Text

ASP Program Summary Description (Revision 1)
	ML20049G020
Person / Time
Issue date:	02/24/2020
From:	Michael Cheok; NRC/RES/DRA
To:	Raymond Furstenau; Office of Nuclear Regulatory Research
	C. Hunter 415-1394
Shared Package
ML20049G011	List: ML20049G013; ML20049G017; ML20049G020;
References
	Download: ML20049G020 (34)
	v • d • e

U.S. Nuclear Regulatory Commission Accident Sequence Precursor Program Summary Description Revision 1 February 2020 Contacts:

Christopher Hunter, (301) 415-1394 (Christopher.Hunter@nrc.gov)

Performance and Reliability Branch Division of Risk Analysis Office of Nuclear Regulatory Research U.S. Nuclear Regulatory Commission Washington, DC 20555-0001

TABLE OF CONTENTS

1. Introduction .......................................................................................................................... 1 1.1. Program Objectives ..................................................................................................... 1 1.2. Background ................................................................................................................. 2 1.3. Program Scope ........................................................................................................... 3 1.4. Analysis Types and Program Thresholds.................................................................... 4 1.5. Significant Precursors ................................................................................................. 4 1.6. Precursor Trends......................................................................................................... 5

2. ASP Process ........................................................................................................................ 6 2.1. Initial LER Screening ................................................................................................... 6 2.2. Analyst Review of Potential Precursors ...................................................................... 8 2.2.1. Windowed Events .......................................................................................... 10 2.3. Detailed ASP Analysis............................................................................................... 11 2.3.1. Analysis Review Process .............................................................................. 12 2.4. Consideration of Other Hazards ................................................................................ 12

3. References ......................................................................................................................... 13 Appendix A: Summary of Significant Precursors ...................................................................... A-1 Appendix B: Historical Precursor Occurrence Rates ................................................................ B-1 Appendix C: Treatment of Maintenance/Testing Unavailability in ASP Analyses of Windowed Events ..................................................................................................................... C-1 Appendix D: Guidance for Licensee Review of ASP Analysis with CCDP or CDP Greater than or Equal to 10-4 .................................................................................................... D-1 ii

1. INTRODUCTION The purpose of this report is to provide a complete overview of the Accident Sequence Precursor (ASP) Program. This includes:

the program objectives and scope;

a brief history of why and how the ASP Program began; and

a detailed description of the ASP analysis process.

This report compliments the annual ASP reports, which document the precursor results and trends. These reports and can be found at the public ASP Program Webpage.

1.1. Program Objectives The ASP Program has the following primary objectives:

Assists in ensuring that the agency meets Safety Objective 1 (see NRC Strategic Plan)to prevent, mitigate, and respond to accidents and ensure radiation safety.

Contributes to Safety Strategy 1 (see NRC Strategic Plan) to evaluate domestic and international operating events and trends and advances in science and technology for safety implications and enhance the regulatory framework as warranted. 1

Assists in fulfillment of agency Safety Performance Goal 4 (see NRC Congressional Budget Justification)to prevent accident precursors and reductions of safety margins at commercial nuclear power plants (operating or under construction) that are of high safety significance.

Assesses the efficacy of existing agency programs (Appendix B in the NRC Strategic Plan) and helps shape the agencys objectives and strategies for reactors. 2

Reviews and evaluates operating experience to identify precursors to potential core damage in accordance with Management Directive 8.7, Reactor Operating Experience Program.

Additional ASP Program objectives include:

Providing feedback to improve NRC Standardized Plant Analysis Risk (SPAR) models.

- Examples include: common-cause interactions and events; operator recovery actions; inclusion of support systems; alternate success paths.

- Models are used in a different manner and reviews of model results allow for model improvements that aid other NRC programs (e.g., Significance Determination Pocess (SDP), Management Directive 8.3, NRC Incident Investigation Program.).

1 The ASP Program scope is limited to domestic operating events and trends.

2 The Reactor Oversight Process and Abnormal Occurrence report are the other two programs that support this function.

1

- Assists in fulfillment of the Management Directive 8.7 requirement to provide feedback to agency risk models based on operating experience lessons learned from the application of these tools and models.

Providing analyses to licensees for incorporation into their operating experience programs.

Increasing NRC and licensee staff knowledge and increasing better harmonization of the PRA models by discussing and reviewing key modeling issues and assumptions with licensees.

Providing insights into the adequacy of current PRA standards and guidance.

Communicating risk-significant insights not associated with licensee performance to enable consideration of corrective actions or plant improvements, as appropriate.

1.2. Background The U.S. Nuclear Regulatory Commission (NRC) formed the Risk Assessment Review Group (commonly referred to as the Lewis Committee) to perform an independent evaluation of WASH-1400, The Reactor Safety Study. That committee made multiple recommendations in 1978, including that more use be made of operational data to assess the risk from commercial nuclear power plants (NPPs). Specifically, NUREG/CR-0400, Risk Assessment Review Group Report (also known as the Lewis Report) stated:

It is important, in our view, that potentially significant sequences and precursors, as they appear, be subjected to the kind of analysis contained in WASH-1400, in such a way that the analyses are subjected to peer review.

After the accident at Three Mile Island (Unit 2), the NRC instituted a special inquiry to review and report on the accident. The principal objectives of the inquiry were to:

determine what happened and why;

assess the actions of utility and NRC personnel before and during the accident; and

identify deficiencies in the system and areas where further investigation might be warranted.

This inquiry, as documented in NUREG/CR-1250, Three Mile Island; A Report to the Commissioners and to the Public (also known as the Rogovin Report) concluded, in part, that:

the systematic evaluation of operating experience must be undertaken on an industrywide basis, both by the utility industry, which has the greatest direct stake in safe operations, and by the NRC.

In response to these insights and recommendations, the NRC established the Accident Sequence Precursor (ASP) Program as part of the Office of Analysis and Evaluation of Operational Data (AEOD). In 1998, the Commission issued a Staff Requirements Memorandum, SECY-98-228, Proposed Streamlining and Consolidation of AEOD Functions and Responsibilities, which approved the transfer of the ASP Program to the Office of Nuclear Regulatory Research (RES). The Commission stated that:

2

The lessons learned from the independent assessment of operational events must continue to be shared with the nuclear industry in an effort to improve the safety of licensed operations and to assess the effectiveness of agency wide programs. It is important that these functions continue with a degree of independence and, in particular, remain independent of licensing functions. The Office of Research should provide focused analysis of the operational data and not expend scarce resources on those operational incidents that are not risk significant.

1.3. Program Scope The ASP Program is one of three agency programs that assess the risk significance of events at operating NPPs. The other two programs are the Significance Determination Process (SDP), as defined in Inspection Manual Chapter (IMC) 0609, and the event-response evaluation process, as defined in Management Directive 8.3. The SDP evaluates the risk significance of individual licensee performance deficiencies, while the risk assessments performed under Management Directive 8.3 are used to determine, in part, the appropriate level of reactive inspection in response to an event. SDP evaluations have the benefit of information obtained from the inspection, whereas the Management Directive 8.3 assessments are expected to be performed within several days of the event notification.

In contrast to the other two programs, a comprehensive and integrated risk analysis under the ASP Program includes all anomalies observed at the time of the event or discovered after the event. These anomalies may include unavailable and degraded plant structures, systems, and components (SSCs); human errors; and an initiating event (i.e., a reactor trip). In addition, an unavailable or degraded SSC does not have to be attributed to a performance deficiency (e.g., SSCs out for test and maintenance) or an analyzed condition in the plant design basis.

The ASP Program has the benefit of time to complete the analysis of complex issues and thus produces a more refined estimate of risk. The ASP Program analysis schedules provide time so that NRC or licensee engineering evaluations can be made available for review. State-of-the-art methods can be developed, or current techniques can be refined for unique conditions when necessary. In addition, the SPAR models can be modified for special considerations (e.g., hazards such as seismic, internal fires, and flooding). The discussion of these differences is meant to highlight the programmatic differences and how they impact the results of risk assessments. Each program has been designed to achieve their respective objectives in an efficient manner.

There are similarities in the risk assessments conducted by the three programs. All three programs use SPAR models, the same documented methods and guidance in the Risk Assessment Standardization Project (RASP) manual, and similar analysis assumptions.

Differences arise where the programs objectives deviate from one another. ASP and SDP analyses assumptions are typically the same when the event is driven by a single performance deficiency. Because of this specific similarity, since 2006, in accordance with Regulatory Issue Summary (RIS) 2006-24, Revised Review and Transmittal Process for Accident Sequence Precursor Analyses, SDP evaluation results have been used in lieu of ASP analyses in specific instances where the SDP evaluations considered all concurrent degraded conditions or equipment unavailabilities that existed during the time period of the condition. For initiating events, many of the modeling assumptions made for Management Directive 8.3 assessments can be adopted by ASP analyses. However, it often becomes necessary to revise some modeling assumptions as more detailed information about the event becomes available upon completion of inspection activities. In addition, there are program differences on how certain 3

modeling aspects are incorporated (e.g., SSCs unavailable due to testing or maintenance).

These key similarities provide opportunities for considerable ASP Program efficiencies. For a potential significant precursor, analysts from the three programs work together to provide a timely determination of plant risk. As such, duplication between the programs is minimized to the extent practicable within the program objectives.

1.4. Analysis Types and Program Thresholds There are two types of quantitative risk analyses that can be performed for an operational event.

The first type of analysis is for a degraded plant condition characterized by the unavailability or degradation of one or more SSCs without the occurrence of an initiating event. An increase in cored damage probability (CDP) is calculated for this type of analysis. 3 This metric represents the increase in core damage probability for the exposure period during which a one or more SSCs were deemed unavailable or degraded. The ASP Program defines a degraded condition with a CDP greater than or equal to 10-6 to be a precursor.

The second type of analysis is for the occurrence of an initiating event, such as a reactor trip or a loss of offsite power (LOOP), with or without any subsequent unavailability or degradation of one or more SSCs. A conditional core damage probability (CCDP) is calculated for this type of analysis. This metric represents a conditional probability that a core damage state is reached given the occurrence of the observed initiating event (given subsequent, postulated SSC failures). An initiating event is precursor if it exceeds the 10-6 threshold unless the value of the plant-specific CCDPs for a non-recoverable loss of feedwater or condenser heat sink is greater than 10-6, the largest value of the plant-specific CCDP for either of these events is used as the threshold for an initiating event precursor. This ensures the more safety-significant events are analyzed. Since 1988, this initiating-event precursor threshold has screened out uncomplicated trips (i.e., reactor trips with no losses of safety-related equipment) from being precursors because of their relatively low risk significance.

The choice of which analysis type is performed is dictated by the event information contained in the licensee event reports (LERs) submitted to the NRC per Title 10 of the Code of Federal Regulations (10 CFR) Section 50.73. If a reactor trip did not occur, then only a first type analysis can be performed. The second type of analysis must be performed if the reactor tripped. However, if there was a reactor trip concurrent with one or more degraded SSCs, then both types of analyses should be performed to determine the complete risk impact. For these cases, the higher of the CDP and CCDP is chosen as the ASP Program result.

1.5. Significant Precursors The ASP Program defines a significant precursor as an event with a CCDP or CDP greater than or equal to 10-3. Significant precursors are included in the annual Abnormal Occurrence (Criterion II.C) and Performance and Accountability (Safety Performance Goal 4) reports to Congress. A summary of the all significant precursors identified since the inception of the ASP Program is provided in Appendix A.

3 This metric is also known as an importance.

4

1.6. Precursor Trends The ASP Programs performs trend analyses on the occurrence rate of all precursors on calendar-year basis. In addition, the trend analyses are performed on the following precursor groups:

precursors with a CCDP or CDP greater than or equal to 10-4 (also known as important precursors),

precursors with a CCDP or CDP greater than or equal to 10-5,

precursors caused by initiating events,

precursors caused by degraded condition(s),

precursors due to a LOOP,

precursors due to a failure of an emergency diesel generator (EDG),

precursors that occur at pressurized-water reactors (PWRs), and

precursors that occur at boiling-water reactors (BWRs).

The purpose of the trending analysis is to determine if a statistically significant trend exists for the precursor group of interest during a specified period (e.g., past decade, 20 years, for the history of the ASP Program). A statistically significant trend is defined in terms of the p-value.

A p-value is a probability indicating whether to reject the null hypothesis that no trend exists in the data. A p-value less than or equal to 0.05 indicates that there is 95 percent confidence that a trend exists in the data (i.e., leading to a rejection of the null hypothesis that there is no trend)

The results of the trend analyses are provided in the annual ASP reports, which can be found at the public ASP Program Webpage. A figure containing the precursor occurrence rates for complete history of the ASP Program is provided in Appendix B.

5

2. ASP PROCESS Figure 1 shows a flow chart of the ASP process. The three stages of the ASP process are the initial LER screening, analyst review of potential precursors, and detailed ASP analysis, and are described in the following sections of the report.

2.1. Initial LER Screening To identify potential precursors, a contractor to the NRC, the Idaho National Laboratory (INL) reviews operational events from LERs. This initial LER screening is performed as part of their overall LER review project, which supports other NRC data collection activities (e.g., initiating event and system studies). 4 In recent years, the number of LERs undergoing a complete review as part of this initial screening is approximately 300 to 400 LERs annually. Each LER is evaluated against qualitative criteria to identify events that warrant further analysis as potential precursors. If an LER describes an event that does not meet at least one of these criteria, then the LER is screened out of the ASP Program.

The LER screening criteria were first developed in 1988 and have changed over the history of the ASP Program. The current criteria used to identify potential precursors are provided below:

Unplanned Scrams with Complications. An event involving an unplanned scram with a complication that results in a yes to any question per Nuclear Energy Institute 99-02, Regulatory Assessment Performance Indicator Guideline.

PWRs

- Failure of two or more control rods to insert

- Failure of turbine to trip

- Loss of power to safety-related electrical bus

- Safety injection signal

- Operators entered emergency procedures other than scram procedure BWRs

- Failure of reactor protection system (RPS) to indicate or establish a shutdown rod pattern for a cold clean core

- Pressure control unavailable following initial transient

- Loss of power to safety-related electrical bus

- Level 1 injection signal

- Reactor pressure/level and drywell pressure meet the entry conditions for emergency operating procedures 4 Only LERs associated with power reactors are reviewed by INL. Note that security-related LERs are not reviewed by INL and are not evaluated as part of the ASP Program.

6

Figure 1. ASP process diagram 7

Core Damage Initiators. A reactor scram due to either an initial plant fault or a functional impact in one of the following categories from NUREG/CR-5750, Rates of Initiating Events at U.S. Nuclear Power Plants: 1987-1995.

- LOOPs, including partial LOOP events

- Loss of safety-related electrical bus

- Loss of instrument air

- Loss of safety-related cooling water (e.g., service water)

- Steam generator tube rupture

- Loss-of-coolant accidents (LOCAs)

- High-energy line break

- Loss of condenser heat sink

Failure of Safety-Related Systems or Components. A loss of safety function for one or more trains of the following safety related systems require a detailed analysis to be performed. Short-term exposure periods (i.e., less than a shift) may not be reported if they do not appear risk significant. 5

- RPS

- Auxiliary feedwater (AFW) or emergency feedwater

- Essential service water

- Emergency core cooling systems (ECCS)

- Emergency alternating current (AC) and direct current (DC) power systems

- Ultimate heat sink

- Safety relief valve (SRV) or reactor coolant system (RCS) pressurizer relief valve

Other Risk-Significant Events. Any event that, based on the reviewers experience, could have resulted in potential core damage.

Risk Significant Events Based on a Probabilistic Risk Assessment (PRA). Events in which the licensee indicates the CCDP or CDP was greater than or equal to 10-6.

Approximately 85 percent of all LERs are screened out of the ASP Program in this initial process. This initial screening supports agency efficiency goals by focusing analyst resources on events of higher risk significance. The LERs that are not screened out are considered potential precursors and, therefore, require detailed analyses.

2.2. Analyst Review of Potential Precursors The LERs that are determined to be potential precursors in the initial LER screening are assigned to an ASP analyst for further review. It is important to note that a detailed ASP analysis is not always required to conclude that an LER is not precursor. This evaluation can be performed both quantitatively or qualitatively. Bounding assumptions regarding the exposure period and loss of safety function can be used in relatively simple risk calculations using the plant-specific SPAR model, which is often sufficient to conclude an event is not a precursor.

5 The term exposure period should not be confused with the technical specification (TS) inoperability time. The exposure period is the total time for which the SSC could not fulfil its safety function. Whereas the TS inoperability time is typically from when a degraded condition is identified until repairs are completed or the plant operating mode is changed.

8

In addition, further review of the LER may show that the event is not a precursor due to one of the following qualitative considerations:

Although the affected SSC was degraded, there was no loss of safety function.

The affected SSC was unavailable for an exposure period less than allowed outage time per the plants TS.

Given the occurrence of a reactor trip, the event CCDP is bounded by a non-recoverable loss of feedwater or condenser heat sink, whichever is greater.

If a quantitative analysis is not readily feasible and other qualitative considerations can be used to show a minimal risk impact.

In addition, risk evaluations performed as part of the SDP for degraded conditions in accordance with RIS 2006-24 can be leveraged by the ASP Program. The use of the SDP risk evaluation results by the ASP Program prevents duplication of effort, which reduces the overall program resources. However, SDP evaluation results cannot be used for ASP Program purposes if LERs are associated with:

a reactor trip, 6

a licensee performance deficiency was not identified, 7 or

concurrent unavailabilities (i.e., windowed events) not considered in the SDP evaluation. 8 If none of these three conditions are met, the ASP analyst can use an available SDP evaluation.

Typically, LERs that are determined as potential precursors are assigned to ASP analysts prior to the SDP evaluation being documented in an inspection report. In this case, the ASP analyst can contact the applicable region senior reactor analyst (SRA) to determine if an SDP evaluation is being performed (i.e., a licensee performance deficiency has been identified), and if so, the expected results and completion date. 9 Note that when risk evaluations performed as part of the SDP are used for ASP program purposes, the SDP color representing the significance of the inspection finding is used as the official ASP Program result. The associated risk of the four SDP colors is as follows:

Green (Very Low Safety Significance), which corresponds to an event with a CDP less than 10-6;

White (Low to Moderate Safety Significance), which corresponds to an event with a CDP greater than or equal to 10-6, but less than 10-5; 6 Event assessments that calculate a CCDP assuming the probability of observed initiating event is 1.0 are not typically performed by the SDP.

7 An SDP evaluation is not performed if a licensee performance deficiency is not identified.

8 Risk evaluations performed as part of the SDP are limited to individual licensee performance deficiencies.

Therefore, unless the same performance deficiency affected multiple components, concurrent unavailabilities (due to separate causes) are not evaluated by the SDP. Some exceptions apply such as evaluation of shutdown events, which consider plant configuration (e.g., SSCs unavailable due to maintenance) at the time of the event.

9 The region SRAs perform detailed risk assessments of licensee performance deficiencies. In many cases, a detailed risk evaluation is not required by the SDP, which allows inspectors to qualitatively determine licensee performance deficiencies are Green (i.e., very low safety significance) if certain criteria are met.

9

Yellow (Substantial Safety Significance), which corresponds to an event with a CDP greater than or equal to 10-5, but less than 10-4; and

Red (High Safety Significance), which corresponds to an event with a CDP greater than or equal to 10-4.

If an LER is determined to not be precursor in this stage of the ASP process, the results are summarized and are subsequently made available in Appendix A of the applicable annual ASP Program report.

2.2.1. Windowed Events Windowed events are when multiple SSCs are unable to perform their safety function at the same time. In other words, a windowed event exists when some portion of an exposure period from an SSC unavailability occurs at the same time as an exposure period of another SSC unavailability. These unavailabilities can be due to failure, degradations, or planned maintenance/testing. Examples include:

An EDG fails its monthly surveillance text. It is determined that the EDG was unable to fulfil its safety function going back to the previous successful monthly test. During this 1-month exposure period, an opposite train EDG was unavailable due to planned maintenance for 5 days.

A residual heat removal pump (RHR) fails during testing. It is determined that the pump was unable to fulfill its safety function for 3-months. During this 3-month exposure period, an AFW pump fails it surveillance test and is determined to be unavailable for 3 months as well. The exposure periods overlap for 1.5 months, which constitutes the windowed portion of event. The portion of the exposure periods in which only one SSC was unavailable is evaluated individually.

A reactor trip occurs at a BWR, all systems function as designed with decay heat removal via the condenser and with feedwater maintained. Reactor core isolation cooling (RCIC) is not demanded during the event. However, 20 days later RCIC fails its surveillance test and it was determined the pump would have been unavailable during the trip if demanded.

Most windowed events are determined by a review of other LERs for the applicable plant to identify potentially concurrent unavailabilities. However, the effort to identify windowed events has the following limitations:

Analysts limit their review of other LERs for the associated plant to a maximum of 1 year from the event date. In most cases, the exposure period of the event being reviewed dictates how far back the analyst goes.

ASP analysis timeliness has significantly increased during the past few years. As such, ASP analysis can be completed prior to the issuance of LERs that may contain windowed events. Once completed, ASP analyses are not reperformed. However, if the subsequent LER(s) are determined to be potential precursors in the LER screening process, an evaluation for windowed events will be performed during the ASP evaluation for those subsequent LERs.

It should be noted that LERs are not typically issued for single-train failures in a multi-train system. Therefore, the review of LERs will not capture these sources of potential windowed events. This limitation is partially mitigated by reviews of the associated 10

inspection reports, discussions with SRAs, and input from the Operating Experience Clearinghouse.

It is important to note when treating windowed events when one of the SSC unavailabilities is due to planned maintenance/testing that the SPAR models already account for the potential that most components could be in this configuration. There are two concerns for these types of windowed events. First, to minimize duplication of efforts with other programs such as the SDP, analyst resources should not be used to account for events in which the SDP evaluations adequately consider the SSC maintenance/testing in their results. Specifically, a determination needs to be made whether the SSC maintenance/testing is captured adequately in the associated SPAR model basic event or whether more explicit treatment is needed. Second, ASP analyses that do explicitly treat SSC maintenance/testing need to ensure that double counting is eliminated. See Appendix C for additional information.

2.3. Detailed ASP Analysis The LERs not eliminated as potential precursors as part of the analyst review process are then subjected to a thorough, detailed analysis. The detailed ASP analysis involves the modification of the plant-specific SPAR model to reflect attributes of an operational incident to estimate the risk significance of the event. The assumptions, results, and insights of a detailed ASP analyses are documented in individual reports. These reports are made publicly available after internal reviews are completed and the analyses are transmitted to the licensees (via the Office of Nuclear Reactor Regulation) for incorporation into their operating experience programs. If an analysis is sufficiently complex but has a CCDP/CDP below the precursor threshold, it will be documented in a reject report. Reject reports are nearly identical to full precursor reports, except the review requirement are lessened and are not transmitted to the licensees. The process is structured to ensure the analysis is comprehensive and traceable. The detailed analysis and subsequent, independent reviews minimize the likelihood of errors and enhance the quality of the risk analysis. As a minimum, a detailed ASP analysis consists of the following:

Develop a risk-focused understanding of the event that occurred, relevant plant design and operational features, and plant status throughout the event.

Compare the observed event with the existing SPAR model to identify if any changes are necessary to support the analysis.

Modify the SPAR model, if necessary, to allow the risk-related features of the observed event to be properly represented.

Calculate initial risk estimate to evaluate the significance of the event without consideration of crew activities to recover risk-significant failures.

Determine if potential recovery actions are available to the crew to restore a function via alternate means not accounted for in the existing SPAR model.

Evaluate potential crew actions to repair any failed components associated with risk-significant sequences.

Review of the results to ensure that the applicable event tree and fault tree logic and incident mapping process is correct. The focus of this review is to identify inconsistencies, errors, and incompleteness in the risk model.

Perform any necessary SPAR model modification and resolve.

Identify key modeling uncertainties associated with the analysis. Sensitivity analyses 11

should be performed (when possible) to characterize the impacts of these uncertainties.

Final documentation of the inputs (facts), assumptions, results, and uncertainties.

Independent review(s) of the completed analysis.

The detailed ASP analysis process is iterative. The review of the SPAR model may highlight the need for additional detail related to the event. An evaluation of the initial analysis results (e.g., significant sequences and cut sets) frequently identifies the need for additional detail concerning the event, plant design, operational information, or the need for greater model fidelity.

2.3.1. Analysis Review Process All evaluations of potential precursors identified in the initial LER screening process receive a 2nd analyst review regardless of whether a simplified or detailed analysis was performed and whether the analysis result is below or exceeds the precursor threshold. In addition, the branch chief for the Performance and Reliability Branch reviews all these analyses as well. 10 All ASP analyses that exceed the precursor threshold also receive an additional review by management of the Division of Risk Analyses.

All analyses of precursors with a CCDP or CDP greater than or equal to 10-4 (also known as important precursors) are sent to the applicable licensee, region, and Office of Nuclear Reactor Regulation for a 60-day peer review. The review period allows key stakeholders to provide feedback on analysis assumptions and results. After external reviews are completed and any changes are made, the analysis is finalized and sent to licensee for consideration as part of its operating experience program. Analyses of precursors with CCDP or CDP less than 10-4 are sent to the licensee without the formal review period (i.e., only internal reviews are performed).

Detailed analyses (both precursors and rejects) are made publicly available in the NRCs Agencywide Documents Access and Management System (ADAMS).

2.4. Consideration of Other Hazards Historically, ASP analyses have been focused on the risk due to internal events unless an external hazard (e.g., fires, floods, seismic) resulted in a reactor trip (e.g., seismically induced LOOP) or a degraded condition is specific to an external hazard (e.g., degraded fire barrier).

This limitation was due to lack of external event modeling in the SPAR models for all plants.

However, the incorporation of seismic hazards in all SPAR models was completed in December 2017. Therefore, the decision was made to evaluate seismic risk for all degraded conditions. The inclusion of seismic hazard risk in ASP analyses will improve the SPAR models by identifying issues and insights in the seismic scenarios. To maintain consistency with previous ASP evaluations, and to study the effect of the inclusion of seismic scenarios, ASP results are documented with seismic contribution separated from the internal events impact. As SPAR models (for all plants) incorporate other external hazards (e.g., high winds), ASP analyses will evaluate the risk of these hazards when the modeling efforts are completed.

10 In some instances, the branch chief will perform the second analyst review as part of his/her management review.

12

3. REFERENCES U.S. Nuclear Regulatory Commission, Strategic Plan Fiscal Years 2018-2022, NUREG-1614, Vol. 7, February 2018 (ADAMS Accession No. ML18032A561).

U.S. Nuclear Regulatory Commission NRC Congressional Budget Justification: Fiscal Year 2020, NUREG-1100, Vol. 35, March 2019 (ADAMS Accession No. ML19065A279).

U.S. Nuclear Regulatory Commission, Reactor Operating Experience Program, Management Directive 8.7, February 2018 (ADAMS Accession No. ML18012A156).

U.S. Nuclear Regulatory Commission, The Reactor Safety Study, WASH-1400, October 1975 (ADAMS Accession No. ML15334A199).

U.S. Nuclear Regulatory Commission, Risk Assessment Review Group Report, NUREG/CR-0400, September 1978 (ADAMS Accession No. ML072320423).

U.S. Nuclear Regulatory Commission, Three Mile Island: A Report to the Commissioners and to the Public, NUREG/CR-1250, January 1980).

U.S. Nuclear Regulatory Commission, Staff Requirements Memorandum to SECY-98-228, Proposed Streamlining and Consolidation of AEOD Functions and Responsibilities, December 1998 (ADAMS Accession No. ML003752662).

U.S. Nuclear Regulatory Commission, Significance Determination Process, Inspection Manual Chapter 0609, January 2019 (ADAMS Accession No. ML18187A187).

U.S. Nuclear Regulatory Commission, NRC Incident Investigation Program, Management Directive 8.3, June 2014 (ADAMS Accession No. ML18073A200).

U.S. Nuclear Regulatory Commission, Revised Review and Transmittal Process for Accident Sequence Precursor Analyses, Regulatory Issue Summary 2006-24, December 2006 (ADAMS Accession No. ML060900007).

Nuclear Energy Institute, NEI 99-02Regulatory Assessment Performance Indicator Guideline, Revision 7, August 2013 (ADAMS Accession No. ML13261A116).

U.S. Nuclear Regulatory Commission, Rates of Initiating Events at U.S. Nuclear Power Plants:

1987-1995, NUREG/CR-5750, February 2009 (ADAMS Accession No. ML070580080).

13

Appendix A: Summary of Significant Precursors The following table provides a brief description of all significant precursors [i.e., events with conditional core damage probability (CCDP) or increase in core damage probability (CDP) greater than or equal to 10-3] that have been identified by the ASP Program.

These events are sorted by event date. The 1979 event at Three Mile Island (Unit 2) is not included in this list of precursors because the event resulted in actual core damage. The role that this event played in the development of the ASP Program is discussed in Section 1 of this report.

Date LER Plant Brief Description CCDP/CDP Reactor pressure vessel head leakage of control rod drive mechanism nozzles, potential unavailability of sump recirculation due to screen plugging, and potential unavailability of boron precipitation control. The analysis included multiple degraded conditions discovered on various dates.

2/27/2002 346-02-002 Davis-Besse 6x10-3 These conditions included cracking of control rod drive mechanism nozzles and reactor pressure vessel (RPV) head degradation, potential clogging of the emergency sump, and potential degradation of the high-pressure injection pumps during recirculation.

Plant-centered loss of offsite power (transformer ground faults) with an emergency diesel generator unavailable due to maintenance. When the reactor was at hot shutdown, a transformer in the switchyard shorted out during a storm, causing breakers to open and resulting in a loss of offsite power event.

2/6/1996 414-96-001 Catawba 2 2x10-3 Although both emergency diesel generators (EDG) started, the output breaker of EDG 1B, to essential bus 1B failed to close on demand, leaving bus 1B without alternate current (AC) power. After 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months and 25 minutes, operators successfully closed the EDG 1B output breaker.

Reactor coolant system blowdown to the refueling water storage tank. When the plant was in cold shutdown, operators implemented two unpermitted simultaneous evolutions, which resulted in the transfer of 9,200 gallons of reactor 9/17/1994 482-94-013 Wolf Creek coolant system (RCS) inventory to the refueling water storage tank. Operators 3x10-3 immediately diagnosed the problem and terminated the event by closing the residual heat removal (RHR) cross-connect motor-operated valve. The temperature of the RCS increased by 7 F because of this event.

A-1

Date LER Plant Brief Description CCDP/CDP High-pressure injection unavailable for one refueling cycle because of inoperable alternate minimum flow valves. A degraded condition resulted from relief valve and drain line failures in the alternative minimum flow systems for the 4/3/1991 400-91-008 Shearon Harris charging/safety injection pumps, which would have diverted a significant amount of 6x10-3 safety injection flow away from the RCS. The root cause of the degradation is believed to have been water hammer, because of air left in the alternative minimum flow system following system maintenance and test activities.

Turbine load loss with trip; control rod drive auto insert fails; manual reactor trip; pressurizer power-operated relief valve sticks open. The reactor was tripped manually following a loss of turbine governor oil system pressure and the subsequent rapid electrical load decrease. Control rods failed to insert 12/27/1986 250-86-39 Turkey Point 3 automatically because of two cold solder joints in the power mismatch circuit. 10-3 During the transient, a pressurizer power-operated relief valve (PORV) opened but failed to close (the block valve had to be closed). The loss of governor oil pressure was the result of a cleared orifice blockage and the auxiliary governor dumping control oil.

Chemical and volume control system from the component cooling water exchanger joint. A weld break on the letdown piping, near the component cooling water (CCW)/chemical and volume control system (CVCS) heat exchanger caused 6/13/1986 413-86-031 Catawba 1 excessive RCS leakage (130 gpm). A loss of motor control center power caused 3x10-3 the variable letdown orifice to fail open. The weld on the 1-inch outlet flange on the variable letdown orifice failed because of excessive cavitation-induced vibration.

This event was a small-break loss-of-coolant accident (LOCA).

Loss of feedwater; scram; operator error fails emergency feedwater; pressurizer PORV fails open. While at 90-percent power, the reactor tripped with main feedwater (MFW) pump 1 tripped and MFW 2 unavailable. Operators made an error in initiating the steam and feedwater rupture control system and 6/9/1985 346-85-013 Davis-Besse 10-2 isolated emergency feedwater (EFW) to both steam generators. A pressurizer PORV actuated three times and did not reseat at the proper RCS pressure.

Operators closed the PORV block valves, recovered EFW locally, and used high-pressure injection pump 1 to reduce RCS pressure.

A-2

Date LER Plant Brief Description CCDP/CDP Heating, ventilation, and air conditioning water shorts panel; safety relief valve fails open; high-pressure coolant injection fails; reactor core isolation cooling unavailable. Water from a Heating, ventilation, and air conditioning (HVAC) vent fell onto an analog transmitter trip system panel in the control room (the water was from the control room HVAC filter deluge system which had been 5/15/1985 321-85-018 Hatch 1 2x10-3 inadvertently activated because of unrelated maintenance activities). This resulted in the lifting of the safety relief valve four times. The safety relief valve stuck open on the fourth cycle, initiating a transient. Moisture also energized the high-pressure coolant injection (HPCI) trip solenoid rendering the system unavailable.

Reactor core isolation cooling (RCIC) was unavailable due to maintenance.

Operator error causes scram; RCIC and RHR unavailable. While at 23-percent power, an operator error caused a reactor scram and main steam isolation valve closure. Later that day, RCIC was found to be unavailable during testing and failed 9/21/1984 373-84-054 LaSalle 1 again 8 days later. Nine days after the reactor scram, RHR was found to be 2x10-3 unavailable during testing because of an inboard suction isolation valve failing to open on demand. Both RCIC and RHR may have been unavailable after the reactor scram.

Trip with automatic reactor trip capability failed. When the reactor was at 25-percent power, both reactor trip breakers failed to open on demand of a low-low steam generator level trip signal. A manual trip was successfully initiated 2/25/1983 272-83-011 Salem 1 approximately 3 seconds after the automatic trip breaker failed to open. The same 5x10-3 event occurred 3 days later, at 12-percent power. Mechanical binding of the latch mechanism in the breaker under-voltage trip attachment failed both breakers in both events.

Loss of vital bus; failure of an EFW pump; main steam safety valve lifted and failed to reseat. With the plant at 74-percent power, the loss of bus E2 occurred because of a maintenance error during control rod drive mechanism breaker logic testing. A reactor trip occurred, due to loss of control rod drive mechanism power 6/24/1981 346-81-037 Davis-Besse 2x10-3 (bus E2), and instrumentation power was also lost (bus E2 and a defective logic card on the alternate source). During the recovery, EFW pump 2 failed to start because of a maladjusted governor slip clutch and bent low speed stop pin. A main steam safety valve lifted and failed to reseat (valve was then gagged).

A-3

Date LER Plant Brief Description CCDP/CDP Loss of shutdown cooling due oyster shell buildup in the RHR heat exchanger. While the reactor was in cold shutdown during a maintenance outage, the normal decay heat removal system was lost because of a failure of the single RHR heat exchanger that was currently in service. The failure occurred when the 4/19/1981 325-81-032 Brunswick 1 7x10-3 starting of a second RHR service water pump caused the failure of a baffle in the water box of the RHR heat exchanger, thereby allowing cooling water to bypass the tube bundle. The redundant heat exchanger was inoperable because maintenance was in progress.

Loss of DC power and one EDG because of operator error; partial loss of offsite power. When the reactor was at full power, the 125-volt (V) direct current (DC) emergency bus was lost due to an operator error. The loss of the bus caused the reactor to trip, but the turbine failed to trip because of the unavailability of DC bus A. Loads were not switched to the reserve transformer (following the manual 1/2/1981 336-81-005 Millstone 2 5x10-3 turbine trip) because of the loss of DC bus A. Two breakers (on the train B 6.9 kilovolt (kV) and 4.16 kV busses) remained open, thereby causing a loss of offsite power. EDG B tripped due to leakage of the service water flange, which also caused the 4.16 kV bus B to be de-energized. An operator recognition error caused the pressurizer PORV to be opened at 2380 psia.

Reactor coolant pump seal LOCA due to loss of CCW; top vessel head bubble. At 100-percent power, a moisture-induced short circuit in a solenoid valve caused a CCW containment isolation valve to shut causing loss of CCW to all reactor coolant pumps (RCPs). While pressure was reduced to initiate the 6/11/1980 335-80-029 St. Lucie 1 shutdown cooling system, the top head water flashed to steam, thus forming a 10-3 bubble (initially undetected by the operators). During the cooldown, the shutdown cooling system relief valves lifted and low-pressure safety injection initiated (i.e.,

one low-pressure safety injection pump started charging, while the other was used for cooldown).

Loss of two essential buses leads to loss of decay heat removal. When the reactor was in cold shutdown, two essential busses were lost because of breaker 4/19/1980 346-80-029 Davis-Besse ground fault relay actuation during an electrical lineup. The decay heat drop line 10-3 valve was shut, and air was drawn into the suction of the decay heat removal pumps, resulting in loss of a decay heat removal path.

A-4

Date LER Plant Brief Description CCDP/CDP Loss 24V DC non-nuclear instrumentation causes reactor trip and stuck-open pressurizer PORV and subsequent steam generator dry out. The 24 V power supply to non-nuclear instrumentation was lost due to a short to ground.

This initiated a sequence of events in which the pressurizer PORV opened (and stayed open) as a direct result of the loss of non-nuclear instrumentation power supply. High-pressure injection initiated because depressurization through the 2/26/1980 302-80-010 Crystal River 5x10-3 open PORV, and with approximately 70 percent of non-nuclear instrumentation inoperable or inaccurate, the operator correctly decided that there was insufficient information available to justify terminating high-pressure injection. Therefore, the pressurizer was pumped solid, one safety valve lifted, and flow through the safety valve was sufficient to rupture the reactor coolant drain tank rupture disk, thereby spilling approximately 43,000 gallons of primary water into the containment.

Reactor trip with failure of RCIC and HPCI unavailable due to maintenance.

Following a reactor scram, the RCIC turbine tripped on mechanical over-speed 11/20/1979 325-79-089 Brunswick 2 3x10-3 with high pressure core injection out for maintenance. RCIC was reset and manually set into operation. The reactor water level had reached -40 inches.

Steam generator tube rupture. With the reactor at 100-percent power, a 390 gpm tube break occurred in steam generator A. The reactor tripped, and safety 10/2/1979 282-79-027 Prairie Island 1 injection actuated due to low pressurizer level. The RCS was placed in cold 2x10-3 shutdown and drained. The break resembled a classic overpressure break. Two other tubes showed reduction in wall thickness.

Loss of offsite power with the subsequent failure of an EDG while plant is shutdown. While in cold shutdown during the passage of Hurricane David, a cable fell across the lines of startup transformer B, causing a lockout on the east 9/3/1979 NSIC152187 St. Lucie 1 3x10-3 bus and de-energization of the startup transformer. EDG B failed to start due to the binding of a relay in the auto start circuitry. Analysis assumed 0.75 probability that event could have occurred at power.

Reactor trip with subsequent failure of HPCI pump to start and RCIC unavailable. During a power increase, the reactor tripped because a condensate system trip. HPCI failed to initiate on low-low level due to a failed turbine stop 6/3/1979 366-79-045 Hatch 2 10-2 valve. In addition, water from leaking mechanical seal lines and an unknown valve caused water to back up and contaminate the pump oil. RCIC was out of service for unspecified reasons.

Reactor trip results in loss of feedwater with subsequent failure of isolation condenser. During testing of the isolation condenser, a reactor scram occurred.

5/2/1979 219-79-014 Oyster Creek 3x10-2 The feedwater pump tripped and failed to restart. The recirculation pump inlet valves were closed. The isolation condenser was used during cooldown.

A-5

Date LER Plant Brief Description CCDP/CDP Stuck open steam dump valves lead to reactor trip and safety injection. A load reduction was in progress due to a tripped heater drain pump, when the condenser steam dump valves opened causing high steam flow. The valves failed 1/18/1979 334-79-005 Beaver Valley 1 to close because the operators were subjected to excessively cold temperatures 10-3 due to improperly positioned ventilation dampers. The open valves resulted in low steam line pressure and consequent reactor trip and safety injection initiation.

Event was modeled as a main steam line break.

Loss of vital bus results in reactor trip and inadvertent safety injection with failure of EFW pump. While the reactor was at 100-percent power, vital instrument bus 1B was lost because of the failure of an output transformer and two regulating resistors. Loss of the vital bus caused a false low RCS loop flow 11/27/1978 272-78-073 Salem 1 5x10-3 signal, thereby causing a reactor trip. Two EFW pumps failed to start (one because of the loss of vital bus 1B, and the other because of a maladjustment of the over-speed trip mechanism). Inadvertent safety injection occurred due to decreasing average coolant temperature and safety injection signals.

Loss of offsite power and subsequent EDG failure. An electrical fault occurred in the station main transformer resulting in generator, turbine, and reactor trip and 7/28/1978 334-78-043 Beaver Valley 1 6x10-3 safety injection. Approximately 4 minutes later a loss of offsite power occurred.

Both EDGs started, but the EDG 2 failed due to field flash failure.

Loss of offsite power during refueling with an EDG out for maintenance.

Improper switching at a substation, in combination with incorrect wiring of 5/14/1978 335-78-017 St. Lucie 1 protective relays, resulted in a loss of offsite power. One EDG was out of service 5x10-3 for maintenance. The other EDG started and provided electrical power to its respective bus.

Reactor trip with subsequent stuck-open relief valves. Following a reactor trip from 30-percent power, the main steam relief valves did not reseat at the correct 4/23/1978 320-78-033 TMI 2 pressure. The relief valves eventually reseated in approximately 4 minutes. The 6x10-3 RCS rapidly cooled down and depressurized, which cause a safety injection initiation. Pressurizer level was lost for approximately 1 minute.

Loss of offsite power while plant was shut down and failure of an EDG. With the plant shut down, a protective relay automatically opened the switchyard 4/13/1978 317-78-020 Calvert Cliffs 1 5x10-3 breakers, resulting in a loss of offsite power. EDG 11 failed to start. EDG 22 started and supplied the safety busses.

A-6

Date LER Plant Brief Description CCDP/CDP Reactor trip with all EFW pumps ineffective. A low-level condition in a single steam generator resulted in a reactor trip. The turbine-driven EFW pump failed to 3/25/1978 348-78-021 Farley 1 start. Both motor-driven EFW pumps started but were deemed ineffective because 10-2 all recirculation bypass valves were open (thereby diverting flow). A recirculation valve was manually closed.

Failure of non-nuclear instrumentation leads to reactor trip and steam generator dry out. When the reactor was at power, a failure of the non-nuclear instrumentation power supply resulted in a loss of MFW, which caused a reactor 3/20/1978 312-78-001 Rancho Seco trip. Because instrumentation drift falsely indicated that the steam generator 3x10-1 contained enough water, control room operators did not act promptly to open the EFW flow control valves to establish secondary heat removal. This resulted in steam generator dry out.

Both EFW pumps found inoperable during testing. During EFW pump testing, operators found that control over both pumps was lost because of mechanical 12/11/1977 346-77-110 Davis-Besse 3x10-2 binding in the governor of one pump and blown control power supply fuses for the speed changer motor on the other pump.

Reactor trip with subsequent momentary loss of offsite power with the failure of an EDG. Power was lost to all four RCPs following a temporary loss of 13.8 kV power caused by operators inadvertently opening the main generator breakers due to a procedural error shortly after a turbine trip. Electrical power was supplied from 11/29/1977 346-77-098 Davis-Besse 10-3 EDG 2 in 7 seconds and normal offsite power was returned within 11 seconds on bus B and 25 seconds on bus A. During the temporary loss of offsite power, EDG 1 started but failed to supply power to bus C1 due to the diesel tripping on over-speed.

Partial trip signal leads to stuck-open pressurizer PORV and subsequent reactor trip. A spurious half-trip of the steam and feedwater rupture control 9/24/1977 346-77-016 Davis-Besse system initiated a closure of the startup feedwater valve. This resulted in reduced 10-3 water level in steam generator 2. The pressurizer PORV lifted nine times and then stuck open because of rapid cycling.

Blown fuse leads to partial loss of feedwater and subsequent reactor trip; RCIC and HPCI pumps fail to reach rated speed. A blown fuse caused the normal power supply to the feedwater and RCIC controllers to fail. The alternate 8/31/1977 298-77-040 Cooper power supply was unavailable because of an unrelated fault. A partial loss of 10-2 feedwater occurred, and the reactor tripped on low water level. RCIC and HPCI operated, however, both pumps did not accelerate to full speed (RCIC because of the failed power supply and HPCI because of a failed governor actuator).

A-7

Date LER Plant Brief Description CCDP/CDP Reactor trip and subsequent stuck open safety relief valve. A turbine trip resulted in a reactor scram. HPCI and RCIC initiated; however, the pumps tripped on high water level. Safety relief valves were opened three times to maintain 7/15/1977 324-77-054 Brunswick 2 reactor pressure below 1050 psig. One of the safety relief valves failed to close 2x10-3 after opening for the third time. RCIC was started and provided injection to the reactor; however, the pump's capacity was insufficient. Operators then started HPCI to restore reactor water level.

Incorrect signals on reactor protection system leads to loss of accurate instrumentation and trip settings during testing. With the reactor in hot 7/12/1977 304-77-044 Zion 2 shutdown, testing caused operators to lose indications of reactor and secondary 10-3 system parameters. In addition, inaccurate inputs were provided to control and protection systems.

Six main steam relief valves fail to lift properly during testing. During bench 3/28/1977 331-77-026 Duane Arnold testing of six main steam relief valves failed to lift at the required pressure. Four 2x10-3 valves failed to open and the remaining two lifted at elevated pressures.

Inverter failure leads to loss of vital bus and subsequent reactor trip and loss of condenser heat sink. An inverter output diode failed, resulting in loss of vital 3/3/1977 302-77-020 Crystal River 10-3 bus B and subsequent reactor trip, turbine trip, and 50 percent opening of the atmospheric dump valves. EFW was used for decay heat removal.

Loss of offsite power with failure of EDG load shed signals. With the reactor at power, a main circulating water pump was started, which resulted in an in-plant voltage reduction to below the revised trip set point. This isolated the safety-7/16/1976 336-76-042 Millstone 2 related busses and started the EDGs. Each time a major load was tied onto the 10-2 EDG, the revised under-voltage trip set points tripped the load. As a result, at the end of the EDG loading sequence, all major loads were isolated, even though the EDGs were tied to the safety-related busses.

Clogged suction strainers for EFW pumps. Mixed bed resin beads were leaking from the demineralizer in the makeup water system and migrated to the 11/5/1975 305-75-020 Kewaunee condensate storage tank. As a result, during startup, both motor-driven EFW 3x10-2 pump suction strainers became clogged, thereby resulting in low pump flow. The same condition occurred for the turbine-driven EFW pump suction strainer.

A-8

Date LER Plant Brief Description CCDP/CDP RCP seal failure leads to LOCA and subsequent reactor trip. The plant was at power and diluting for xenon control. The number 1 seal for RCP C was exhibiting gradual flow variations associated with the RCS inventory addition. The RCP C, number 1 seal leak-off spiked several times, oscillated full range several times, then stabilized with a seal flow greater than 6 gpm. Plant load was reduced, and RCP C was idled. A reactor trip occurred due to turbine trip on high steam generator level, resulting from the rapid load reduction and cooldown. The flow control valve in the combined return line from the three RCP thermal barrier cooling lines closed due to high flow caused by cooling water flashing in the thermal barrier for RCP C. The flashing was caused by hot primary coolant flowing upward through the thermal barrier. Closure of the flow control valve resulted in loss of thermal barrier cooling in all three RCPs. RCPs A and B were manually tripped.

The RCP C number 1 seal return flow isolation valve was closed to decrease pressure surges in the letdown line. Seal flow was lost on RCP A and B. Leakage 5/1/1975 261-75-009 Robinson 3x10-3 through RCP C number 2 seal resulted in high reactor cooldown drain tank (RCDT) pressures. The RCDT was drained to the containment sump. The flow control valve in the combined return line from the three RCP thermal barriers was blocked open, restoring thermal barrier cooling on all three RCPs. RCP C was started with increased seal flow and RCS cooldown was started using the condenser via the steam dump valves. A high standpipe alarm was received for RCP C and the pump was stopped. Rapidly falling pressurizer level indicated failure of RCP C number 2 and 3 seals. The safety injection pumps were started to make up for rapidly decreasing pressurizer level. Pressurizer level was stabilized, and operators reduced safety injection. Auxiliary pressurizer spray was used to reduce plant pressure to the operating pressure of the RHR system.

During this pressure reduction, the accumulators partially discharged into the RCS before their isolation valves were closed. Cooldown via the RHR system was used to achieve cold shutdown conditions.

Multiple valve failures including stuck-open relief valve with RCIC inoperable.

At 10-percent power, the RCIC system was determined to be inoperable, and safety relief valve B was stuck open. The operator failed to scram the reactor according to the emergency operating procedures. The HPCI system failed to run 4/29/1975 324-75-013 Brunswick 2 3x10-3 and was manually shut down due to high torus level. Loop B of RHR failed because of a failed service water supply valve to the heat exchanger. The reactor experienced an automatic scram on manual closure of the main steam isolation valve.

A-9

Date LER Plant Brief Description CCDP/CDP Cable tray fire caused extensive damage and loss of electrical power to safety systems. The fire was started by an engineer, who was using a candle to check for air leaks through a firewall penetration seal to the reactor building. The fire resulted in significant damage to cables related to the control of Units 1 and 2.

All Unit 1 emergency core cooling system were lost, as was the capability to 3/22/1975 259-75-006 Browns Ferry 1 monitor core power. Unit 1 was manually shut down and cooled using remote 4x10-1 manual relief valve operation, the condensate booster pump, and control rod drive system pumps. Unit 2 was shut down and cooled for the first hour by the RCIC system. After depressurization, Unit 2 was placed in the RHR shutdown cooling mode with makeup water available from the condensate booster pump and control rod drive system pump.

Failure of three EFW pumps to start during test. Operators attempted to start all three EFW pumps while the reactor was at power for testing. Two of the pumps 5/8/1974 250-74-LTR Turkey Point 3 3x10-2 failed to start due to over-tightened packing. The third pump failed to start because of a malfunction in the turbine regulating valve pneumatic controller.

Clogged suction strainers for EFW pumps. While the reactor was in cooldown mode, motor-driven EFW pump A did not provide adequate flow. The operators 4/7/1974 266-74-LTR Point Beach 1 were unaware that the in-line suction strainers were 95-percent plugged (both 3x10-2 motor-driven pumps A and B). A partially plugged strainer was found in each of the suction lines for both turbine-driven EFW pumps.

Loss of offsite power due to ice storm with failure of EDG service water pump to start. A total loss of offsite power occurred during an ice storm due to a momentary fault in one line and a subsequent inadvertent trip on the other due to 1/19/1974 213-74-003 Haddam Neck 10-2 improper blocking relay placement. Both EDGs started, but one EDG service water pump had to be manually started due to a malfunction in the time delay under-voltage relay in the pump motor start circuit.

Turbine trip leads to loss of offsite power during testing. In preparation for the turbine trip and loss of offsite power testing, the 4 kV unit boards were plated in manual to prevent automatic transfer. The turbine was manually tripped due to 11/19/1973 259-73-LTR-1 Browns Ferry 1 3x10-3 vibration. This resulted in a scram since offsite power could no longer be supplied.

The RCIC and HPCI systems could not be started until the standby EDGs were energized because there reset logic required AC power.

RCIC and HPCI failed during startup. During startup testing the RCIC system failed to operate due to the failure of the steam supply valve to open. HPCI was 11/19/1973 259-73-LTR-2 Browns Ferry 1 manually initiated to maintain vessel water level; however, the pump tripped. The 3x10-3 operator reset the isolation circuit and successfully reinitiated HPCI, which successfully maintained reactor water level.

A-10

Date LER Plant Brief Description CCDP/CDP Loss of offsite power, excessive RCS cooldown, and failure of a vital instrument bus. With 1 of 4 transmission circuits out of service due to construction, a second line was lost due to a ground fault. Power fluctuations resulted in the remaining two 115 kV transmission lines to trip, causing a total loss of offsite power and a turbine trip. An electrical disturbance on an instrument bus causes a reactor trip on a false overpower/high T signal. The EDGs successfully 10/21/1973 244-73-010 Ginna 2x10-3 started and supplied electrical power to the vital buses. The auxiliary feedwater (AFW) pumps started on low steam generator level. The operator secured the AFW pumps due to increasing water level and decreasing RCS temperature; however, safety injection was automatically initiated due to low pressurizer pressure caused by the excessive cooldown. Vital bus 1A momentarily failed and caused the boric acid storage tank level transmitters powered from this bus to fail.

Reactor trip and subsequent failure of AFW pumps to start automatically.

During startup and low power physics testing, the turbine generator control valves opened rapidly. Due to high steam flow and reduced RCS temperature, safety 6/18/1973 251-73-007 Turkey Point 4 10-3 injection was actuated. All three AFW pumps failed to start due to failure to install 125 V DC power supply fuses in the AFW pump auto-start logic circuits. Operators manually started the AFW pumps.

Reactor trip with a stuck open relief valve and failure of turbine bypass valve to close. A malfunction in the turbine pressure control system caused a pressure transient which resulted in a reactor trip on high neutron flux. The turbine was manually tripped, which caused the turbine bypass valve to open (as expected). A 10/10/1971 245-71-099 Millstone 1 bypass valve failed to close so the operator manually closed the main steam 2x10-3 isolation valves. The blowdown continued through an open relief valve until the reactor pressure reached 263 psig when it reseated. The operator initiated the isolation condenser and proceeded with a controlled cooldown. A total of 75,000 gallons of water was lifted from the torus.

Loss of offsite power and EDG output breaker failed to close automatically.

A loss of offsite power due to the trip of one line and inadvertent tripping of two 9/2/1971 255-71-LTR-1 Palisades breakers caused by a faulty breaker failure relay. Both EDGs started; however, the 6x10-3 output breaker for EDG 1-2 failed to close automatically. Operators manually closed the breaker.

Loss of offsite power due to switchyard fire. Failure of a potential transformer in the switchyard caused a fire, loss of power to the reactor, a load rejection, and a 3/24/1971 409-71-LTR-2 La Crosse 2x10-2 scram. The shutdown condenser and core spray were used for reactor temperature and pressure control. Offsite power was restored in 61 minutes.

A-11

Date LER Plant Brief Description CCDP/CDP Failure of both EDGs during testing. Both EDGs failed to run after new low oil pressure switches were remounted on a wall, approximately 15 feet away. The 3/8/1971 261-71-057 Robinson 10-3 failures to run were determined to be caused by low lube oil pressure at the pressure switches caused by trapped air and high viscosity cold lube oil.

Loss of offsite power while plant in hot standby due to ice storm. With the reactor in hot standby during an ice storm, breakers on all three high lines opened 2/5/1971 266-71-053 Point Beach 1 resulting in a loss of offsite power and subsequent reactor trip. Both EDGs started 2x10-3 and supplied safety-related loads. Due to the continuing storm conditions, the RCS was borated to the cold shutdown level and cooled down to 300°F.

Failure of containment sump isolation valves. During a routine check of the containment tendon access gallery, air was observed leaking from the packing of one sump isolation valve. Operators attempted to open the valve, but the valve 1/12/1971 266-71-LTR-1 Point Beach 1 2x10-3 failed to open because of a shorted solenoid in the hydraulic positioner. The redundant sump isolation valve was also found inoperable because of a stuck solenoid in the hydraulic positioner.

Loss of offsite power with subsequent failure of isolation condenser valve. A switching error at the Humboldt substation caused protective relaying which resulted in a generator and turbine trip, loss of the 60-kV bus, and consequent loss of offsite power. The loss of offsite power resulting in an automatic reactor scram, loss of feedwater flow, loss of drywell cooling, and loss of control room indication of reactor vessel pressure and level. The emergency propane generator started and 7/17/1970 133-70-LTR Humboldt Bay assumed safety-related loads. A control rod drive pump was started to provide 9x10-3 reactor inventory makeup. The emergency condenser return valve failed closed due to an incorrectly adjusted torque switch. Reactor vessel level decreased to the low water level set point (due to the opening of a safety valve) and resulted in the actuation of the reactor vent system. The low-pressure core flood and core spray systems subsequently automatically initiated and were used for core cooling until normal power was restored.

Loss of offsite power. One of the two 115 kV offsite power lines was removed from service. When the dispatcher opened other terminals on the Montville line, trip signals were generated which caused the two station service transformer low 7/15/1969 213-69-LTR Haddam Neck side breakers to open, resulting in a loss of offsite power. All three EDGs started 2x10-3 and assumed safety related loads. A charging pump tripped during the starting sequence and one RCP seal failed with excessive leakage, requiring 15 gpm of seal injection.

A-12

Appendix B: Historical Precursor Occurrence Rates The figure in this appendix provides the annual occurrence rates of all precursors for the entire history of the Accident Sequence Precursor (ASP) Program (1969-2019). The occurrence rates of precursors have decreased significantly since plants began operating in the United States. 11 The overall risk due to precursors has also decreased significantly as shown by the decreasing number of precursors with conditional core damage probability (CCDP) or increase in core damage probability (CDP) of greater than or equal to 10-4 (also called important precursors).

Applicable NRC regulatory initiatives and program changes that could potentially influence precursor occurrence rates are shown in the figure (not an exhaustive list). One of the examples shown in the figure is the use of simplified calculations until 1992, when the initial version of the standardized plant analysis risk (SPAR) models were developed and used for ASP analyses. The simplified calculations were likely sufficient to quantify reasonable estimates most of the time. However, it is possible that the simplified calculations overestimated the risk impact of events in some cases.

An example of a factor not shown in the figure, which influenced precursor occurrence rates is the change in LER screening criteria over the years. The screening criteria used for the analyses of events that occurred in the 1970s and 1980s, would typically screen-out failures of safety-related equipment where redundancy was not lost. Subsequent experience has shown that single-train failures of safety-related equipment can have CDPs that exceed the precursor threshold of 10-6. Given the initiating event frequencies and equipment reliability in the 1970s and 1980s, the precursor counts for these years are likely underestimated.

Based on the observation of the precursor occurrence rates during the 1969-2019 period, it appears that safety at U.S. nuclear power plants has improved significantly due to the implementation of NRC and licensee initiatives. However, ASP data alone should only be one input to determine an overall conclusion on the safety trends of commercial nuclear fleet in the U.S.

11 The occurrence rate of all precursors exhibits a statistically significant decreasing trend (p-value = 0.000) during the 1969-2019 period.

B-1

Note: This figure identifies program changes that could potentially influence precursor occurrence rates and is not an exhaustive list.

B-2

Appendix C: Treatment of Maintenance/Testing Unavailability in ASP Analyses of Windowed Events Background. The treatment of a structure, system, and component (SSC) unavailability due to maintenance/testing within an event and condition assessment (ECA) depends on the objective of the program. The Accident Sequence Precursor (ASP) Program attempts to provide a holistic perspective of the risk of operational events. Therefore, since its inception, ASP analyses have accounted for concurrent unavailabilities (i.e., windowed events) of SSCs, regardless of the unavailability cause (including SSCs unavailable for maintenance/testing).

However, there is potential for overestimating the risk by double counting because the probability of SSCs being unavailable for maintenance/testing is already included in the base standardized plant analysis risk (SPAR) models.

If no performance deficiency is identified as the cause of failure for a risk-significant SSC or an initiating event occurred, an independent ASP analysis is required. If a performance deficiency is identified, the SDP evaluation will not consider the unavailability of other safety-related SSC(s) during the exposure time of the degraded condition (including equipment unavailable for maintenance/testing), unless it is the direct result of the same performance deficiency.

Therefore, the ASP Program must consider if there are potential windowed events and, if so, whether an independent ASP analysis is warranted.

For windowed events due to a degraded condition of a risk-significant SSC, it is important to note that the SSC unavailable due to maintenance/testing within the same exposure time as the failed SSC will already be accounted for (via basic events representing the nominal maintenance/testing probabilities of applicable SSCs) in risk assessments using the SPAR models. Therefore, unless the maintenance/testing unavailability time for the SSC is greater than the nominal unavailability time for a specific exposure period, explicitly accounting for the SSC unavailability due to maintenance/testing (i.e., setting the applicable maintenance/testing basic events to TRUE for parts of the exposure period) should not result in significant differences in the ASP analysis. To make best use of limited ASP resources, prior to performing an independent ASP analysis for degraded conditions associated with a safety-related SSC (where no licensee performance deficiency is identified), an evaluation of whether the SSC unavailable for maintenance/testing warrants an independent ASP analysis should be performed. In addition, guidance is needed on how to explicitly model the SSC unavailability due to maintenance/testing in an independent ASP analysis to ensure that there is no potential for double counting.

Determination of whether an Unavailable SSC due to Maintenance/Testing Requires an Independent ASP Analysis. If an analyst determines that an SSC was unavailable due to maintenance/testing during the exposure period of a degraded condition in which no licensee performance deficiency is identified, the analyst shall perform an evaluation of whether the exposure period of the SSC in maintenance/testing is sufficiently represented by the nominal probability within the SPAR model.

The first step of this evaluation is determining the nominal time that the applicable SSC(s) is expected to be unavailable due to maintenance/testing during the exposure period of the degraded condition. To illustrate this step, we will use an example of an emergency diesel generator (EDG) that failed during surveillance testing and was later determined to be unable to fulfill its safety function for the previous 3 months. NRC inspectors identified a licensee performance deficiency associated with the EDG failure and an SDP evaluation was performed.

C-1

In reviewing this event to determine if the SDP evaluation result can be used as the ASP Program result, an ASP analyst determines that the opposite train EDG was unavailable for maintenance/testing for approximately 15 hours1.736111e-4 days 0.00417 hours 2.480159e-5 weeks 5.7075e-6 months during the 3-month exposure period. The nominal SPAR model probability for an EDG to be unavailable due to maintenance/testing is 1.48x10-2. Therefore, the nominal time that an EDG is expected to be unavailable due to maintenance/testing during the 3-month exposure period of the opposite train EDG is calculated as follows:

8760 1

= 1.48 x 102 x x x 3 = 32.48 1 12 This calculation reveals that the assumed time within the SPAR model that the EDG would be unavailable due to maintenance/testing during the 3-month exposure time of the failed EDG is less than the nominal time. The conclusion is that the EDG maintenance/testing basic event contained in the SPAR model is sufficient to account for the concurrent unavailability of the EDGs in this example. Therefore, the EDG unavailability due to maintenance/testing in this example would not warrant an independent ASP analysis for an event in which a licensee performance deficiency was identified with the failed EDG (i.e., the SDP evaluation result would be used as the ASP Program result for this event).

Considering another example using the same affected components (i.e., the two EDGs), but in this case it was determined that the failed EDG was unable to fulfill its safety function for 15 days. During this exposure period, the opposite train EDG underwent a significant maintenance activity that resulted in it being unavailable for 7 days during the 15-day exposure period. A calculation reveals that the nominal time for an EDG to be unavailable due to maintenance/testing during a 15-day exposure period is:

8760 1

= 1.48 x 102 x x x 7 = 2.49 1 365 This calculation reveals that the actual time of the EDG unavailability due to maintenance/testing while its opposite train EDG was failed during the 15-day exposure time is more than the nominal time. Therefore, the EDG maintenance/testing basic event contained in the SPAR models is not sufficient to account for the concurrent unavailability of the EDGs in this example, and an independent ASP analysis should be performed.

Treatment of an Unavailable SSC Unavailable for Maintenance/testing within an Independent ASP Analysis. If an independent ASP analysis needs to be performed because no performance deficiency associated with a degraded condition was identified, then a determination of whether a concurrent unavailability due to maintenance/testing needs to be explicitly modeled can be made using the process from the previous section. An unavailability of an SSC due to maintenance/testing should always be modeled explicitly in initiating event analyses.

Using the example in the previous section in which it was determined that the EDG unavailability due to maintenance/testing must be explicitly considered in an independent ASP analysis, the process includes the following steps:

Step 1Divide the exposure period between periods where the degraded condition is by itself and is concurrent with the maintenance/testing unavailability. Lets consider the second example from the previous section. Exposure Period A would be the 8 days C-2

where the single EDG is failed and Exposure Period B would be the 7 days where both EDGs are unavailable.

Step 2For the exposure period where the failure is by itself, the applicable SSC maintenance/testing basic event(s) should be set to FALSE. For the exposure period with concurrent unavailabilities, the applicable SSC maintenance/testing basic events should be set to TRUE. Therefore, for this example, the applicable basic event for the EDG unavailable due to maintenance/testing would be set to FALSE in Exposure Period A and set to TRUE in Exposure Period B.

Step 3Sum the increase in core damage probabilities (CDPs) to calculate the overall ASP analysis result.

Step 4 (Optional)Consider running sensitivity analyses that show the effects of these modeling assumptions (e.g., if the best-estimate case used the nominal probability, perform an analysis setting the maintenance/testing basic event to TRUE for the applicable exposure period).

C-3

Appendix D: Guidance for Licensee Review of ASP Analysis with CCDP or CDP Greater than or Equal to 10-4 The information below provides specific guidance to licensees for performing a review of an accident sequence precursor (ASP) analysis with a preliminary conditional core damage probability (CCDP) or increase in core damage probability (CDP) greater than or equal to 10-4 that has been transmitted to them by the Office of Nuclear Regulatory Regulation (NRR). The licensee is under no obligation to respond or provide comments if they do not wish. However, if no feedback is provided, the preliminary analysis will be finalized after the 60-day period is completed, and after consideration of internal comments from NRR and the applicable region (if provided).

Background. A preliminary precursor analysis of an initiating event or degraded condition that occurred at your plant has been provided for your review. This review is a required element of Regulatory Issue Summary (RIS) 2006-24, Revised Review and Transmittal Process for Accident Sequence Precursor Analyses, only analyses that have CCDP or CDP greater than or equal to 10-4 are sent to the licensee for a formal 60-day review. The ASP Program uses probabilistic risk assessment techniques to provide estimates of operational event significance in terms of the potential for core damage. The types of events evaluated include actual initiating events (e.g., losses of offsite power or loss-of-coolant accident) and/or plant conditions (e.g., safety equipment failures or unavailabilities due to maintenance) that could increase the probability of core damage from postulated accident sequences.

This preliminary analysis was conducted using the information contained in the applicable licensee event report (LER), NRC inspection report (IR), the plant-specific final safety analysis report (FSAR), individual plant examination (IPE) and other pertinent reports. Since all licensees have access to the standardized plant analysis risk (SPAR) model for their respective plant(s), the modeling assumptions section of the precursor analysis report allows licensees to recreate the analysis using the plant-specific SPAR model. The detailed reports available in SAPHIRE software also allow licensees to make more detailed comparisons of accident sequences and cut sets with any analysis performed using the licensee probabilistic risk assessment (PRA).

Guidance for Peer Review. Comments regarding the analysis should address:

Does the ASP analysis report accurately describe the event as it occurred and provide correct information concerning the operation of the plant, including plant configuration and response of operators and plant systems during the event?

Do the modeling assumptions accurately describe the modeling performed for the event, including event attributes that occurred or had the potential to occur (e.g., recovery actions)?

Do accident sequences and cut sets align with licensee analysis (if performed)?

Criteria for Evaluating Comments. The NRC will consider modifications to the ASP analysis based on the comments that are provided. However, documentation will likely be required to support the proposed analysis changes. References should be made to portions of the LER or other event documentation concerning the sequence of events. System and component capabilities should be supported by references to the FSAR, updated PRA, plant procedures, or analyses. Comments related to operator response times and capabilities should reference plant D-1

procedures, the FSAR, the plant PRA, or applicable operator response models. Assumptions used in determining failure probabilities should be clearly stated.

Criteria for Evaluating Additional Recovery Measures. Additional systems, equipment, or specific recovery actions may also be considered for incorporation into the ASP analysis.

However, to assess the viability and effectiveness of the equipment and methods, the appropriate documentation must be included in your response, including:

normal or emergency operating procedures,

piping and instrumentation diagrams,

electrical one-line diagrams,

results of thermal-hydraulic analyses, and

operator training (both procedures and simulation).

Systems, equipment, or specific recovery actions that were not in place at the time of the event will not be considered. Also, the documentation should address the impact (both positive and negative) of the use of the specific recovery measure on sequence/timing of events, the probability of operator error in using the system or equipment, and any effects on systems or operator actions already considered in the analysis.

An Example of a Recovery Measure Evaluation. A pressurized-water reactor plant experiences a reactor trip. During the subsequent recovery, it is discovered that one train of the auxiliary feedwater (AFW) system is unavailable. Absent any further information regarding this event, the ASP Program would analyze it as a reactor trip with one train of AFW unavailable.

However, if information is received from you about the use of an additional system (such as a standby steam generator feedwater system) in recovering from this event, the transient would be modeled as a reactor trip with one train of AFW unavailable, but this unavailability would be mitigated by the standby feedwater system.

The mitigation effect for the standby feedwater system would be credited in the analysis provided that the following material was available:

Standby feedwater system characteristics are documented in the FSAR or accounted for in the updated PRA.

Procedures for using the system during recovery existed at the time of the event.

The plant operators had been trained in the use of the system prior to the event.

A clear diagram of the system is available.

Previous analyses have indicated that there would be sufficient time available to implement the procedure successfully under the circumstances of the event under analysis.

The effects of using the standby feedwater system has been considered not to have an adverse impact on recovery operations. In this case, use of the standby feedwater system may reduce the likelihood of recovering failed AFW equipment or initiating feed-and-bleed due to time and personnel constraints.

D-2

ML20049G020

Text

Navigation menu

Search