ML18228A845

Final Accident Sequence Precursor Analysis - Perry Nuclear Power Plant, Loss of Safety-Related Electrical Bus Results in a Loss of Shutdown Cooling (LER 440-2016-003-01) - Precursor
Site: Perry
Issue date: 08/23/2018
From: Christopher Hunter, NRC/RES/DRA/PRB
References: LER 440-2016-003-01



Final ASP Program Analysis - Precursor
Accident Sequence Precursor Program - Office of Nuclear Regulatory Research

Perry Nuclear Power Plant: Loss of Safety-Related Electrical Bus Results in a Loss of Shutdown Cooling
LER: 440-2016-003-01
Event Date: 2/11/2016
CCDP = 2x10^-6
IRs: 05000440/2016008 and 05000440/2016002
Plant Type: Boiling-Water Reactor (BWR); General Electric 6 with a Mark III Containment
Plant Operating Mode (Reactor Power Level): Mode 4 (0% Reactor Power); Reactor Coolant Temperature at 87°F; Reactor Water Level at 200 inches
Analyst: Christopher Hunter
Reviewer: Ian Gifford
Contributors: N/A
Approval Date: 8/23/2018

EXECUTIVE SUMMARY

On February 11, 2016, at 3:05 p.m. with the plant in mode 4 (i.e., cold shutdown), the phase A potential transformer secondary fuse on 4.16 kilovolt (kV) safety-related bus EH11 failed, resulting in its supply breaker tripping open due to an invalid undervoltage signal. The bus EH11 loads were shed as designed, including residual heat removal (RHR) pump A, which was supplying shutdown cooling (SDC) at the time. The invalid EH11 undervoltage signal resulted in the start of the division 1 emergency diesel generator (EDG), which connected to bus EH11 with proper three-phase bus voltage levels present. However, the EDG did not receive cooling water from emergency service water (ESW) pump A because pump breaker trip logic was locked in due to EH11 undervoltage sensing logic incorrectly indicating that the bus was not at the rated voltage on all phases. Operators manually secured the division 1 EDG due to the lack of cooling water.

Operators subsequently started RHR pump B and reestablished SDC at 3:47 p.m. SDC did not operate for 42 minutes, which resulted in reactor coolant temperature increasing from 87°F to 115°F during this period. The plant had been shut down for 3 days after a reactor scram on February 8th due to the spurious opening of two safety relief valves (SRVs).

This event was modeled as a loss of SDC initiating event with recoverable failure of the safety-related bus EH11, which resulted in a conditional core damage probability (CCDP) of 2x10^-6. According to the risk analysis modeling assumptions used in this accident sequence precursor (ASP) analysis, the most likely core damage sequence is a loss of SDC initiating event with operators failing to restore SDC prior to RHR system isolation (dominated by postulated common-cause failure (CCF) of safety-related buses) and all sources of high- and low-pressure injection failing (dominated by failure of operators to initiate injection). This accident sequence accounts for approximately 98 percent of the CCDP for the event.

In response to this event, Region III performed a special inspection, which identified a concern associated with the adequacy of Perry's 4.16 kV bus undervoltage protection scheme. This issue was subsequently referred to the Office of Nuclear Reactor Regulation (NRR) for assistance in determining whether the licensee was in compliance with the current licensing basis. NRR staff determined that the existing bus undervoltage protection scheme complies with its licensing basis; however, a design vulnerability was identified that can defeat coincident logic. The licensee committed to modify the design of the bus undervoltage protection scheme to address this vulnerability.

EVENT DETAILS

Event Description. On February 11, 2016, at 3:05 p.m. with the plant in mode 4, the phase A potential transformer secondary fuse on 4.16 kV safety-related bus EH11 failed.[1] Because of this failure, the bus EH11 supply breaker (EH1115) tripped open due to an invalid undervoltage signal. The bus EH11 loads were shed as designed, including RHR pump A, which was supplying SDC at the time.[2] The invalid EH11 undervoltage signal resulted in the start of the division 1 EDG. However, the EDG did not receive cooling water from ESW pump A. The pump did not start because the pump breaker (EH1106) logic sensed an undervoltage condition on bus EH11. The ESW pump A breaker trip signal was locked in because the bus EH11 undervoltage sensing logic indicated that the bus was not at the rated voltage on all phases due to the failed fuse, even though proper three-phase voltage levels were provided by both offsite power and the division 1 EDG. Operators manually secured the division 1 EDG due to the lack of cooling water.

Without the division 1 EDG, all division 1 equipment was de-energized, with RHR pump A no longer available to provide SDC. The plant entered several technical specifications (TS) due to the loss of bus EH11, including:

  • TS 3.8.8, Distribution Systems - Shutdown

To comply with action 1 of TS 3.4.10, the alternate decay heat removal (ADHR) system was credited as the alternate method of decay heat removal for the inoperable SDC system; however, in order to credit ADHR as available, the system needed to be filled and vented.[3]

Operators subsequently started RHR pump B and reestablished SDC at 3:47 p.m. SDC did not operate for 42 minutes, which resulted in reactor coolant temperature increasing from 87°F to 115°F during this period. The plant had been shut down for 3 days after a reactor scram on February 8th due to the spurious opening of two SRVs.[4]

The licensee performed troubleshooting to identify the issue associated with the loss of bus EH11 and determined that phase A of the potential transformer secondary fuse was exhibiting intermittent continuity. The defective fuse was replaced and bus EH11 was re-energized at 12:32 a.m. on February 12th. Additional information regarding this event can be found in licensee event report (LER) 440-2016-003-01 (Ref. 1) and inspection report (IR) 05000440/2016008 (Ref. 2).

[1] This fuse supplies the undervoltage and degraded voltage circuitry for the bus.

[2] SDC is a phase of RHR system operation in which reactor decay heat is removed from the core following a reactor shutdown. One of the two RHR pumps able to provide SDC is aligned to take suction from a recirculation loop. The heat sink is provided by the applicable RHR heat exchanger. The cooled reactor water is then discharged back to the recirculation line.

[3] An exact time estimate for filling and venting the ADHR system was not available. However, conversations with cognizant NRC staff indicate that it will likely take several hours to complete.

[4] The opening of the SRVs resulted in the suppression pool temperature increasing to 95°F, at which point plant procedures direct operators to initiate a manual scram. See LER 440-2016-002 for additional information.

Cause. The failure analysis performed by the licensee revealed that the failed fuse's internals were not soldered correctly during the manufacturing process. The licensee determined that the bus EH11 undervoltage relay logic functioned as designed given the failed phase A secondary potential transformer fuse. In addition, the licensee determined that the division 1 ESW system logic functioned as designed because the pump trip signal was locked in based on indications that the bus EH11 voltage was not at the rated values for all three phases.
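The following is a small state-machine model of the sensing-path failure described in the event description and cause paragraphs. It is an added illustration, not code or logic taken from the LER, the inspection report, or the licensee. The relay arrangement is reduced to an assumption: per-phase undervoltage comparison on the potential transformer (PT) secondary, a supply-breaker trip and sealed-in ESW pump trip on any sensed undervoltage, and a latch that clears only when all three sensed phases are back at rated voltage. The 70 percent pickup, the 5 percent "at rated" band, and the step names are assumed values chosen for the demonstration; the actual setpoints and relay scheme are not given on this page. What the model shows is the mechanism the event turned on: the logic never sees bus voltage, only the PT secondary, so one open sensing fuse is indistinguishable from a real phase loss and keeps the pump trip sealed in while the EDG is holding the bus at rated voltage.

```python
from dataclasses import dataclass, field
from typing import Dict

RATED_KV = 4.16
UV_PICKUP = 0.70 * RATED_KV   # assumed undervoltage pickup; not stated in the LER
RATED_BAND = 0.05 * RATED_KV  # assumed tolerance for "at rated voltage" (latch reset)


@dataclass
class SensingPath:
    """PT secondary with one fuse per phase. Assumption: an open fuse reads 0 V."""
    fuse_ok: Dict[str, bool] = field(default_factory=lambda: {"A": True, "B": True, "C": True})

    def sensed(self, actual_kv: Dict[str, float]) -> Dict[str, float]:
        return {ph: (actual_kv[ph] if self.fuse_ok[ph] else 0.0) for ph in "ABC"}


@dataclass
class Division:
    """Simplified EH11 logic: supply breaker, EDG start, and a sealed-in ESW pump trip."""
    sensing: SensingPath = field(default_factory=SensingPath)
    supply_breaker_closed: bool = True
    edg_running: bool = False
    esw_trip_latched: bool = False

    def evaluate(self, actual_kv: Dict[str, float]) -> Dict[str, object]:
        sensed = self.sensing.sensed(actual_kv)
        undervoltage = {ph: v < UV_PICKUP for ph, v in sensed.items()}
        if any(undervoltage.values()):
            # Sensed undervoltage: trip the supply breaker, shed loads (the ESW pump
            # trip seals in) and start the EDG. Whether the signal is valid is
            # invisible to the logic; it only sees the PT secondary.
            self.supply_breaker_closed = False
            self.esw_trip_latched = True
            self.edg_running = True
        # The latch clears only when every *sensed* phase is back at rated voltage.
        if all(abs(v - RATED_KV) <= RATED_BAND for v in sensed.values()):
            self.esw_trip_latched = False
        bus_healthy = all(abs(v - RATED_KV) <= RATED_BAND for v in actual_kv.values())
        return {
            "sensed_kv": sensed,
            "bus_actually_healthy": bus_healthy,
            "esw_pump_permitted": not self.esw_trip_latched,
            "edg_running": self.edg_running,
            # the condition the operators faced: healthy bus, pump still locked out
            "sensing_masks_healthy_bus": bus_healthy and self.esw_trip_latched,
        }


def replay_eh11_event() -> list:
    """Walk the February 11 sequence (assumed steps); returns (label, state) per step."""
    healthy = {"A": RATED_KV, "B": RATED_KV, "C": RATED_KV}
    div1 = Division()
    steps = [("normal operation", div1.evaluate(healthy))]
    div1.sensing.fuse_ok["A"] = False          # phase A PT secondary fuse opens
    steps.append(("phase A fuse fails", div1.evaluate(healthy)))
    # EDG is now on the bus and real three-phase voltage is at rated on every phase,
    # but phase A is still sensed at 0 V, so the ESW pump trip stays sealed in.
    steps.append(("EDG carrying bus", div1.evaluate(healthy)))
    div1.sensing.fuse_ok["A"] = True           # fuse replaced; sensing path repaired
    steps.append(("fuse replaced", div1.evaluate(healthy)))
    return steps


if __name__ == "__main__":
    for label, state in replay_eh11_event():
        print(f"{label:20s} bus healthy={state['bus_actually_healthy']!s:5} "
              f"ESW pump permitted={state['esw_pump_permitted']!s:5} "
              f"masked={state['sensing_masks_healthy_bus']}")
```

The third step is the one that matters for the design question the inspection raised: the reset criterion "all phases at rated voltage" is evaluated on the sensed values, so a single sensing-path component sits in series with the availability of the pump even though the protected equipment itself is fine.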

MODELING

Basis for ASP Analysis/SDP Results. The ASP Program performs independent analyses for initiating events. In addition, ASP analyses of initiating events account for all failures/degraded conditions and unavailabilities (e.g., equipment out for test/maintenance) that occurred during the event, regardless of licensee performance.[5] Performance deficiencies associated with shutdown events are evaluated by the Significance Determination Process (SDP) in a similar manner to that of an ASP analysis (i.e., an initiating event assessment is performed). In these cases, the SDP evaluation results are adopted if the analysis meets the needs of the ASP Program.

The NRC conducted a special inspection for the event associated with LER 440-2016-003-01 in accordance with Management Directive 8.3, NRC Incident Investigation Program.[6] NRC inspectors identified an unresolved issue, 05000440/2016008-01, associated with the design basis of the 4.16 kV bus undervoltage protection scheme. See IR 05000440/2016008 for additional information. This issue was subsequently referred to NRR for assistance in determining whether the licensee was in compliance with the current licensing basis. NRR staff determined that the existing bus undervoltage protection scheme complies with its licensing basis; however, a design vulnerability was identified, which can defeat coincident logic. The licensee committed to modify the design of the bus undervoltage protection scheme to address this vulnerability. See Perry Nuclear Power Plant - Final Response to Task Interface Agreement 2016-01 Regarding Adequacy of the Design and Licensing Bases for the Undervoltage Protection Scheme (TIA 2016-01; CAC No. MF8266, EPID L-2016-LRA-0001) (Ref. 3) for additional information.

LER 440-2016-003-01 was subsequently closed in IR 05000440/2016002 (Ref. 4). Since no licensee performance deficiency was identified, an independent ASP analysis is required for this event.

[5] ASP analyses also account for any degraded condition(s) identified after the initiating event occurred, if the failure/degradation exposure period(s) overlaps the initiating event date.

[6] This evaluation covered two events: (1) the spurious opening of two SRVs that led to a manual reactor scram on February 8th and (2) the loss of SDC event caused by the loss of safety-related bus EH11 on February 11th. The first event met two deterministic criteria in that the event involved a major deficiency in design, construction, or operation having potential generic safety implications, and involved possible adverse generic implications. The risk evaluation for this first event resulted in a CCDP of approximately 5x10^-8 to 4x10^-6. The second event also met two deterministic criteria in that the event led to the loss of a safety function or multiple failures in systems used to mitigate an actual event, and involved repetitive failures or events involving safety-related equipment or deficiencies in operations. The risk evaluation for this second event resulted in a CCDP of 1x10^-6. Based on the deterministic criteria met and the results of the risk evaluations, a special inspection was performed.

Analysis Type. An initiating event analysis was performed using a test/limited use (TLU) version of the Perry standardized plant analysis risk (SPAR) model, created on March 20, 2018. The model was created because the Perry SPAR model of record does not contain modeling for shutdown scenarios. The loss of SDC (mode 4) event tree used in this model was based on a similar tree contained in the Grand Gulf SPAR model. In addition, the TLU model contains CCF modeling of the safety-related buses with revised rate-based alpha factors developed by Idaho National Laboratory (INL). The alpha factors used for the common cause component group (CCCG) comprised of the three 4.16 kV safety-related buses are:

  • α1 = 0.99
  • α2 = 8.4x10^-3
  • α3 = 2.7x10^-3

SPAR Model Modifications. The following modifications were made to the SPAR model used for this initiating event analysis:
  • The revised loss of SDC event tree (SD-M4E-LOSDC) is shown in Figure A-1 of Appendix A, and includes modified top events and system descriptions. The SD-M4E-LOSDC event tree was revised (from the TLU model) to use the following logical progression after the initiating event occurs:

- Operators need to understand that a loss of SDC occurred.

- If a loss of SDC is correctly diagnosed, operators will attempt to align the other SDC train. If successful, a safe/stable end state is assumed. A failure to align the other SDC train results in system isolation due to high pressure after the reactor coolant begins to boil.

Other potential sources of early decay heat removal exist, such as the ADHR or reactor water cleanup (RWCU) systems. However, it would take operators several hours to fill and vent the ADHR system for use, and the heat removal capability of the RWCU system was not sufficient given the number of days after shutdown. Therefore, these systems were not credited in the event tree for early decay heat removal. Decay heat removal by steaming to the condenser is normally possible; however, it was not initially available during this event because the condenser mechanical vacuum was lost when the bus EH11 failed. This strategy could be pursued after bus EH11 was repaired and subsequently reenergized.

- If operators fail to align the other SDC train for any reason (e.g., failed diagnosis of loss of SDC or hardware failure), procedures direct operators to provide inventory makeup to the reactor. Feedwater from the reactor feed booster pumps or motor feedwater pump will be pursued first. At a reactor water level of 130 inches (level 2), the high-pressure core spray (HPCS) is expected to inject (if available). Control-rod drive (CRD) injection could also be used. If high-pressure sources are unavailable, the operators would manually depressurize the reactor and inject using an available low-pressure system, such as low-pressure coolant injection (LPCI), low-pressure core spray (LPCS), firewater, condensate transfer injection, etc.

- Late recovery of SDC is credited for sequences with successful reactor injection and reactor depressurization. In addition, the ADHR system is credited for late decay heat removal. If SDC or ADHR is successfully initiated, decay heat will stop being rejected to the suppression pool/containment and, therefore, containment temperature/pressure control is not queried to achieve a safe/stable end state.

- Containment temperature and pressure control is needed for scenarios where decay heat is being rejected to the suppression pool via the SRVs. Containment temperature/pressure control is normally provided by the suppression pool cooling (SPC) function of the RHR system. If normal suppression pool cooling is unavailable, RWCU, ADHR, or suppression pool cleanup systems can provide an alternate source of containment temperature/pressure control. If normal or alternate SPC fails, operators have the ability to vent containment to prevent containment failure due to overpressure.

  • The top event fault trees contained in the SD-M4E-LOSDC event tree were modified.

Existing system logic (HPCS, CRD, LPCI, LPCS, etc.) was used if already available in the base SPAR model. However, the TLU SPAR model does not contain fault tree logic for many systems available for reactor decay heat removal and inventory control while the plant is in mode 4. This is also the case for containment temperature/pressure control. No attempt was made to include all potentially available systems because preliminary insights showed that CCF of the 4.16 kV safety-related buses dominates the risk of this event. Therefore, the focus of adding systems to the applicable top event fault tree was limited to those that were not dependent on electrical power from the safety-related 4.16 kV buses. An undeveloped basic event with a conservative screening probability of 0.1 was used for each missing system/function. These modeling simplifications have minimal impact on the analysis results because the results are often dominated by human error probabilities (HEPs) for the applicable function. The HEPs for the human failure events (HFEs) used in applicable systems fault trees were calculated using the SPAR-H method (Ref. 5). A brief description of the top event fault trees in the SD-M4E-LOSDC event tree, along with any important notes, is provided in the following:

- The SD-XD-SDC (fail to diagnose loss of SDC before system isolation) fault tree (shown in Figure B-1) only contains the basic event SD-XHE-XD-SDC (operators fail to diagnose loss of SDC before system isolation). The HEP for this HFE is 1x10^-5; see Appendix C for additional information. The operators successfully diagnosed the loss of SDC during the event.

- The SD-SDC-EARLY (heat removal using SDC (early)) fault tree (shown in Figure B-2) contains the system logic for SDC already contained in the base SPAR model. Changes made included removing the electrical dependency of the SDC suction valves because they were already open during the event. In addition, logic was added to ensure that alignment of the SDC before system isolation is failed given the postulated CCF of the safety-related 4.16 kV buses EH11 and EH12. Credit for recovery of these buses is provided in other (later) system functions given successful troubleshooting and repair activities. The HFE for this function is SD-XHE-XM-SDC-EARLY (operators fail to establish SDC prior to system isolation). The HEP for this HFE is 1x10^-3; see Appendix C for additional information. During the event, the operators successfully realigned SDC train B approximately 42 minutes after train A failed.

- The SD-HPI (high pressure injection systems (normal and alternate)) fault tree (shown in Figure B-3) contains the system logic for HPCS and CRD injection already contained in the base SPAR model. In addition, feedwater via either reactor feed booster pumps or motor feedwater pump is credited via basic event SD-MFW-SYS-HW (feedwater fails), which has a conservative failure probability of 0.1.[7] The system-specific HFEs for HPCS and CRD were eliminated and are represented by a single HFE, SD-XHE-XM-INJECTION (operators fail to establish an injection source). The HEP for this HFE is 2x10^-4; see Appendix C for additional information.

- The SD-DEP (manual reactor depressurization) fault tree (shown in Figure B-4) structure is the same as that contained in the TLU SPAR model except that unneeded seismic logic was eliminated. The HFE for this fault tree is ADS-XHE-XM-MDEPR (operators fail to initiate reactor depressurization). The base SPAR model HEP of 5x10^-4 was used for this HFE.

- The SD-LPI (low-pressure coolant injection (normal and alternate)) fault tree (shown in Figure B-5) contains the system logic for LPCI and LPCS already contained in the base SPAR model. In addition, ADHR injection, firewater, and condensate transfer injection are credited via basic events SD-ADHR-SYS-HW (alternate decay heat removal and/or injection), SD-FWS-SYS-HW (firewater injection), and SD-CTS-SYS-HW (condensate transfer injection), respectively. A conservative failure probability of 0.1 was used for these basic events.[8] The system-specific HFEs for LPCI and LPCS were eliminated, and SD-XHE-XM-INJECTION, the same HFE used in the SD-HPI fault tree, is used to represent the overall HFE to initiate low-pressure injection.[9]

- The SD-SDC-LATE (heat removal using SDC (late)) fault tree (shown in Figure B-6) contains similar system logic as the SD-SDC-EARLY fault tree. Credit for the initiation of ADHR after the system is filled and vented is provided via basic event SD-ADHR-SYS-HW. The HFE for this function is SD-XHE-XM-SDC-LATE (operators fail to establish late decay heat removal (SDC or ADHR)). The HEP for this HFE is 2x10^-3; see Appendix C for additional information.

- The SD-SPC (heat removal using suppression pool (normal and alternate)) fault tree (shown in Figure B-7) structure is the same as that contained in the TLU SPAR model except that alternate sources of cooling were added. The RWCU, ADHR, or suppression pool cleanup systems are credited via basic events SD-RWC-SYS-HW (RWCU system), SD-ADHR-SYS-HW, and SD-SPCU-SYS-HW (suppression pool cleanup system), respectively. A conservative failure probability of 0.1 was used for these basic events. The HFE for this function is SD-XHE-XM-SPC (operators fail to establish SPC (normal or alternate)). The HEP for this HFE is 2x10^-3; see Appendix C for additional information.

- The SD-CVS (containment venting) fault tree (shown in Figure B-8) structure is the same as that contained in the TLU SPAR model with a few exceptions. First, unneeded seismic logic was eliminated. Second, logic was moved from a transfer gate to directly under the top gate. Third, the electrical dependencies for motor-operated valves (MOVs) 140 and 145 were removed because these valves can be opened locally without power. The HFE for this fault tree is SD-XHE-XM-CVS (operators fail to vent containment). The HEP for this HFE is 2x10^-3; see Appendix C for additional information.

[7] The feedwater fault tree contained in the at-power Perry SPAR model was solved to determine the system failure probability due to hardware failures. This probability was shown to be less than 0.1.

[8] The firewater and condensate transfer system fault trees contained in the at-power Perry SPAR model were solved to determine the system failure probabilities due to hardware failures. These probabilities were shown to be less than 0.1. No ADHR fault tree exists in the Perry SPAR model; however, a review of the current reliability of motor-driven pumps, valves, etc., indicates that the system failure probability is likely less than 0.1.

[9] The high- and low-pressure systems are provided within the same procedure steps of the reactor pressure vessel (RPV) control flowchart.
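The bus CCF term that the SD-SDC-EARLY modification and the preliminary insights refer to is driven by the alpha factors listed under Analysis Type. The following is an added worked example of the alpha-factor arithmetic; it is not the SPAR model's own quantification and was not produced by the ASP analysts. It applies the NUREG/CR-5485 alpha-factor formulas (both the non-staggered and staggered testing forms) to the three-bus CCCG. The per-bus total failure probability q_t is an assumed input, since the page does not give one, and the closing back-of-envelope check, which pairs the CCF fraction with the page's HEP for SD-XHE-XM-INJECTION, is only an order-of-magnitude comparison against the reported CCDP; the SPAR model computes the sequence through cut sets, hardware terms and recovery, none of which are modeled here.

```python
from math import comb

# Alpha factors for the three-bus CCCG as listed under Analysis Type.  They are rounded
# values, so they sum to slightly more than 1.
ALPHA = {1: 0.99, 2: 8.4e-3, 3: 2.7e-3}
M = 3  # size of the common cause component group (the three safety-related 4.16 kV buses)


def alpha_total(alpha: dict = ALPHA) -> float:
    """alpha_t = sum_k k * alpha_k, the normalisation used by the non-staggered formula."""
    return sum(k * a for k, a in alpha.items())


def ccf_probabilities(q_t: float, alpha: dict = ALPHA, m: int = M, staggered: bool = False) -> dict:
    """Q_k: probability that one *specific* set of k of the m components fails together.

    q_t is the total failure probability of a single component from all causes
    (assumed input; the page gives no per-bus value).  NUREG/CR-5485 alpha-factor model:
      non-staggered testing:  Q_k = k / C(m-1, k-1) * alpha_k / alpha_t * q_t
      staggered testing:      Q_k = 1 / C(m-1, k-1) * alpha_k * q_t
    """
    a_t = alpha_total(alpha)
    q = {}
    for k in range(1, m + 1):
        groups = comb(m - 1, k - 1)
        if staggered:
            q[k] = alpha[k] * q_t / groups
        else:
            q[k] = k * alpha[k] * q_t / (groups * a_t)
    return q


def prob_two_or_more_lost(q: dict, m: int = M) -> float:
    """Rare-event sum over every subset of size >= 2 (there are C(m, k) subsets of size k)."""
    return sum(comb(m, k) * q[k] for k in range(2, m + 1))


def fraction_of_failures_that_are_ccf(alpha: dict = ALPHA) -> float:
    """Share of bus-failure events that take out two or more buses, read off the alphas."""
    return (alpha[2] + alpha[3]) / sum(alpha.values())


def dominant_sequence_rough_check(hep_injection: float = 2e-4) -> float:
    """Crude check of the dominant sequence described in the executive summary: one bus
    has already failed (the initiating event), the failure turns out to be common cause,
    and operators then fail to establish injection.  Uses the page's HEP for
    SD-XHE-XM-INJECTION; ignores hardware terms, recovery and the other sequences, so it
    is only an order-of-magnitude comparison with the reported CCDP of 2x10^-6."""
    return fraction_of_failures_that_are_ccf() * hep_injection


if __name__ == "__main__":
    q = ccf_probabilities(q_t=1e-3)  # assumed per-bus failure probability for the demonstration
    for k, v in q.items():
        print(f"Q_{k} (non-staggered) = {v:.3e}")
    for k, v in ccf_probabilities(q_t=1e-3, staggered=True).items():
        print(f"Q_{k} (staggered)     = {v:.3e}")
    print(f"P(>= 2 of 3 buses lost) = {prob_two_or_more_lost(q):.3e}")
    print(f"fraction of bus failures that are CCF = {fraction_of_failures_that_are_ccf():.4f}")
    print(f"rough dominant-sequence estimate = {dominant_sequence_rough_check():.2e}")
```

Two things are worth noticing in the output. First, for this CCCG the specific-subset probabilities Q_2 and Q_3 are of the same order, so the "all three buses" cut set is not negligible next to the pair cut sets, which is why the analysis conservatively fails SDC-EARLY on a postulated CCF rather than crediting the third bus. Second, about 1.1 percent of bus failures are common cause by these alphas; multiplied by the 2x10^-4 injection HEP that gives roughly 2x10^-6, the same order as the CCDP the analysis reports for the dominant sequence.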

  • Dependency. A review of the key HFE combinations for dependency was performed. It is typical SPAR model practice to leverage the licensee probabilistic risk assessment (PRA) results for dependency considerations between HFEs. Specifically, dependency between applicable HFEs in the SPAR model is only considered if licensee PRA cut sets indicate that some level of dependency exists. However, no such dependency comparison with the licensee PRA could be performed for shutdown scenarios for Perry because there was no shutdown SPAR model. Therefore, a dependency analysis was completed as part of this analysis. To identify the HFE combinations for loss of SDC scenarios modeled as part of this analysis, the applicable HFE probabilities were set to 0.99 and the SD-M4E-LOSDC event tree was re-solved.[10] The following HFE combinations were identified that could potentially affect the analysis results in a significant manner (i.e., combinations that could contribute at least 1x10^-7 given a loss of SDC event occurs):

Key HFE Combinations (1st HFE through 5th HFE): SD-XHE-XM-INJECTION; ADS-XHE-XM-MDEPR; ADS-XHE-XM-MDEPR; SD-XHE-XM-SPC; SD-XHE-XM-CVS; SD-XHE-XD-SDC; SD-XHE-XM-INJECTION; SD-XHE-XD-SDC; SD-XHE-XM-INJECTION; ADS-XHE-XM-MDEPR; SD-XHE-XD-SDC; SD-XHE-XM-SPC; SD-XHE-XM-CVS; SD-XHE-XM-SDC-LATE; SD-XHE-XM-SPC; SD-XHE-XM-CVS; SD-XHE-XM-SPC; SD-XHE-XM-CVS; DCP-XHE-XL-U2XTIE; SD-XHE-XM-CVS; SD-XHE-XM-SPC; SD-XHE-XM-INJECTION; DCP-XHE-XL-U2XTIE; ECW-XHE-XL-F665A; ECW-XHE-XL-F665B; SD-XHE-XM-CVS; SD-XHE-XM-SDC-LATE; SD-XHE-XM-SPC; ECW-XHE-XL-F665A; ECW-XHE-XL-F665B; SD-XHE-XM-INJECTION; ECW-XHE-XL-F665A; ECW-XHE-XL-F665B; ADS-XHE-XM-MDEPR; SD-XHE-XM-CVS; SD-XHE-XM-SPC; ECW-XHE-XL-F665A; ECW-XHE-XL-F665B; SD-XHE-XM-INJECTION; ADS-XHE-XM-MDEPR; EPS-XHE-XM-DGXTIE2; SD-XHE-XM-SDC-LATE; SD-XHE-XM-SPC; EPS-XHE-XM-DGXTIE2; ADS-XHE-XM-MDEPR; SD-XHE-XM-SPC

[10] Exceptions include pre-initiator HFEs (e.g., failures to restore components after testing/maintenance), along with basic events SD-XHE-XD-SDC, ACP-XHE-XL-EBUS (failure to recover failed 'E' bus), and SD-XHE-XM-SDC-EARLY. Basic event SD-XHE-XD-SDC was not adjusted because it is queried first in the SD-M4E-LOSDC event tree and, therefore, is always independent. Basic event ACP-XHE-XL-EBUS was not adjusted because this HFE represents repair of safety-related bus failures and is not expected to influence the main control room operators. Basic event SD-XHE-XM-SDC-EARLY was not adjusted because it only contains action (i.e., execution) activities and, therefore, is not expected to affect the diagnosis portions of other HFEs.

Upon review, combinations associated with basic events DCP-XHE-XL-U2XTIE (operators fail to align Unit 2 DC power to Unit 1), ECW-XHE-XL-F665A (operators fail to control TCV1P42-F665A), ECW-XHE-XL-F665B (operators fail to control TCV1P42-F665B), and EPS-XHE-XM-DGXTIE2 (operators fail to cross-tie HPCS diesel) would not significantly affect the analysis results even if complete dependence was assumed.[11] Therefore, these HFE combinations were not evaluated further. From the remaining HFE combinations, the HFE pairs shown in the following sections were identified.[12] While the identification of HFE pairs is not an area of disagreement within the PRA community, the evaluation of whether dependency exists and, if so, the appropriate level of dependency can have considerable variability depending on the method used and different analyst assumptions. INL/EXT-10-18533, SPAR-H Step-by-Step Guidance, (Ref. 6) states that:

Simply having two or more HFEs together in a sequence or cut set does not make them dependent. A psychological basis must exist (the HFEs must be psychologically connected). Analysts should review the situation and context carefully and consider, for example, the following factors:

  • Time (to allow forgetting and emptying of working memory),
  • Location (introducing new information, potentially interrupting the script),
  • Same person or crew (allows for mindset to develop), and
  • Cues (stimulate the human to think differently).

All these aspects should be considered within the framework of the accident scenario context (e.g., simply having the same person, close in time, no additional cues, etc., does not necessarily mean dependence is present).

Also, analysts should be alert to a situation that produces a cut set with two HFEs, which are separated by a success. The success will not be evident in the cut set but will be seen by following the sequence in the event tree. The presence of the success could indicate a break in the mindset of the operators.

In a normal or familiar situation, with good procedures, no compelling reason for dependence exists.

The SPAR-H method (Ref. 5) adopted the Technique for Human Error-Rate Prediction (THERP) dependency model, which was designed for dependency considerations at the sub-task level (i.e., tasks within the same HFE). Both NUREG/CR-6883, The SPAR-H Human Reliability Analysis Method, and INL/EXT-10-18533 direct that the THERP dependency table should not be directly applied without performing an initial evaluation on whether dependence is likely. Unfortunately, explicit guidance on how to perform this initial evaluation does not currently exist.

The Electric Power Research Institute (EPRI) developed a separate dependency method that is used heavily within industry. The EPRI dependency tree is also largely based on the THERP dependency method; however, the dependency level when using the SPAR-H and EPRI methods can differ significantly. For example, as long as two operator actions do not share a common cognitive function (i.e., identical cues, procedures, etc.) and there is at least 60 minutes between the HFEs, then zero dependence is determined using the EPRI dependency tree.[13] By contrast, the same operator action pair could have up to high dependence when using the SPAR-H method (depending on the evaluation of other factors).

[11] These basic events at their elevated probabilities (0.99) have a combined CCDP contribution of approximately 1x10^-6. At a minimum, the first HFE in these combinations is independent. Therefore, the total CCDP contribution would be at least an order of magnitude lower. Consequently, any dependency consideration for these HFE combinations has a negligible effect on the analysis results. However, some HFE pairs of these HFE combinations are evaluated because the applicable HFE pairs are part of more significant HFE combinations.

[12] Current dependency methodologies are limited to evaluating HFE pairs.

Given the current state of dependence modeling and current dependence guidance provided for SPAR-H, the key factors are evaluated for the applicable HFE pairs and, if no readily apparent reason for dependency exists, independence will be assumed.[14] This assumption is in agreement with the SPAR-H step-by-step guidance, which states that independence is more likely; dependence is the exception rather than the rule. A sensitivity analysis was performed assuming a direct application of the SPAR-H/THERP dependency table (see Key Modeling Uncertainties for additional information).
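The sensitivity referred to in the paragraph above can be reproduced with the THERP conditional-HEP formulas that SPAR-H adopted (NUREG/CR-1278 Table 20-17). The following is an added example, not the analysis's own calculation or a SPAR model output: it takes the two HFE pairs evaluated in the sections that follow, with the HEPs stated earlier in this report (5x10^-4 for ADS-XHE-XM-MDEPR, 2x10^-3 for SD-XHE-XM-SPC, 1x10^-5 for SD-XHE-XD-SDC, 2x10^-4 for SD-XHE-XM-INJECTION), and recomputes the joint failure probability at every dependence level. Pair 1 is omitted because both actions are the same HFE. Leaving the first HFE at its independent value and conditioning only the second is the convention of the method; the pair labels and the multiplier column are mine.

```python
from typing import Dict, Tuple

# THERP dependence levels (NUREG/CR-1278 Table 20-17), as adopted by SPAR-H.  Each formula
# gives the conditional HEP of the second action given that the first action failed,
# where p is the second action's independent HEP.
LEVELS = ("ZD", "LD", "MD", "HD", "CD")


def conditional_hep(p: float, level: str) -> float:
    if level == "ZD":          # zero dependence
        return p
    if level == "LD":          # low dependence
        return (1 + 19 * p) / 20
    if level == "MD":          # moderate dependence
        return (1 + 6 * p) / 7
    if level == "HD":          # high dependence
        return (1 + p) / 2
    if level == "CD":          # complete dependence
        return 1.0
    raise ValueError(f"unknown dependence level {level!r}")


def joint_hep(p_first: float, p_second: float, level: str) -> float:
    """P(both actions fail): the first HFE keeps its independent HEP, the second is conditioned."""
    return p_first * conditional_hep(p_second, level)


def dependence_multiplier(p_second: float, level: str) -> float:
    """Factor by which the joint probability grows relative to the independent product."""
    return conditional_hep(p_second, level) / p_second


# HFE pairs and HEPs from this analysis (labels "pair2"/"pair3" follow the report's numbering).
PAIRS: Dict[str, Tuple[str, float, str, float]] = {
    "pair2": ("ADS-XHE-XM-MDEPR", 5e-4, "SD-XHE-XM-SPC", 2e-3),
    "pair3": ("SD-XHE-XD-SDC", 1e-5, "SD-XHE-XM-INJECTION", 2e-4),
}


def sensitivity(pairs: Dict[str, Tuple[str, float, str, float]] = PAIRS) -> Dict[str, Dict[str, float]]:
    """Joint failure probability of each pair at every dependence level."""
    return {
        name: {lvl: joint_hep(p1, p2, lvl) for lvl in LEVELS}
        for name, (_, p1, _, p2) in pairs.items()
    }


if __name__ == "__main__":
    table = sensitivity()
    for name, (h1, p1, h2, p2) in PAIRS.items():
        print(f"{name}: {h1} ({p1:.0e}) then {h2} ({p2:.0e})")
        for lvl, joint in table[name].items():
            print(f"  {lvl}: joint = {joint:.2e}  (x{dependence_multiplier(p2, lvl):.0f} vs. independent)")
```

The multiplier column is the reason the choice of dependence level matters more than the HEPs themselves for small-probability actions: for pair 2 the joint probability moves from 1x10^-6 under zero dependence to 2.5x10^-4 under high dependence, a factor of about 250, and for pair 3 complete dependence turns a 1x10^-5 diagnosis failure into a guaranteed injection failure.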

- HFE Pair 1: SD-XHE-XM-INJECTION and ADS-XHE-XM-MDEPR

Applicable Sequence Information. Loss of SDC initiating event occurs and operators cannot restore SDC prior to RHR system isolation. As the reactor begins to boil, reactor level will decrease, requiring a source of either high- or low-pressure injection to provide inventory makeup. If all sources of high-pressure injection fail, manual reactor depressurization is required to allow for low-pressure injection.

Summary. Because the HFE SD-XHE-XM-INJECTION is used for both high- and low-pressure injection, dependency concerns for this HFE combination are rendered moot. In other words, if operators fail to initiate high-pressure injection, the current modeling assumes that they will fail to initiate low-pressure injection as well. Therefore, dependency is already considered for HFE pair 1 via this separate modeling assumption.

- HFE Pair 2: ADS-XHE-XM-MDEPR and SD-XHE-XM-SPC

Applicable Sequence Information. Loss of SDC initiating event occurs and operators cannot restore SDC prior to RHR system isolation. As the reactor begins to boil, reactor level will decrease, requiring a source of either high- or low-pressure injection to provide inventory makeup. For this sequence, high-pressure injection is successful. However, containment heat removal is required because the decay heat is rejected to the suppression pool via the SRVs. If operators fail to depressurize the reactor, SDC cannot be restored. Normal or alternate SPC can be aligned to provide containment temperature/pressure control.

Cues and Procedures. Primary Containment Control EOP-02 Flowchart directs operators to initiate SPC when pool temperature reaches 95°F. The Reactor Pressure Vessel Control EOP-01 Flowchart directs operators to depressurize the reactor to less than 135 psig before aligning SDC. These HFEs are determined to not share a common cognitive function.

[13] The 60-minute threshold between HFEs was extrapolated from THERP, which assumed zero dependence between subtasks that are at least 60 seconds apart.

[14] This evaluation assumed (for all HFE pairs) that all needed cues/indications are available/accurate and no concurrent activities are ongoing that could mask indications needed for the operator actions modeled.

Timing Information. The suppression pool is expected to reach 95°F within the first hour after reactor boiling begins (i.e., 3-4 hours after loss of SDC occurs). However, there are potential delays in initiating SPC, depending on the availability of safety-related alternating current (AC) power or other systems (such as ADHR).

There is considerable variability in when operators would depressurize the reactor, because it depends on how quickly they are able to initiate a source of high-pressure injection. In addition, for the dominant scenario of postulated CCF of the safety-related buses, both trains of SDC would be unavailable for several hours until repairs are completed. A time gap of at least a few hours is likely between the cues for these operator actions during the postulated dominant scenario. It is conservatively assumed that these operator actions will be performed by the same crew (12-hour shifts); however, the total time window for the applicable accident sequence will likely cross over to another crew.

Adequate Resources. There are adequate resources to perform both of these operator actions.

Location. Manual reactor depressurization is performed from the main control room (MCR). The initiation of SPC could be performed from the MCR if using RHR, but would involve effort outside the control room from some or all of the alternative systems.

Summary. These operator actions were determined to be independent due to the following considerations:

- Given the time between cues (at least a few hours) and the overall time window for the applicable accident sequence, additional personnel are expected to be involved in event response (e.g., technical support center, other crew), resulting in additional opportunities to break an incorrect operational picture/mindset.

- The cues and procedure guidance are diverse. In addition, the suppression pool temperature and containment pressure signals provide continuous feedback throughout the postulated accident sequence.

- HFE Pair 3: SD-XHE-XD-SDC and SD-XHE-XM-INJECTION

Applicable Sequence Information. Loss of SDC initiating event occurs and operators fail to diagnose that a loss of SDC occurred prior to RHR system isolation. As the reactor begins to boil, reactor level will decrease, requiring a source of either high- or low-pressure injection to provide inventory makeup. For this sequence, operators fail to initiate either high- or low-pressure injection, resulting in core uncovery and subsequent core damage.

Cues and Procedures. Operators will enter ONI-E12-2, Loss of Decay Heat Removal on a loss of SDC. Examples of key cues include trip of the running SDC pump and safety-related 4.16 kV bus undervoltage. The Reactor Pressure Vessel Control EOP-01 Flowchart directs operators to initiate a source of high-pressure injection when the reactor water level is less than 130 inches (Level 2). However, operators are likely to initiate feedwater and/or condensate prior to reactor water level reaching the prescribed level band before the loss of SDC. These HFEs are determined to not share a common cognitive function.


Timing Information. The cues for loss of SDC occur immediately (i.e., T0). Reactor water level will not start to decrease until boiling begins (i.e., 2-3 hours after T0). It will take an additional few hours to decrease the reactor water level to 130 inches (from an initial water level of 200 inches). A likely time gap of 4-6 hours exists between the cues for these operator actions during the postulated dominant scenario and, therefore, it is expected that these operator actions will be performed by the same crew (12-hour shifts).

Adequate Resources. There are adequate resources to perform both of these operator actions.

Location. Diagnosis of a loss of SDC is performed from the MCR. The initiation of high- and/or low-pressure injection is typically performed from the MCR. However, some of the alternate systems may require some alignment activities outside the MCR.

Summary. These operator actions were determined to be independent due to the following considerations:

- Given the time between cues (at least a few hours) and the overall time window for the applicable accident sequence, additional personnel are expected to be involved in event response (e.g., technical support center), resulting in additional opportunities to break an incorrect operational picture/mindset.

- The cues and procedure guidance are diverse. In addition, the suppression pool temperature and containment pressure signals provide continuous feedback throughout the postulated accident sequence.

- HFE Pair 4: SD-XHE-XD-SDC and SD-XHE-XM-SPC

Applicable Sequence Information. Loss of SDC initiating event occurs and operators fail to diagnose that a loss of SDC occurred prior to RHR system isolation. As the reactor begins to boil, reactor level will decrease, requiring a source of either high- or low-pressure injection to provide inventory makeup. For this sequence, high-pressure injection is successful. However, containment heat removal is required because the decay heat is rejected to the suppression pool via the SRVs.

Operators have a few options to provide containment temperature and pressure control. Operators can manually depressurize the reactor to align SDC (if available). Another option available to operators is to align SPC.

Cues and Procedures. Operators will enter ONI-E12-2, Loss of Decay Heat Removal on a loss of SDC. Examples of key cues include trip of the running SDC pump and safety-related 4.16 kV bus undervoltage. Primary Containment Control EOP-02 Flowchart directs operators to initiate SPC when pool temperature reaches 95°F. These HFEs are determined to not share a common cognitive function.

Timing Information. The cues for loss of SDC occur immediately (i.e., T0). The suppression pool is expected to reach 95°F within the first hour after reactor boiling begins (i.e., 3-4 hours after loss of SDC occurs). However, there are potential delays in initiating SPC depending on the availability of safety-related AC power or other systems (such as ADHR). A minimum time gap of 3-4 hours exists between these operator actions during the postulated dominant scenarios and, therefore, it is expected that these operator actions will be performed by the same crew (12-hour shifts).

Adequate Resources. There are adequate resources to perform both of these operator actions.

Location. Diagnosis of a loss of SDC is performed from the MCR. The initiation of SPC could be performed from the MCR if using RHR, but would involve some effort outside the control room from some or all of the alternative systems.

Summary. These operator actions were determined to be independent because there is an intervening success (high-pressure injection).

- HFE Pair 5: SD-XHE-XM-SDC-LATE and SD-XHE-XM-SPC

Applicable Sequence Information. Loss of SDC initiating event occurs and operators cannot restore SDC prior to RHR system isolation. As the reactor begins to boil, reactor level will decrease, requiring a source of either high- or low-pressure injection to provide inventory makeup. For this sequence, high-pressure injection is successful. However, containment heat removal is required because the decay heat is rejected to the suppression pool via the SRVs. If operators cannot restore SDC, containment temperature/pressure control can be provided by normal or alternate SPC.

Cues and Procedures. Primary Containment Control EOP-02 Flowchart directs operators to initiate SPC when pool temperature reaches 95°F. The Reactor Pressure Vessel Control EOP-01 Flowchart directs operators to align SDC if reactor pressure is less than 135 psig. These HFEs are determined to not share a common cognitive function.

Timing Information. The suppression pool is expected to reach 95°F within the first hour after reactor boiling begins (i.e., 3-4 hours after loss of SDC occurs). However, there are potential delays in restoring normal or alternate SDC depending on the availability of safety-related AC power or other systems (such as ADHR). There is a lot of variability in when operators would restore SDC after RHR system isolation.

For the dominant scenario of postulated CCF of the safety-related buses, both trains of SDC would be unavailable for several hours until repairs are completed. A time gap of at least a few hours is likely between the cues for these operator actions during the postulated dominant scenario. It is conservatively assumed that these operator actions will be performed by the same crew (12-hour shifts); however, the total time window for the applicable accident sequence will likely cross over to another crew.

Adequate Resources. There are adequate resources to perform both of these operator actions.

Location. The initiation of SPC could be performed from the MCR if using RHR, but would involve some effort outside the control room from some or all of the alternative systems. The restoration of SDC after RHR system isolation would be performed from the MCR. However, if the ADHR system is used to provide decay heat removal, some of the execution steps (e.g., filling and venting the system) are performed outside the MCR.

Summary. These operator actions were determined to be independent due to the following considerations:

- Given the time between cues (at least a few hours) and the overall time window for the applicable accident sequence, additional personnel are expected to be involved in event response (e.g., technical support center), resulting in additional opportunities to break an incorrect operational picture/mindset.

- The cues and procedure guidance are diverse. In addition, the suppression pool temperature and containment pressure signals provide continuous feedback throughout the postulated accident sequence.

- HFE Pair 6: SD-XHE-XM-SPC and SD-XHE-XM-CVS

Applicable Sequence Information. Loss of SDC initiating event occurs and operators cannot restore SDC prior to RHR system isolation. As the reactor begins to boil, reactor level will decrease, requiring a source of either high- or low-pressure injection to provide inventory makeup. For the applicable sequences, high- or low-pressure injection is successful. However, containment heat removal is required because the decay heat is rejected to the suppression pool via the SRVs. Operators have a few options to provide containment temperature and pressure control. If SDC or ADHR cannot be aligned, operators need to align normal or alternate SPC. If containment temperature control fails, operators will need to vent containment prior to reaching 40 psig to prevent over-pressure failure.

Cues and Procedures. Primary Containment Control EOP-02 Flowchart directs operators to initiate SPC when pool temperature reaches 95°F and to vent when containment pressure reaches 15 psig and prior to 40 psig. These HFEs are determined to not share a common cognitive function.

Timing Information. The suppression pool is expected to reach 95°F within the first hour after reactor boiling begins (i.e., 3-4 hours after loss of SDC occurs). However, there are potential delays in restoring normal or alternate SDC depending on the availability of safety-related AC power or other systems (such as ADHR). Given the time to suppression pool boiling, containment pressure would reach its design limit of 40 psig in approximately 16 hours. An exact time for when containment pressure reaches 15 psig is not available. A time gap of at least 10 hours between the cues for these operator actions exists during the applicable sequences and, therefore, it is conservatively assumed that these operator actions will be performed by the same crew (12-hour shifts). However, the total time window for the applicable accident sequence will cross over to another crew.

Adequate Resources. There are adequate resources to perform both of these operator actions.

Location. The initiation of SPC could be performed from the MCR if using RHR, but would involve some effort outside the control room from some or all of the alternative systems. If safety-related AC power is available, containment venting can be performed from the MCR. If electrical power is unavailable, containment venting must be performed locally.

Summary. These operator actions were determined to be independent due to the following considerations:

- Given the time between cues (at least a few hours) and the overall time window for the applicable accident sequence, additional personnel are expected to be involved in event response (e.g., technical support center, other crew), resulting in additional opportunities to break an incorrect operational picture/mindset.

- The cues and procedure guidance are diverse. In addition, the suppression pool temperature and containment pressure signals provide continuous feedback throughout the postulated accident sequence.

Key Modeling Assumptions. The following modeling assumptions were determined to be significant to the modeling of this event analysis:

  • The following timing assumptions were taken from licensee information:

    - Based on the heat-up rate experienced during the event, time-to-boil was estimated to be approximately 3 hours. Initial estimates performed during the event calculated 1.9 hours.

    - Assuming no reactor decay heat removal, inventory makeup, nor containment cooling, suppression pool temperature would reach 212°F approximately 9 hours after the loss of SDC occurred.

    - Given the time to suppression pool boiling, containment pressure would reach its design limit of 40 psig in approximately 16 hours.

  • This analysis models the February 11, 2016, event at Perry Nuclear Power Plant as a loss of SDC initiating event with the plant in mode 4. Therefore, the probability for IE-LOSDC-M4 (loss of shutdown cooling initiating event while in mode 4) was set to 1.0.

  • Basic event ACP-BAC-LP-D1 (4160 V bus EH11 hardware failures) was set to TRUE due to the loss of safety-related 4.16 kV bus EH11 caused by the failure of the phase A potential transformer secondary fuse.

    - Bus Recovery. After safety-related 4.16 kV bus EH11 failed on February 11th, the licensee was able to repair and reenergize the bus approximately 9.5 hours later. It is possible that, if needed, the repair/recovery of the failed bus could be accomplished in less time. However, no estimate is currently available to the analyst. Therefore, ACP-XHE-XL-EBUS was set to a screening value of 0.1 (see footnote 15). Any further refinement is not expected to significantly affect the analysis result.

  • Basic events ECW-MDP-TM-C001B (ECC train 1B is in test or maintenance), ESW-MDP-TM-PUMPB (ESW pump 1P45-C001B is in test or maintenance), RHR-HTX-TM-TRNB (RHR heat exchanger train B is in test or maintenance), and RHR-MDP-TM-TRNB (RHR train B is unavailable because of maintenance) were set to FALSE because test and maintenance on the alternate SDC train is not expected with SDC as the primary source of decay heat removal.

15 NUREG-1792, Good Practices for Implementing Human Reliability Analysis, provides that 0.1 is an appropriate screening (i.e., typically conservative) value for most post-initiator HFEs.


ANALYSIS RESULTS

CCDP. The point estimate CCDP for this event is 2x10-6. The ASP Program acceptance threshold is a CCDP of 1x10-6 for shutdown events; therefore, this event is a precursor.

Dominant Sequence. The dominant accident sequence is LOSDC-M4 sequence 12 (CCDP = 2.36x10-6), which contributes 98 percent of the total internal events CCDP. This sequence is shown graphically in Figure A-1 of Appendix A. The dominant sequences that contribute at least 1.0 percent to the total internal events CCDP are provided in the following table:

Sequence | CCDP | Percentage | Description
SD-M4E-LOSDC 12 | 2.36x10-6 | 97.6% | Loss of SDC initiating event occurs; operators cannot restore SDC prior to system isolation (dominated by CCF of safety-related buses); all sources of high- and low-pressure injection fail, resulting in core damage.
SD-M4E-LOSDC 13 | 4.58x10-8 | 1.9% | Loss of SDC initiating event occurs; operators cannot restore SDC prior to system isolation (dominated by CCF of safety-related buses); all sources of high-pressure injection fail; and manual reactor depressurization fails, resulting in core damage.

Key Modeling Uncertainties. The two main drivers in this ASP analysis were human reliability analysis (HRA) and CCF modeling of the safety-related AC buses.

  • The lack of complete dependency evaluation guidance and limitations associated with the current methods are considered as key modeling uncertainties for this analysis. Per existing guidance, an analyst should first determine that dependency exists prior to applying the SPAR-H/THERP dependency table. The analyst determined that there was no strong evidence for considering the key HFE pairs as dependent for this analysis.

However, it is not expected that all analysts would make the same determination. A sensitivity analysis was performed applying the SPAR-H/THERP dependency table, assuming moderate dependence (i.e., same crew, not close in time, same location, additional cues) for HFE combinations 2, 3, 5, and 6 (see footnotes 16 and 17). This sensitivity results in a CCDP of 5x10-6 (approximately a 117 percent increase from the best estimate analysis).

  • The modeling of CCF of the buses is not included in the base SPAR models. However, it was determined that CCF modeling is important for this analysis. The CCCG of the safety-related AC buses is considered a key modeling uncertainty. There are a number of ways that the electrical buses could be grouped. It was determined to be most appropriate to place the three 4.16 kV safety-related AC buses (EH11, EH12, and EH13) in the same CCCG. While safety- and nonsafety-related buses likely share many of the same coupling factors (e.g., environment, maintenance, etc.), the CCCG was limited to the 4.16 kV safety-related buses based on two factors. First, the CCCG was limited to the three safety-related buses because their functions are unique, as well as having different importance (as compared to the nonsafety-related buses). Second, including the nonsafety-related buses would result in a CCCG size that becomes unmanageable given current CCF methodology and available data.

16 For HFE pairs with the same crew and not close in time, the SPAR-H/THERP dependency table yields either high, moderate, or low dependence. HFE combinations 2, 3, 5, and 6 have a different location or additional cues and, therefore, a maximum dependency level of moderate would be selected.

17 Moderate dependence results in a HEP of approximately 0.15 for the second HFE of the pair.

REFERENCES

1. Perry Nuclear Power Plant, "LER 440/16-003, Loss of Safety Related Electrical Bus Results in a Loss of Shutdown Cooling," dated December 21, 2016 (ADAMS Accession No. ML16364A210).
2. U.S. Nuclear Regulatory Commission, Perry Nuclear Power Plant - Reactive Inspection Report 05000440/2016008, dated May 25, 2016 (ADAMS Accession No. ML16147A437).
3. U.S. Nuclear Regulatory Commission, Perry Nuclear Power Plant - Final Response to Task Interface Agreement 2016-01 Regarding Adequacy of the Design and Licensing Bases for the Undervoltage Protection Scheme (TIA 2016-01; CAC No. MF8266, EPID L-2016-LRA-0001), dated June 18, 2018 (ADAMS Accession No. ML17023A191).
4. U.S. Nuclear Regulatory Commission, Perry Nuclear Power Plant - NRC Integrated Inspection Report 05000440/2016002, dated August 10, 2016 (ADAMS Accession No. ML16223A968).
5. Idaho National Laboratory, NUREG/CR-6883, The SPAR-H Human Reliability Analysis Method, August 2005 (ADAMS Accession No. ML051950061).
6. Idaho National Laboratory, INL/EXT-10-18533, SPAR-H Step-by-Step Guidance, May 2011 (ADAMS Accession No. ML112060305).


Appendix A: Key Event Tree

[Figure A-1. Perry Loss of SDC (Mode 4) Event Tree. Top events, left to right: IE-SD-M4E-LOSDC (loss of shutdown cooling - M4E); SD-XD-SDC (fail to diagnose loss of SDC before system isolation); SD-SDC-EARLY (heat removal using SDC, early); SD-HPI (high pressure injection systems, normal and alternate); SD-DEP (manual reactor depressurization); SD-LPI (low pressure coolant injection, normal and alternate); SD-SDC-LATE (heat removal using SDC or ADHR, late); SD-SPC (heat removal using suppression pool, normal and alternate); SD-CVS (containment venting). End states (phase CD): sequences 5, 8, 11, 12, 13, 16, 20, 21, and 22 end in CD-SD; sequences 1-4, 6, 7, 9, 10, 14, 15, and 17-19 end in OK.]

Appendix B: Fault Trees

[Figure B-1. SD-XD-SDC Fault Tree (fail to diagnose loss of SDC before system isolation). Basic event: SD-XHE-XD-SDC, operators fail to diagnose loss of SDC before system isolation, 1.00E-05.]

[Figure B-2. SD-SDC-EARLY Fault Tree (heat removal using SDC, early). Top gate inputs: shutdown cooling during M4 or M5 events (SD-SDC-EARLY-2), CCF of safety-related buses resulting in unavailability of SDC (SD-SDC-EARLY-3), and operators fail to establish SDC prior to system isolation (SD-XHE-XM-SDC-EARLY, 1.00E-03). Basic events shown: SDC suction valve F008 fails to open (RHR-MOV-CC-8, 8.16E-04); SDC suction valve F009 fails to open (RHR-MOV-CC-9, 8.16E-04); failure of both trains of SDC (SD-SDC-EARLY-23, with train A and train B sub-gates SD-SDC-EARLY-231 and -232); RASP CCF events ACP-BAC-CF-EBUS-AB (2.00E-07) and ACP-BAC-CF-EBUS-ABC (2.73E-07).]

[Figure B-3. SD-HPI Fault Tree (high pressure injection systems, normal and alternate). Top gate inputs: HPCS and CRD faults (SD-HPI-2) and operators fail to establish an injection source (SD-XHE-XM-INJECTION, 2.00E-04). Basic events and transfers shown: HPCS fails to provide adequate flow to RPV (HCS, transfer); CRD fails (SD-HPI-3) with Perry CRD pump train A unavailable (CRD-A-STBY, transfer), train B unavailable (CRD-B-STBY, transfer), and injection paths fail (CRD-INJECTION-PATHS, transfer); feedwater fails (SD-MFW-SYS-HW, 1.00E-01); condensate storage tank fails (CDS-TNK-FC-CST, 6.26E-06).]

[Figure B-4. SD-DEP Fault Tree (manual reactor depressurization). Inputs: Perry manual reactor depressurization support systems (DEP-SS-LT, transfer); ADS valves fail from common cause (ADS-SRV-CF-VALVS, 7.70E-06); operators fail to initiate reactor depressurization (ADS-XHE-XM-MDEPR, 5.00E-04).]

[Figure B-5. SD-LPI Fault Tree (low pressure coolant injection, normal and alternate). Top gate inputs: normal and alternate LPI fails (SD-LPI-1) and operators fail to establish an injection source (SD-XHE-XM-INJECTION, 2.00E-04). Under SD-LPI-1: low-pressure coolant injection and core spray fail (SD-LPI-2: LCI and LCS, transfers) and alternate injection water sources fail (SD-LPI-3: alternate decay heat removal and/or injection SD-ADHR-SYS-HW, 1.00E-01; firewater injection SD-FWS-SYS-HW, 1.00E-01; condensate transfer injection SD-CTS-SYS-HW, 1.00E-01).]

[Figure B-6. SD-SDC-LATE Fault Tree (heat removal using SDC or ADHR, late). Top gate inputs: heat removal using SDC at nominal time, M4 or M5 events (SD-SDC-LATE-2), and operators fail to establish late decay heat removal, SDC or ADHR (SD-XHE-XM-SDC-LATE, 2.00E-03). Under SD-SDC-LATE-2: shutdown cooling during mode 4 (SD-SDC-LATE-3, with F008 and F009 fail to open and failure of both trains, SD-SDC-LATE-31/-32/-33) and alternate decay heat removal and/or injection (SD-ADHR-SYS-HW, 1.00E-01).]

[Figure B-7. SD-SPC Fault Tree (heat removal using suppression pool, normal and alternate). Top gate inputs: normal and alternate SPC fails (SD-SPC-2) and operators fail to establish SPC, normal or alternate (SD-XHE-XM-SPC, 2.00E-03). Under SD-SPC-2: suppression pool cooling mode of RHR fails (SPC, transfer) and alternate SPC systems fail (SD-SPC-3: RWCU system SD-RWC-SYS-HW, 1.00E-01; alternate decay heat removal and/or injection SD-ADHR-SYS-HW, 1.00E-01; suppression pool cleanup system SD-SPCU-SYS-HW, 1.00E-01).]

[Figure B-8. SD-CVS Fault Tree (containment venting). Top gate inputs: vent paths fail (SD-CVS-1) and operators fail to vent containment (SD-XHE-XM-CVS, 2.00E-03). Vent paths: Perry containment venting, RHR containment spray train A (CVS-RHR-A, transfer) and train B (CVS-RHR-B, transfer); FPCC vent path fails (SD-CVS-2) with containment vent MOV F0140 fails to open (CVS-MOV-CC-F0140, 8.16E-04), containment vent MOV F0145 fails to open (CVS-MOV-CC-F0145, 8.16E-04), and loss of power fails MOV 145 (SD-CVS-4). CCF of buses results in MOV 145 remaining open (CVS-BUSCCF): RASP CCF events ACP-BAC-CF-EBUS-AB, -AC, -BC (2.00E-07 each) and ACP-BAC-CF-EBUS-ABC (2.73E-07); failure of division III cross-tie (SD-CVS-5) with Perry division II power system (ACP-EH12, transfer), Perry division III power system (ACP-EH13, transfer), and operators fail to cross-tie HPCS diesel (EPS-XHE-XM-DGXTIE2, 6.00E-02).]

Appendix C: Evaluation of Key HFEs

Evaluation of SD-XHE-XD-SDC (operators fail to diagnose loss of SDC before system isolation).

Definition. The operators' failure to determine that a loss of SDC occurred prior to system isolation at a reactor pressure of 135 psig.

Description and Event Context. Given the loss of the operating SDC train, operators would have 2-3 hours prior to the onset of boiling in the reactor. Reactor pressure is expected to increase quickly after boiling begins. System isolation is conservatively assumed to occur 20 minutes after boiling begins.

Operator Action Success Criteria. Operators need to determine that a loss of SDC occurred prior to system isolation. In addition, time must be available to align and start the alternate SDC train.

Key Cue(s). Trip of running SDC pump, safety-related 4.16 kV bus undervoltage.

Procedural Guidance. ONI-E12-2, Loss of Decay Heat Removal.

Diagnosis/Action. This HFE contains only diagnosis activities.

Performance Shaping Factor (PSF) | Multiplier (Diagnosis) | Notes
Time Available | 0.01 | The limiting time for the overall recovery action is conservatively assumed to be 2 hours (lower estimate of time to boil). The time needed to manually align and start the alternative SDC train is estimated to be approximately 30 minutes, leaving approximately 1.5 hours available for diagnosis. The nominal time for diagnosis is estimated to take less than 5 minutes. Since the 1.5 hours available for diagnosis is greater than 2x nominal time and greater than 30 minutes, the diagnosis PSF for available time is set to Expansive.
Complexity | 0.1 | The PSF for diagnosis complexity is assigned a value of Obvious Diagnosis (i.e., x0.1) because there are very few operating systems while the plant is in mode 4. Therefore, it is expected that operators are easily able to discern the cues.
Stress, Procedures, Experience/Training, Ergonomics/HMI, Fitness for Duty, Work Processes | 1 | No event information is available to warrant a change in these diagnosis PSFs from Nominal for this HFE.

The HEP is calculated using the following SPAR-H formula:

HEP = (Product of Diagnosis PSFs × Nominal Diagnosis HEP) = (0.001 × 0.01) = 1x10-5

Therefore, the HEP for SD-XHE-XD-SDC was set to 1x10-5.

Evaluation of SD-XHE-XM-SDC-EARLY (operators fail to establish SDC prior to system isolation).

Definition. The operators' failure to align and start the alternate SDC train, after successfully determining the operating SDC train had failed, prior to system isolation at a reactor pressure of 135 psig.

Description and Event Context. After successfully determining the operating SDC train had failed, it is expected to take operators approximately 30 minutes to align and start the alternate SDC train.

Operator Action Success Criteria. Operators must align and start the alternate SDC train within 30 minutes.

Key Cue(s). Trip of running SDC pump, safety-related 4.16 kV bus undervoltage.

Procedural Guidance. ONI-E12-2, Loss of Decay Heat Removal.

Diagnosis/Action. This HFE contains only action activities.

PSF | Multiplier (Action) | Notes
Time Available | 1 | Sufficient time exists to perform the action component of the offsite power recovery; therefore, the action PSF for available time is set to Nominal. See INL/EXT-10-18533, SPAR-H Step-by-Step Guidance (Ref. 6), for guidance on apportioning time between the diagnosis and action components of an HFE.
Stress, Complexity, Procedures, Experience/Training, Ergonomics/HMI, Fitness for Duty, Work Processes | 1 | No event information is available to warrant a change in these PSFs (diagnosis or action) from Nominal for this HFE.

The HEP is calculated using the following SPAR-H formula:

HEP = (Product of Action PSFs × Nominal Action HEP) = (1 × 0.001) = 1x10-3

Therefore, the HEP for SD-XHE-XM-SDC-EARLY was set to 1x10-3.

Evaluation of SD-XHE-XM-INJECTION (operators fail to establish an injection source).

The definition for this HFE is the operators failure to align a high- or Definition low-pressure injection source to the reactor prior to core uncovery (i.e., core damage).

If SDC is not restored prior to RHR system isolation, the reactor will start to boil Description and resulting in a decreasing reactor water level. Operators will need to maintain Event Context level above top of active fuel to prevent core damage.

Operators must initiate a high- or low-pressure source of inventory makeup to the reactor prior to core uncovery. For this event, core uncovery is estimated to Operator Action occur 12-15 hours after the loss of SDC if no source of decay heat removal and Success Criteria inventory makeup is initiated. Note that reactor depressurization is needed for use of low-pressure injection systems.

Key Cue(s) Reactor water level below 130 inches (level 2)

Procedural Reactor Pressure Vessel Control EOP-01 Flowchart Guidance Diagnosis/Action This HFE contains both diagnosis and action activities.

Multiplier PSF Notes Diagnosis/Action Reactor water level will begin to decrease at the onset of boiling, 2-3 hours after the loss of SDC occurs. The estimated time to core damage is conservatively assumed to be 9 hours1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br /> (lower estimate of time to core damage) after boiling begins. The time needed to initiate one of the high- or low-pressure injection systems is conservatively estimated to be 30 minutes, leaving several hours available for diagnosis. The nominal time for diagnosis is Time Available 0.01 / 1 estimated to take less than 5 minutes. Since time available for diagnosis is greater than 2x nominal time and greater than 30 minutes, the diagnosis PSF for available time is set to Expansive.

Sufficient time exists to perform the action component of the offsite power recovery; therefore, the action PSF for available time is set to Nominal. See Reference 5 for guidance on apportioning time between the diagnosis and action components of an HFE.

The dominant scenario in this ASP analysis is expected to increase the complexity for both the diagnosis and action components for this HFE. Specifically, a CCF of the safety-related AC buses will force operators to use Complexity 2/2 alternate systems that are powered from nonsafety-related sources. In addition, some of these alternate systems require efforts outside the MCR. Therefore, this PSF is set to Moderately Complex (i.e., x2) for both the diagnosis and action components of this HFE.

Stress, Procedures, Experience/Training, Ergonomics/HMI, Fitness for Duty, Work Processes (1 / 1): No event information is available to warrant a change in these PSFs (diagnosis or action) from Nominal for this HFE.

LER 440-2016-003-01

The HEP is calculated using the following SPAR-H formula:

HEP = (Product of Diagnosis PSFs × Nominal Diagnosis HEP) + (Product of Action PSFs × Nominal Action HEP)
= (0.02 × 0.01) + (2 × 0.001) = 2x10^-3

This HEP is limited to a lower bound of 2x10^-3 due largely to the apportioning of time as nominal for the action component of the HFE. This lower bound HEP is sufficient for many HFEs; however, it is too conservative for some HFEs. Given the excess time, availability of multiple injection systems, and the staffing of the technical support center prior to core damage, 0.1 reduction credit is provided for the HFE. Therefore, the HEP for SD-XHE-XM-INJECTION was set to 2x10^-4.


Evaluation of DCP-XHE-XL-U2XTIE (operators fail to align Unit 2 DC power to Unit 1).

Definition: The definition for this HFE is the operators' failure to align Unit 2 direct-current (DC) power to Unit 1.

Description and Event Context: If Unit 1 safety-related power becomes unavailable (e.g., CCF of safety-related buses), operators will cross-connect DC power from Unit 2.

Operator Action Success Criteria: Operators successfully cross-connect DC power between units to support successful reactor injection and/or reactor depressurization.

Key Cue(s): Low voltage on Unit 1 safety-related buses

Procedural Guidance: SOI-R42 (System A), Non-Divisional DC System A Distribution, Buses D-1-A and D-2-A: Batteries, Chargers, and Switchgear

Diagnosis/Action: This HFE contains both diagnosis and action activities.

PSF (Multiplier, Diagnosis/Action): Notes

Time Available (0.01 / 1): For the most limiting scenario (i.e., CCF of safety-related buses), DC power will be available until the safety-related batteries are depleted. However, operators can align DC power from Unit 2. The time to align the DC power from Unit 2 to Unit 1 is conservatively estimated to be 30 minutes. Since operators would need DC power to depressurize the reactor for injection with low-pressure systems, several hours would be available for diagnosis. Since time available for diagnosis is greater than 2x nominal time and greater than 30 minutes, the diagnosis PSF for available time is set to Expansive.

Sufficient time exists to perform the action component of the offsite power recovery; therefore, the action PSF for available time is set to Nominal. See Reference 5 for guidance on apportioning time between the diagnosis and action components of an HFE.

Stress, Complexity, Procedures, Experience/Training, Ergonomics/HMI, Fitness for Duty, Work Processes (1 / 1): No event information is available to warrant a change in these PSFs (diagnosis or action) from Nominal for this HFE.

The HEP is calculated using the following SPAR-H formula:

HEP = (Product of Diagnosis PSFs × Nominal Diagnosis HEP) + (Product of Action PSFs × Nominal Action HEP)
= (0.01 × 0.01) + (1 × 0.001) = 1x10^-3

Therefore, the HEP for DCP-XHE-XL-U2XTIE was set to 1x10^-3.


Evaluation of SD-XHE-XM-SDC-LATE (operators fail to establish late decay heat removal (SDC or ADHR)).

Definition: The definition for this HFE is the operators' failure to establish late decay heat removal via SDC or the ADHR system.

Description and Event Context: If operators successfully inject using either high- or low-pressure injection systems and have the capability to depressurize the reactor, operators can align decay heat removal via SDC or the ADHR system. The dominant scenario involves CCF of the safety-related buses, resulting in the unavailability of SDC until the buses can be repaired. The ADHR system is initially unavailable until the system is filled and vented, which could take several hours.

Operator Action Success Criteria: Operators must align and start the SDC train or ADHR prior to containment pressure reaching 40 psig with subsequent venting required.

Key Cue(s): Successful injection with reactor pressure below 135 psig.

Procedural Guidance: Reactor Pressure Vessel Control EOP-01 Flowchart and ONI-E12-2, Loss of Decay Heat Removal

Diagnosis/Action: This HFE contains both diagnosis and action activities.

PSF (Multiplier, Diagnosis/Action): Notes

Time Available (0.01 / 1): It is estimated that containment pressure will reach its design limit of 40 psig in 15-16 hours with no reactor injection or containment cooling. The nominal time to diagnose the availability of SDC or ADHR is estimated to take 5-10 minutes. The time needed to manually align and start the alternative SDC train is estimated to be approximately 30 minutes. The total time available to operators is dependent on when reactor injection and reactor depressurization are initiated. Although an exact time estimate is dependent on the timing of earlier operator action, it is expected that several hours are available to operators. Therefore, the diagnosis PSF for available time is set to Expansive (i.e., greater than 2x nominal time and greater than 30 minutes).

Sufficient time exists to perform the action component of the offsite power recovery; therefore, the action PSF for available time is set to Nominal. See INL/EXT-10-18533, SPAR-H Step-by-Step Guidance (Ref. 6), for guidance on apportioning time between the diagnosis and action components of an HFE.

Complexity (2 / 2): The determination of the status of the safety-related AC buses (given ongoing repair activities) and the use of ADHR are expected to increase the complexity for both the diagnosis and action components for this HFE. The use of ADHR requires efforts outside the MCR. Therefore, this PSF is set to Moderately Complex (i.e., x2) for both the diagnosis and action components of this HFE.

Stress, Procedures, Experience/Training, Ergonomics/HMI, Fitness for Duty, Work Processes (1 / 1): No event information is available to warrant a change in these PSFs (diagnosis or action) from Nominal for this HFE.

The HEP is calculated using the following SPAR-H formula:

HEP = (Product of Diagnosis PSFs × Nominal Diagnosis HEP) + (Product of Action PSFs × Nominal Action HEP)
= (0.02 × 0.01) + (2 × 0.001) = 2x10^-3

Therefore, the HEP for SD-XHE-XM-SDC-LATE was set to 2x10^-3.


Evaluation of SD-XHE-XM-SPC (operators fail to establish SPC (normal or alternate)).

Definition: The definition for this HFE is the operators' failure to align SPC prior to containment failure.

Description and Event Context: Given the loss of all SDC, decay heat is directed to the suppression pool after boiling begins and the reactor is pressurized. This decay heat from the reactor via the SRVs will heat up the suppression pool. If SPC is not aligned, the suppression pool will begin to boil, resulting in the pressurization of containment, which would require venting to prevent containment failure (40 psig).

Operator Action Success Criteria: Operators successfully align either normal or alternate SPC prior to containment failure.

Nominal Cues: Suppression pool temperature reaches 95°F.

Procedural Guidance: Primary Containment Control EOP-02 Flowchart

Diagnosis/Action: This HFE contains both diagnosis and action activities.

PSF (Multiplier, Diagnosis/Action): Notes

Time Available (0.01 / 1): It is estimated that containment pressure will reach its design limit of 40 psig in 15-16 hours with no reactor injection or containment cooling. The nominal time to diagnose the need to align SPC is estimated to take less than 5 minutes. The time needed to align normal or alternate SPC is estimated to be approximately 30 minutes. The suppression pool is expected to reach 95°F within the first hour after reactor boiling begins (i.e., 3-4 hours after loss of SDC occurs). Therefore, at least several hours are available for operators to diagnose the need for SPC and, thus, the diagnosis PSF for available time is set to Expansive (i.e., greater than 2x nominal time and greater than 30 minutes).

Sufficient time exists to perform the action component of the offsite power recovery; therefore, the action PSF for available time is set to Nominal. See Reference 5 for guidance on apportioning time between the diagnosis and action components of an HFE.

Complexity (2 / 2): The dominant scenario in this ASP analysis is expected to increase the complexity for both the diagnosis and action components for this HFE. Specifically, a CCF of the safety-related AC buses will force operators to use alternate systems that are powered from nonsafety-related sources. In addition, some of these alternate systems require efforts outside the MCR. Therefore, this PSF is set to Moderately Complex (i.e., x2) for both the diagnosis and action components of this HFE.

Stress, Experience/Training, Ergonomics/HMI, Fitness for Duty, Work Processes (1 / 1): No event information is available to warrant a change in these PSFs (diagnosis or action) from Nominal for this HFE.

The HEP is calculated using the following SPAR-H formula:

HEP = (Product of Diagnosis PSFs × Nominal Diagnosis HEP) + (Product of Action PSFs × Nominal Action HEP)
= (0.02 × 0.01) + (2


Evaluation of SD-XHE-XM-CVS (operators fail to vent containment).

Definition: The definition for this HFE is the operators' failure to vent containment prior to failure (40 psig).

Description and Event Context: Given the loss of all SDC, decay heat is directed to the suppression pool after boiling begins and the reactor is pressurized. This decay heat from the reactor via the SRVs will heat up the suppression pool. If SPC is not aligned, the suppression pool will begin to boil, resulting in the pressurization of containment.

Procedures direct operators to vent when containment pressure reaches 15 psig.

Operator Action Success Criteria: Operators successfully vent containment prior to failure.

Nominal Cues: Containment pressure reaches 15 psig.

Procedural Guidance: Primary Containment Control EOP-02 Flowchart

Diagnosis/Action: This HFE contains both diagnosis and action activities.

PSF (Multiplier, Diagnosis/Action): Notes

Time Available (0.01 / 1): It is estimated that containment pressure will reach its design limit of 40 psig in 15-16 hours with no reactor injection or containment cooling. The suppression pool is expected to begin boiling 8-9 hours after the loss of SDC occurred. The nominal time to diagnose the need to vent containment is estimated to take less than 5 minutes.

The time needed to vent containment is estimated to be approximately 30 minutes. Operators are procedurally directed to vent when containment pressure reaches 15 psig. An exact time at which containment pressure will reach 15 psig is not available. However, at least 2 hours are expected to be available for operators to diagnose the need to vent containment and, therefore, the diagnosis PSF for available time is set to Expansive (i.e., greater than 2x nominal time and greater than 30 minutes).

Sufficient time exists to perform the action component of the offsite power recovery; therefore, the action PSF for available time is set to Nominal. See Reference 5 for guidance on apportioning time between the diagnosis and action components of an HFE.

Complexity (2 / 2): The dominant scenario in this ASP analysis is expected to increase the complexity for both the diagnosis and action components for this HFE. Specifically, a CCF of the safety-related AC buses will force operators to use alternate systems that are powered from nonsafety-related sources. In addition, some of these alternate systems require efforts outside the MCR. Therefore, this PSF is set to Moderately Complex (i.e., x2) for both the diagnosis and action components of this HFE.

Stress, Experience/Training, Ergonomics/HMI, Fitness for Duty, Work Processes (1 / 1): No event information is available to warrant a change in these PSFs (diagnosis or action) from Nominal for this HFE.

The HEP is calculated using the following SPAR-H formula:

HEP = (Product of Diagnosis PSFs × Nominal Diagnosis HEP) + (Product of Action PSFs × Nominal Action HEP)
= (0.02 × 0.01) + (2
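The SPAR-H combination of PSF multipliers used in each of the HFE evaluations above (SD-XHE-XM-INJECTION through SD-XHE-XM-CVS), including the Expansive available-time rule, the rounding to one significant figure and the 0.1 reduction credit applied to SD-XHE-XM-INJECTION, as an added Python example that is not part of the NRC analysis. The function names and the HFES table are this example's own; only the three HFEs whose final HEPs appear on the page are tabulated, with the PSF multipliers taken from the evaluations.

```python
from math import floor, log10, prod

NOMINAL_DIAGNOSIS_HEP = 0.01   # nominal diagnosis HEP used in this analysis
NOMINAL_ACTION_HEP = 0.001     # nominal action HEP used in this analysis


def diagnosis_time_psf(available_min: float, nominal_min: float) -> float:
    """Diagnosis available-time multiplier as applied in these evaluations:
    Expansive (x0.01) when the time available exceeds both 2x the nominal
    diagnosis time and 30 minutes, otherwise Nominal (x1). Other SPAR-H
    time levels are not used on this page and are not modelled here."""
    if available_min > 2 * nominal_min and available_min > 30:
        return 0.01
    return 1.0


def round_sig(x: float, sig: int = 1) -> float:
    """Round to `sig` significant figures, matching the 2x10^-3 style reported."""
    if x == 0:
        return 0.0
    return round(x, sig - 1 - floor(log10(abs(x))))


def spar_h_hep(diagnosis_psfs, action_psfs, reduction_credit: float = 1.0) -> float:
    """HEP = (prod diagnosis PSFs x 0.01) + (prod action PSFs x 0.001),
    then any reduction credit the analyst applies (0.1 for SD-XHE-XM-INJECTION)."""
    hep = (prod(diagnosis_psfs) * NOMINAL_DIAGNOSIS_HEP
           + prod(action_psfs) * NOMINAL_ACTION_HEP)
    return round_sig(hep * reduction_credit)


# PSF multipliers (diagnosis list, action list, reduction credit) as listed above.
HFES = {
    # Time Available 0.01/1, Complexity 2/2, 0.1 reduction credit -> 2x10^-4
    "SD-XHE-XM-INJECTION": ([0.01, 2], [1, 2], 0.1),
    # Time Available 0.01/1, all other PSFs Nominal -> 1x10^-3
    "DCP-XHE-XL-U2XTIE": ([0.01], [1], 1.0),
    # Time Available 0.01/1, Complexity 2/2 -> 2x10^-3
    "SD-XHE-XM-SDC-LATE": ([0.01, 2], [1, 2], 1.0),
}


def evaluate_all() -> dict:
    """HEP for every tabulated HFE, keyed by its basic event name."""
    return {name: spar_h_hep(d, a, credit) for name, (d, a, credit) in HFES.items()}


if __name__ == "__main__":
    # Injection HFE: ~9 h to core damage after boiling, 30 min action,
    # <5 min nominal diagnosis -> Expansive (x0.01).
    print(diagnosis_time_psf(9 * 60 - 30, 5))
    for name, hep in evaluate_all().items():
        print(f"{name}: {hep:.0e}")
```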
