (i.e., x5) because technicians have guidance, but not explicit procedures for troubleshooting activities.

The PSF for action complexity was not determined to be a performance driver for this HFE and, therefore, was assigned a value of Nominal (i.e., x1).

Experience/Training Ergonomics/HMI Fitness-for-Duty Work Processes 1 / 1 No event information is available to warrant a change in these PSFs (diagnosis or action) from Nominal for this HFE.

An HEP evaluated using SPAR-H is calculated using the following formula:

Calculated HEP = (Product of Diagnosis PSFs x 0.01) + (Product of Action PSFs x 0.001)

Therefore, the probability of basic event EPS-XHE-XL-NR24H was set to 6x10-3.

ANALYSIS RESULTS CDP. The point estimate CDP for this event is 5.7x10-6, which is the sum of all exposure periods. The ASP Program acceptance threshold is a CDP of 1x10-6 for degraded conditions.

The CDP for this event exceeds this threshold; therefore, this event is a precursor.

Dominant Sequence. The dominant accident sequences are loss of safety-related bus 1C, sequences 32 and 14 (CDP = 1.7x10-6), which each contribute approximately 31 percent of the total internal events CDP. The dominant sequences are shown graphically in Figure A-1 Appendix A. Accident sequences that contribute at least 1.0 percent to the total internal events CDP for this analysis are provided in the following table.

Sequence CCDP CDP CDP Description LO1C 32 1.95x10-6 2.15x10-7 1.74x10-6 30.5%

Loss of safety-related bus 1C initiating event; successful reactor trip; offsite power remains available; isolation condensers fail; and reactor depressurization fails

LER 219-2017-005 7

Sequence CCDP CDP CDP Description LO1C 14 1.96x10-6 2.27x10-7 1.74x10-6 30.5%

Loss of safety-related bus 1C initiating event; successful reactor trip; offsite power remains available; isolation condensers fail; operators restore main feedwater (MFW); condenser heat sink fails; reactor depressurization fails; suppression pool cooling fails; and containment venting fails LOOP 16 3.98x10-7 2.33x10-8 3.75x10-7 6.6%

LOOP initiating event; successful reactor trip; emergency power system succeeds; makeup to isolation condensers fails; control rod drive injection fails; and reactor depressurization fails LOOP 29-36 3.32x10-7 9.99x10-9 3.23x10-7 5.7%

LOOP initiating event; successful reactor trip; emergency power system fails resulting in an SBO; safety relief valve (SRV) fails to close resulting in a LOCA; isolation condensers succeed; and offsite power recovery within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> fails LOOP 29-17 2.86x10-7 8.45E-09 2.78x10-7 4.9%

LOOP initiating event; successful reactor trip; emergency power system fails resulting in an SBO; CTGs fail; recirculation pump seals fail resulting in a LOCA; isolation condensers succeed; reactor depressurization fails; and failure of offsite power recovery within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> LOOP 29-15 2.58x10-7 7.59x10-9 2.50x10-7 4.4%

LOOP initiating event; successful reactor trip; emergency power system fails resulting in an SBO; CTGs fail; recirculation pump seals fail resulting in a LOCA; isolation condensers succeed; reactor depressurization succeeds; firewater injection fails; and failure of offsite power recovery within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> TRANS 14 1.36x10-7 2.17x10-8 1.14x10-7 2.0%

Transient initiating event; successful reactor trip; offsite power remains available; isolation condensers fail; MFW succeeds; condenser heat sink fails; reactor depressurization fails; suppression pool cooling fails; and containment venting fails TRANS 32 1.27x10-7 2.43x10-8 1.03x10-7 1.8%

Transient initiating event; successful reactor trip; offsite power remains available; isolation condensers fail; MFW fails; and reactor depressurization fails

LER 219-2017-005 8

Sequence CCDP CDP CDP Description LOOPWR 12 9.73x10-8 4.50x10-9 9.28x10-8 1.6%

Weather-related LOOP initiating event; successful reactor trip; emergency power system succeeds; makeup to isolation condensers fails; control rod drive injection fails; reactor depressurization succeeds; low-pressure coolant injection succeeds; failure of offsite power recovery within 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />; suppression pool cooling fails; shutdown cooling fails; successful containment venting; and late (alternate) injection fails LOOPWR 29-26 7.95x10-8 2.74x10-9 7.67x10-8 1.3%

Weather-related LOOP initiating event; successful reactor trip; emergency power system fails resulting in an SBO; CTGs fail; isolation condensers fail; reactor depressurization fails; and failure of offsite power recovery within 30 minutes LOOPWR 29-24 7.15x10-8 2.44x10-9 6.91x10-8 1.2%

Weather-related LOOP initiating event; successful reactor trip; emergency power system fails resulting in an SBO; CTGs fail; isolation condensers fail; reactor depressurization succeeds; firewater injection fails; and failure of offsite power recovery within 30 minutes LOOPSC 29-38 6.99x10-8 3.52x10-9 6.63x10-8 1.2%

Switchyard-centered LOOP initiating event; successful reactor trip; emergency power system fails resulting in an SBO; and multiple SRVs fail to close Total 1.27x10-5 6.98x10-6 5.70x10-6 Uncertainties. The best estimate analysis does not consider FLEX credit or successful run time of EDG 2 (for the applicable portion of the exposure period), which is potentially conservative. A review of the sequences/cut sets indicates that crediting FLEX would not significantly affect the results because the dominant sequences/cut sets are either non-SBO scenarios or short-term SBO scenarios (core damage within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> or less). Therefore, it is expected that there is inadequate time available mitigate these scenarios through the implementation of FLEX.

ASP analyses use the failure memory approach in which successful operation of equipment is not credited.5 However, EDG 2 successfully passed its biweekly surveillance tests prior to the failure on October 9, 2017. Therefore, depending on when it was demanded, it is likely that the 5

Convolution factors are applied to the postulated failures-to-run of the other EDG.

LER 219-2017-005 9

EDG 2 would have run for some time prior to failing within the PRA mission time (i.e., 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />).

Recent ASP analyses have included a sensitivity analysis crediting additional time for the expected successful run time for the failed EDG (based on the surveillance test data) by adjusting the offsite power recovery probabilities for the applicable exposure periods. However, a review of the dominant sequences/cut sets reveals that this credit would have a negligible effect on the results and, therefore, no quantitative analysis was performed.

Seismic Contribution. Historically, independent condition assessments performed as part of the ASP Program only included the risk impact from internal events and did not include the consideration of other hazards such as fires, floods, earthquakes, etc.6 The reason for the exclusion of the impacts of other hazards in most ASP analyses was due to the lack of modeling capability within the SPAR models. However, seismic hazards modeling was completed for all SPAR models in December 2017. Therefore, beginning in 2018, seismic hazards will be evaluated as part of all condition assessments performed by the ASP Program. The seismic contribution for an EDG 2 unavailability of 198 days is CDP of 1.2x10-7. The following table provides the seismic bin results that contribute at least 1 percent of the total seismic CDP for this analysis.

Seismic Bin CDP Notes/Observations Seismic Event in Bin 3 (0.5-1.0 G) occurs (Bin peak ground acceleration (PGA) 0.71) 7.25x10-8 Dominant scenarios are seismically-induced LOOP and small LOCA. Seismically induced electrical failures (e.g., batteries, 480 volt AC buses) or failure of low-pressure core spray result in a failure of reactor depressurization capability, reactor inventory makeup, and/or containment temperature/pressure control.

Seismic Event in Bin 2 (0.3-0.5 G) occurs (Bin PGA 0.39) 4.10x10-8 Similar sequences and cut sets to Seismic Bin 3, except with lower seismic failure probabilities.

Seismic Event in Bin 4 (1.0-1.5G) occurs (Bin PGA 1.22) 6.35x10-9 Dominant scenarios are seismically-induced LOOP and small LOCA. Seismically induced electrical failures low-pressure core spray and service water/turbine building cooling water result in a failure of reactor inventory makeup.

Seismic Event in Bin 1 (0.1-0.3 G) occurs (Bin PGA 0.17) 3.75x10-9 Dominant scenarios are seismically-induced LOOP and small LOCA. Random failure of the other EDG results in SBO with core damage assumed.

TOTAL = 1.24x10-7 6

Initiating events caused by other hazards (e.g., tornado results in a LOOP) or degradations specific to a particular hazard (e.g., degraded fire barrier) have been analyzed as part of ASP Program.

LER 219-2017-005 10 REFERENCES

1. Oyster Creek Nuclear Generating Station, "LER 219/17-005 - Failure of the Emergency Diesel Generator #2 During Surveillance Testing due to a Broken Electrical Connector, dated January 3, 2018 (ADAMS Accession No. ML18009A436).

2. Oyster Creek Nuclear Generating Station, "LER 219/17-002 - Manual Scram due to Degraded Main Condenser Vacuum, dated August 31, 2017 (ADAMS Accession No. ML17249A124).

3. Idaho National Laboratory, NUREG/CR-6883, The SPAR-H Human Reliability Analysis Method, August 2005 (ADAMS Accession No. ML051950061).

4. Idaho National Laboratory, INL/EXT-10-18533, SPAR-H Step-by-Step Guidance, May 2011 (ADAMS Accession No. ML112060305).

LER 219-2017-005 A-1 Appendix A: Key Event Trees Figure A-1. Oyster Creek LO1C Event Tree IE-LOACB-1C LOSS OF 4160 V AC BUS 1C RPS REACTOR PROTECTION SYSTEM OEP OFFSITE ELECTRICAL POWER SRV SRVS ARE CLOSED ISO ISOLATION CONDENSER FAILS TO PROVIDE COOLING MFW FEEDWATER DEP MANUAL REACTOR DEPRESS FAILS CDS CONDENSATE LCI LOW PRESSURE COOLANT INJECTION CND MAIN CONDENSER SPC SUPPRESSION POOL COOLING DEP MANUAL REACTOR DEPRESS FAILS SDC SHUTDOWN COOLING PCSR POWER CONVERSION SYSTEM RECOVERY CVS CONTAINMENT VENTING (TORUS)

LI LATE INJECTION End State (Phase - CD) 1 OK 2

OK 3

OK 4

OK 5

OK 6

OK LI01 7

CD 8

OK LI02 9

CD 10 OK 11 OK LI01 12 CD 13 OK LI02 14 CD 15 OK 16 OK 17 OK 18 OK 19 OK LI01 20 CD 21 OK LI02 22 CD 23 OK 24 OK 25 OK 26 OK 27 OK 28 CD 29 OK LI02 30 CD 31 CD 32 CD P1 33 1SORV P2 34 2SORVS P3 35 3SORVS 36

@LOOPPC 37 ATWS 38 CD

LER 219-2017-005 A-2 Figure A-2. Modified Oyster Creek SBO Event Tree FTF-SBO EPS EMERGENCY POWER SRV SRVS ARE CLOSED FTF-SBO ISO1 ISOLATION CONDENSER CTG FORKED RIVER COMBUSTION TURBINES SEALS RECIRC PUMP SEALS FAIL DURING SBO FTF-SBO DEP1 MANUAL REACTOR DEPRESS FWS3 OYSTER CREEK FIREWATER SYSTEM FAULT TREE DCL OPERATOR SHEDS DC LOADS OPR OFFSITE POWER RECOVERED End State (Phase - CD) 1 OK 2

OK OPR-24H 3

CD 4

OK OPR-14H 5

CD 6

OK OPR-04H 7

CD 8

OK OPR-04H 9

CD DEPISO FWSISO 10 SBO-OP OPR-24H 11 CD 12 SBO-OP OPR-14H 13 CD FWSISO 14 SBO-OP OPR-01H 15 CD DEPISO 16 SBO-OP OPR-01H 17 CD CTG1 18 OK CTG1 DEPISO FWSISO 19 SBO-OP OPR-24H 20 CD 21 SBO-OP OPR-14H 22 CD FWSISO 23 SBO-OP OPR-30M 24 CD DEPISO 25 SBO-OP OPR-30M 26 CD DEPISO FWSISO 27 SBO-OP OPR-24H 28 CD 29 SBO-OP OPR-14H 30 CD FWSISO 31 SBO-OP OPR-30M 32 CD DEPISO 33 SBO-OP OPR-30M 34 CD P1 35 SBO-OP OPR-01H 36 CD 37 CD P2 38 CD P3 39 CD

LER 219-2017-005 B-1 Appendix B: Modified Fault Trees Figure B-1. Modified OPR Fault Tree OPR-14H OFFSITE POWER RECOVERY IN 14 HRS OPR-14WR OPERATOR FAILS TO RECOVER OFFSITE POWER IN 14 HOURS (WEATHER RELATED) 3.12E-01 OEP-XHE-XL-NR14HWR OPERATOR FAILS TO RECOVER OFFSITE POWER IN 14 HOURS (WEATHER-RELATED)

True EPS-XHE-XL-NR14H OPERATOR FAILS TO RECOVER EMERGENCY DIESEL IN 14 HOURS False HE-LOOPWR HOUSE EVENT - LOSS OF OFFSITE POWER IE HAS OCCURRED (WEATHER-RELATED)

OPR-14SC OPERATOR FAILS TO RECOVER OFFSITE POWER IN 14 HOURS (SWITCHYARD) 5.00E-02 OEP-XHE-XL-NR14HSC OPERATOR FAILS TO RECOVER OFFSITE POWER IN 14 HOURS (SWITCHYARD)

True EPS-XHE-XL-NR14H OPERATOR FAILS TO RECOVER EMERGENCY DIESEL IN 14 HOURS False HE-LOOPSC HOUSE EVENT - LOSS OF OFFSITE POWER IE HAS OCCURRED (SWITCHYARD-RELATED)

OPR-14PC OPERATOR FAILS TO RECOVER OFFSITE POWER IN 14 HOURS (PLANT CENTERED) 2.03E-02 OEP-XHE-XL-NR14HPC OPERATOR FAILS TO RECOVER OFFSITE POWER IN 14 HOURS (PLANT-CENTERED)

True EPS-XHE-XL-NR14H OPERATOR FAILS TO RECOVER EMERGENCY DIESEL IN 14 HOURS False HE-LOOPPC HOUSE EVENT - LOSS OF OFFSITE POWER IE HAS OCCURRED (PLANT-CENTERED)

OPR-14GR OPERATOR FAILS TO RECOVER OFFSITE POWER IN 14 HOURS (GRID RELATED) 5.76E-02 OEP-XHE-XL-NR14HGR OPERATOR FAILS TO RECOVER OFFSITE POWER IN 14 HOURS (GRID-RELATED)

True EPS-XHE-XL-NR14H OPERATOR FAILS TO RECOVER EMERGENCY DIESEL IN 14 HOURS False HE-LOOPGR HOUSE EVENT - LOSS OF OFFSITE POWER IE HAS OCCURRED (GRID-RELATED)

OPR-14AV OPERATOR FAILS TO RECOVER OFFSITE POWER IN 14 HOURS

LER 219-2017-005 B-2 Figure B-2. DEPISO Fault Tree Figure B-3. FWSISO Fault Tree DEPISO MANUAL REACTOR DEPRESS (LOCA OR ISOLATION CONDENSER FAILS) 1.00E-01 ADS-XHE-XM-MDEPRLOCA OPERATOR FAILS TO DEPRESSURIZE THE REACTOR (LOCA OR ISOLATION CONDENSER FAILS)

FWSISO FIREWATER INJECTION (LOCA OR ISOLATION CONDENSER FAILS) 1.00E-01 FWS-XHE-XL-ISO OPERATOR FAILS TO INITIATE FIREWATER (LOCA OR ISOLATION CONDENSER FAILS)