Text

Final ASP Program Analysis - Precursor Accident Sequence Precursor Program - Office of Nuclear Regulatory Research Oyster Creek Nuclear Failure of Emergency Diesel Generator during Surveillance Generating Station Testing due to a Broken Electrical Connector LER(s): 219-2017-005 Event Date: 10/9/2017 CDP = 6x10-6 IR(s): TBD General Electric Type 2 Boiling-Water Reactor (BWR) with a Mark I Plant Type:

Containment Plant Operating Mode Mode 1 (100% Reactor Power)

(Reactor Power Level):

Analyst: Reviewer: Contributors: Approval Date:

Christopher Hunter Ian Gifford N/A 5/23/2018 EXECUTIVE

SUMMARY

On October 9, 2017, during the bi-weekly load test on emergency diesel generator (EDG) 2, a generator lockout signal was received which tripped the EDG output breaker. The EDG had run for 4 minutes loaded in the procedurally prescribed band of 2600-2800 kilowatt (kW) prior to receiving the lockout signal. This failure resulted in EDG 2 being declared inoperable, and the plant entered into an unplanned 7-day limiting condition for operation (LCO) according to Technical Specification (TS) 3.7.C. Repairs were completed on October 10th and EDG 2 was satisfactorily tested and declared operable.

This accident sequence precursor (ASP) analysis reveals that the most likely core damage scenarios are a loss of 4.16 kilovolt (kV) safety-related alternating current (AC) bus initiating event with opposite train electrical failures that result in the unavailability of the isolation condensers, reactor depressurization, and/or containment temperature/pressure control. These accident sequences account for approximately 60 percent of the increase in core damage probability (CDP) for the event. The point estimate CDP for this event is 6x10-6 (internal events), which is considered a precursor in the ASP Program. The seismic contribution for 198-day unavailability of EDG 2 is CDP of 1x10-7 (approximately 2 percent of the internal events contribution).

To date, no performance deficiency associated with this event has been identified and, therefore, an ASP analysis was performed since an SDP evaluation was not performed.

EVENT DETAILS Event Description. On October 9, 2017, during the bi-weekly load test on EDG 2, a generator lockout signal was received which tripped the EDG output breaker. The EDG had run for 4 minutes loaded in the procedurally prescribed band of 2600-2800 kW prior to receiving the lockout signal. This failure resulted in EDG 2 being declared inoperable, and the plant entered into an unplanned 7-day LCO (TS 3.7.C). Repairs were completed on October 10th and EDG 2 was satisfactorily tested and declared operable. Additional information is provided in licensee event report (LER) 219/2017-005 (Ref. 1).

1

LER 219-2017-005 Cause. During troubleshooting, the licensee identified a broken electrical ring lug connector on a current transformer that provides an input to the protective relay logic. A subsequent investigation determined the connector failure was due to fatigue cracking caused by stresses from bending and twisting of the electrical lug beyond the limits specified in industry guidelines.

The electrical lug was most likely stressed during initial installation in the 1990s.

MODELING ASSUMPTIONS Analysis Type. The Oyster Creek standardized plant analysis risk (SPAR) model, Version 8.52 dated December 7, 2017, was used for this condition assessment. This SPAR model version includes seismic inititiating events/

SDP Results/Basis for ASP Analysis. The ASP Program uses Significance Determination Process (SDP) results for degraded conditions when available (and applicable). To date, no inspection reports have been released that provide additional information on this event.

Discussions with Region 1 staff indicated that no performance deficiency has been identified to date; however, the LER remains open. An independent ASP analysis was performed given the lack of an identified performance deficiency and the potential risk significance of this event.

A search for additional Oyster Creek LERs was performed to determine if any initiating events or additional unavailabilities existed during the exposure period of EDG 2. This review revealed that a reactor scram occurred on July 3, 2017, which was during the period that EDG 2 was unable to fulfill its safety function. Operators manually scrammed the reactor due to degraded vacuum; however, a complete loss of condenser heat sink did not occur. See LER 219-2017-002 (Ref. 2) for additional information. A sensitivity analysis shows that a reactor trip concurrent with an EDG 2 failure-to-run results in a conditional core damage probability of the 1.8x10-6, which is less than the CDP for this condition assessment.

Therefore, the ASP analysis result is reflected by the condition assessment provided in this report.

SPAR Model Modifications. The following base SPAR model modifications were made as part this analysis:

• The probabilities for stuck-open safety relief valves (SRVs) were recently updated in the SPAR models. These probabilities significantly increased from previous calculations because previous calculations did not consider the number of expected valve cycles, which increase the potential for a stuck-open SRV. However, Oyster Creek Nuclear Generating Station has isolation condensers that provide reactor pressure control and, therefore, limit SRV open and close cycles. Given this information, the probabilities of stuck-open SRV(s) were changed to previous calculations. Specifically, basic events PPR-SRV-OO-1VLV (one BWR SRV fails to close), PPR-SRV-OO-2VLVs (two or more BWR SRVs fails to close), and PPR-SRV-OO-3VLVs (three or more BWR SRVs fails to close) were changed to 8.6x10-4, 1.3x10-4, and 5.5x10-5, respectively.

• The recirculation pump seals at Oyster Creek are the same as those installed at Nine Mile Point. These seals were evaluated to have a lower probability of failure; therefore, the probability for basic event RRS-MDP-LK-SEALS (recirculation pump seals fail during SBO) was changed to 5x10-2.

• The following changes were made to the station blackout (SBO) event tree (the revised SBO event tree is shown in Figure A-2 of Appendix A):

2

LER 219-2017-005

- Basic event DCP-XHE-XM-LOADSHED (operator fails to shed unnecessary DC loads) is set to TRUE (i.e., no credit is provided) in the base SPAR model. A review of the plant information, including procedures, indicates that operators will shed DC loads during a SBO, thus extending time until battery depletion. According to revised licensee battery calculations, the nominal depletion time for the safety-related batteries at Oyster Creek Nuclear Generating Station is 14 hours1.62037e-4 days <br />0.00389 hours <br />2.314815e-5 weeks <br />5.327e-6 months <br />. The successful shedding of loads can extend the batteries to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. The probability of basic event DCP-XHE-XM-LOADSHED was set to a screening value of 0.1.1 Any further refinement of this human error probability (HEP) has a negligible effect on the results. The SBO event tree branching was modified to match the revised battery depletion times.

- Firewater injection to the reactor is not credited in the base SPAR model. Firewater can be injected into the reactor relatively quickly via redundant diesel-driven pumps.2 To model this credit, the FWS (firewater injection) fault tree was replaced in the SBO event tree with the FWS3 (Oyster Creek firewater system) fault tree. Firewater is needed for all scenarios to provide inventory makeup to the reactor, including scenarios with successful operation of the isolation condenser(s) with no loss-of-coolant accident (LOCA). At a minimum, reactor inventory makeup is needed due to recirculation seal leakage and decreased reactor water level caused by the cooldown. If firewater injection is successful, it is assumed that restoration of AC power is necessary for operators to place the plant in a safe/stable end state.

- Some top events were eliminated from the SBO event tree because the safety functions were either not available during a SBO, their success or failure did not affect the potential for core damage, or were considered as part of other fault trees. These top events include EXT (actions to extend ECCS operation), DGR (diesel generator recovery), CVS (containment venting), and LI (late injection).

- The potential for EDG recovery was added to the applicable OPR (offsite power recovered) fault trees. Specifically, basic events EPS-XHE-XL-NR30M (operator fails to recover emergency diesel in 30 minutes), EPS-XHE-XL-NR01H (operator fails to recover emergency diesel in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />), EPS-XHE-XL-NR14H (operator fails to recover emergency diesel in 14 hours1.62037e-4 days <br />0.00389 hours <br />2.314815e-5 weeks <br />5.327e-6 months <br />), and EPS-XHE-XL-NR24H (operator fails to recover emergency diesel in 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />) were added to the OPR-30M (operator fails to recovery offsite power in 30 minutes), OPR-01H (operator fails to recovery offsite power in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />), OPR-14H (operator fails to recovery offsite power in 14 hours1.62037e-4 days <br />0.00389 hours <br />2.314815e-5 weeks <br />5.327e-6 months <br />), and OPR-24H (operator fails to recovery offsite power in 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />) fault trees, respectively.3 These basic events were set to TRUE in the base SPAR model. An example of this modified fault tree logic (for OPR-14H) is provided in Figure B-1 of Appendix B.

- Increased failure probabilities for manual reactor depressurization and firewater injection were used for scenarios where less time is available for operators to initiate these functions. Therefore, for sequences that involve failures of isolation condensers and/or a LOCA, the DEP1 (manual reactor depressurization) and FWS3 fault trees were replaced by new fault trees, DEPISO (manual reactor depress (isolation condenser fails)) and FWSISO (firewater injection (isolation condenser fails)), respectively. These 1 NUREG-1792, Good Practices for Implementing Human Reliability Analysis, provides that 0.1 is an appropriate screening (i.e., typically conservative) value for most post-initiator human failure events.

2 The firewater pumps are low-head pumps and, therefore, manual reactor depressurization is needed for successful reactor injection.

3 The OPR-14H and OPR-24H fault trees were created based on the other OPR fault trees but with 14- and 24-hour specific offsite power and EDG recovery basic events.

3

LER 219-2017-005 two new fault trees include only a single basic event that represents the failure of operators to initiate these systems, which is expected to have a failure probability of at least two orders-of-magnitude higher than potential hardware failures. A new basic event, ADS-XHE-XM-MDEPRLOCA (operator fails to depressurize the reactor (LOCA or isolation condenser fails)), was inserted under the top gate in the DEPISOFAIL fault tree.

A new basic event, FWS-XHE-XL-ISO (operator fails to initiate firewater (LOCA or isolation condenser fails)), was inserted under the top gate in the FWSISO fault tree.

The probabilities of basic events ADS-XHE-XM-MDEPRLOCA and FWS-XHE-XL-ISO were set to a screening value of 0.1. Any further refinement of these HEPs has a minimal effect on the results. These fault trees are provided in Figures B-2 and B-3 of Appendix B.

Exposure Period. EDG 2 successfully passed its previous biweekly surveillance tests prior to the failure on October 9, 2017. However, the nature of the failure mechanism makes it likely that EDG 2 would not have been able to fulfill its safety function for its probabilistic risk assessment (PRA) mission time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for some time. Therefore, the run history for EDG 2 was used to estimate the exposure period (see the following table). Based on the run history, it has been determined that EDG 2 was unable to fulfill its safety function from March 26th until October 10, 2017, a period of 198 days.

Run Cumulative Date Description Duration Run Time (Hours) (Hours) 10/10/2017 EDG 2 is repaired and returned to operable status 10/9/2017 Failed biweekly test 0.37 0.37 9/25/2017 Successful biweekly test 1.90 2.27 9/2/2017 Successful biweekly test 1.50 4.49 8/28/2017 Successful biweekly test 1.59 6.08 8/16/2017 Successful biweekly test 1.56 7.64 7/31/2017 Successful biweekly test 1.49 9.13 7/17/2017 Successful biweekly test 1.66 10.79 7/3/2017 Successful biweekly test 1.39 12.18 6/19/2017 Successful biweekly test 1.68 13.86 6/3/2017 Successful biweekly test 1.52 15.76 5/22/2017 Successful biweekly test 1.77 17.54 5/7/2017 Successful biweekly test 1.60 19.14 4/24/2017 Successful biweekly test 1.73 21.12 4/10/2017 Successful biweekly test 1.63 23.33 3/26/2017 Successful biweekly test 0.54 23.87 Key Modeling Assumptions. The following modeling assumptions were determined to be significant to the modeling of this event:

• Basic event EPS-DGN-FR-DG2 (diesel generator DG2 fails to run) was set to TRUE to represent the failure of EDG 2 to fulfill its safety function for the complete 24-hour mission time.

• EDG Recovery. After EDG 2 failed on October 9th, the licensee was able to repair and restore the EDG the next day (approximately 27 hours3.125e-4 days <br />0.0075 hours <br />4.464286e-5 weeks <br />1.02735e-5 months <br /> later). Discussions with Region 1 4

LER 219-2017-005 staff indicated that, if needed, the recovery could have been accomplished sooner. In a postulated SBO, it is estimated that EDG 2 could be repaired in approximately 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. A conservative screening value of 0.1 was used for basic event EPS-XHE-XL-NR14H.4 Any further refinement of this HEP has a negligible effect on the results. However, a more detailed evaluation was needed for the recovery of EDG 2 for the applicable 24-hour SBO sequences. Specifically, basic event EPS-XHE-XL-NR24H was evaluated using the SPAR-H Method (Ref. 3 and Ref. 4). Table 1 and Table 2 provide the key qualitative information for this human failure event (HFE) and the performance shaping factor (PSF) adjustments required for the quantification of the HEP using SPAR-H.

Table 1. Qualitative Evaluation of EPS-XHE-XL-NR24H Definition The definition for this HFE is operators failing to repair EDG 2 within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> given a postulated loss of offsite power (LOOP) and subsequent SBO.

Description and Given a LOOP and a failure of both EDGs, a subsequent SBO will occur. If the Event Context combustion turbine generators (CTGs) cannot be aligned, operators must restore AC power. Without recovery of AC power, the safety-related batteries will eventually deplete, rendering decay heat removal and reactor inventory makeup unavailable. Recovery of offsite power is modeled in separate basic events. This basic event represents the repair and restoration of EDG 2. Credit for recovery following the postulated failure of the other EDG is not provided.

Operator Action Repair and restore EDG 2 to operable status within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

Success Criteria Nominal

• Safety-related bus under-voltage annunciators Cues

• EDG failure annunciators Procedural Generic EDG maintenance and troubleshooting procedures exist; however, explicit Guidance procedures are not available. Skill-of-the-craft and other cues will indicate the failure cause to the technicians.

Diagnosis/Action This HFE contains sufficient diagnosis and action components.

Table 2. SPAR-H Evaluation of EPS-XHE-XL-NR24H Diagnosis/

PSF Action Notes Multiplier Time Available 0.01 / 1 It was determined through discussions with regional staff that the licensee, if needed, could have recovered EDG 2 in approximately 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. Therefore, an additional 16 hours1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br /> was available to determine the failure cause and complete repairs. A conservative estimate of 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> was assumed for the time required to complete the repair (i.e, the action portion of the HFE), leaving approximately 20 hours2.314815e-4 days <br />0.00556 hours <br />3.306878e-5 weeks <br />7.61e-6 months <br /> available for diagnosis.

Therefore, diagnosis PSF for available time is set to Expansive Time (i.e., x0.01; greater than 2x nominal time and greater than 30 minutes).

Sufficient time exists to perform the action component of the offsite power recovery; therefore, the action PSF for available time is set to Nominal. See Ref. 4 for guidance on apportioning time between the diagnosis and action components of an HFE.

4 Recovery of the failed EDG is only given for SBO scenarios, which is potentially conservative.

5

LER 219-2017-005 Diagnosis/

PSF Action Notes Multiplier Stress 2/1 The PSF for diagnosis stress is assigned a value of High Stress (i.e., x2) because core damage would occur if technicians fail to recover the EDG within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for the applicable scenario.

The PSF for action stress was not determined to be a performance driver for this HFE and, therefore, was assigned a value of Nominal (i.e., x1).

Complexity 5/1 The PSF for diagnosis complexity is assigned a value of Highly Complex (i.e., x5) because technicians would be dealing with multiple EDG failures that required troubleshooting.

The PSF for action complexity was not determined to be a performance driver for this HFE and, therefore, was assigned a value of Nominal (i.e., x1).

Procedures 5/1 The PSF for diagnosis complexity is assigned a value of Available, but Poor (i.e., x5) because technicians have guidance, but not explicit procedures for troubleshooting activities.

The PSF for action complexity was not determined to be a performance driver for this HFE and, therefore, was assigned a value of Nominal (i.e., x1).

Experience/Training 1/1 No event information is available to warrant a change in these Ergonomics/HMI PSFs (diagnosis or action) from Nominal for this HFE.

Fitness-for-Duty Work Processes An HEP evaluated using SPAR-H is calculated using the following formula:

Calculated HEP = (Product of Diagnosis PSFs x 0.01) + (Product of Action PSFs x 0.001)

Therefore, the probability of basic event EPS-XHE-XL-NR24H was set to 6x10-3.

ANALYSIS RESULTS CDP. The point estimate CDP for this event is 5.7x10-6, which is the sum of all exposure periods. The ASP Program acceptance threshold is a CDP of 1x10-6 for degraded conditions.

The CDP for this event exceeds this threshold; therefore, this event is a precursor.

Dominant Sequence. The dominant accident sequences are loss of safety-related bus 1C, sequences 32 and 14 (CDP = 1.7x10-6), which each contribute approximately 31 percent of the total internal events CDP. The dominant sequences are shown graphically in Figure A-1 Appendix A. Accident sequences that contribute at least 1.0 percent to the total internal events CDP for this analysis are provided in the following table.

Sequence CCDP CDP CDP  % Description

-6 -7 -6 LO1C 32 1.95x10 2.15x10 1.74x10 30.5% Loss of safety-related bus 1C initiating event; successful reactor trip; offsite power remains available; isolation condensers fail; and reactor depressurization fails 6

LER 219-2017-005 Sequence CCDP CDP CDP  % Description

-6 -7 -6 LO1C 14 1.96x10 2.27x10 1.74x10 30.5% Loss of safety-related bus 1C initiating event; successful reactor trip; offsite power remains available; isolation condensers fail; operators restore main feedwater (MFW); condenser heat sink fails; reactor depressurization fails; suppression pool cooling fails; and containment venting fails LOOP 16 3.98x10-7 2.33x10-8 3.75x10-7 6.6% LOOP initiating event; successful reactor trip; emergency power system succeeds; makeup to isolation condensers fails; control rod drive injection fails; and reactor depressurization fails LOOP 29-36 3.32x10-7 9.99x10-9 3.23x10-7 5.7% LOOP initiating event; successful reactor trip; emergency power system fails resulting in an SBO; safety relief valve (SRV) fails to close resulting in a LOCA; isolation condensers succeed; and offsite power recovery within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> fails LOOP 29-17 2.86x10-7 8.45E-09 2.78x10-7 4.9% LOOP initiating event; successful reactor trip; emergency power system fails resulting in an SBO; CTGs fail; recirculation pump seals fail resulting in a LOCA; isolation condensers succeed; reactor depressurization fails; and failure of offsite power recovery within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> LOOP 29-15 2.58x10-7 7.59x10-9 2.50x10-7 4.4% LOOP initiating event; successful reactor trip; emergency power system fails resulting in an SBO; CTGs fail; recirculation pump seals fail resulting in a LOCA; isolation condensers succeed; reactor depressurization succeeds; firewater injection fails; and failure of offsite power recovery within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> TRANS 14 1.36x10-7 2.17x10-8 1.14x10-7 2.0% Transient initiating event; successful reactor trip; offsite power remains available; isolation condensers fail; MFW succeeds; condenser heat sink fails; reactor depressurization fails; suppression pool cooling fails; and containment venting fails TRANS 32 1.27x10-7 2.43x10-8 1.03x10-7 1.8% Transient initiating event; successful reactor trip; offsite power remains available; isolation condensers fail; MFW fails; and reactor depressurization fails 7

LER 219-2017-005 Sequence CCDP CDP CDP  % Description

-8 -9 -8 LOOPWR 12 9.73x10 4.50x10 9.28x10 1.6% Weather-related LOOP initiating event; successful reactor trip; emergency power system succeeds; makeup to isolation condensers fails; control rod drive injection fails; reactor depressurization succeeds; low-pressure coolant injection succeeds; failure of offsite power recovery within 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />; suppression pool cooling fails; shutdown cooling fails; successful containment venting; and late (alternate) injection fails LOOPWR 29-26 7.95x10-8 2.74x10-9 7.67x10-8 1.3% Weather-related LOOP initiating event; successful reactor trip; emergency power system fails resulting in an SBO; CTGs fail; isolation condensers fail; reactor depressurization fails; and failure of offsite power recovery within 30 minutes LOOPWR 29-24 7.15x10-8 2.44x10-9 6.91x10-8 1.2% Weather-related LOOP initiating event; successful reactor trip; emergency power system fails resulting in an SBO; CTGs fail; isolation condensers fail; reactor depressurization succeeds; firewater injection fails; and failure of offsite power recovery within 30 minutes LOOPSC 29-38 6.99x10-8 3.52x10-9 6.63x10-8 1.2% Switchyard-centered LOOP initiating event; successful reactor trip; emergency power system fails resulting in an SBO; and multiple SRVs fail to close Total 1.27x10-5 6.98x10-6 5.70x10-6 Uncertainties. The best estimate analysis does not consider FLEX credit or successful run time of EDG 2 (for the applicable portion of the exposure period), which is potentially conservative. A review of the sequences/cut sets indicates that crediting FLEX would not significantly affect the results because the dominant sequences/cut sets are either non-SBO scenarios or short-term SBO scenarios (core damage within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> or less). Therefore, it is expected that there is inadequate time available mitigate these scenarios through the implementation of FLEX.

ASP analyses use the failure memory approach in which successful operation of equipment is not credited.5 However, EDG 2 successfully passed its biweekly surveillance tests prior to the failure on October 9, 2017. Therefore, depending on when it was demanded, it is likely that the 5 Convolution factors are applied to the postulated failures-to-run of the other EDG.

8

LER 219-2017-005 EDG 2 would have run for some time prior to failing within the PRA mission time (i.e., 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />).

Recent ASP analyses have included a sensitivity analysis crediting additional time for the expected successful run time for the failed EDG (based on the surveillance test data) by adjusting the offsite power recovery probabilities for the applicable exposure periods. However, a review of the dominant sequences/cut sets reveals that this credit would have a negligible effect on the results and, therefore, no quantitative analysis was performed.

Seismic Contribution. Historically, independent condition assessments performed as part of the ASP Program only included the risk impact from internal events and did not include the consideration of other hazards such as fires, floods, earthquakes, etc.6 The reason for the exclusion of the impacts of other hazards in most ASP analyses was due to the lack of modeling capability within the SPAR models. However, seismic hazards modeling was completed for all SPAR models in December 2017. Therefore, beginning in 2018, seismic hazards will be evaluated as part of all condition assessments performed by the ASP Program. The seismic contribution for an EDG 2 unavailability of 198 days is CDP of 1.2x10-7. The following table provides the seismic bin results that contribute at least 1 percent of the total seismic CDP for this analysis.

Seismic Bin CDP Notes/Observations

-8 Seismic Event in Bin 3 7.25x10 Dominant scenarios are seismically-induced LOOP and small (0.5-1.0 G) occurs LOCA. Seismically induced electrical failures (e.g., batteries, (Bin peak ground 480 volt AC buses) or failure of low-pressure core spray result in acceleration (PGA) 0.71) a failure of reactor depressurization capability, reactor inventory makeup, and/or containment temperature/pressure control.

Seismic Event in Bin 2 4.10x10-8 Similar sequences and cut sets to Seismic Bin 3, except with (0.3-0.5 G) occurs lower seismic failure probabilities.

(Bin PGA 0.39)

Seismic Event in Bin 4 6.35x10-9 Dominant scenarios are seismically-induced LOOP and small (1.0-1.5G) occurs LOCA. Seismically induced electrical failures low-pressure core (Bin PGA 1.22) spray and service water/turbine building cooling water result in a failure of reactor inventory makeup.

-9 Seismic Event in Bin 1 3.75x10 Dominant scenarios are seismically-induced LOOP and small (0.1-0.3 G) occurs LOCA. Random failure of the other EDG results in SBO with (Bin PGA 0.17) core damage assumed.

TOTAL = 1.24x10-7 6 Initiating events caused by other hazards (e.g., tornado results in a LOOP) or degradations specific to a particular hazard (e.g., degraded fire barrier) have been analyzed as part of ASP Program.

9

LER 219-2017-005 REFERENCES

1. Oyster Creek Nuclear Generating Station, "LER 219/17-005 - Failure of the Emergency Diesel Generator #2 During Surveillance Testing due to a Broken Electrical Connector, dated January 3, 2018 (ADAMS Accession No. ML18009A436).

2. Oyster Creek Nuclear Generating Station, "LER 219/17-002 - Manual Scram due to Degraded Main Condenser Vacuum, dated August 31, 2017 (ADAMS Accession No. ML17249A124).

3. Idaho National Laboratory, NUREG/CR-6883, The SPAR-H Human Reliability Analysis Method, August 2005 (ADAMS Accession No. ML051950061).

4. Idaho National Laboratory, INL/EXT-10-18533, SPAR-H Step-by-Step Guidance, May 2011 (ADAMS Accession No. ML112060305).

10

LER 219-2017-005 Appendix A: Key Event Trees LOSS OF 4160 V AC BUS 1C REACTOR PROTECTION OFFSITE ELECTRICAL SRVS ARE CLOSED ISOLATION CONDENSER FEEDWATER MANUAL REACTOR CONDENSATE LOW PRESSURE COOLANT MAIN CONDENSER SUPPRESSION POOL MANUAL REACTOR SHUTDOWN COOLING POWER CONVERSION CONTAINMENT VENTING LATE INJECTION # End State SYSTEM POWER FAILS TO PROVIDE DEPRESS FAILS INJECTION COOLING DEPRESS FAILS SYSTEM RECOVERY (TORUS) (Phase - CD)

COOLING IE-LOACB-1C RPS OEP SRV ISO MFW DEP CDS LCI CND SPC DEP SDC PCSR CVS LI 1 OK 2 OK 3 OK 4 OK 5 OK 6 OK 7 CD LI01 8 OK 9 CD LI02 10 OK 11 OK 12 CD LI01 13 OK 14 CD LI02 15 OK 16 OK 17 OK 18 OK 19 OK 20 CD LI01 21 OK 22 CD LI02 23 OK 24 OK 25 OK 26 OK 27 OK 28 CD 29 OK 30 CD LI02 31 CD 32 CD 33 1SORV P1 34 2SORVS P2 35 3SORVS P3 36 @LOOPPC 37 ATWS 38 CD Figure A-1. Oyster Creek LO1C Event Tree A-1

LER 219-2017-005 EMERGENCY POWER SRVS ARE CLOSED ISOLATION CONDENSER FORKED RIVER RECIRC PUMP SEALS FAIL MANUAL REACTOR OYSTER CREEK FIREWATER OPERATOR SHEDS DC OFFSITE POWER # End State COMBUSTION TURBINES DURING SBO DEPRESS SYSTEM FAULT TREE LOADS RECOVERED (Phase - CD)

EPS FTF-SBO SRV ISO1 FTF-SBO CTG SEALS DEP1 FTF-SBO FWS3 DCL OPR 1 OK 2 OK 3 CD OPR-24H 4 OK 5 CD OPR-14H 6 OK 7 CD OPR-04H 8 OK 9 CD OPR-04H 10 SBO-OP 11 CD OPR-24H FWSISO 12 SBO-OP DEPISO 13 CD OPR-14H 14 SBO-OP FWSISO 15 CD OPR-01H 16 SBO-OP DEPISO 17 CD OPR-01H 18 OK CTG1 19 SBO-OP 20 CD OPR-24H FWSISO 21 SBO-OP DEPISO 22 CD OPR-14H 23 SBO-OP FWSISO 24 CD OPR-30M 25 SBO-OP DEPISO 26 CD OPR-30M CTG1 27 SBO-OP 28 CD OPR-24H FWSISO 29 SBO-OP DEPISO 30 CD OPR-14H 31 SBO-OP FWSISO 32 CD OPR-30M 33 SBO-OP DEPISO 34 CD OPR-30M 35 SBO-OP 36 CD P1 OPR-01H 37 CD 38 CD P2 39 CD P3 Figure A-2. Modified Oyster Creek SBO Event Tree A-2

LER 219-2017-005 Appendix B: Modified Fault Trees OFFSITE POWER RECOVERY IN 14 HRS OPR-14H OPERATOR FAILS TO RECOVER OPERATOR FAILS TO RECOVER OPERATOR FAILS TO RECOVER OPERATOR FAILS TO RECOVER OPERATOR FAILS TO RECOVER OFFSITE POWER IN 14 HOURS OFFSITE POWER IN 14 HOURS OFFSITE POWER IN 14 HOURS OFFSITE POWER IN 14 HOURS OFFSITE POWER IN 14 HOURS (WEATHER RELATED) (SWITCHYARD) (PLANT CENTERED) (GRID RELATED)

OPR-14WR OPR-14SC OPR-14PC OPR-14GR OPR-14AV OPERATOR FAILS TO RECOVER HOUSE EVENT - LOSS OF OFFSITE OPERATOR FAILS TO RECOVER HOUSE EVENT - LOSS OF OFFSITE OPERATOR FAILS TO RECOVER HOUSE EVENT - LOSS OF OFFSITE OPERATOR FAILS TO RECOVER HOUSE EVENT - LOSS OF OFFSITE OFFSITE POWER IN 14 HOURS POWER IE HAS OCCURRED OFFSITE POWER IN 14 HOURS POWER IE HAS OCCURRED OFFSITE POWER IN 14 HOURS POWER IE HAS OCCURRED OFFSITE POWER IN 14 HOURS POWER IE HAS OCCURRED (GRID-(WEATHER-RELATED) (WEATHER-RELATED) (SWITCHYARD) (SWITCHYARD-RELATED) (PLANT-CENTERED) (PLANT-CENTERED) (GRID-RELATED) RELATED)

OEP-XHE-XL-NR14HWR 3.12E-01 HE-LOOPWR False OEP-XHE-XL-NR14HSC 5.00E-02 HE-LOOPSC False OEP-XHE-XL-NR14HPC 2.03E-02 HE-LOOPPC False OEP-XHE-XL-NR14HGR 5.76E-02 HE-LOOPGR False OPERATOR FAILS TO RECOVER OPERATOR FAILS TO RECOVER OPERATOR FAILS TO RECOVER OPERATOR FAILS TO RECOVER EMERGENCY DIESEL IN 14 HOURS EMERGENCY DIESEL IN 14 HOURS EMERGENCY DIESEL IN 14 HOURS EMERGENCY DIESEL IN 14 HOURS EPS-XHE-XL-NR14H True EPS-XHE-XL-NR14H True EPS-XHE-XL-NR14H True EPS-XHE-XL-NR14H True Figure B-1. Modified OPR Fault Tree B-1

LER 219-2017-005 MANUAL REACTOR DEPRESS (LOCA OR ISOLATION CONDENSER FAILS)

DEPISO OPERATOR FAILS TO DEPRESSURIZE THE REACTOR (LOCA OR ISOLATION CONDENSER FAILS)

ADS-XHE-XM-MDEPRLOCA 1.00E-01 Figure B-2. DEPISO Fault Tree FIREWATER INJECTION (LOCA OR ISOLATION CONDENSER FAILS)

FWSISO OPERATOR FAILS TO INITIATE FIREWATER (LOCA OR ISOLATION CONDENSER FAILS)

FWS-XHE-XL-ISO 1.00E-01 Figure B-3. FWSISO Fault Tree B-2