ML20094B170
| ML20094B170 | |
| Person / Time | |
|---|---|
| Site: | Cook  |
| Issue date: | 10/26/1995 |
| From: | Fitzpatrick E INDIANA MICHIGAN POWER CO. (FORMERLY INDIANA & MICHIG |
| To: | NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM) |
| Shared Package | |
| ML20094B175 | List: |
| References | |
| AEP:NRC:10820, NUDOCS 9510310313 | |
| Download: ML20094B170 (55) | |
Text
_ _ _ _ _ _ _ _ _ - _ _ _ _ _ _ _ - _ _ _ _
indiana Michigan Power Company PO Box 16631 Columbus, OH 43216 INDIANA MICHIGAN POWER October 26, 1995 AEP:NRC:10820 Docket Nos.:
50-315 50-316 U. S. Nuclear Regulatory Commission ATTN:
Document Control Desk Washington, D. C.
20555 Centlemen:
Donald C. Cook Nuclear Plant Units 1 and 2 INDIVIDUAL PLANT EXAMINATION RESPONSE TO NRC AUDIT CONCERNS AND REQUEST FOR ADDITIONAL INFORMATION
References:
1)
" Donald C. Cook Nuclear Plant, Individual Plant Examination Submittal, Response to Generic Letter 88-20," submitted to the NRC in letter AEP:NRC:1082E, May 1, 1992.
2)
NRC Letter, J. Hickman to E. E. Fitzpatrick, "Raview of D.
C. Cook Individual Plant Examination Submittal - Internal Events," March 31, 1995.
l On May 1,1992, the Individual Plant Examination for the Donald C.
Cook Nuclear Plant, Units 1 and 2, was submitted (Reference 1) to l
the NRC in response to Generic Letter 88-20, " Individual Plant Examination for Severe Accident vulnerabilities - 10CFR50.54(f)."
l Several rounds of questions and meetings followed in the NRC review l
process.
As a result of that review process, NRC questions concerning the human reliability analysis (HRA) methodology were summarized in a letter (Reference 2).
Revision 1 to the Individual Plant Examination addresses these i
questions by modifying the HRA analysis. A summary of the revised l
analysis and conclusions is found in Attachment 1.
As a result of the changes described herein, the new core damage frequency for Cook Nuclear Plant is 7.14E-05.
To assist in understanding the types of revisions to the HRA, Attachment 2 contains a summary of a.
9510310313 951026 PDR ADOCK 05000315 it i
. p PDR ll i
U. S. Nuclear Regulatory Commission AEP:NRC:10820 Page 2-the methodology changes and two typical examples of the revised human reliability calculations.
Sincerely, E. E. Fitzpatrick Vice President SWORN TO AND SUBSCRIBED BEFORE ME THIS A g DAY OF b l 4 d 1995 I
da //A%
N'otary Public My Commission Expires: A-2P-99 pit Attachments cc:
A. A. Blind G. Charnoff H. J. Miller NFEM Section Chief NRC Resident Inspector - Bridgman J. R. Padgett I
_._._.m_.____.
\\
4 P
1 l
i i
l j
ATTACHMENT 2 TO AEP:NRC:10820 k
Donald C. Cook Nuclear Planc Individual Plant Examination 2
Human Reliability Analysis Summary of Methodology l
Changes and Example Calculations
)
i 4
?
I i
?
I 4
9, s
R"
~ _.
I l
This attachment includes a summary of the changes made in the human reliability analysis methodology and example calculations.
I.
SUMMARY
OF METHODOLOGY CHANGES l
After a complete comparison of the original (Revision 0) AEPSC human reliability methods to the THERP [ Reference 1] mdhods was perfonned, the AEPSC methods were updated to be more consistent with the THERP method and to renect newer information. Below is a summary of the major inconsistencies identined and their resolution in the revised (Revision 1) human reliability analysis:
Human reliability action snecific to seauences:
)
Revision 0: A simplifying assumption was utilized that an operator action, such as establishing primary feed and bleed, was independent of the accident sequence.
Revision 1: Sequence specine human error probabilities were calculated based on differences in timing, stress, dependence, and possible recoveries, using THERP.
Denendence Modeline:
Revision 0: Dependence modeling was used infrequently.
Revision 1: Prior human action failures were assessed for modeling of dependent failures of subsequent actions, both within a modeled action ami between different modeled actions.
Performance shaning factors in diannosis:
Revision 0: Training and stress performance shaping factors were utilized for the diagnosis error frequencies.
Revision 1: The EPRI methodology [P:ference 2] was used for diagnosis, which is consistent with THERP.
Exolicit consideration of timina:
Revision 0: For most cases, timing was only considered in a qualitative manner, with the diagnosis error rate being frequently based on the time needed to complete the action.
Revision 1: Timing was used to check if there was adequate time available to perform the action and any recovery acticas. Workload was also considered as influencing the stress level.
Consistent use of second nerson checkinn:
Revision 0: Credit was generally taken for checking, to the extent needed to determine an acceptably accurate final result (i.e., once a human error failure path was found to be not the dominant path, funher credits were not taken). Thus, known actions such as second person checking were inconsistently used.
Revision 1: These credits were only used when the checking actions were clearly preceduralized (e.g.,
checker initials required), or on a case by case basis when it could be shown that the person actually makes a habit of reviewing what the operator was doing.
.. ~ -. _ _
t i
l l-Trainine nerformance shapine facton:
l Revision 0: Training performance shaping factors were included for execution type erron to address the impact of improved training and procedures.
Revision 1: These generic training shaping factors were not used. Training was only considered on i
a case by case basis. Section 3.3 (attached) is an example of how operator training and practices were credited.
Refereosat i
j 1.
" Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications," A. D. Swain and H. E. Guttmann, NUREG/CR-1278,1983.
2.
"An Approach to the Analysis of Operator Actions in Probabilistic Risk Assessment," EPRI j
TR-100259, EPRI Project 2847-01, Final Report, June,1992.
i H.
EXAMPLE CALCULATIONS The following portions fism the Donald C. Cook Nuclear Plant's Human Reliability Analysis, Revision 1, are included with this attachment:
Section 3.3 High Pressure Cold Leg Recirculation (HPR) Event Tree Level HEP Calculation Section 3.5 Depressurization to Allow Low Pressure Indection (OLI) Event Tree Level HEP Calculation Attachment HPR Marked up procedure pages for Section 3.3 Attachment OLI Marked up procedure pages for Section 3.5 Figures E-8 HPR fault trees HPR1, HPR2, HPR3 and HPR4 (only more complex fault through E-11 trees, i.e., those with AND gates, are included)
Both HPR and OLI are good examples of how dependencies were treated in the analysis. The different types considered were dependencies between personnel, steps within a human failure event, and steps in different human failure events. Both cognitive and execution error dependence were considered.
The HPR fault trees are much more detailed than the msdority of the HRA fault trees due to dependence with switchover to containment spray recirculation (CSR), which is performed at the same time. These switchover actions had common cognitive errors (i.e., totally dependent), and some common execution errors. These common cognitive and execution errors were quantified as totally dependent by using the same identifiers in the corresponding fault trees.
As described in Section 3.5.6, for a Medium LOCA event, OLI is required about the same time as switchover to recirculation. As many factors influence which comes first, it was conservatively assumed that OLI precedes switchover and switchover was considered totally dependent on OLI.
l For more information on the assumptions used in the analysis, see Section 3.3.3 of Attachment 1 of this submittal. Results are summarized in Tables 3.3-2 and 3.3-3 of Attachment 1 of this submittal.
i a
. _ _ ~ -
~
a i
3.3 liEB - HIGH PRESSURE COLD LEG RECIRCULATION l
1 l
3.3.1 Anolication l
Small LOCA (SLO) with success of auxiliary feedwater (AF4) - HPRA (JMR) l
- SLO with failure of auxiliary feedwater (AF4) - HPRB (JMR)
Medium LOCA (MLO) with success of auxiliary feedwater (AF4)- HPRC (JMR) l Transient with Steam Conversion Systems Available (TRA) - HPRD (JAJ)
Transient without Steam Conversion Systems Available (TRS) - HPRE (JAJ) l Large Steam Line/Feedline Break (SL B) - HPRF (JAJ)
Loss of Offsite Power (LSP) - HPRG (JAJ)
I Steam Generator Tube Rupture (SGR) - HPRH (JAJ)
Station Blackout (SBO) with success of AFT, success or failure of RCC, success of AFC, XHR, CNU, RRI, and AF1, and success or failure of CSI - HPRS (JMR)
SBO with success of AFT, success or failure of RCC, success of AFC, XHR, CNU, and RRI, failure of AF1, success of PBB, and success or failure of CSI-HPRT (JMR) j SBO with success of AFT, success or failure of RCC, failure of AFC, success of XHR, CNU and PBB, and success or failure of CSI - HPRU (JMR)
SBO with failure of AFT, success of XHR, CNU, and PBB, and success or failure of CSI
- HPRV (JMR)
Loss of CCW or ESW with success of RCP and RR2 - HPRW (JMR) 3.3.2 Descriotion High pressure cold leg recirculation is required for several top events following successful ECCS high pressure injection when RWST reaches the low level setpoint of 32%. The transfer to recirculation is required to ensure a continued source of flow is available to the RCS so that core cooling is maintained following depletion of the RWST inventory. In the HPR phase, the water that is spilled from the break collects in the lower containment, flows through course and fine mesh strainers into the recirculation sump. The CCPs and SI pumps then take suction from the recirculation sump via the residual heat removal system. During the manual switchover from the injection phase to the recirculation phase, both the RHR and SI pumps discharge line cross-tie valves are shut. This provides two separate trains of injection during the recirculation phase.
3.3.3 Success Criteria and Timine Analysis Success of this event requires one of two SI pumps and one of two CCPs to inject to one of three intact cold legs with the pump suction supplied by one of two RHR trains operating in the recirculation mode. If this top event fails, late core damage with the RCS at high pressure is postulated to occur.
3.3-1
The Event Tree Notebook provides justification for the time to switchover from accident initiation and the amount of time the operator has to complete the switchover based on useable.
volume of the RWST for each application of this top event. A summary of these success criteria times is presented below. Refer to the Event Tree Notebook for additional information.
For medium LOCA (MLO) and small LOCA (SLO), the time from accident initiation until switchover is required would be approximately 30 minutes, assuming all safeguards pumps initially operating. This assumes containment spray is actuated early in the accident. The time to switchover would be longer if there are equipment failures or if spray actuation is delayed. Once RWST level reaches 32% and switchover is initiated, the operators will have 17 minutes to complete the switchover to high pressure recirculation before any of the safeguards pumps cavitate due to air entrainment (Reference 1).
For steam generator tube rupture (SGR) events, containment spray actuation would be expected about 30 minutes following initiation of primary bleed (See Success Criteria Notebook, Table 28). Switchover to high pressure cold leg recirculation would then be required about 30 minutes after this. This relative timing would also be expected for transient events in which bleed and feed recovery is used due to unavailability of feedwater for decay heat removal. Once RWST level reaches 32% and switchover is initiated, the operators will j
have 17 minutes to complete the switchover to high pressure recirculation before any of the safeguards pumps cavitate due to air entrainment. This time is the same as that for MLO and SLO since containment spray actuation'is expected following initiation of bleed and feed.
This timing analysis is also applicable to TRA, TRS and LSP events in which bleed and feed recovery is used due to the unavailability of feedwater for decay heat removal.
For SLB events, the time from accident initiation for a large secondary break inside containment until switchover is conservatively assumed to be approximately 30 minutes. This assumes containment spray is actuated early in the accident if the break is located inside containment. Similar to MLO and SLO, once RWST level reaches 32% and switchover is initiated, the operators will have 17 minutes to complete the switchover to high pressure recirculation before any of the safeguards pumps cavitate due to air entrainment.
For SBO events, depending on the amount of RCP seal leakage and the resulting need for containment spray injection, the time at which switchover to cold leg recirculation would be required could be as short as 30 minutes after spray and high pressure injection are actuated j
to several hours if spray actuation is not required. The timing requirements for completing the switchover to cold leg recirculation is 17 minutes, similar to MLO and SLO, since high pressure injection may also be actuated.
l For SSW and CCW events, the timing analysis is the same as that of SBO, recirculation may be required within 30 minutes of event initiation and completion of the switchover actions j
within 17 minutes.
3.3.4 Procedures Upon a small LOCA causing a reactor trip and Si actuation, the operators will enter E-0. At step 25, they will transfer to E-1, and at step 14 of E-1, they will transfer to ES-1.2.
' The Emergency Operating Procedure used to perform switchover to cold leg recirculation is 3.3-2
ES-1,3, TRANSFER TO COLD LEO RECIRCULATION, Rev. 2 ES-1.3 is entered from:
a)
E-1, LOSS OF REACTOR OR SECONDARY COOLANT, Rev. 5, Step 15, on low RWST level.
b)
ECA-2.1, UNCONTROLLED DEPRESSURIZATION OF ALL STEAM l
GENERATORS, Rev 4, Step 9, on low RWST level, c)
Other procedures whenever RWST level reaches the switchover setpoint.
For a small LOCA with success of AFW, entry into ES-1.3 will occur from the caution j
statement at the beginning of ES-1.2, and the RWST low level alarm provides cognitive recovery. This transition could also be from the foldout page for E-1 and ES-1.2, but this is conservatively not credited. Although the check for RWST level is performed in different procedures, depending on the initiating event, the action is the same for all cases. The Cue Table is applicable to all listed applications.
J 3.3.5 Critical and Recovery Actions The following are the primary tasks which must be completed for satisfying the success criteria of the HPR actions:
1.
Monitor for low RWST level and the need for establishing cold leg recirculation (Caution statement before ES-1.2) (cognitive) 2.
Reset SI (Step 1 of ES-1.3) 3.
Align West RHR for recirculation (Step 4 of ES-1.3) 4.
Align CCPs and SI pumps for recirculation (Step 5 of ES-1.3) 5.
Align east RHR pump for recirculation (Step 6 of ES-1,3)
See Table 3.3-1, Cue Table for HPR for identification of symptoms for establishing high pressure cold leg recirculation.
See Table 3.3-2, Subtask Analysis for HPR for identification of critical or relevant recovery j
actions associated with cold leg recirculation.
3.3.6 Assumptions See sections 3.3.8, 3.3.9 and 3.3.10.
3.3.7 Significant Operator Interview Findings i
1.
Switchover to recirculation takes top priority above all other actions. Whenever the RWST level reaches 32%, they will stop what they are doing and immediately go to ES-1.3. The unit supervisor and Rx0 will not be interrupted with other tasks, and 3.3-3
o others in the control room know to not get in the way.
4 l
2.
The unit supervisor, who is reading the procedure, will watch each step performed by l
the RxO, and wait until completion of the step (i.e., until valves have transferred to l
correct position) before going on to the next step.
3.
There will be at least two others in the comrol room who will be going through the i
procedure and ensuring that the steps are carried out completely (i.e., the extra US l
and the STA). The SS, ASS and BOPO may also be watching.
4.
Whenever the operators start a pump or close a suction valve, they will watch the pump amps and discharge flow. This is second nature to the operators.
1 5.
Most unit supervisors will actually start switchover before the RWST has reached i
32%, so they have do not have to hurry, and will not have to deal with the confusion 4
of the RHR pumps tripping on low-low RWST level.' They are encouraged to start early.
l 3.3.8 Calculation of Connitive Error l
A cognitive model was used to address diagnosis type errors (Reference 21). Tables 3.3-3 i
and 3.3-4 contain the calculation of the cognitive human error probability, pc, that the
]'
operators fail to recognize the need for switchover to high pressure recirculation. Pc was calculated in Table 3.3-3 to be 3.lE-03, without recovery. The recovered value of pc was i
i calculated in Table 3.3-4 to be 1.5E-04.
l 3.3.9 Calculation of Execution Error For the calculation of execution errors, the tables from Chapter 20 of Reference 2 were used.
{
(T20-x refers to Table 20-x of Reference 2.) The critical actions identified in Table 3.3-2 were reviewed to determine the dominant critical actions to be quantified. Critical actions are j
not dominant if they are recovered by other procedure steps or if they follow a mechanical l
failure because the human error probability would be multiplied by another human error probability or a mechanical failure probability. Attachment HPR is a copy of the relevant 1
portion of ES-1.3, with dominant critical steps circled. The reasons why the other critical
{
steps (identified in Table 3.3-2) are not dominant are also included.
3.3.9.1 Steo 4. Alinn West RHR Pumo for Recirculation:
4a Stoo & lockout W RHR PP Errors of Omission:
Omit step /page:
1.3E-03 (T20-7 #3, Assumption G)
Step 4 of procedure Errors of Commission:
3.3-4
Select wrong control when it is dissimilar to adjacent controls:
negligible (Table 20-12, #1 A (Item 1 A has been added by Swain since i
The RHR trains are delineated, the ammeter is directly above the control, and no similar ammeters are on the West RHR panel.
4_q open recirc sumo to W RHR/ CTS oumo valve Errors of Omission:
l Omit step /page:
]
1.3E-03 (T20-7 #3, Assumption G)
Step 4 of procedure Errors of Commission:
i Select wrong control when it is dissimilar to adjacent controls:
i negligible (Table 20-12, #1 A (Item 1 A has been adde ( > Swain since NUREG/CR-1278))
This control is different from adjacent controls because it is metal and has a key in it.
i Dral error orobability for Steos 4a & c:
1.3E-03 + 1.3E-03 = 2.6E-03 M
Start W RHR PP Errors of Omission:
Omit step:
1.3E-03 (T20-7 #3, Assumption G)
Step 4 of procedure Errors of Commission:
negligible, see Errors of Commission for Step 4a 3.3-5
i
)
3.3.9.2 Steo 5. Alien SI Pumos and CCPs for Recirculation S
open SI oumo suction from west RHR HX valve and j
S open SI oumo suction crosstie to CCP valves 1
These two steps were considered as one perceptual unit. These are adjacent procedure steps and the valve controls are all right next to each other (i.e., these actions are not I
separated by time or location).
i Errors of Omission:
Omit step /page:
1.3E-03 (T20-7 #3, Assumption G) 4 1
~
Step 5 of procedure Errors of Commission:
Select wrong control on panel from array of similar appearing controls:
1.3E-03 (T20-12 #3)
All safety injection suction and discharge valves are in one area on SI control panel.
Total error erobability for Steo 5:
2.6E-03 3.3.9.3 Steo 6. Alien East RHR Pumo for Recirculation:
6h Stoo & lockout East RHR PP Errors of Omission:
Omit step /page:
1.3E-03 (T20-7 #3, Assumption G)
Step 6 of procedure 4
Errors of Commission:
Select wrong control when it is cissimilar to adjacent controls:
negligible (Table 20-17, #1 A (Item 1 A has been added by Swain since NUREG/CR-1278))
The RHR trains are delineated, the ammeter is directly above the control, and no similar 2"uneters are on the East RHR panel.
3.3-6 l
i 6d open recirc sumo to East RHR/ CTS oumo valve Errors of Omission:
Omit step:
1.3E-03 (T20-7 #3, Assumption G)
Step 6 of procedure i
l Errors of Commission:
Select wrong control when it is dissimilar to adjacent controls:
negligible (Table 20-12, #1A (Item 1A has been added by Swain since NUREG/CR-1278))
This control is different from adjacent controls because it is metal and has c key in it.
Total error probability for Steos 6b & d:
1.3E-03 + 1.3E-03 = 2.6E-03 Start East RHR PP 6e Erron of Omission:
Omit step:
1.3E-03 (T20-7 #3, Assumption G)
Step 6 of procedure Errors of Commission:
negligible, see Errors of Commission for Step 6b 6[
Open CCP suction from East RHR HX valve Errors of Omission:
Omit step:
1.3E-03 (T20-7 #3, Assumption G)
Step 6 of procedure Errors of Conunission:
Select wrong control on panel from array of similar appearing controls:
3.3-7
i r
1.3E-03 (T20-12 #3)
It is clearly labeled on the boric acid charging and letdown panel. It is at the bottom left of the panel.
l i
3.3.10 Calculation of Total Human Error Probability for Failure to Switchover to HPR The cognitive and execution error probabilities were calculated in sections 3.3.8 and 3.3.9 to be:
I pc'(HPRA) = 1.5E-04 pe(steps 4a&c) = 2.6E-03 (without stress, dependence or recovery) pe(step 4d) = 1.3E-03 (without stress, dependence or recovery) pe(step 5) = 2.6E-03 (without stress, dependence or recovery) pe(steps 6 bad) = 2.6E-03 (without stress, dependence or recovery) pe(step 6e) = 1.3E-03 (without stress, dependence or recovery) pe(step 6f) = 2.6E-03 (without stress, dependence or recovery)
In order for alignment of the east RHR train (step 6) to recover for an error in aligning the west train (step 4), the operators must recognize that there is not adequate flow from the west RHR pump train before aligning the high head pumps (step 5). The high head pumps are expected to fail quickly without a suction source (per operator interviews). A high level of dependence is assumed, therefore, for the operators recognizing that there is a problem with the east RHR train before they align the high head pumps in step 5. This was modelled by a high dependence failure of noticing failed step 4, so performing step 6 before step 5 (i.e.,
human error probability = 0.5). A high level of dependence is conservative, however, as the operator and unit supervisor will be watching pump amperes when suction sources are closed (e.g., for the high head pumps) and when the RHR pumps are started (per operator interviews). The ammeters are right above the pump controls in the control room. Also, the unit supervisor watches what the operator is doing, and waits for completion of one step before moving on to another (which can be significant, as it takes about 30 seconds for the RWST suction valves to close).
A moderate level of dependence was assumed between failure of step 4 and the initial tasks in step 6. Although steps 4 and 6 are similar, they are different procedure steps, on different pages, and unless the operators realize they failed step 4, step 5 will be performed between j
them. An extremely high level of stress is assigned to all step 6 actions, though, as these actions are only critical if the operators failed in step 4.
Per operator interviews, a minimum of two people will be watching the unit supervisor and operator go through the switchover using a copy of the procedure. Whenever switchover is occurring, it is top priority, and almost everything else has come to a stop. The STA does not want to get in the way, so he will be going through the procedure and watching what is going on, as well as the extra unit supervisor. The unit supervisor is not interrupted during switchover, therefore, the extra unit supervisor will be free to watch the switchover. Several more people may also be watching, but this is conservatively not credited. If it is under an hour after event initiation, the shift supervisor may still be busy with his E-plan duties. The assistant shift supervisor may be busy in his role as contingency director, and the BOPO nuy not be paying close enough attention to catch a mistake.
3.3-8 1
.. ~. - ~.
i Only one recovery was given to the extra unit supervisor and STA. A low level of dependence was assumed between them and the unit supervisor and RxO because they are not interacting at all with the US and RxO; they are standing back and fulfilling a supervisory type role. This combined effort was equated to that of the shift supervisor in Table 20-4, Reference 2.
~
Per table 20-16, HEPs should be muitiplied by two for moderately high stress for step-by-step i
tasks, and by 5 for extremely high stress for step-by-step tasks. Per Table 20-17, if the basic human error probability (BHEP) is greater than.01, the equations to use for low, moderate, and high dependence are: (1+19N)/20, (1+6N)/7, and (1+N)/2, respectively. Per Table 20-21, if the BHEP is less than or equal to.01, HEPs of.05,.15 and.5 should be used for low, moderate, and high dependence, respectively.
Recovery due to extra unit supervisor and STA following procedure and actions = 0.05 l
These parameters and assumptions are used below to determine the total human error probability for failure to switchover for high pressure recirculation under different conditions.
HPRA: Switchover to high oressure recirculation upon a small LOCA and successful AFW (AF4)
(CSI status is not addressed. If CSI failed, operators would have even more time to perform HPR, and it would not be required until much later into the event. The corresponding decrease in stress would be negated by the added stress the operators experience if they notice CSI has failed.)
j A moderately high level of stress was assumed for steps 4 and 5. This is a procedure that is well known and practiced by the operators, and they are not concentrating on doing anything I
else during this procedure, as it takes top priority, pc'(HPRA) = 1.5E-04 (HPRA-LPR-CSRHE) pe'(steps 4a&c) = 2.6E-03
- 2 = 5.2E-03 (REC--4A&C-MHHE) pe'(step 4d) = 1.3E-03
- 2 = 2.6E-03 (REC----4D-MHHE) pe'(step 5) = 2.6E-03
- 2 = 5.2E-03 (REC----S-MHHE) pe'(steps 6b&d) = 2.6E-03
- 5 with MD (REC--6B&D-EHHE-M)
= (1 + 6*1.3E-02)/7 = 1.5E-01 pe'(step 6e) = 1.3E-03
- 5 = 6.5E-03 (REC-6E-EHHE) pe'(step 6f) = 2.6E-03
- 5 = 1.3E-02 (REC--6F-EHHE) pe'(recognize to do step 6 before step 5) = HD = 0.5 (REC-6 THENS-HE-H)
Recovery, execution errors (extra US and STA) = 0.05 (REC-US-STA--HE-L)
The total human error probability (THEP) for failing to switchover to high pressure recirculation upon a small LOCA and successful AFW (AFW) is calculated as shown in fault tree HPRl:
THEP(HPRA) = pc' + [pe'(step 4)
- pe'(step 6) + pe'(step 5)]
- recovery (extra US or STA) 3.3-9
J THEP(HPRA) = 1.5E-04 + [(5.2E-03 + 2.6E-03) * (0.5 + 1.4E-01 + 6.5E-03 + 1.3E-02)
+ 5.2E-03)
- 5.0E-02 THEP(HPRA) = 6.7E-04 i
HERB: Switchover to high pressure recirculation upon a small LOCA. failure of AFW (AF4). and success of orimary bleed and feed (PBF1)
(CSI status is not addressed. If CSI failed, operators would have even more time to perform HPR, and it would not be required until much later into the event. The corresponding decrease in stress would be negated by the added stress the operators experience if they notice I
CSI has failed.)
For this scenario, the operators will transition from Step 18 of E-0 to FR-H.1 to complete PBF. Due to adverse containment conditions, the operators will immediately go to step 18 of FR-H.l. They should still be in FR-H.1 when RWST level reaches 32% ' The caution statement after step 25 of FR-H.1 will be their cue to monitor the RWST level, with cognitive recovery provided by the alarm. It is assumed that the RxO monitoring the RWST level will have a high work load, as they will be busy with PBF and subsequent actions in FR-H.l.
The only change in pc' from pc'(HPRA) will be to tree b. The new end path will be I due to the higli work load, which is not recovered.
pc'(HPRB) = 7.5E-04 + 3.0E-07 pc'(HPRB) = 7.5E-04 (HPRB LPR-CSRHE)
The extremely high level of stress from primary bleed and feed is conservatively assumed to still exist. Otherwise, the actions have the same failure probabilities as HPRA.
pe'(steps 4a&c) = 2.6E-03
- 5 = 1.3E-02 (REC--4A&C-EHHE) pe'(step 4d) = 1.3E-03
- 5 = 6.5E-03 (REC iD-EHHE) pe'(step 5) = 2.6E-03
- 5 = 1.3E-02 (REC--5-EHHE) pe'(steps 6b&d) = 2.6E-03
- 5 with MD (REC-6B&D-EHHE-M)
= (1 + 6*l.3E-02)/7 = 1.5E-01 pe'(step 6e) = 1.3E-03
- 5 = 6.5E-03 (REC-6E-EHHE) pe'(step 6f) = 2.6E-03
- 5 = 1.3E-02 (REC-6F-EHHE) pe'(recognize to do step 6 before step 5) = HD = 0.5 (REC-6 THENS-HE-H)
Recovery, execution errors (extra US and STA) = 0.05 (REC-US-STA-HE-L)
The total human error probability (THEP) for failing to switchover to high pressure recirculation upon a small LOCA, failure of AFW (AF4), and success of PBF is calculated as shown in fault tree HPR2:
THEP(HPRB) = pc' + [pe'(step 4)
- pe'(step 6) + pe'(step 5)]
- recovery (extra US or STA)
THEP(HPRB) = 7.5E-04 + [(1.3E-02 + 6.5E-03) * (0.5 + 1.4E-01 + 6.5E-03 + 1.3E-02)
+ 1.3E-02]
- 5.0E-02 THEP(HPRB) = 2.0E-03 3.3-10
l HPRC: Switchover to high oressure recirculation upon a medium LOCA and successful j'
AFW (AF4) j j
(CSI status is not addressed. If CSI failed, operators would have even more time to perform 1
HPR, and it would not be required until much later into the event. The corresponding 1'
decrease in stress would be negated by the added stress the operators experience if they notice i
CSI has failed.)
{
This is the exact same scenario as HPRA, except for the size of the LOCA. For this event, 4
however, this difference in LOCA size is irrelevani, as the timing and flow through the j
procedures should be the same.
The total human error probability (THEP) for failing to switchover to high pressure recirculation upon a medium LOCA and successful AFW (AFW) is the same as HPRA:
THEP(HPRC) = THEP(HPRA) = 6.7E-04 l
HPRD. Switchover to 1.igh pressure recirculation after a transient with steam conversion systems available (TRA), followed by loss of auxiliary feedwater (AF1), a loss of alternate secondary cooling sources (AFW from the other Unit and main feedwater-MF1, and SG depressurization combined with condensate-OAS), and success of primary feed and bleed (PBT). In this scenario, the operator initiates a LOCA when primary feed and bleed is i
started. Because of this, switchover to recirculation will occur approximately 30 minutes aflg i
j Containment Spray Injection actuates. Containment Spray Injection actuates a short time after
]
the rupture disk on the prLnary pressure relief tank blows out. This timing is similar to the development in the small LOCA event tree (SLO) on the path where high pressure injection (HP2) succeeds and auxiliary feedwater (AF4) succeeds, leading to high pressure recirculation l
about a half hour later. Thus, equation HPRD equals HPRA, and fault tree HPRI is used.
l i;'
For the branch where primary bleed and feed succeeds, but containment spray injection fails, HPRD is also assigned because the development is similar to that described above, only the containment spray injection fails to actuate extending the timing.
i j
HPRE Switchover to high pressure recirculation after a transient with failure of steam j
conversion systems (TRS), followed by loss of auxiliary feedwater (AF1), and success of primary feed and bleed (PBT). In this scenario, the operator initiates a LOCA when primary feed and bleed is started. Because of this, switchover to recirculation will occur approximately 30 minutes aftg Containment Spray Injection actuates. Containment Spray Injection actuates a short time after the rupture disk on the primary pressure relief tank blows out. This timing is similar to the development in the small LOCA event tree (SLO) on the path where high pressure injection (HP2) succeeds and auxiliary feedwater (AF4) succeeds, leading to high pressure recirculation about a half hour later. Thus, equation HPRE equals HPRA, and fault tree HPRI is used.
For the branch where primary bleed and feed succeeds, but containment spray injection fails, 4
IIPRE is also assigned because the development is similar to that described above, only the containment spray injection fails to actuate extending the timing.
l i
3.3-11 i
s
op w
-4
+3ru-st M+---
.+-wT!
-$m?
is'-'-'=
1 l
HPRF: Switchover to high pressure recirculation after a large steam /feedwater line break j
(SLB), followed by successful high pressure injection (HP3) and successful isolation of the I
faulted SG (MSI) but loss of auxiliary feedwater (AFS), countered by success of primary feed -
{
and bleed (PBS). In this scenario, the operator initiates a LOCA when primary feed and i
bleed is started. Because of this, switchover to recirculation will occur approximately 30 i
' minutes 3Rgr Containment Spray Injection actuates. Containment Spray Injection actuates a short time after the rupture disk on the primary pressure relief tank blows out. This timing is similar to the development in the small LOCA event tree (SLO) on the path where high
(
pressure injection (HP2) succeeds and auxiliary feedwater (AF4) succeeds, leading to high pressure recirculation about a half hour later. Thus, equation HPRF equals HPRA, and fault t-
}
tree HPRI is used, For the branch where primary bleed and feed succeeds, but containment spray injection fails, l-HPRF is also assigned because the development is similar to that described above, only the containment spray injection fails to actuate extending the timing.
[
HPRG: Switchover to high pressure recirculation after a transient loss of offsite power i
j-(LSP), followed by loss of auxiliary feedwater (AF1), and success of primary feed and bieed (PBL). In this scenario, the operator initiates a LOCA when primary feed and bleed is started. Because of this, switchover to recirculation will occur approximately 30 minutes aficI j
Containment Spray Injection actuates. Containment Spray Injection actuates a short time after the rupture disk on the primary pressure relief tank blows out. This timing is similar to the development in the small LOCA event tree (SLO) on the path where high pressure injection (HP2) succeedt and auxiliary feedwater (AF4) succeeds, leading to high pressure recirculation about a half hour later. However, there may be one train equipment unavailable depending 1
on the diesel generator (DG) response. If two diesel generators succeed, then HPR equals j
HPRA. If only one diesel generator succeeds, then HPR equals HPRA (in timing) but with only one train available. Although the case for the two DG success is more likely (~95%),
the case of success of only one DG (~5%) leads to more restrictive modeling and has conservatively been applied. Thus, equation HPRG equals HPRA Steps 4 and 5, as calculated in fault tree HPR4.
l For the branch where primary bleed and feed succeeds, but containment spray injection fails, HPRG is also assigned because the development is similar to that described above, only the containment spray injection fails to actuate extending the timing.
HPRH: Switchover to high pressure recirculation after a steam generator tube rupture (SGR),
followed by loss of all auxiliary feedwater (AF2 and AF3), and success of primary feed and bleed (PBG). In this scenario, the operator initiates a LOCA inside of containment when primary feed and bleed is started. Because of this, switchover to recirculation will occur approximately 30 minutes afifI Containment Spray Injection actuates. Containment Spray Injection actuates a short time after the rupture disk on the primary pressure relief tank blows out. This timing is similar to the development in the small LOCA event tree (SLO) on the path where high pressure injection (HP2) succeeds and auxiliary feedwater (AF4) succeeds, leading to high pressure recirculation about a half hour later. Thus, HPRH equals HPRA, and fault tree HPRI is used.
3.3-12
HPRS: Switchover to high oressure recirculation uoon a SBO and success of AFT. success or failure of RCC. success of AFC. XHR. CNU. RRI. and AFl. and success or failure of CSI Dependency upon CSI failure is not evaluated, because THEP for CSI is mostly due to errors of omission, which are independent for steps on different pages, with the remainder due to cognitive failures. If the operators failed to actuate CSI, switchover to recirculation is not necessary for 1.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> after this CSI failure. In this time, there are no other system failures.
This amount of time, with no other major operator tasks, negates any cognitive dependency.
Early failure of RCS cooldown (RCC) is not addressed separately, as this action was performed several hours earlier (long before power restoration), errors of commission were due to the AEO (who will not be involved in HPR), and there have been numerous successes since this time. This early failure should not cause a higher level of stress at this time. RCC failure just mandated cadier power restoration, which was successful.
Per the Event Tree Notebook (Reference 1), with the containment spray and high head ECCS pumps injecting, there is 17 minutes available for switchover, and switchover will not be -
required until at least 30 minutes following completion RRI and CSI.
For this scenario, everything has been successful following power restoration, and at least 30 1
minutes have elapsed since operators finished RRI and CSI. Power has been back for an hour, and things are under control. The operators will transfer to E-1 (LOSS OF REACTOR OR SECONDARY COOLANT) at the end of ECA-0.2 (i.e., step 14).
The cue for the operators to monitor RWST level will be Step 15 of E-1. A low work load can be assumed at this time and recovery with the alarm can also be credited. This results in a value for pc' equal to that for HPRA. (The end state for tree e is all that changes (from b to c), but the value remains the same (3.0E-03).)
pc'(HPRS) = pc'(HPRA)
As things are under control, recovery due to the extra US/STA can be credited.
Therefore, the total human error probability for failing to switchover to high pressure recirculation upon a SBO and success of AFT, success or failure of RCC, success of AFC, XHR, CNU, RRI, and AF1, and success or failure of CSI is the same as that from HPRA.
THEP(HPRS) = THEP(HPRA)
Fault tree HPR1 is used.
HPRT: Switchover to high oressure recirculation uoon a SBO and success of AFT. success or failure of RCC. success of AFC. XHR. CNU. and RRI. failure of AFl. success of PBB.
and success or failure of CSI Although the event tree displays PBB occurring before CSI, the operators must complete CSI before they transfer to any FRPs (i.e., PBF). Therefore, as these paths include success of PBF, there is no dependence to consider.
3.3-13
i Failure of the containment spray system is not addressed separately. If CTS failed, operators would have even more time to perform HPR, and it would not be required until much later into the event (i.e.,2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> following power recovery). The corresponding decrease in stress j
would be negated by the added stress the operators experience if they notice CTS has failed.
Early failure of RCS cooldown (RCC) is not addressed separately, as this action was performed several hours earlier (long before power restoration), errors of commission'were j
due to the AEO (who will not be involved in HPR), and there have been numerous successes since this time. This early failure should not cause a higher level of stress at this time. RCC 4
failure just mandated earlier power restoration, which was successful.
For this scenario, the operators will transition to FR-H.1 following completion of Step 10 of ECA-0.2. For hydrogen control, the operators may transfer to FR-Z.1 (per caution statement before step 27 of FR-H.1) and then retum e FR-H.1. Eventually, the operators will leave i
FR-H.1 to transfer E-1 or to switchover to recirculation (ES-1.3). The caution statement in
)
FR-H.1 (before step 26) should be their cue to monitor RWST level, with cognitive recovery provided by the alarm. It is assumed that the operator monitoring RWST level will have a high work load, as they will be busy with FR-H.1 and FR-Z.1. This results in a pc' equal to that for HPRB:
pc'(HPRT) = pc'(HPRB)
The extremely high level of stress from primary bleed and feed is conservatively assumed to still exist, i
Therefore, the THEP for failing to switchover to high pressure recirculation upon a SBO and success of AFT, success or failure of RCC, success of AFC, XHR, CNU, and RRI, and i
failure of AF1, success of PBB, and success or failure of CSI is the same as HPRB.
THEP(HPRT) = THEP(HPRB)
Fault tree HPR2 is used.
HPRU: Switchover to hiah oressure recirculation uoon a SBO. success of AFT. Success or failure of RCC. failure of AFC. success of XHR and CNU. success of PBB. and succes or failure of CSI See writeup for HPRT. Fault tree HPR2 is used.
This is the same scenario as described in HPRT. AFW has been lost (worse case scenario) for a couple hours before power recovery, and PBB must be initiated right after completion of CSI (i.e., step 10 of ECA-0.2).
Early failure of RCS cooldown (RCC) is not addressed separately, as this action was performed several hours earlier (long before power restoration), errors of conunission were due to the AEO (who will not be involved in HPR), and there have been numerous successes since this time. This early failure should not cause a higher level of stress at this time. RCC failure just mandated earlier power restoration, which was successful.
3.3-14
s 4
HPRV: Switchover to hiah oressure recirculation uoon a SBO. failure of AFT. sucess of XHR and CNU. success of PBB. and success or failure of CSI Although the event tree displays PBB occurring before CSI, the operators must complete CSI before they transfer to any FRPs (i.e., PBF). Therefore, as this path includes success of PBF, there is no dependence to consider.
Failure of the containment spray system is not addressed separately. If CTS failed, operators would have even more time to perform HPR, and it would not be required until much later into the event (i.e.,2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> following power recovery). The corresponding decrease in stress would be negated by the added stress the operators experience if they notice CTS has failed.
An extemely high level of stress is assumed, as a blackout with failure of the TDAFP is a severe incident for the operators, and switchover is required fairly early in the accident (about 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> from loss of power). (This level of stress is also assumed because it follows PBB.)
As described in HPRT, a high work load is assumed for the RxO for calculation of pc'.
Therefore, the THEP for failing to switchover to high pressure recirculation upon a SBO, failure of AFT, success of XHR and CNU, success of PBB, and success or failure of CSI is the same as HPRT.
THEP(HPRV) = THEP(HPRT) = THEP(HPRB)
Fault tree HPR2 is used.
HPRW: Switchover to high oressure recirculation upon a loss of CCW or ESW and succes of RCP and RR2 (CSI status is not addressed. If CSI failed, operators would have even more time to perform HPR, and it would not be required until much later into the event. The corresponding decrease in stress would be negated by the added stress the operators experience if they retice CSI has failed.)
HPR will not be required until very late into the event. Since the RCPs were tripped, seal failure is not actually expected until an hour or two into the event (see RCP, Section 3.25.2),
at which time the containment sprays will be actuated. With both containment spray pumps operating, it takes at least 35 more minutes to reach the RWST low level. A charging pump is started (i.e., RR2A) within 30 minutes of the restoration of CCW/ESW. As a result, HPR is expected after a charging pump has been started in RR2A.
At this point, things are well under control. The small LOCA through the seals is under control and CCW/ESW has been restored. A low work load is considered for the operators by the time HPR is needed. The operators will probably still be in OHP 4022.016.004 when HPR is required, since they will not leave it until after the RCS is cooled and depressurized enough to start RHR. There is not a procedure step to warn the operators to monitor RWST level, but the operators know to monitor this. Only cognitive tree b applies (data not attended
'to) to this situation. End path I from tree b results in a cognitive value of 7 5E-04. No recovery is applied to this value. (Note: the path for high work load was conservatively followed, so this cognitive failure probability can be used for other scenarios.)
3.3-15
1 pc(HPRW) = 7.5E-04 (HPRW-CSR-COGHE)
It is assumed that only one train of CCW/ESW has been restored, so HPR recovery with the second train is not credible. The operators will go to Attachment A or B of ES-1.3 via step 2 or 3, since both trains of RHR/CCW are not available. The steps in these attachments are i
similar to the main procedure, except they will align the high head pumps to the one available train of RHR. The critical actions are still the same, with only the step numbers being different. Therefore, for simplicity, the same identifiers are used as before. (Steps 2 and 3 do not need to be evaluated because the operators would be well aware that both trains are not available, and an EOM of step 2 would be recovered by step 3 (as they are on different pages).) Due to the low work load and since things are under control, recovery with the extra US or STA is warranted.
pc(HPRW) = 7.5E-04 (HPRW-CSR-COGHE) pe'(steps 4a&c) = 2.6E-03
- 2 = 5.2E-03 (REC--4A&C-MHHE) pe'(step 4d) = 1.3E-03
- 2 = 2.6E-03 (REC----4D-MHHE) pe'(step 5) = 2.6E-03
- 2 = 5,2E-03 (REC-5-MHHE)
Recovery, execution errors (extra US and STA) = 0.05 (REC-US STA-HE-L)
I The total human error probability for failing to switchover to high pressure recirculation upon a loss of CCW or ESW and success of RCP and RR2 is calculated as shown in fault tree HPR3:
THEP(HPRW) = pc' + [pe'(step 4) + pe*(step 5)]
- recovery (extra US or STA)
THEP(HPRW) = 7.5E-04 + [(5.2E-03 + 2.6E-03) + 5.2E-03]
- 5.0E-02 THEP(HPRW) = 1,4E-03 3.3.11 HPR Fault Trees Summary The basic events and cutsets (with support system failures (i.e., SUBS) set equal to 1.0E-03) for the HPR fault trees are listed below.
3.3-16
Fault tree FIPRI (used for HPRA, HPRC, HPRD, HPRE, HPRF, HPRH, HPRS)
]
VER 1.6 hpr1. cut Ver. 1.71 7/25/95 9:07:40 10 11 1.670E 03 0.000E+00 1.000E 09 4
1 HPRA-LPR-CSRHE 1.5000E 04 0.0000E+00 I
2 REC-US-STA -HE L 5.0000E 02 0.0000E+00 3 REC 4A&C-MHHE 5.2000E 03 0.0000E+00 i
i 4 REC--
40 MHME 2.6000E 03 0.0000E+00 5 REC-- MHHE 5.2000E 03 0.0000E+00 6 REC 6 THENS HE-H 5.0000E 01 0.0000E+00 7 REC--68&D EHHE-M 1.5000E 01 0.0000E+00 8 REC
-6E EHHE 6.5000E 03 0.0000E+00 1
9 REC ---6F-EHHE 1.3000E 02 0.0000E+00 10 SUS HPR 1.0000E-03 0.0000E+00 1.
1.00E-03 1
SUS-HPR l
2.
2.60E-04 2
REC-US STA -HE L REC * --S-MHHE 1
3.
1.50E-04 1
HPRA LPR-CSRHE j
4.
1.30E 04 3
REC-US-STA-HE-L REC--4A&C MHHE REC-6 THENS HE-H l
5.
6.50E-05 3
REC-US-STA-HE-L REC-- -40 MHHE REC-6THEN5 HE-H 6.
3.90E-05 3
REC-US-STA -HE L REC--4A&C MHHE REC-68&D ENHE-M 7.
1.95E 05 3
REC US STA -hE L REC 4D MHHE REC 68&D-EHHE-M 8.
3.38E-06 3
REC US STA--HE-L REC -4A&C-MHHE REC ---6F-ENHE 9.
1.69E 06 3
REC-US-STA HE L REC - 40 MHHE REC --6F-EHHE d
10.
1.69E-06 3
REC US STA--ME L REC--4A&C-MHHE REC 6E-EHHE l
11.
8.45E 07 3
REC-US STA -HE L REC 40 MHHE REC- --6E-ENHE Fault tree HPR2 used for HPRB, HPRT, HPRU, HPRV 4
VER 1.6 i
hpr2. cut Ver. 1.71 7/25/95 9:07:41 10 11 3.049E-03 0.000E+00 1.000E-09 1 HPRB LPR CSRHE 7.5000E 04 0.0000E+00 2 REC-US-STA HE-L 5.0000E 02 0.0000E+00 i
3 REC--4A&C-EHHE 1.3000E-02 0.0000E+00
)
4 ' REC--- 4D-EMME 6.5000E-03 0.0000E+00 j
5 REC--- -5 EHHE 1.3000E-02 0.0000E+00 j
~
6 REC-6THEN5-HE H 5.0000E-01 0.0000E+00 7 REC--68&D EHHE M 1.5000E-01 0.0000E+00 8 REC----6E-EHME 6.5000E-03 0.0000E+00
- 9. REC - -6F-EHHE 1.3000E 02 0.0000E+00 10 Sus HPR 1.0000E 03 0.0000E+00 1.
1.00E-03 1
$U8 HPR 2.
7.50E 04 1
HPRB LPR-CSRHE i
3.
6.50E-04 2
REC-US STA-HE-L REC- ---S-EHHE 4.
3.25E-04 3
REC-US STA HE L REC-4A&C-EHHE REC-6THEN5 HE H 5.
1.63E-04 3
REC-US STA-HE L REC 4D EHHE REC 6 THENS HE H 6.
9.75E 05 3
REC-US-STA--HE L REC-4A&C-EHHE REC 68&D-EHHE M 7.
4.88E-05 3
REC-US STA-HE L REC----4D-EHHE REC--68&D EHHE M i
8.
8.45E-06 3
REC-US STA--HE L REC-4A&C-EHHE REC 6F-EHHE 9.
4.23E 06 3
REC-US STA--HE-L REC ---4D EHHE REC --6F-EHHE 10.
4.23E-06 3
REC-US STA--HE L REC--4A&C-EHHE REC- --6E ENHE 11.
2.11E 06 3
REC-US STA -HE-L REC-- EHHE REC-- -6E EHHE i
3.3-17
Fault tree HPR3 used for HPRW VER 1.6 hpr3. cut Ver. 1.71 7/25/95 9:07:41 6
5 2.398E-03 0.000E+00 1.000E-09 1 SUS HPR 1.0000E 03 0.0000E+00 2 HPRW CSR COGHE 7.5000E-04 0.0000E+00 3 REC-US-51A HE-L 5.0000E-02 0.0000E+00 4 REC -4A&C MMME 5.2000E 03 0.0000E+00 5
REC-- MMME
- 2.6000E 03 0.0000E+00 6 REC--
-5 MHHE 5.2000E 03 0.0000E+00 1.
1.00E 03 1
SUB-HPR 2.
7.50E-04 1
HPRW CSR-COGHE 3.
2.60E-04 2
REC-US-STA--HE-L REC MHME 4.
2.60E-04 2
REC-US-STA -HE-L REC -4A&C MHHE 5.
1.30E-04 2
REC-US-STA-NE-L REC MHHE Fault tree HPR4 used for HPRG VER 1.6 hpr4. cut Ver. 1.71 7/25/95 9:07:42 6
5 1.799E-03 0.000E+00 1.000E-09 1 SUS HPR 1.0000E 03 0.0000E+00 2 HPRA-LPR CSRHE 1.5000E-04 0.0000E+00 3 REC-US STA HE-L 5.0000E-02 0.0000E+00 4 REC 4A&C-MHHE 5.2000E 03 0.0000E+00 5
REC----40 MHHE 2.6000E 03 0.0000E+00 6 REC-MHHE 5.2000E-03 0.0000E+00 1.
1.00E-03 1
Sue HPR 2.
2.60E-04 2
REC-US-STA HE-L REC- ---5 MHHE 3.
2.60E-04 2
REC-US-STA -HE-L REC -4A&C-MMME 4.
1.50E-04 1
HPRA-LPR-CSRHE 5.
1.30E 04 2
REC-US-STA-HE L REC 40 MHHE l
1 3.3-18
TABLE 3.3 CUE TABLE FOR HPR (High Pressure Cold Leg Recirculation)- SLO unemm-imummmmme-DIAGNOSIS -
CUE l SUCCESS LOCATION
- CRITERIA Respond to RWST low Alarm annunciator light Respond to 1 of I Control level alarm alarm room - SPY t
panel i
Monitor RWST level RWST level < 32%
Recognize Control f
symptoms room - SPY requiring paneland transfer to cold BA panel le, recirenistion i
I t
f i
i I
3.3-19 l
1 l
L
L TABLE 3.3. SUBTASK ANALYSIS FOR HPR'
' (High Pressure Coki Leg Recirculation) - MLO, SLO, SGR, TRA, TRS, SLB, LSP, SBO, SSW, CCW PROCEDURE' ACTION '
INDICATION /
LOCATION POTENTIAL -
FEEDBACK ERRORS i
NUMBER STEP.
EOP 1
Reset SI SI status Control Omit action j
ES-lJ, room Rev.2 Select wrong control for SI reset button EOP 4a Stop I of I west RHR pump Pump status Control Omit action ES-lJ, room l
Rev. 2 Select wrong controls for west RHR pump EOP 4b Close 1 of I west RHR pump suction valve Valve position Control Omit actions ES-13, (1-lMO-320) room t
Rev.2 Close 1 of I west RHR pump discharge Select wrong valve crosstic valve (1-lMO-324) controls i
EOP 4c Open 1 of I recire sump valve to west Valve position Control Omit action i
ES-13, RHR pump room Rev. 2 Select wrong controls for recirc sump valve E
3.3-20 I
w
TABLE 3.3 SUEFASK ANALYSIS FOR HPR (Higin Pressure Cold Leg Recirrulation) - MLO, SLO, SGR, TRA, TRS, SLB, LSP, SBO, SSW, ccw l
PROCEDURE ACTION INDICATION /.
LOCATION
. POTENTIAL '.
FEEDBACK -
ERRORS-NUMBER STEP EOP 4d Start 1 of I west RHR pump Pump status Control Omit action i
ES-1.3, room i
Rev.2 Select wrong controls j
for west RHR pump f
EOP Sa, c Reset and close 2 of 2 CCP miniflow Valve switches Control Omit actions ES-1.3, valves room Rev.2 Select wrong controls for CCP miniflow valves t
f EOP Sd Verify 2 of 2 No.7h SI pump isolation Vstve switches Control Omit actions ES-1.3, valves open (1-ICM-260,1-lMO-316) room Rev. 2 Check wrong status j
lights j
EOP 5e Verify 2 of 2 south SI pump isolation Valve switches Control Omit actions ES-1.3, valves open (I-ICM-265,1-lMO-326) room i
Rev.2 Check wrong status lights
(
EOP Sf Close 2 of 2 Si pump discharge crosstic Pump status Control Omit action l
ES-1.3, valves (1-1MO-270,1-1MO-275) room Rev. 2 Select wrong controls j
for crosstie valves 3.3-21
l i
i l
' TABLE 3.3 SUBTASK ANALYSIS FOR HPR (High Pressure Cold Leg Recirculation) - MLO, SLO, SGR,.TRA,.Td, SLB, LSP, SBO, SSW, l
CCW 1
t
. PROCEDURE-MCTION INDICATION /
. LOCATION POTENTIAL l
FEEDBACK
. ERRORS f
NUMBER STEP l
EOP Sh Close 2 of 2 SI pump recirculation valves Valve switches Control Omit actions l
ES-1.3, to RWST (1-IMO-262,1-IMO-263) room Rev. 2 Select wrong controls for SI pump recire valves EOP Si Open 1 of 1 SI pump suction valve from Valve switches Control Om't actions
[
ES-1.3, west RilR III (1-lMO-350) room Rev.2 Select wrong controls for SI pump suction l
valve
{
EOP Sj Open 2 of 2 SI pump suction crosstie Valve switches Control Omit actions ES-1.3, valves to CCP (1-lMO-361,1-lMO-362) room Rev. 2 Select wrong controls for SI pump suction valves EOP 51 Close 1 of I SI pump suction valve from Valve switch Control Omit action ES-1.3, RWST (1-lMO-261) room l
Rev. 2 Select wrong controls
[
for SI pump suction l
valve
[
f 3.3-22 i
i I
i
i t
I TABLE 3.3-21-:' SUBTASK ANALYSIS FOR HPR'-
t (H.igh Puissure Cold Leg Recirculation) - MLO, SLO, SG.R, TRA, TRS, SLB, LSP, SBO, SSW, t
i l
l
! INDICATION /.
h
+
. PROCEDURE
.- ACTION LOCATION
,l fU(ENTIAL =
l i
FEEDBACK
-ERRORS' l
NUMBER
-STEP
[
l l
EOP Sm Close 2 of 2 CCP suction valves from Valve switches Control Omit 1 of 2 actions l
ES-13, RWST (1-IMO-910, I-IMO-911) room Rev.2 Select wrong controls i
for CCP suction i
valves i
EOP Sn Verify 1 of 2 CCPs running in recire mode Pump status Control Omit 2 of 2 actions
(
ES-13, room Rev.2 Select wrong controls for CCPs i
EOP So Verify I of 2 SI pumps running in recire Pump status Control Omit 2 of 2 actions i
l j
ES-13, mode room Rev.2 Select wrong controls i
for SI pump l
EOP 6b Stop 1 of I cast RHR pump Pump status Control Omit action I
ES-13, room i
Rev. 2 Select wrong contmis l
i for cast RHR pump
{
l l
i I
l
\\
l l
3.3-23 f
TABLE 3.3 SUBTASK ANALYSIS FOR HPR (High Pressure Cokl Leg Recirentation) - MLO, SLO, SGR, TRA, TRS, SLB, LSP, SBO, SSW, CCW j
PROCEDURE ACTION INDICATION /
LOCATION POTENTIAL
' FEEDBACK ERRORS NUMBER STEP y EOP 6e Close I of I east RHR pump suction valve Valve position Control Omit actions ES-13, (i-lMO-310) room
" E **
- Close 1 of I cast RHR pump discharge crosstic valve (1-lMO-314)
EOP 6d Open 1 of I recirc sump valve to east Valve position Control Omit action ES-13, RHR/ CTS pump (1-ICM-305) room Rev.2 Select wrong controls for recire sump valve EOP 6e Start I of I cast RHR pump Pump status Centrol Omit action ES-13, room Rev.2 Select wrong controls
,l for east RHR pump EOP 6f Open I of I CCP suction valve from east Valve position Control Omit action ES-13, RHR Hz (1-lMO-340) room Rev. 2 Select wrong controls for CCP suction valve 3.3-24
1 TABLE 3.3-3 WORKSHEET FOR CALCULATION OF pc Scenario:
Small LOCA with success of ECCS hich oressure iniection (HP2).
success of RCS cooldown usine AFW (AF4). and success of containment sorav iniection (CSI)
HI:
HPR - Switchover to hich pressure cold lec recirculation Cue (s):
RWST at low level (alarm)
Duration of time window available for action (Tg):
340 Seconds.
17 min - 680 see - 340 see (per Reference 26, actions take 680 sec)
Approximate start time for T :
30 min W
Procedure and step governing HI: _ Caution statement at becinnine of ES-1.2 A.
Initial Estimate of pc pc Failure Mechanism Branch HEP pe : Availability of information
_ pfb._.
nec.
a pc :
Failure of attention d
1.5E It b
The Rx0 should not have much distracting him at this point following a small LOCA (per operator interviews).
pe : Misread /miscommunicate data n/a n/a c
no data communicated - just instruction to watch level ped:
Information mislecding a
ner.
pce:
Skip a step in procedure b
3.0E-3 Caution statement is italicized and in all CAPS.
pcf: Misinterpret instruction a
nec.
peg: }".sinterpret decision logic k
net.
h pe : Deliberate violation a
net.
Sum of pca through peh - Initial pc 3.1E-3 Total reduction in Tg -
min.
Effective Tg min.
Check here if recovery credit claimed on page 2:
xx Notes:
There are two RWST level indicators for the operators to use. a chart recorder and an indicator that is very easy to read.
3.3-25 i
TABLE 3.3-4 WORKSHEET FOR CALCULATION OF pc RECOVERY FACTORS Scenario:
Small LOCA with success of ECCS high oressure iniection (HP2).
success of RCS cooldown usine AFW (AF4). and success of containment sorav iniection (CSI)
HI:
HPR - Switchover to high pressure cold ler recirculation B.
Recovery Factors Identified:
Alarm at low RWST level (did not credit this for b. because credit for alarm already in tree C.
Recovery Factors Applied to pc pc Failure Initial Multiply Final Mechanism HEP Recovery Factor bv Value Pea pcb 1.5E-4 1.5E-4 Pcc Pcd pee 3.0E-03 alarm T20-23(1)
.0001 3.0E-7 This is probably the only alarm going off, and at time much later than the initial alarms, so it will get more attention. Also, this red dot alarm is trained on as a high priority alarm.
Pcf Pc8 Pch Sum of recovered pca through pch - Recovered pc 1.5E-4 Time at which all recovery factors effective t-30 min i
3.3-26
3.5 QLl_- DEPRESSURIZATION TO ALLOW LOW PRESSURE INJECTION 3.5.1 Aeolication Medium LOCA (MLO) with failure of high pressure injection (HP2) - OLIA (JMR) 3.5.2 Descriotion Following the occurrence of a medium LOCA, if the high head pumps fail to start or fail to provide adequate cooling (HP2), the operators, by following emergency operating procedures, would be directed to depressurize the primary system to below the shutoff head of the RHR pumps to allow the RHR pumps to inject water to the core. The most effective means to perform this action is a rapid secondary depressurization (Reference 4a). If the RCPs are not all running, other actions include starting RCPs to provide forced two-phase flow through the core and/or opening the pressurizer PORVs to depressurize the RCS.
3.5.3 $_uccess Criteria and Timing Analysis
(
Success of this event requires 450 gpm (240x10 PPH per EOPs) of AFW flow for the 3
l duration of the accident. Success criteria of improved core cooling and increasing vessel inventory is achieved by actions of dumping steam from at least two of four steam generators and/or at least two of three pressurizer PORVs. These actions will allow for the start (or verify running) of at least one of two RHR pumps.
l The MLO Event Tree description in the Event Tree Notebook provides a detailed description of the timing analysis assumed for meeting the success criteria of this event. The success criteria is based on the identification of inadequate core cooling (ICC) symptoms (high core exit TC indication) at around 30 minutes following MLO event initiation (Reference 25, MLO-35 example). Upon identification of ICC symptoms, the operators should be ready to perform the rapid cooldown with little time delay and then perform the remaining actions.
Operator actions are provided in EOP FR-C.1.
3.5.4 Procedures The Emergency Operating Procedure used to perform this task is FR-C.1, RESPONSE TO INADEQUATE CORE COOLING, Rev. 4.
FR-C.1 is entered from F-0.2, Core COOLING Critical Safety Function Status Tree on a RED condition.
For this event, entry into FR-C.1 will occur from the STA recognizing the red path from F-0.2. Operators will review the red path summary from the foldout pages when they transfer to E-1 from step 25 of E-0 and when they transfer to ES-1.2 from step 14 of E-1, but this is conservatively not credited.
3.5.5 Critical And Recovery Actions The following are the primary tasks which must be completed for success of the MLO event tree OLI top event:
1.
Recognize core exit TC indications greater than 1200*F on the F-0.2, CORE 3.5-1
1 i
COOLING Critical Safety Function Status Tree or on the red path summary (Item 2b on foldout) (cognitive) 2.
Start RHR pumps (Step 5 of FR-C.1) (Per operator interviews, the RHR pumps will probably still be running, but starting them is conservatively modelled.)
i 3.
Initiate RCS cooldown at maximum rate using SG steam relief valves (conservatively not taking credit for condenser steam dump) (Step 13 of FR-C.1) 1 See Table 3.5-1, Cue Table for OLI for identification of symptoms for OLI actions See Table 3.5-2, Subtask Analysis For OLI for identification of critical or relevant recovery actions for OLI.
3.5.6 Assumptions This action will be required at about the same time that switchover to recirculation will be required. Many factors influence which will come first, therefore, it is conservatively assumed that OLI precedes LPR and CSR. (This is conservative because OLI has a much higher THEP than LPR or CSR.)
3.5.7 Sinnificant Ooerator Interview Findings 1.
The STA will monitor the core exit thermocouple temperatures using the plant process computer, unless conditions are abnormal, upon which they will also monitor indication on the control room back panels.
2.
The RCPs would be running when the operators reach step 12 of FR-C.I. (They will only stop the RCPs upon a medium LOCA if RCS pressure is less than 1250 psig and high head injection is available.) Since the pumps are already running when they reach this step (" Check if RCPs Should Be Started"), they will go on to step 13.
Therefore, they will not open the pressurizer PORVs (RNO column for step 12).
3.
The RHR pumps will probably still be running when the operators enter FR-C.I.
3.5.8 Calculation of Cognitive Error A cognitive model was used to address diagnosis type errors (Reference 21). Table 3.5-3 contains the calculation of the cognitive human error probability, pc, that the STA fails to recognize the red path core cooling conditions. Pc was calculated in Table 3.5-3 to be 6.0E-
- 03. Recovery was not applied to this value.
3.5.9 Calculation of Execution Error For the calculation of execution errors, the tables from Chapter 20 of Reference 2 were used.
(T20-x refers to Table 20-x of Reference 2.) The critical actions identified in Table 3.5-2 were reviewed to determine the dominant critical actions to be quantified. Critical actions are not dominant if they are recovered by other proceduw steps or if they follow a mechanical failure because the human error probability would be multiplied by another human error probability or a mechanical failure probability. Attachment OLI is a copy of the relevant portion of FR-H.1, with dominant critical steps circled. The reasons why the other critical J
steps (identified in Table 3.5-2) are not dominant are also included.
3.5-2 J
._.._.._-_..-___m
-___m Sten 13. Initiate RCS Cooldown to 200"F:
Dh Manually dumo steam from intact SG(s) usina steam relief valves Errors of Omission:
Omit step /page:
4.2E-03 (T20-7 #4, Assumption G)
Step 13 of procedure Errors of Commluion:
Select wrong control when it is dissimilar to adjacent controls:
1.3E-03 (Table 20-12, #3)
The level and relief valve controls for the steam generators are well marked and different from adjacent controls on the steam generator panels. The only truly credible failure would be selecting the level control rather than the relief control.
3.5.10 Calculation of Total Human Error Probability for Failure to Deoressurize (OLI)
The cognitive and execution error probabilities were calculated in sections 3.5.8 and 3.5.9 to be i
pc'(OLIA) = 6.0E-03 pe(OLI) = 5.5E-03 (without stress or dependence)
OLIA: Deoressurize and Start RHR following a medium LOCA An extremely high level of stress is assumed for red path recoveries. Per table 20-16, HEPs should be multiplied by two for moderately high stress for step-by-step tasks, and by 5 for extremely high stress for step-by-step tasks.
pc'(OLIA) = 6.0E-03 (OLI-COG-HE) pe'(OLIA) = 5.5E-03
- 5 = 2.8E-02 (OL1--13B-EHHE) j l
The total human error probability (THEP) for failing to depressurize following a medium LOCA and failure of high pressure injection is:
THEP(OLIA) = pc' + pe' THEP(OLIA) = 6.0E43 + 2.8E-02 = 3.4E-02 The corresponding fault tree is OLII.
3.5-3 i
3.5.11 OLI Fault Trees Summary The basic events and cutsets (with support system failures (i.e., SUBS) set equal to 1.0E-03) for the OLI fault tree are listed below.
Fault Tree OLil used for OLIA VER 1.6 oll1. cut ver. 1.71 7/25/95 9:07:00 2
2 3.383E 02 0.000E+00 1.000E 08 1 OLI -
COG-NE 6.0000E 03 0.0000E+00 2 OLI 138 EMME 2.8000E 02 0.0000E+00 1.
2.80E-02 1
OLI - 138 ENHE 2.
6.00E-03 1
OLI - COG NE l
1 I
1 3.5-4
i I
i t
i TABLE 3.5 CUE TABLE FOR OLI (Depmserization sad Lew Pressure lajection) - MLO
[
l
{
DIAGNOSIS CUE
~ SUCCESS LOCATION J
CRITERIA -
l Identify symptoms of Core exit temperature > 1200*F -
Recognize red Control room inadequate core cooling RED path path for core exit on foldout page or on F-temperature >
f 0.2, Core Cooling Status 1200*F, and l
Tree transfer to I
FR-C.I
[
l i
I i
l i
l
[
r i
1 I
l 3.5-5 i
i
?
~
i
}
i i
f I
TABLE 3.5 SUBTASK ANALYSIS FOR OLI-l (Depressurization and Low Pressure Injection) - MID PROCEDURE ACTION
' INDICATION /
LOCATION POTENTIAL f
FEEDBACK ERRORS NUMBER STEP.
EOP Sa Start RHR pumps pump status Control Omit action FR-C.1, (RNO) room Rev. 4 Select wrong controls f
for RHR pumps i
EOP 13b Dump steam at maximum rate using SG steam relief Control Omit actions j
FR-C.1, (RNO) steam relief valves valve position rmom i
Select wrong controls f
Rev. 4 indication for steam relief valves l
I i
I I
f i
l 3.5-6 l
s
TABLE 3.5-3 WORKSHEET FOR CALCULATION OF pc Scenario: Medium LOCA with success of accumulators and failure of high oressure iniection HI: OLI - Deoressurization to allow low oressure iniection Cue (s):
Red oath conditions - foldout naze or status tree Duration of time window available for action (Tg):
Seconds.
Approximate start time for T :
15 minutes W
Procedure and step governing HI:
F-0.2 Status Tree Red Path (i.e.
STA)
A.
Initial Estimate of pc pc Failure Mechanism Branch HEP p,
- Availability of information n/a n/a b
pe : Failure of attention e
3.0E-3 (assume low workload for STA)
(per interview, STA will be watching computer screen for core.xit thermocouple temperatures until things look abnormal, then they will check indicator on back panel -- per G. Parry, use front panel path for this tree) pe : Misread /miscommunicate data n/a n/a c
pe :
Information misleading n/a n/a d
1 pe :
Skip a step in procedure b
3.0E-3 l
e (Status trees are monitored in particular order, and paths are graphically distinct using different colors and line types.)
pe : Misinterpret instruction a
neg.
f peg: Misinterpret decision logic k/l neg.
pch: Deliberate violation a
neg.
Sum of pca through pch - Initial pc 6.0E-03 Total reduction in Ty -
min.
Effective Tg min.
Check here if recovery credit claimed on phge 2:
Notes:
Due to inconsistent usease of the foldout cares (Der operator interviews).
credit is conservatively not riven to the US recoenizine the red oath from the foldout cares.
3.5-7
. ~ _ _.
ObhW\\k., h)f j
un.
TRANSFER TO COLD LEG RECIRCULATION 1
l STEP ACTION / EXPECTED RESPONSE RESPONSE NOT OBTAINED I
CAbTION:
't
- THE CONTAINMENT SUMP LEVEL (1-HLA-310/1-NLI-311)
SHOULD BE GREATER THAN 97% OR THE CONTAINMENT LEVEL (1-NLI-320/1-NLI-321) SHOULD BE GREATER THAN 3% TO 1
OPERATE ECCS IN THE RECIRCULATION N00E.
- ANY PUMPS TAKING SUCTION FROM THE RWST SHOULD BE STOPPED UPON RECEIPT OF THE RWST LEVEL LOW-LOW /RHR l
PUMP TRIP ALARN (ANN 105 DROP 24).
t
- F0LLOWING SI RESET, AUTOMATIC REINITIATION 0F SI WILL MOT OCCUR UNTIL REACTOR TRIP BREAKERS ARE CLOSED.
+
- IF 0FFSITE POWER IS LOST AFTER Si RESET, MANUAL ACTION NAY BE REQUIRED TO RESTART SAFEGUARDS EQUIPMENT.
- IF UNIT WAS IN MODE 4 AT THE ONSET OF THE TRANSIENT, THEN 1-RH-104E AND 1-RH-104W SHOULD BE VERIFIED OPEN.
]l e SWITCHOVER TO RECIRCULATION MAY CAUSE HIGH RADIATION J
IN THE AUXILIARY BUILDING.
*\\
NOTE:
- FRPs should not be implemented prior to the completion of step 6.
- Foldout page should be open.
J.
Reset SI M
$k%w3 N
b 2.
Check,RHR Pu TH OPERABLE 1E neither RHR pump is OPERABLE, ItiEH go to ECA-1.1, LOSS OF EMERGENCY COOLANT RECIRCULATION, Step 1.
1E East RHR pump is INOPERABLE, IHEN go to Attachment A.
1E West RHR pump is INOPERABLE, It((H go to Attachment B.
V Page 2 of 35 Rev.
2, cs-g
@R-\\
1 iitlg Number 01-0HP 4023.
TRANSFER TO COLD LEG RECIRCULATION ES-1.3 STEP ACTION / EXPECTED RESPONSE RESPONSE NOT OBTAINED 3. Check CCW Pumps - BOTH OPERABLE 1E East CCW pump is IN0PERABLE, ItiB:
- a. Stop the East RHR pump and place in PULL-TO-LOCK.
- b. Go to Attachment A.
IE West CCW pump is INOPERABLE, ItiM:
- a. Stop the West RHR pump and place in PULL-TO-LOCK.
- b. Go to Attachment B.
CAUTION: WHEN CONTROL POWER IS RESTORED FOR VALVE OPERATION, THE CONTROL POWER HUST BE LEFT ON SO ASSOCIATED INTERLOCKS WILL BE OPERABLE. h Align West RHR And CTS Pumps For Recirculation: s @Stopthefollowingpumpsand place in PULL-TO-LOCK 0UT position: @WestCTSpump West RHR pump a,
- b. Close the following valves concurrently:
k. 1-IM0-320, West RHR pump M k N C.- h M NCL/C. suction valve = 1-IM0-225, West CTS pump suction valve from RWST (NEMr b
- l-IM0-324, West RHR pump ( N uIA;fu.cuQe discharge crosstie valve s
This Step continued on the next page. Page 3 of 35 Rev. 2 RPR-L
Titt. 01-OHP 4023. TRANSFER TO COLD LEG RECIRCULATION ES-1.3 STEP ACTION / EXPECTED RESPONSE RESPONSE NOT OBTAINED hRestorecontrolpowerandopen
- c. Perform the following:
1-ICM-306, Recirc sump to West RHR/ CTS pump valve
- 1) Open 1-IM0-225, West CTS pump suction valve from RWST.
- 2) E West CTS pump was previously running, IH @
restart the West CTS pump. E NOT, IH M place the West CTS pump in NEUTRAL.
- 3) Go to Attachment B.
Start the West RHR pump
- d. E the West RHR pump.can !L01 l
be started, IE@:
- 1) E West CTS pump was previously running, restart the West CTS pump.
')) f/ E tLQI, IEG place West CTS pump in NEUTRAL.
- 2) Go to Attachment B.
- e. Check West CTS pump status -
- e. Place West CTS pump in NEUTRAL PREVIOUSLY RUNNING
- 1) Restart the West CTS pump
- 2) Verify ESW to/from West CTS heat exchanger valves -
l OPEN: { i = 1-WM0-715 l = 1-WM0-717 i Page 4 of 35 Rev. 2 FPk3
fitto NWr 01-OHP 4023. TRANSFER TO COLD LEG RECIRCULATION ES-1.3 'h'.. STEP ACTION / EXPECTED RESPONSE RESPONSE NOT OBTAINED CAUTION:
- IF THE SI PUMP MINIFLOW VALVES ARE CLOSED, THEN THE SI PUMPS SHOULD BE STOPPED WHENEVER RCS PRESSURE APPROACHES THEIR SHUT 0FF HEAD.
- IF RCS PRESSURE INCREASES TO 2000 PSIG, THEN A PRZ PORV SHOULD BE OPENED, AS NECESSARY, TO REDUCE RCS PRESSURE AND MAINTAIN MINIMUM CCP FLOW.
NOTE: Minimum total BIT flow for CCP cooling is:
- for 1 CCP - 150 gpa (160 gpm for adverse containment)
= for 2 CCPs - 275 gpm (280 gpa for adverse containment) 5. Align SI Pumps And CCPs For Recirculation: ka Reset both CCP miniflow valves: Sc. 1-QM0-225
- l-QM0-226
- b. Check total BIT flow - GREATER
- b. Perform the following:
THAN MINIMUM NEEDED FOR CCP COOLING
- 1) Stop all but one CCP.
- 2) IE total BIT flow is greater than 150 gpm (160 gpm for adverse containment), JJiB go to step Sc.
IE NOT, I_ HEN open the associited CCP miniflow valve and go to step 5d. EllM RCS pressure is less than 1700 psig, THEN close all CCP miniflow valves. 4
- c. Close both CCP miniflow valves:
1-QM0-225 h O = l-QM0-226 M u@ MRC.S f pggea(aA% M% This Step continued on the next page. Page 5 of 35 Rev. 2 h
Titig NutW 01-OHP 4023. TRANSFER TO COLD LEG RECIRCULATION ES-1.3
- ) )
1 STEP ACTION / EXPECTED RESPONSE RESPONSE NOT OBTAINED
- d. Check the following valves for
- d. Manually open valves.
the North SI pump - OPEN
- 1-ICM-260
= l-ICH-260, North SI pump-1-IM0-316 V E either valve remains -AND-closed, IliM stop the North SI pump. 1-IMO-316, RHR and SI to RCS cold 1 valve Go to step 5. 9 b
- e. Check the follo ng valves for
- e. Manually open valves.
the South SI pump - OPEN
- 1-ICM-265 1-ICM-265,. South SI pump 1-IM0-326 e
discharge th cold legs 2 3 MLR-AND f @ E either valve remains closed, JJ18 stop the South SI pump. = l-IM0-326, RHR and SI to RCS cold le val Go to step 5. y 9 Mk a s = 1-IM0-270 ggb.[p 1-IM0-275 g Q,
- g. Check each SI pump flow -
- 9. Stop affected SI pump (s).
GREATER THAN 70 GPM: 1-IFI-260 MHG RCS pressure is less than = 1-IFI-266 1425 psig (1150 psig for adverse containment), TjiB start SI pump (s). Kh.Restorecontrolpowerand b St. OM loh close SI pumps recirc to RWST-Qg Q valves: 4, 1-IM0-262 = 1-IM0-263 hOpen1-IM0-350,SIpump
- i. Locally open 1-IM0-350.
suction from West RHR HX valve D0 H0.I PROCEED UNTIL l-IM0-350 IS OPEN. This Step continued on the next page. / Page 6 of 35 Rev. 2 [ 'd
Title NL ' tr 01-OHP 4023. TRANSFER TO COLD LEG RECIRCULATION ES-1.3 STEP ACTION / EXPECTED RESPONSE RESPONSE NOT O8TAINED h0penSIpumpsuctioncrosstie 1 to CCP valves:
- 1-IM0-361 I
- l-IM0-362
- k. Verify 1-IM0-360, SI pump 1
sucti CP
- 1. Restore control power and MNedA-j close 1-IM0-261, SI pump gk g g.
suction from RWST V-%NbW i
- m. Cl CCP suction from RWST g
MVM
- 1-IMb-910 yM b %
= 1,IM0-911
- n. Check CCPs - BOTH RUNNING
- n. E CCPs were stopped because 2
of RWST low-low level, THEN perform the following: i ~,
- 1) Start one CCP.
- 2) Check total BIT flow -
greater than 150 gpm (160 gpm for adverse containment) E N_0T, IH W open 0 associated miniflow valve and go to step So. 1
- 3) Check RCS pressure - less than 1700 psig l
E NOT, elm go to step 50. WHEN RCS pressure is less than 1700 psig, THEN restart all CCPs.
- 4) Start second CCP.
i This Step continued on the next page. 4 Page 7 of 35 Rev. 2 hP'R-(o
.c... Titl9 Ntsnber 01-OHP 4023. TRANSFER TO COLD LEG RECIRCULATION ES-1,3 '). STEP ACTION / EXPECTED RESPONSE RESPONSE NOT OBTAINED
- o. Check SI pumps - BOTH RUNNING
- o. lE SI pumps were stopped because of RWST low-low level, IllEH perform the following:
- 1) Check RCS pressure - less than 1425 psig (1150 psig for adverse containment) 1.E NOT, IllEH go to step 6.
H1 HEN RCS pressure is less than 1425 psig (1150 psig for adverse containment, J11EH do step So. l
- 2) Check SI pump discharge 1
crosstie valves - closed: 1-IM0-270 -0R- = l-IM0-275
- 3) J.E SI pump discharge crosstie is isolated, lHEH start both SI pumps.
IE HOI,11!EH start only one Si pump. i Rev. 2 ~
ri:ie I numtar 01-0HP 4023. TRANSFER TO COLD LEG RECIRCULATION ES-1.3 ~, s' ~ STEP ACTION / EXPECTED RESPONSE RESPONSE NOT OBTAINED - i 6 Align East RHR And CTS Pumps For Recirculation:
- a. Check RWST Level - LESS THAN
- a. Continue with step 7..
10% i 4 i WHEs RWST level drops to 10% F_O do steps 6b through 6h., { Ob Stopthefollowinf0bK00T um s and place in PULL-TO-position: hastRHRpump +
- East CTS pump c.'Close the following valves 0 East RHR pump 4
suction valve
- 1-IM0-215,EastCTSgump
=$$ 1 $a HR p p" g dischargecrosstievave[pg M b o Odaesterece"tre'aowere"deae" i d aestere ce"trei a ~R pumps er "o 1-ICM-305 Recirc sump to East close 1-IM0-390 RH RHRfCTS pu,mp valve suction from RW$T i Go to step 7. @StarttheEastRHRpump
- e. Go to step 6.
9 @.Open1-IM0-340 + CCP suction from East RHR HX valve
- 9. Check East CTS ump -
- g. Place East CTS pump in NEUTRAL PREVIOUSLY RUNN NG
- 1) Restart the East CTS pump
- 2) Verify ESW to/from East CTS heat exchanger valves - OPEN
= l-WM0-711 1-WM0-713 e
- h. Restore control power and close 1-IM0-390 RHR pumps suction from RW$T l
Page 9 of 35 Rev. 2 I l h 9 HPF6 a
] i ~ h ( IIllO aweer 01-OHP 4023. RESPONSE TO INADEQUATE CORE COOLING FR-C.1 s) s STEP ACTION / EXPECTED RESPONSE RESPONSE NOT OBTAINED ' Verify ECCS Valve Alignment - Manually align valves as- . 4. PROPER EMERGENCY ALIGNMENT.BY necessary. .s STATUS' LIGHTS. 1-SHL-11 A, B:, C ' ..1-SML-12A, B,C - ~ .~ _ '... _S.- Verify *E'CCS Flow In All Systems: Perforisi the fo' lowing:- l
- BIT. flow - ON SCALE:.
- a. Start all available ECCS pumps:
1,IFI'-51
- CCPs 1-IFI.
St. pumps ' K'.= RHR pumps. k . 1.-IFI-53 . 1-IFI-5'4 4 p 0 .b.,Eitablish BTT fidw from the-t .. SI. ' ump flow .t ~N SCI,LE: .. positive ' dis'p]-acement-: pump 2 1 (PDP): ] 1-IFI-260 .I'-IFI~266 ~.
- 1) locally open PDP suc' tion *..
'I and discharge valve's:'-
- RHR HX outlet flow - ON. SCALE:
i
- 1-CS-304
- 1-IFI :310.or 31'1
- l-CS-306
' 1-IFI-320 or 321
- 2) Start the POP.
- 3) Adjust 1-QRV-251, CCP flow control valve to allow PDP flow to the BIT.
l i l 'N i E/ Page 4 of 16 s Rev. 4, CS-1 LS -L i ow\\
.~, kb nu. wueer /.) 01-OHP 4023. RESPONSE TO INADEQUATE CORE COOLING FR-C.) ..) STEP-ACTION / EXPECTED RESPONSE RESPONSE NOT OBTAINED NOTE: Nornal conditions are desired but not requir d for starting the RCPs. &w
- lMfha, 12.
Check if RCPs Should Be Started: O D
- a. Core exit TCs - GREATER THAN a.
to Step 13. h 1200*F.
- b. Check if an idle RCS cooling
- b. Perform the following:
loop is available:
- 1) Open all PRZ PORVs and l
- Narrow range SG level -
block valves. GREATER THAN 6% (22% FOR ADVERSE CONTAINMENT)
- 2) If, core exit TCs remain greater than 1200*F, IBIH
- RCP in associated loop -
open other RCS vent paths AVAILABLE AND NOT OPERATING to containment: a) PRZ vent path valves:
- 1-NSO-61 and 1-NS0-62
( ~) -OR- \\ 7 1-NS0-63 and 1-NS0-64 V e N i b) Reactor head vent path valves: 1-NS0-21 and 1-NS0-22 -OR-1-NS0-23 and 1-NS0-24
- 3) Go to Step 13.
- c. Start RCP in one idle RCS cooling loop.
- d. Return to Step 12a.
t s !] Page 9 of 16 Rev. 4, CS-1 ots-A
-.. - -. -. -... -. - -.. - -. -...... ~. -.. - - - _. -.. -. l I Title i wer 8, 01-OHP 4023. RESPONSE TO INADEQUATE CORE COOLING FR-C.1 STEP ACTION / EXPECTED RESPONSE RESPONSE NOT OBTAINED CAUTION: lxiRING C00LDOWN, STEAM FLOW 0F GREATER THAN 1.42x106 ppy ON TWO OR MORE SGs WILL RESULT IN A STEAMLINE ISOLATION. NOTE:
- Partial uncovering of SG tubes is acceptable in the i
following steps.
- Both staan dump conta ol selector switches should be nonentarily placed in BYPASS INTERLOCK when Tavg decreases to S41*F.
Initiate RCS Cooldown To 200*F:
- a. Transfer condenser steam dump to steam pressure mode
^ b. ump steam to condenser from
- b. Manually or locally dump steam intact SG(s) at maximum rate from intact SG(s) at maximum rate using steam relief valves.
- c. Check RCS hot leg temperatures
- c. Cooldown using faulted or
- DECREASING ruptured SG(s). \\ \\] / (,; Page 10 of to l' c Rev. 4, CS-1 i cs -n OL1-3
TitLO 01-0HP 4023. RESPONSE TO INADEQUATE CORE COOLING FR-C.1 ( 8) STEP ACTION / EXPECTED RESPONSE RESPONSE NOT OBTAINED
- 14.
- Verify ECCS Flow:
- Continue efforts to establish ECCS. flow..
a BIT flow - ON SCALE ' IE BI'T flow.is HQI'on scale. 8MQ ',
- 1-IFI-51'.
' core ex.it T/Cs:are greater than. 1-IF.1-52 1200*F, IEEH perfoper the * . 1-IFI-53, - fol.l.owing: 1-IF.I,'54 '
- a. Request an tiime'diate ' Unit 2
-OR-shutdown.
- SI pump ~ flow - ON SCALE -
- b. Request Unit
- 2 establish
. charging pump operitibn with.
- 1-IFI-260 suction from the RWST. -
. 1-IF.I-266 ~
- c. WHEN' Unit'2 charging is
-OR , a.vailable and-aligned toc the *.. RWST,' Nest'ablish' BIT ' flow'
- 4,.RHR NX outlet flow - ON SCALE from Unit 2.
'~ ~ Refer to Attachment A. 1 k_.,**
- 1-I 320 l'32
(-. s-1 l
- \\
Page 11 of 16 (s. Rev. 4, CS-1 A rt OL1+
a_J--w_ A__h_wa-._=Jae-4a j__..shsu,-,-_ae,,.me# -m._ Aea s -W,- w ,w., w-a-a,ae.mm. I FIGURE E-8 IIPRI FAULT TREE -}O 5 - s O 1 w - $ O wK -la - t O 0 3 -jC j = y g - tO m - d O E - ? O -}G 5 - 30 a .}g I - t O a 1 - TO a --jG V - V O a E-9
,.agea, a 34 m es _v1 -s'.- &Ma. e .AJ-'* MN" - "' -'"'"^ " " - * "'"'
- FIGURE E-9 HPR2 FAULT TREE i
- s O i .E i ? - a O 9 O 5 l I T O ~ i -JG 1 i E - t O V X - 4 O w k T O 1 -le I - 3 O 3 Ic= 7 . go a 1 - T O \\a n ~ b Y - y O a E-10
FIGURE E-10 HPR3 FAULT TREE l HPR3 Fault free lHPA1000tI 9 i I @R30C04 J0 HPR lHPRWCSRCOM] O lHPR300051 iEC US STA 4 ll i c.. .mi i c.. .mi i c.. .mi i l i ) E-11
y l FIGURE E-11 HPR4 FAULT TREE IFR4 Fault free l@n4000tl e IHpn400041 sue.wpn Ispar. ten.csnwl W o In4000si inec.us.sn..+.tI we.. .-l 1,c.. uc.. E-12 )
ATTACHMENT 1 TO AEP:NRC:10820 Donald C. Cook Nuclear Plant Individual Plant Examination Individual Plant Examination Revision 1 i
,. - ~ k E' k h% t COOK NUCLEAR PLANT Bridgrnan. p/lichigan -7;' E " ' ~ s' ?
- 4 =
'~,,as~ 1NmytouALMSMNMPM g UNgr10N ZT24d?@4ms$;w$ek .e ~ - > - f. sw Q17*5&. w %.e.:n. - ' m- ..;G . & ~.:. W < ~ .,. W*Y..hT4&..s%**W$' h. '4 ~ .y ' t '$ ", T f+ ?.,9?.Th! w"- ~ ~ ~ " a
- n. -
c+x e:~ s e~ n - ~* 3,gg*ta, w, p,su. a.w4 m j w ~ . f.. . ~ - .y,,,.,. s#4 , s, srF '# V ...M4* %' vs;.rgy. i . r. ., s.
- ,6
/ f:. ps., ,,*F< ~ / a g- ,g s.. em m . A he y 'W a e' i g j s, e l) 4 e ~ i ^ f e .-.. - - - --- -^}}