Final ASP Analysis - LaSalle 2 (LER 374-01-003)

ML20112J645
Person / Time
Site:	LaSalle
Issue date:	05/12/2020
From:	Christopher Hunter NRC/RES/DRA/PRB
To:
Hunter C (301) 415-1394
References
LER 374-01-003
Download: ML20112J645 (34)
v • d • e

Text

)LQDO Precursor Analysis Accident Sequence Precursor Program ---Office of Nuclear Regulatory Research La Salle Unit 2 Reactor scram due to undervoltage protective circuit actuation on Division 1 ESF bus (YHQW'DWH 9/3/2001 /(5 374/01-003 &&'3 1 x 10-5 April 30, 2004 Event Summary The reactor was manually tripped at 100% power due to decreasing reactor pressure vessel (RPV) water level caused by complications with the feedwater pump controllers when power was lost to the 4 kV Division I 241Y Bus. Both B phase fuses opened, activating the 241Y Bus undervoltage relays. The undervoltage relays initiated signals to start the 0" emergency diesel generator (EDG) and energized the 241Y Bus. However, the blown fuses in the undervoltage relay circuitry prevented loading of large loads, but permitted the operation of smaller loads. Large loads not available until the fuses were replaced include

• Low-pressure core spray pump

• 2A residual heat removal/low-pressure coolant injection pump (i.e., suppression pool cooling)

• 2A control rod drive pump

• 2A primary containment water chiller

• Standby liquid control B return isolation Blown fuses in 241Y Bus identified were identified about three hours after the fuses opened.

Some spare undervoltage fuses drawn from inventory were not usable. Eventually, an old fuse was used to restore the 241Y bus to operability 11 hours1.273148e-4 days <br />0.00306 hours <br />1.818783e-5 weeks <br />4.1855e-6 months <br /> after the reactor tripped.

Other conditions and complications experienced during the event include

• HPCS and RCIC automatically tripped on high water level.

• RHR pump 2A failed to start due to the false undervoltage signal on the 241Y Bus.

• RCIC system suffered a water hammer event.

• RCIC outboard check valve position indication displayed an open indication when the valve was shut.

• Condenser hotwell reject valves did not adequately control condenser hotwell level leading to two small roof ruptures on the CST (25,000 to 45,000 gallons of slightly radioactive water overflowed onto the ground around the tank).

1 For the initiating event assessment, the parameter of interest is the measure of the conditional core damage probability (CCDP). This is the value obtained when calculating the probability of core damage for an initiating event with subsequent failure of one or more components following the initiating event.

1

LER 374/01-003

• Safety relief valve position indication for three safety relief valves was erroneous.

Operator performance weaknesses that were displayed subsequent to the reactor trip include

• Operators allowed HPCS and RCIC to automatically trip on RPV high water level vice attempting to manually control RPV water level at or near the normal operating level band.

• Operators mis-diagnosed the rapid increase in the drywell pressure due to the loss of power to drywell cooling as a small steam leak in drywell.

• Operators did not re-open the MSIVs to re-establish the main condenser as the heat sink

• Operators were not aware that RCIC flow oscillations observed during the transitions between reactor pressure control and RPV level control modes should have been expected.

Details of this event are described in Attachment A (Refs. 1, 2, and 3).

Recovery opportunities. Several systems were affected during this event. Recovery opportunities are described in detail in Attachment C.

Analysis Results

 Conditional core damage probability (CCDP)

This event was modeled as an initiating event loss of reactor feedwater (IE-LOMFW) with complications resulting from component failures and operator actions. The CCDP for this event is 1 X 10-5 (mean value). This CCDP is applicable only to Unit 2. This CCDP exceeds the Accident Sequence Precursor Program acceptance threshold.

5% Mean 95%

CCDP 3 X 10-7 1 X 10-5 4 X 10-5

 Dominant sequences The core damage sequence with the highest CCDP (83%) for this event assessment is LOMFW Sequence 48. This sequence is shown in Figure 1. No other sequence had a CCDP greater than 10%. The events and important component failures for the dominant sequence are listed in Table 2. These events and failures include:

LOMFW Sequence 48

- Reactor shutdown is successful

- Safety relief valves all close

- PCS is unavailable

- HPCS fails to provide sufficient flow to the reactor vessel 2

S

LER 374/01-003

- RCIC and motor-driven (startup) reactor feedwater pump fail to provide sufficient flow to the reactor vessel

- Manual depressurization fails

 Results tables

- The conditional probabilities of the sequences with the highest CCDPs are shown in Table 1.

- The event tree sequence logic for the sequences with the highest CCDPs are provided in Tables 2a and 2b.

- The conditional cut sets for the sequences with the highest CCDPs are provided in Table 3.

- Definitions and probabilities for modified or dominant basic events are provided in Table 4.

Modeling Assumptions

 Analysis type This event was modeled as a loss of reactor feedwater initiating event (IE-LOMFW) using the Standardized Plant Analysis Risk (SPAR) Revision 3.01 model (Reference 4). The loss of reactor feedwater and subsequent reactor trip experienced at the plant is represented by this initiating event. The probability of IE-LOMFW was set to 1.0. The probabilities of the other initiating events were set to 0.0 in the GEM code. Other changes to model the event are described below.

 Modeling assumptions Key modeling assumptions. The key modeling assumptions are listed below and discussed in detail in the following sections. These assumptions are important contributors to the overall results.

- Motor-driven feedwater pump was available for short-term RPV level control (feed only).

- Failure of the fuses to undervoltage relays to 4 kV Division 1 241Y Bus prevented the loading of large loads, such as the RHR Pump 2A; however, the blown fuses did not affect small loads, such as the containment vent valves. Such small loads were credited in the analysis.

- PCS was not credited in the short term (about 30 minutes) due the manual closure of the MSIVs; however, PCS was available in the long term.

Other assumptions. Other assumptions that have negligible impact on the results due to relatively low importance include the following

- RHR Pump 2A and other large loads were not recoverable before 11 hour1.273148e-4 days <br />0.00306 hours <br />1.818783e-5 weeks <br />4.1855e-6 months <br />sthe actual time fuses were replaced and the 241Y Bus energized. See the sensitivity analysis section below for details.

3 SENSITIVE - NOT FOR PUBLIC DISCLOSURE

LER 374/01-003

- RCIC and HPCS tripped on high RPV level. RCIC was later restarted. Although, the operators may not have allowed RCIC to trip on high RPV level given a postulated failure of HPCS (and turbine-driven reactor feed pumps), the ASP Program models all complications and failures while assigning nominal failure probabilities to successes.

Sensitivity analysis has shown that crediting a nominal failure probability for such postulated sequences has a marginal decrease in overall risk. See the sensitivity analysis section below for details.

- Operator performance weaknesses displayed during the event (see Event Summary, above) do not have a significant impact on short-term or long-term operator actions that would cause a significant increase in the overall risk. See the sensitivity analysis section below for details.

 Modifications to fault tree models

- Motor-driven feedwater pump. The SPAR model was modified to account for the available of the motor-driven feedwater pump as a proceduralized option for high-pressure RPV level control. The RCIC fault tree was modified to AND the motor-driven feedwater pump with the RCIC system. Details of this modification is also described in Attachment B.

- Electrical buses. The SPAR model was modified to account for two sizes of electrical loads on the 4 kV Division I 241Y Bus. During the event, large pump loads, such as the RHR Pump 2A, could not be energized due to the erroneous undervoltage signal on the 241Y Bus caused by the open fuses. Several fault trees were modified to account for the availability of critical small loads (e.g., containment vent valves) but not large loads. Details of these modifications are described in Attachment B.

 Basic event probability changes Table 4 provides the basic events that were modified to reflect the event being analyzed.

The bases for these changes are provided below.

- Probability of failure of 4-kv bus 241Y (ACP-BAC-LP-DI, 4160 V bus hardware failures). This probability was set to TRUE based on the failure of the undervoltage relay circuitry, which prevented large loads from being applied to this bus for approximately 11 hours1.273148e-4 days <br />0.00306 hours <br />1.818783e-5 weeks <br />4.1855e-6 months <br /> following the manual reactor scram. Setting ACP-BAC-LP-DI to TRUE renders all equipment in the SPAR model powered from 241Y Bus inoperable for the duration of this event, except for RCIC and containment venting as discussed in the modification of fault trees. Recovery of power to the bus undervoltage relays was not considered before the actual time when the blown fuses were discovered by the electricians (3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> following the reactor scram). This analysis considered recovery after this time; however, sensitivity analysis shows recovery of power to all loads on the 241Y Bus to be negligible, since the dominating sequence involves the failure/unavailable of high pressure injection and failure to depressurize. See sensitivity analysis section, below.

- Probability of not recovering the PCS in the short term (PCS-XHE-XL-STLMFW).

The nonrecovery probability for PCS in the short term for IE-LOMFW was set to TRUE based on operator actions during the event. The MSIVs were manually closed at 20 4

SENSITIVE - NOT FOR PUBLIC DISCLOSURE

LER 374/01-003 minutes following the reactor scram. Since the MSIVs were not re-opened, the turbine-driven feedwater pumps were not available during the remainder of the event.

The control switch to the motor-driven feedwater pump was placed in the pull-to-lock position in the early minutes of the transient to prevent automatic start on low RPV water level.

- Probability of not recovering the PCS in the long term (PCS-XHE-XL-LTLMFW).

The SPAR model was updated with a new generic nominal probability for PCS-XHE-XL-LTLMFW (1 x 10-3). This nominal value was not changed for this analysis based on (1) PCS was not damaged during the event, and (2) the time required to restore PCS given the postulated loss of suppression pool cooling is on the order of 20 or more hours (prior to containment failure and subsequent core damage). The basis for the new generic probability is provided in the footnote to Table 4.

- Probability of RCIC restart being required (RCI-RESTART). The probability for RCIC restart was set to TRUE. During the event the RCIC system automatically started on Level 2 in the reactor vessel and automatically shut down on Level 8 in the reactor vessel. The operators restarted the RCIC system for reactor water level control and reactor vessel pressure control during the event.

 Other items of interest During the event there were a number of other equipment performance issues noted in the LER (Ref. 1) and in the NRC Special Inspection Report (Ref. 2). These issues, which did not result in changes to the SPAR model, are listed below and discussed in detail in Attachment E.

- Potential common-cause failure implications of the two B phase fuses on bus 241Y.

- RCIC system anomalies: flow oscillations, water hammer event, and erroneous RCIC outboard check valve (2E51-F065) position indication.

- Failure of the condenser hotwell reject valves to control condenser hotwell level, leading to two CST roof ruptures, and some water overflowed onto the ground around the tank.

- Erroneous position indication for three SRVs.

 Sensitivity analyses Sensitivity analyses were performed to determine the effects of model uncertainties on results based on best estimate assumptions. The modeling of each best estimate assumption listed below was adjusted to a reasonable, more conservative value.

- Earlier bus restoration. Best estimate assumption: Undervoltage relays to the 241Y Bus restored no earlier than the actual 11 hours1.273148e-4 days <br />0.00306 hours <br />1.818783e-5 weeks <br />4.1855e-6 months <br />. Sensitivity assumption: Restoration of 241Y Bus earlier than the actual restoration time of the bus at 11 hours1.273148e-4 days <br />0.00306 hours <br />1.818783e-5 weeks <br />4.1855e-6 months <br /> following the reactor scram. The restoration of the bus would allow the start of large loads, such as the LPCS pump for low pressure injection and the RHR Pump 2A for suppression pool cooling.

5 SENSITIVE - NOT FOR PUBLIC DISCLOSURE

LER 374/01-003 Low-pressure injection is important only during total loss of high-pressure injection (i.e., RCIC and HPCS). In order to credit restoration of LPCS injection, the bus must be diagnosed, operable fuses located, and failed fuses replaced within 30 minutes.

Due to the complications experienced during the event, it is highly unlikely that these actions can be completed within the short period of time. Therefore, no credit for bus restoration within 30 minutes is given.

RHR Pump 2B is important during for long-term suppression pool cooling. For sequences where high-pressure injection is successful, the typical time for containment failure and subsequent core damage during the loss of suppression pool cooling is on the order of over 20 hours2.314815e-4 days <br />0.00556 hours <br />3.306878e-5 weeks <br />7.61e-6 months <br />. Containment failure is predicated on the failure to vent the containment. The containment vent valves were not affected by the problem on the 241Y Bus (only large loads). Given the availability of containment venting and long-term recovery of PCS, restoration of an RHR pump was shown to have a negligible effect on risk.

- RCIC trip. Best estimate assumption: RCIC tripped on high RPV level. Sensitivity assumption: RCIC would not trip on high RPV level for cutsets involving postulated failure to start or maintenance out of service of HPCS.

For simplicity, the probability for RCIC restart was set to True in the best estimate analysis. If the basic event RCI-RESTART is set to nominal (8.5 x 10-2) for cutsets involving RCI-RESTART and failure of the HPCS to inject (HCS-MDP-TM-TRAIN, and HCS-MDP-FS-HPCS), the CDP is 8 x 10-6 or a 20% reduction in the best estimate results. Even through crediting nominal probability of RCIC tripping on high level reduces that overall results from the (very low) 10-5 bin to the (high) 10-6 bin, the decrease is marginal in the overall risk.

- Operator weaknesses. Best estimate assumption: Operator weaknesses that were displayed during the event (see Event Summary and Attachment A) do not have an impact to key operator actions modeled in the SPAR loss of feedwater event tree (IE-LOMFW). Sensitivity assumption: Operator weaknesses is an indication of poor work processes for long term actions.

The best estimate assumption is based on human factors review of the complications experienced during the event. This review concluded that operator actions in short term sequences involving total loss of high pressure injection (i.e., PCS, RCIC, and HPCI) would not be affected by complications experienced later in the event. Long term actions may be affected.

Sensitivity analyses were performed for two cases: (1) long term actions in the top 98% of cutsets and (2) all operator actions in the top 98% of cutsets.

Key long term operator actions that are in the top 98% of the cutsets include:

o Failure to initiate and control RHR/suppression pool cooling (RHR-XHE-XM-ERROR).

o Failure to restore PCS in the long term (PCS-XHE-XL-LTLMFW).

o Failure to align alternate low pressure injection (fire water) to the train B LPCI injection line given successful containment vent (OPR-XHE-XM-ALPI9).

6 SENSITIVE - NOT FOR PUBLIC DISCLOSURE

LER 374/01-003 Short term actions that are in the top 98% of the cutsets include:

o Failure to manually depressurize the reactor (ADS-XHE-XM-MDEPR).

o Failure to restore PCS in the short term (PCS-XHE-XL-STLMFW), which is set to True in both the best estimate case and sensitivity case.

o Failure to align heater drain pumps for alternative low pressure injection (CDS-XHE-XM-HDOP)

The performance shaping factor level for poor work processes has a multiplier of 5.

The above failure probabilities were increased by a factor of 5 to account for poor work processes. In the first sensitivity case, an increase in failure probabilities of long term actions resulted in a CCDP of 1.3 x 10-5 as compared with the best estimate CCDP of 1.0 x 10-5. In the second case, the increase in all failure probabilities resulted in a CCDP of 4.6 x 10-5. The CCDP for the second case is just outside the 95 percentile of the parameter uncertainty of the best estimate (3.7 x 10-5), where the factor of 5 increase in ADS-XHE-XM-MDEPR contributed to 72% of the increase in CCDP. Given that manual depressurization is a trained and accepted task to perform for complete loss of high pressure injection, the affects of potential poor work processes experienced later into the actual event should not impact this operator action. Therefore, this modeling uncertainty does not have a significant impact on the overall results.

 SPAR model updates The SPAR model for this plant was updated to account for updated failure probabilities and system modeling. These updates have been reviewed by INEEL and may be included in the next revision of the SPAR model for this plant.

- Failure probability of the operator fails to manually depressurize the reactor (ADS-XHE-XM-MDEPR).

- Failure probability of the operator fails to restore PCS in the long term (PCS-XHE-XL-LTLMFW).

Bases for these updates are described in the footnotes to Table 4.

7 SENSITIVE - NOT FOR PUBLIC DISCLOSURE

LER 374/01-003 References

1. LER 374/01-03, Revision 0, Reactor Scram Due to Undervoltage Protective Circuit Actuation on Division 1 ESF Bus, event date September 3, 2001, report date October 25, 2001 (ADAMS Accession Number ML013620348).

2. NRC Special Inspection Report 50-374/01-017 (DRP), October 19, 2001 (ADAMS Accession Number: ML012920746).

3. NRC Inspection Report 50-374/01-16 (DRP), November 1, 2001 (ADAMS Accession Number ML013060565).

4. Robert F. Buell and Richard E. Gregg, Standardized Plant Analysis Risk Model for La Salle Unit 1 & 2 (ASP BWR C), Revision 3.01, Idaho National Engineering and Environmental Laboratory, January 2004.

8 SENSITIVE - NOT FOR PUBLIC DISCLOSURE

LER 374/01-003 Table 1. Conditional core damage probabilities associated with the highest probability sequences.

Conditional core damage probability Percentage Event tree name Sequence no. (CCDP)1 contribution LOMFW 48 8.3 X 10-6 83 Total (all sequences)2 1.0 X 10-5 1

Values are point estimates.

2 Total includes all sequences (including those not shown in this table).

(File Name: GEMS LER 374-01-003 04/29/04 132805.wpd)

Table 2a. Event tree sequence logic for top sequences.

Event tree Logic name Sequence no. (/ denotes success; see Table 2b for fault tree names)

LOMFW 48 /RPS /SRV PCS HCS RCI1 DEP Table 2b. Definitions of top events listed in Table 2a.

Fault tree name Description DEP Manual depressurization fails HCS HPCS fails to provide sufficient flow to the reactor vessel PCS Power conversion system is unavailable RCI1 RCIC and motor-driven reactor feedwater pumps fail to provide sufficient flow to the reactor vessel RPS Reactor protection system fails to shut down the reactor SRV One or more safety relief valves fail to close 9

SENSITIVE - NOT FOR PUBLIC DISCLOSURE

LER 374/01-003 Table 3. Conditional cut sets for dominant sequences.

Percent CCDP1 contribution Minimal cut sets2 Event Tree: LOMFW Sequence 48 2.1E-006 25.3 ADS-XHE-XM-MDEPR HCS-MDP-TM-TRAIN RCI-TDP-FS-RSTRT RCI-RESTART(See note 4)

RCI-XHE-XL-RSTRT MFW-XHE-MDP1 1.4E-006 17.2 ADS-XHE-XM-MDEPR HCS-MOV-FT-SUCTR RCI-TDP-FS-RSTRT RCI-RESTART RCI-XHE-XL-RSTRT MFW-XHE-MDP1 7.6E-007 9.2 ADS-XHE-XM-MDEPR HCS-MDP-TM-TRAIN RCI-TDP-FS-TRAIN RCI-XHE-XL-START MFW-XHE-MDP1 5.1E-007 6.2 ADS-XHE-XM-MDEPR HCS-MOV-FT-SUCTR RCI-TDP-FS-TRAIN RCI-XHE-XL-START MFW-XHE-MDP1 3.7E-007 4.5 RCI-TDP-TM-TRAIN ADS-XHE-XM-MDEPR HCS-MOV-FT-SUCTR MFW-XHE-MDP1 3.0E-007 3.6 ADS-XHE-XM-MDEPR HCS-MDP-TM-TRAIN RCI-TDP-FR-TRAIN RCI-XHE-XL-RUN MFW-XHE-MDP1 2.9E-007 3.5 ADS-XHE-XM-MDEPR HCS-MDP-TM-TRAIN RCI-MOV-FC-XFER RCI-XHE-XL-XFER MFW-XHE-MDP1 2.1E-007 2.5 ADS-XHE-XM-MDEPR HCS-MDP-FS-HPCS RCI-TDP-FS-RSTRT RCI-RESTART RCI-XHE-XL-RSTRT MFW-XHE-MDP1 2.0E-007 2.5 ADS-XHE-XM-MDEPR HCS-MOV-FT-SUCTR RCI-TDP-FR-TRAIN RCI-XHE-XL-RUN MFW-XHE-MDP1 2.0E-007 2.4 ADS-XHE-XM-MDEPR HCS-MOV-FT-SUCTR RCI-MOV-FC-XFER RCI-XHE-XL-XFER MFW-XHE-MDP1 2.0E-007 2.4 RCI-MOV-CC-INJECT ADS-XHE-XM-MDEPR HCS-MDP-TM-TRAIN MFW-XHE-MDP1 1.3E-007 1.6 RCI-MOV-CC-INJECT ADS-XHE-XM-MDEPR HCS-MOV-FT-SUCTR MFW-XHE-MDP1 1.3E-007 1.5 SCW-MDP-FS-DG1B ADS-XHE-XM-MDEPR RCI-TDP-FS-RSTRT RCI-RESTART RCI-XHE-XL-RSTRT MFW-XHE-MDP1 1.3E-007 1.5 HCS-MOV-CC-F004 ADS-XHE-XM-MDEPR RCI-TDP-FS-RSTRT RCI-RESTART RCI-XHE-XL-RSTRT MFW-XHE-MDP1 8.4E-008 1.0 SCW-MDP-TM-DG1B ADS-XHE-XM-MDEPR RCI-TDP-FS-RSTRT RCI-RESTART RCI-XHE-XL-RSTRT MFW-XHE-MDP1 8.4E-008 1.0 HCS-FAN-TM-ROOM ADS-XHE-XM-MDEPR RCI-TDP-FS-RSTRT RCI-RESTART RCI-XHE-XL-RSTRT MFW-XHE-MDP1 8.3 x 10-6 Total3 Notes:

1. Values are point estimates.

2. See Table 4 for definitions and probabilities for the basic events.

3. Total includes all sequences (including those not shown in this table).

4. RCIC-SESTART was set to True. This basic event was added to the cutsets for reference only.

10 SENSITIVE - NOT FOR PUBLIC DISCLOSURE

LER 374/01-003 Table 4. Definitions and probabilities for modified or dominant basic events.

Probability/

Event name Description Frequency Modified ACP-BAC-LP-DI Division 1 4160V bus hardware fails TRUE YES1 ACP-BAC-LP-DILOW Division 1 4160V bus hardware fails for small 9.5 X 10-5 YES1 equipment ADS-XHE-XM-MDEPR Operator fails to depressurize the reactor 1.0 X 10-3 YES7 CDS-LOMFW-NOCDS Percent of LOMFW events due to failure of 1.0 X 10-1 YES2 condensate CDS-XHE-XM-HDOP Operator fails to align heater drain pumps early 1.5 X 10-1 YES2 DCP-BAT-CF-ALL Common-cause failures of 125 volt dc batteries 2.3 X 10-6 YES3 (3)

DCP-BAT-LP-1A Failure of Division I 125 volt dc battery 4.0 X 10-4 YES3 DCP-BAT-LP-1B Failure of Division II 125 volt dc battery 4.0 X 10-4 YES3 DCP-BAT-LP-1C Failure of Division III 125 volt dc battery 4.0 X 10-4 YES3 HCS-MDP-FR-HPCS HPCS pump fails to run 1.7 X 10-3 YES4 HCS-MDP-TM-TRAIN HPCS train is unavailable due to test and 5.0 X 10-2 NO maintenance HCS-MOV-FT-SUCTR HPCS suction transfer fails 3.4 X 10-2 NO IE-LOMFW Initiating event - loss of reactor feedwater 1.0 YES5 LOMFW Loss of main feedwater flag TRUE YES2 LOOP-I FLAG - Loss of offsite power to Division 1 TRUE YES1 MFW-XHE-MDP Operator fails to align the motor-driven reactor 4.0 X 10-3 YES1 feedwater pump for injection MFW-XHE-MDP1 Operator fails to align the motor-driven reactor 1.0 YES1 feedwater pump for injection given that the operator fails to depressurize the reactor OPR-XHE-XE-DILOW Operator fails to recover power to 4 kv vital bus 1.0 X 10-1 YES1 241Y PCS-XHE-XL-LTLMFW Operator fails to restore PCS in the long term 1.0 X 10-3 YES8 PCS-XHE-XL-STLMFW Operator fails to restore PCS in the short term TRUE YES1 RCI-RESTART Restart of RCIC is required TRUE YES1 RCI-TDP-FS-RSTRT RCIC pump fails to restart given start and short- 1.1 X 10-1 YES6 term run RCI-TDP-FS-TRAIN RCIC pump fails to start 2.7 X 10-2 NO RCI-XHE-XL-RSTRT Operator fails to recover RCIC failure to restart 3.8 X 10-1 YES6 RCI-XHE-XL-START Operator fails to recover RCIC failure to start 5.6 X 10-1 NO Notes:

1. Basic event changed to reflect event being analyzed. See text and figures.

2. Basic event added by INEEL. See text.

11 SENSITIVE - NOT FOR PUBLIC DISCLOSURE

SENSITIVENOT FOR PUBLIC DISCLOSURE LER 374/01-003 Table 4. Definitions and probabilities for modified or dominant basic events. (contd)

3. Revision 3.01 uses FALSE for this event and internally calculates value based on an estimated mission time for loss of all ac - SBO calculations. This event is not an SBO event. Reverted back to the values used in Revision 3i.

4. Error was found in the model. INEEL indicated this event should be a probability with a value of 1.7 x 10-3.

5. Initiating event frequency set to 1.0 to reflect actual event. All other initiating event frequencies set to 0.0.

6. U. S. Nuclear Regulatory Commission, Reactor Operating Experience Results and Databases, Reliability Study Update - Reactor Core Isolation Cooling, 1987 to 2002.

7. SPAR model update: operator action for manual depressurization was modified to account for increase stress level. The performance shaping factor level for the action was increased from nominal to high. This is a factor of 2 increase in the old failure probability (5E-4 to 1E-3).

8. SPAR model update: using the SPAR HRA method, the baseline failure probability to establish long-term suppression pool heat removal is as follows: Time available is 5 times the time required (x0.1) due to the 10 to 20 hours2.314815e-4 days <br />0.00556 hours <br />3.306878e-5 weeks <br />7.61e-6 months <br /> before containment failure; stress is high (x2) due to all other pool cooling has failed; complexity is high (x5) due to many local actions required to re-establish condenser vacuum and the condensate and feedwater system; experience and procedures are nominal (x1) = 0.1 x 2 x 5 x 1 x 1 x (1E-3) = 1E-3.

12 SENSITIVE - NOT FOR PUBLIC DISCLOSURE

LER 374/01-003 Attachment A Description of Event At 1728 hours0.02 days <br />0.48 hours <br />0.00286 weeks <br />6.57504e-4 months <br /> on September 3, 2001, La Salle Unit 2 was operating at 100% power when the operators manually scrammed the unit after the reactor water level decreased rapidly and unexpectedly. It was later determined that two (both of the B phase fuses) of the four fuses associated with the undervoltage power circuitry for safety-related electrical bus 241Y (Division

1) had failed. Loss of the fuses resulted in an isolation of the bus from its loads, including the feedwater control circuitry for the turbine-driven reactor feedwater pumps. The operators immediately attempted to take manual control of the feedwater control stations, but could not do so because of the loss of power to the turbine-driven reactor feedwater control circuits. Loss of feedwater to the reactor caused decreasing reactor vessel level. The manual scram was initiated approximately 15 seconds after loss of power to bus 241Y. At this time, the reactor water level was approximately 20 inches above the automatic scram setpoint for low reactor vessel water level and within seconds of an automatic scram.

The two B phase fuses that failed provided power to the undervoltage and degraded voltage relays for safety-related electrical bus 241Y. When these relays deenergized, breakers tripped to isolate bus 241Y from station power supplies. The 0 emergency diesel generator (EDG) started, connected to, and reenergized bus 241Y as designed. However, the failure of the two fuses initiated and maintained a constant undervoltage signal on bus 241Y, and none of the large electrical loads could be automatically or manually loaded onto the bus, even though the bus had sufficient voltage supplied to it from the EDG. The failure of the two undervoltage fuses was a condition that was unknown to the control room operators for approximately 3.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> after the scram.

Immediately after the fuse failures, certain containment cooling equipment tripped. The most significant containment cooling impact resulted from the trip of three primary containment fans in the drywell.

After the manual scram, reactor water level continued to drop until the low-low level setpoint (Level 2) was reached about 28 seconds after loss of power to bus 241Y. The reactor core isolation cooling (RCIC) and high-pressure core spray (HPCS) systems automatically started.

The emergency operation procedures were entered.

At 1732 hours0.02 days <br />0.481 hours <br />0.00286 weeks <br />6.59026e-4 months <br /> (4 minutes after the scram), RCIC and HPCS automatically tripped when the reactor water level reached +55.5 inches (Level 8). However, the reactor water level continued to increase from injection of control rod drive (CRD) water and expansion of the cold water injected by RCIC and HPCS as it was heated in the reactor core. The Division 2 CRD pump was running at the start of the transient and continued to run throughout the transient. At 1748 hours0.0202 days <br />0.486 hours <br />0.00289 weeks <br />6.65114e-4 months <br /> (20 minutes after the scram), when reactor water level reached +73 inches, the operators closed the main steam isolation valves (MSIVs) per applicable procedures. This closure of the MSIVs eventually led to a loss of main condenser vacuum and degraded the ability of the main condenser to remove reactor decay heat.

At 1734 hours0.0201 days <br />0.482 hours <br />0.00287 weeks <br />6.59787e-4 months <br />, the drywell pressure increased to greater than 0.75 psig. At 1740 hours0.0201 days <br />0.483 hours <br />0.00288 weeks <br />6.6207e-4 months <br /> (12 minutes after the scram), the suppression pool temperature exceeded 105 EF. Based on indications after the scram (low reactor water level, decreasing reactor pressure, high drywell pressure, high suppression pool temperature), the operators believed that a small loss-of-13 SENSITIVE - NOT FOR PUBLIC DISCLOSURE

LER 374/01-003 coolant accident had occurred. The operators attempted to use the 2A residual heat removal (RHR) pump, which is powered from bus 241Y, to initiate suppression pool cooling. The 2A RHR pump would not start and load onto bus 241Y because of the undervoltage signal. The operators declared the 2A RHR pump inoperable and started the 2B RHR pump at 1740 hours0.0201 days <br />0.483 hours <br />0.00288 weeks <br />6.6207e-4 months <br /> (power from Division 2) and aligned the 2B RHR pump in the suppression pool cooling mode where it remained running for the entire event.

At 1756 hours0.0203 days <br />0.488 hours <br />0.0029 weeks <br />6.68158e-4 months <br />, the operators started to use safety relief valves to control reactor pressure by cycling them open and closed. Opening of the safety relief valves with the MSIVs closed caused large swings in reactor water level. Problems with the position indication of the safety relief valves also developed during this time.

At 1820 hours0.0211 days <br />0.506 hours <br />0.00301 weeks <br />6.9251e-4 months <br /> (52 minutes after the scram), the operators started the motor-driven reactor feedwater pump to control reactor vessel water level using the low-flow feedwater regulating valve. Because of difficulties with the motor-driven reactor feedwater pump due to condenser hotwell level being below normal (see below), RCIC was restarted at 1855 hours0.0215 days <br />0.515 hours <br />0.00307 weeks <br />7.058275e-4 months <br />. RCIC continued to run for over 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> in two modes: an injection mode to assist in the control of reactor vessel water level and a recirculation mode using the condensate storage tank (CST) water to control reactor vessel pressure. Flow oscillations and a water hammer were noticed in the RCIC system during this time. However, the RCIC system remained operational throughout the event.

Following the trip of the turbine generator shortly after reactor scram (approximately 1.3 minutes after fuse failure), feedwater cascaded from the feedwater heaters to the main condenser, causing condenser water level to rapidly rise. Condensate reject valves then opened to divert water from the main condenser to the CST. With the CST water level already toward the high end of the operating band, introduction of this large amount of water resulted in a rupture of the CST near its top, spilling 25,000 to 40,000 gallons of slightly radioactive water.

The CST split along the edge of the lid (two 18- to 24-inch splits), resulting in the water spill.

There was also a buckle in the side of the CST. Security personnel notified the control room operators of the overflow of water from the CST at 1820 hours0.0211 days <br />0.506 hours <br />0.00301 weeks <br />6.9251e-4 months <br />. Diversion of water from the condenser hotwell to the CST resulted in a lower-than-normal main condenser level.

At 2000 hours0.0231 days <br />0.556 hours <br />0.00331 weeks <br />7.61e-4 months <br />, reactor building fire alarms annunciated. Light smoke was reported on the 710-foot and 694-foot elevations of the reactor building. The origin of the smoke was never identified.

The cause of the loss of feedwater, failure of both B phase fuses in bus 241Y, was reported to the control room at 2047 hours0.0237 days <br />0.569 hours <br />0.00338 weeks <br />7.788835e-4 months <br />, about 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> and 20 minutes after the manual scram.

At 2155 hours0.0249 days <br />0.599 hours <br />0.00356 weeks <br />8.199775e-4 months <br />, the main condenser vacuum was decreasing due to the closing of the MSIVs, resulting in loss of the offgas steam jet air ejectors. At 2157 hours0.025 days <br />0.599 hours <br />0.00357 weeks <br />8.207385e-4 months <br />, a Group I isolation on low condenser vacuum actuated. This resulted in the main steam drain lines, previously opened to control reactor pressure vessel (RPV) pressure and transfer some reactor decay heat to the condenser, automatically closing. At 2212 hours0.0256 days <br />0.614 hours <br />0.00366 weeks <br />8.41666e-4 months <br />, condenser vacuum was restored (15 minutes after it was lost) and the main steam drain lines were opened to help reestablish RPV pressure control.

14 SENSITIVE - NOT FOR PUBLIC DISCLOSURE

LER 374/01-003 RCIC was placed in standby at 0118 hours0.00137 days <br />0.0328 hours <br />1.951058e-4 weeks <br />4.4899e-5 months <br /> on September 4, 2001. Bus 241Y was reenergized at 0435 hours0.00503 days <br />0.121 hours <br />7.19246e-4 weeks <br />1.655175e-4 months <br /> on September 4, 2001, following replacement of the failed fuses, about 11 hours1.273148e-4 days <br />0.00306 hours <br />1.818783e-5 weeks <br />4.1855e-6 months <br /> after the initial failure of the fuses.

Replacement of the failed fuses on bus 241Y was complicated. Four fuses were withdrawn from the storeroom to replace all the fuses on bus 241Y. However, three fuses from the storeroom were tested and found to have high resistance. Therefore, the electricians reinstalled the original A and original C phase fuses, which had not failed during this event, along with one new low-resistance fuse and one new high-resistance fuse from the storeroom.

When voltage was applied to the circuit, the high-resistance fuse opened, requiring replacement of this fuse. The failed fuse was replaced with a fuse that the system engineer had retained after it had been removed from the same circuit during an earlier preventive maintenance activity. Finally, when voltage was reapplied to the circuit, none of the four fuses (original A phase, original C phase, low-resistance fuse from storeroom installed in B phase, fuse from system engineer installed in B phase) opened. The undervoltage protective circuitry powered through these four fuses was then retested and returned to service. All four of the fuses on bus 241Y were subsequently replaced with acceptable replacement fuses.

15 SENSITIVE - NOT FOR PUBLIC DISCLOSURE

LER 374/01-003 Attachment B SPAR Model Modifications

 Fault tree modifications

1. Division I ac power fails for small equipment (DIV-1-AC-LOW). A new fault tree called DIV-I-AC-LOW was created (see Figure 5) to allow a new name for the 241Y bus to be used for small equipment powered off the bus (ACP-BAC-LP-DILOW). This new fault tree allowed the Revision 3.01 computer model to be modified such that small electrical loads loaded on the 241Y bus could be successful while allowing ACP-BAC-LP-DI to be set = TRUE. As part of the automatic start and load of equipment on the vital bus, the large electrical load equipment has an anticipatory control circuit that checks the voltage reading of the 241Y bus before starting and loading the large equipment on the bus. Since the bus read zero voltage with the undervoltage fuses failed, this large load equipment could not be started and loaded unto the bus.

2. Reactor core isolation cooling fails (RCI). The fault tree RCI was modified (see Figure 6) by removing all room cooling logic from the RCI fault tree under the gate support failures for non-LOOP events. The removal of room cooling logic from the RCIC fault tree was based on information provided by INEEL personnel that indicated during a loss of all ac electrical power event - SBO, the RCIC room temperature at 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> was up to 155 degrees F and rising at one degree F per hour. The trip of RCIC due to room temperature occurs at 200 degrees F.

3. Division I 125 volt dc power is unavailable for RCIC (DIV-1-DC-LOW),

250 volt dc power is unavailable for RCIC (DCP-250V-LOW). The fault tree RCI was modified (see Figure 6) by creating a new Division I dc power fails for input into OR gate RCI-10 called DIV-I-DC-LOW (see Figure 7). Also, a new 250 volt dc power failure for input into OR gate RCI-3 was created called DCP-250-LOW (see Figure 8).

These changes were made to allow the RCIC system to succeed following the failure of the undervoltage fuses. RCIC does not need motive power from Division I ac electrical power but it does need Division I dc control power. The Division I dc control power depends on the Division I batteries and the dc bus.

4. Suppression pool vent system fails (CVS). The fault tree CVS was modified (see Figure 9) by changing the division I ac power fails (DIV-I-AC-LOW) input to OR gates CVS-2 and CVS-3. This new fault tree allowed the model to power small electrical loads for containment venting (valves) from the 241Y bus while allowing ACP-BAC-LP-DI to be set = TRUE. The Division 1 ac electrical power for opening/closing containment vent valves was available during the event.

5. Diesel generator 0 (zero) fault tree (DG0). The fault tree DG0 was modified (see Figure 10) by deleting the basic event ACP-BAC-LP-DI from the OR gate DG0-1. The failure of the undervoltage fuses on 241Y bus did not impact the ability of diesel generator zero. DG0 was able to start and run and power the 241Y bus for small loads following the failure of the undervoltage fuses.

6. Standby cooling water fails to DG0 (DGN-SCW0). The fault tree DGN-SCW0 was modified (see Figure 11) by deleting the standby service water power failures from the model. DG0 started and ran during the event following the failure of the undervoltage 16 SENSITIVE - NOT FOR PUBLIC DISCLOSURE

LER 374/01-003 fuses. The OR gate DGN-SCW0-1 was eliminated. All other failure modes remained the same.

 Basic events added

1. Probability of failure of 4-kv bus 241Y for small equipment (ACP-BAC-LP-DILOW).

This basic event was created to differentiate what ac electrical power from bus 241Y was available following the undervoltage fuse failures. Large equipment could not be loaded unto the bus but small equipment could be loaded unto the bus. The nominal value for bus failure of 9.5 x 10-5 was used. The creation of this basic event helped to modify the RCIC fault tree and the containment venting fault tree to allow success of Division I ac power to these selected systems. See Fig. 5.

2. Probability of failure of operator to align the motor-driven reactor feedwater pump for injection into the reactor vessel (MFW-XHE-MDP). This basic event was created to allow the operator to use the motor-driven reactor feedwater pump as an injection source given the failure of the HPCS train and the RCIC train. See Fig. 6. Human error probability to start the motor-driven feedwater pump and restore feedwater injection through the low-flow feedwater regulating valves was estimated using Accident Sequence Precursor Program human reliability analysis method. The nominal failure probability for an operator action (1.0 x 10-3) was adjusted to reflect higher than nominal stress that the operators would experience in recovering RPV water level for short-term sequences involving failure of HPCS and RCIC. The performance shaping factor (PSF) for stress was considered high (2x nominal) resulting in an adjusted failure probability of 2.0 x 10-3. All other PSF are nominal. This action requires no diagnosis since the action is included in the emergency operating procedures.

Dependent event (MFW-XHE-MDP1). This dependent event is used in conjunction with dependent pairs MFW-XHE-MDP and ADS-XHE-XM-MDEPR (Operator fails to manually depressurize the reactor). Since these two actions are covered in the emergency operating procedures as one step, MFW-XHE-MDP is set to 1.0 by replacing the basis event with MFW-XHE-MDP1.

17 SENSITIVE - NOT FOR PUBLIC DISCLOSURE

LER 374/01-003 Attachment C Recovery Opportunities

 Recovery of the reactor feedwater pumps: To recover reactor feedwater as an injection source of water to the reactor vessel using the motor-driven reactor feedwater pump requires the operators to manually start the pump and feed the reactor vessel using the low-flow feedwater regulating valve. During the event, the operators performed these actions, restoring reactor feedwater to the vessel 52 minutes after the scram. However, it is believed that the operators could not have used the motor-driven reactor feedwater pump within 30 minutes of the scram if both RCIC and high-pressure core spray (HPCS) failed following the scram due to the limited time available and the complications that arose during the event. No credit was taken for short-term recovery of this pump in sequences that postulated both RCIC and HPCS failed after the scram.

To recover reactor feedwater using the turbine-driven reactor feedwater pumps requires the operators to open at least one main steam isolation valve (MSIV) and to manually start a turbine-driven pump and feed water to the reactor vessel. Flow from these pumps could have been fed into the vessel using the low-flow feedwater regulating valves or potentially the main feedwater regulating valves. Control for the reactor feedwater regulating valves was restored when bus 241Y was repowered from the 0" emergency diesel generator, shortly after the two undervoltage fuses failed. No credit was taken for short-term recovery of this pump in sequences that postulated both RCIC and HPCS failed after the scram.

 Power conversion system (PCS) recovery: After the operators closed the MSIVs, the operators had the ability to open the MSIVs, start the motor-driven reactor feedwater pump or the turbine-driven reactor feedwater pumps (procedures exist to do this), and use the main condenser as a heat sink for decay heat removal. As noted in both the NRC and licensee evaluations of the operator response to the event, operator response would have been enhanced if the operators had decided to proceed down this path. However, in the actual event, there was no requirement for the operators to follow this enhancement, and the operators chose not to do so. If there had been additional failures affecting the 2B residual heat removal (RHR) train that was used for suppression pool cooling during the event, the operators would have been directed by the emergency procedures to restore the power conversion system and use the main condenser as a heat sink. This long-term recovery of PCS is credited in the analysis.

 Division 1 4-kv bus (241Y bus): For some equipment, this bus was essentially failed and nonrecoverable for over 11 hours1.273148e-4 days <br />0.00306 hours <br />1.818783e-5 weeks <br />4.1855e-6 months <br /> in this event. Based on information provided by a member of the NRC Special Inspection Team, the undervoltage signal kept significant loads from being powered from the bus for approximately 11 hours1.273148e-4 days <br />0.00306 hours <br />1.818783e-5 weeks <br />4.1855e-6 months <br /> after the reactor scram.

The potential for failure of RCIC due to the failure of the 241Y bus undervoltage fuses was investigated and determined not to be of concern. The dc control system powered by bus 241Y was available for equipment needing such dc control. RCIC actually ran for approximately 6.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> during the event. The potential for failure of RCIC due to failure of room cooling caused by failure of the two undervoltage fuses was investigated and found to be of minimal concern. Analysis (provided by personnel from the Idaho National Engineering and Environmental Laboratory [INEEL]) for the loss of all ac electrical power (station blackout [SBO]) indicated that for SBO, the RCIC room temperature reached 155 degrees F at 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> after the start of SBO and the room temperature was rising 18 SENSITIVE - NOT FOR PUBLIC DISCLOSURE

LER 374/01-003 approximately one degree per hour. Trip of RCIC due to high room temperature occurs at 200 degrees F.

Containment venting was potentially available at any time despite the failure of the undervoltage fuses because the Division 1 electrical bus was available for equipment needed for containment venting. Information provided by the licensee indicated that the air-operated dampers and motor-operated valves for the containment venting were functional during the event and could have been powered by the bus because the electrical loads for these items are small. The failure of the undervoltage fuses did not have an impact on the nominal equipment failure rates for containment venting.

 RHR pumps: When the operators attempted to use the 2A RHR pump for suppression pool cooling, the pump failed to start. It would not start because both B phase undervoltage fuses had failed on bus 241Y, and any equipment with a low voltage interlock could not be powered by this bus until the fuses were replaced. The 2A RHR pump was unavailable and not recoverable for over 11 hours1.273148e-4 days <br />0.00306 hours <br />1.818783e-5 weeks <br />4.1855e-6 months <br />.

The failure of bus 241Y would not affect (preclude) recovery actions following failure of other equipment not powered or controlled by bus 241Y. In this analysis, some of the core damage sequences involve the postulated failure of the 2B RHR pump train. Given the failure of PCS and the failure of the 2B RHR pump train, no effective heat sink exists because suppression pool cooling is failed (both RHR trains unavailable) and the MSIVs are closed. In this situation, the operators must either recover the power conversion system by opening the MSIVs as discussed above or recover RHR suppression pool cooling (by recovering an RHR pump train). No credit was taken for the recovery of RHR pump trains in the analysis.

19 SENSITIVE - NOT FOR PUBLIC DISCLOSURE

LER 374/01-003 Attachment D Equipment performance issues which did not result in changes to the SPAR Model

 Potential common-cause failure implications of the two B phase fuses on bus 241Y.

It is not clear whether both B phase fuses failed at the same time due to a common-cause failure or two random failures, or if one fuse failed earlier and the failure was not detected until September 3, 2001. Three of the nine fuses involved in the failure and repair of bus 241Y actually failed, and two more fuses exhibited high resistance readings during preinstallation testing, indicating that they would probably have failed if installed. The actual failures included the two B phase fuses installed on bus 241Y prior to September 3, 2001, and one of the four fuses taken from the plant storeroom.

Consideration was given to modeling the common-cause failure of the Division II 4-kv bus due to the potential for similar fuse failures. However, information provided by the licensee indicated that the Bussmann JCW-1E fuses used for bus 241Y were only installed in this bus 241Y and no other place in the plant. The 241Y line and bus potential transformers are the only plant components that had these particular Bussmann-type fuses installed.

 RCIC system anomalies: flow oscillations, water hammer event, and erroneous RCIC outboard check valve (2E51-F065) position indication (Ref. 2). No changes were made to the RCIC equipment failure rates based on the following complications experienced during the actual event.

 Flow oscillations are expected during RCIC operating mode transitions from RPV pressure control to RPV level control. Although, the operators perceived the flow oscillations as an anomaly, the operator would not take drastic actions to secure RCIC had all other sources of high-pressure injection failed.

 Minutes after the reactor scram, a loud boom was heard when the operators shifted the operating mode of RCIC from pressure control to injection mode. A momentary reverse flow through the RCIC system caused the RCIC pumps suction check valve to slam shut. This initiated a hydraulic transient (water hammer) event and caused the failure of the pumps discharge pressure gauge. The RCIC system functioned normally thereafter. No significant damage was discovered during system walk-down.

 During the event (actual time unknown), the RCIC system outboard and inboard injection check valves indicated open when they should have indicated closed. The operators recognized the problem and took action to fix the position indicators.

Although, this complication was a distraction, it did not affect the function of the RCIC system during injection mode.

20 SENSITIVE - NOT FOR PUBLIC DISCLOSURE

LER 374/01-003

 Failure of the condenser hotwell reject valves to control condenser hotwell level, leading to two condensate storage tank (CST) roof ruptures, and some water overflowed onto the ground around the tank (Ref. 2). As the water level in CST reached the top of the tank, the increased pressure from the rising water level caused the weld that holds the top of the CST to the sides of the tank to burst in two separate locations. The two openings were approximately eighteen to twenty-four inches long with a two to four inch fishmouth opening. The control room operators were notified by the stations guard force that water was flowing from the CST. Control room operators immediately determined that condenser hotwell level was two inches below the normal setpoint and dispatched a non-licensed operator to shut the reject line manual isolation valve. Approximately 25,000 to 45,000 gallons of slightly radioactive water flowed out the CST tank cracks and the tanks 24 inch vent line before an operator could manually isolate the reject control valves.

The CST structural integrity is the sides and bottom. The top or lid of the tank is designed to keep the water surface covered. The structural strength is the weakest at the top of the tank. During the event, the tank slightly pressurized causing the two openings at the CST rim. The structural integrity of the CST to contain condensate was not impacted or could have been impacted. Therefore, no change was made to the CST failure probability.

 Erroneous position indication for three SRVs. The NRC inspection report (Ref. 3) and the licensee event report (Ref. 1) lacked details about the erroneous position indication for three safety relief valves. Other information provided by the licensee indicated that about 30 minutes into the event the operators commenced using SRVs to control RPV pressure by cycling the SRVs open and closed. Problems with SRV position indication continued while the operators used SRVs for decay heat removal. The operators compensated for these problems by monitoring the tailpipe temperature on a back panel recorder. This complication is a longer term distraction and would not impact on manual depressurization given the postulated complete loss of high pressure injection. Given that a sensitivity showed that an increase in failure probability (by a factor of 5) associated with long term operation actions resulted in negligible change in the overall best estimate results, no change was made to failure probabilities of long term actions from the erroneous position indications.

21 SENSITIVE - NOT FOR PUBLIC DISCLOSURE

LER 374/01-003 Attachment E Event Tree and Fault Tree Additions and Modifications Attachment E contains the following figures:

Figure 1: Loss of main feedwater event tree (IE-LOMFW)

Figure 2: Condensate injection fault tree with feedwater drain pumps available (CDS2)

Figure 3: Condensate pumps are unavailable (CDS-PMPS)

Figure 4: Failure of main feedwater (PCS-MFW)

Figure 5: Division I ac power fails for small equipment (DIV-1-AC-LOW)

Figure 6: Reactor core isolation cooling fails (RCI)

Figure 7: Reactor core isolation cooling fails (with main feedwater recovery) (RCI1)

Figure 8: Division I 125 volt dc power is unavailable for RCIC (DIV-1-DC-LOW)

Figure 9: 250 volt dc power is unavailable for RCIC (DCP-250V-LOW)

Figure 10: Suppression pool vent system fails (CVS)

Figure 11: Diesel generator 0 (zero) fault tree (DG0)

Figure 12: Standby cooling water fails to DG0 (DGN-SCW0) 22 SENSITIVE - NOT FOR PUBLIC DISCLOSURE

LER 374/01-003 LOSS OF REACT OR SRVS POWER H PC S RCIC MAN UAL CON DENSAT E LOW ALTERNATE SUPPRESSION MANUAL SHUTDOWN POWER CONTAINMENT LONG-TERM MAIN PROTECTION CLOSE C ONVERSION REAC TOR PRESSURE LOW PR ESS POOL REACTOR COOLING CONVERSION VENTING LOW PRESS FEEDWATER SYSTEM SYSTEM DEPR ESS INJECTION INJEC TION COOLING DEPRESS SYSTEM INJECTION RECOVERY IE-LOMFW RPS SRV PCS HCS RCI1 DEP CDS2 LPI VA SPC DEP SDC PCSR CVS VA1 # STATE 1 OK 2 OK 3 OK 4 OK 5 OK VA5 6 CD 7 OK VA3 8 CD 9 OK 10 OK VA5 11 CD 12 OK VA3 13 CD 14 OK 15 OK 16 OK 17 OK VA6 18 CD 19 OK VA7 20 CD 21 OK 22 OK VA6 23 CD 24 OK VA7 25 CD 26 OK 27 OK 28 OK 29 OK VA6 30 CD 31 OK VA7 32 CD 33 OK 34 OK 35 OK 36 OK VA6 37 CD 38 OK VA7 39 CD 40 OK 41 OK SP1 42 OK SD1 43 OK VA6 44 CD 45 OK VA7 46 CD 47 CD 48 CD P1 49 T @TRAN-1 P2 50 T TRAN-2 51 T ATWS LOMFW - LOSS OF MAIN FEEDWATER 2004/04/01 Figure 1. Event Tree for Loss of Main Feedwater.

23

LER 374/01-003

& 2 1 '( 1 6 $ 7( ,1 - ( & 7,2 1

) $ 8/ 775 ( ( :,7+

)( ( ':$ 7( 5 '5 $ ,1 3 8 0 3

$ 9 $ ,/ $ %/ (

& '6 

2 3 ( 5 $ 72 5 )$ ,/6 72

& 2 1 '( 1 6 $ 7(

$ /,* 1+( $7( 5 '5 $ ,1 3 80 3 6 ( $ 5 / <

 ( 

& '6 & '6 ; +( ; 0 +' 2 3

& ' 6 & 2 1 '( 1 6$ 7 (,1- ( & 7 ,2 1) $ 8 /775 ( ( : ) : ' 5 $,1 3 8 0 3 $ 9 $ ,/$ %/  3 D JH

Figure 2. Fault Tree for Condensate Injection.

24

LER 374/01-003

) $,/ 8 5( 2) 7+(

& 21'(16$ 7( 6<6 7( 0

& '6 30 36

& 21'( 16 $7 (38 0 36 78 5 % ,1( %8 ,/ ',1* 3( 5& ( 17 2 )/ 20) :

)( (': $7( 5 5 ( *8 / $7,1* &2 1'( 1 6$ 7(3 80 36

$% &'& 20 02 1 &/ 26 ('& 22/ ,1* '8 (72 ) $,/ 8 5 (2) 9 $/ 9( ) $,/ 6 7 2 )$,/

& $ 86 ()$ ,/ 7 2 ) 8 1& 7,2 1  : $7( 56 <6 7(0 &2 1'( 16$7 (

581 ) $,/ 6

(  ( 



& '6 0 '3 & ) 5 8 1 0 ) : $2 9) & ) 5 9 & '6 3 03 6 7% & & '6 30 36 

/ 266 2) 0 $,1 3( 5& ( 1 72)/ 20 ):

5 8 11,1* 38 03 6 7$1'% <& 21' (1 6$ 7(

38 0 36 ) $,/ 72 ) ( (': $7( 5 ) /$ * '8 ( 72) $ ,/8 5 (2 )

) $ ,/6

& 21'(16$ 7(

6 7$5 7

) $/ 6 ( (

& '63 03 6  & '6 30 36  / 20 ) : & '6 /2 0): 1 2 &'6

& 21 '(1 6$ 7( 7 5$ ,16 & 21 '( 16 $7( 75 $,16

& 21'(16$ 7( 0 '3 ',9,6,2 1,$ & 3 80 3 6) $ ,/72

% & '',6& +  % & '& 20 0 21

$ ) $,/ 672 58 1 3 2: (5 )$,/ 6 67$ 5 75 81

& .96 ) $ ,/ 72 & $8 6( ) $,/ 72 23 (1 67 $5 7

(  (  (



& '6 0 '3) 5  $ ' ,9  $& & '6& . 9& ) 3',6 & '6 0'3 & ) 6 7$5 7 & '63 03 6 

& 2 1'( 16 $7 (38 0 3 &2 1'( 1 6$ 7(3 80 3 & 2 1'( 16 $7 (38 0 3

%) $ ,/8 5 (6 & ) $,/ 8 5( 6 ') $,/ 8 5( 6

  

& '6 0'3 % & '60 '3& & '6 0'3 '

& ' 6 3 0 3 6 /$ 6 $/ /( & 2 1' ( 16 $ 7( 38 0 3 6 $ 5 ( 8 1$ 9 $ ,/$ % /(  3 D JH

Figure 3. Fault Tree for Condensate Pumps.

25

) $,/ 85(  2 )0 $,1

) ( ( ': $ 7( 5 3 & 6 0 ):

/2 0) : ) /$

• 2 3 ( 5$ 7 25) $,/ 6 ) $ ,/ 85( 2 )7 +( 23 ( 5 $ 72 5) $,/6 ) ( ( ': $7 ( 5,1 - ( &7 ,2 1

) $ ,/ 85( 2) 7+ ( ) ( ( ': $7 ( 5 3 803 6 ) $ ,/85 ( 2 ) 0) :

72 6 7 $57 & 2 1752 / & 21 '( 16 $ 7 (  %22 6 7( 5 7 20$ ,1 7$,1 +2 7: ( / / &2 1'( 1 6 $ 7( 6 <6 7( 0 $ 5 ( 8 1$ 9 $,/ $% /( 6 83 3 2 576 <6 7( 06 ) /2 : 3 $ 7+6 $5(

+3 ,1- ( &7 ,2 1 6 <67( 0 / ( 9(/ 8 1$9 $ ,/ $ %/(

) $ /6 ( (      

/2 0) : 2 3 5; +( ;( + 3 ,1- & '6 % 3 0 3 6 &' 6 +: & '6 3 03 6 0): 3 03 6 3 & 6 0) :  0): ) 3

)$,/85 ( 2 ) '&

/$ 6 $ / /( ,1 6 75 80( 17 3 /$1 7 6 ( 59,&(

3 2 : ( 5 72 7+(

$ ,56 <6 7 ( 0)$ 8 /7  : $ 7( 5 6 <6 7 ( 0

) ( ( ': $7 ( 55(

• 75 ( ( ) $ ,/ 6 9$ / 9(

 

,$ 6 3 & 6 0) :  3 6:

) $ ,/ 85(  720$ 18 $//<

' ,9 ,6 ,2 1 , '&

&2 17 52 /) 59 *,9 ( 1 3 2 : ( 5) $,/6

$ / 26 6 2 )$ 87 2

& 2 17 52 /

758(



0): ; + ( ; ( ) 59 ',9 '&

3& 6 0 ) : /$ 6 $ //( ) $ ,/ 85 ( 2 ) 0 $ ,1 ) ( (' : $ 7( 5 ) $8 /7 7 5 ( (  3 D JH

Figure 4. Fault Tree for Main Feedwater.

26

DIVISION I AC POWER FAILS FOR SMALL EQUIPMENT DIV-1-AC-LOW 4160 V BUS 142 HARDWARE DIVISION 1 AC SUPPLIES FAILURES FOR SMALL UNAVAILABLE EQUIPMENT 9.0E-5 ACP-BAC-LP-DILOW DIV-1-AC-1LOW OPERATOR FAILS TO DIESEL GENERATOR RESTORE POWER TO 0 FAULTS 241Y BUS 1.0E-1 28 OPR-XHE-XE-DILOW DG0 DIV-1-AC-LOW - LASALLE DIVISION I AC POWER SYSTEM FAULT TREE 2004/02/25 Page 43 Figure 5. Fault Tree for Division 1 AC Power Small Equipment 27

5 & ,&  ) $ /

, 6 7 2 3 5 2 9,'(  6 8 ) ),&,( 1 7

) / 2: 7  2 5  ( $ & 7 25 5 &,

23 ( 5 $ 7 25 ) $,/ 6 5& ,& ,1 -( & 7 5 & ,&  & . 9  )  5 & ,&  3 8 03  7 5$ , 1 68 33 2 5 7 6 < 6 7 ( 06 7 2 6 7 $5 7 & 21 7 5 2/ & . 9  )   ) $ ,

/ 6

)$ ,/ 6 7 2 23 ( 1 6 8 1 $ 9 $ /

, , $ %/ ( )$,/

5& ,& ,1- ( & 7 , 2 1 7 2 2 3 ( 1

 (  (  

 ( 

5 &,; + ( ;2 ( 55 25 5 & ,&. 9 & & )   5&, & .9 & &)   5 & , 5& ,

5& , &  ,1 -( & 7 ,21 5& ,&  3 8 03  7 5 $, 1 5&, & ) $ ,/6  7 2   9 ' &  3 2: ( 5 6 83 3 257  ) $ / , 8 5( 6 5( 6 7 $5 7  2)  5 & , & 5& &

,  3 803  ) $ ,

/ 6 5&&, 3 8 0 3 )  $ ,/6 68 33 2 5 7 ) $ ,/8 5 ( 6 0 29    )$ ,/6

) $ ,/85 (

6  81 $ 9 $

, ,/ $% / ( )$,/ 6 ,

)  5 ( 48 ,5( ' 7 5 $1 6 ) ( 5 '  851 ,

• 7 2 5 8 1 72  67 $ 5 7 ' 8 5,1 * 1 21  / 223 '8 5 ,1 *  /2 23  ( 9( 17 6 7 2 2 3( 1  & $ 8 6 ,1 *

% ( & $ 8 6 ( 2 ) 0$ ,1 7 ( 1 $ 1 & ( 5( & ,5 & 8 / $7,21 ( 9( 1 76

) $,/ 8 5 (  7 2 6 7 $5 7

 (    (  



5& , 7 ' 3 7 0 7 5 $,1 5&,  5 &, 0 29 & & , 1 - ( &7 5 & , 5& ,  5 &, '& 3   9 /2 : 5& , 5& ,

5& ,& ) $ ,/ 6 7 2 5 & ,&  :$ 7 ( 5 6 83 3 /,( 6 5 ( 6 7 $ 5 7  2) 5  &, & 23 ( 5 $ 7 25  )$ ,/6 5 & ,&  )$ ,/6  7 2 2 3( 5 $ 7 25 )  $,/ 6 5 & ,&  3 8 03  ) $, / 6 23 ( 5$ 7 25 ) $ ,/ 6 5&&, 3 8 0 3 )  $ ,/6 23 ( 5 $ 7 25  ) $ , / 6 12 1/ 223  ,1 ,7,$ 7 256 / 26 6  2) 2

 )) 6 ,7 ( ',

9 ,6 ,2 1,  ' &

5( 6 7$57 *  , 9 (1 7 2 5( & 29 ( 5  5 & , & 7 5 $ 1 6 ) ( 5  ' 8 5,1

• 7 2 5 ( & 2 9( 5  5 & ,& 7 2 5 8 1 *,9 ( 1 7 2 5 ( & 29 ( 5  5& ,& 7 2 5 ( & 29 ( 5  5 & ,&

$5 ( 8 1 $ 9 $ /

, $ % /( ,6 5 ( 4 8 ,5( ' 72  67 $ 5 7 3 2: ( 5 3 2: ( 5  ) $ ,/ 6 67 $57$  1 '  6 + 25 77 ( 5 0

) $ ,/85 (  7 2 5 ( 6 7 $ 5 7 5 (& , 5 &8 / $ 7 2 , 1 ) $,/ 85 (  7 2 7 5 $16 )( 5 7 + $ 7 ,7  6 7 $5 7 ( ' ) $,/ 85 (  7 2 5 8 1 ) $,/ 8 5( 7  2 6  7 $5 7 581

 (   (   (   (   (   (   (   (   ( ) $ /6 (



5& , 5 & ,5 ( 6 7 $5 7 5&, 7 '3 ) 6 56 7 5 7 5& ,; +( ;  / 5 6 7 5 7 5 &,02 9) &; ) ( 5 5 &, ; +( ; / ;

 ) (5 5&, 7 ' 3 ) 5 7 5$ 1 , 5 &,; + ( ;/ 5 8 1 5 &,

 7 '3  ) 6 7 5 $ 1, 5& ,; +( ;/ 6 7 $5 7 5 &, /2 23 '

• 1 ' ,9 '&

68 33 5 ( 6 6 ,21 1 $ ' 9 ( 5 7 ( 17

, / 26 6  2) & 2 1 '( 1 6 ( 5 / 26 6  2) 9  ,7 $/ + 28 6 (  ( 9( 1 7 / 26 6  2) ) ( ( ' : $ 7( 5 / 26 6  2)  6( 5 9 ,& ( * ( 1( 5 $ / 7

 5 $ 1 6 ,( 17 ' ,9,6 ,21 ,' &

& 2 1 ' ( 16 $7 (  6 7 25 $* ( 6 0$ / / / 2& $ ,1 ,7 ,$ 7 ,1

• 1 ' ,& $ 7 1

, , * $ 3 2 :( 5  ) $ /, 6 7 $ 1.  ) $,/ 6 3 22/  6 8 & 7 2

, 1 23 ( 1  5 ( /,( ) 9 $ /9 ( + ( $7 6 ,1 .  1

, ,7 ,$7 ,1 * '&  % 8 6  ,1,7 ,$7 ,1* ,1 ,7 ,

$ 7 ,1 * ( 9( 17  : $ 7 (5 ,1 ,7 , $ 7 ,1 * ( 9( 17  +$ 6  2& & 85 5 ( ' ,1, 7 ,$7,1 *  ( 9 ( 1 7

/2 6 6 2)  ,1 6 7 5 8 0( 1 7

) $,/ 6 , 25 9  +$ 6 2  & & 85 5 ( ' ( 9 ( 17  +$6  2& & 85 5 ( ' ( 9( 1 7  + $ 6  2& &8 5 5 ( ' + $ 6  2&& 8 5 5( ' ( 9 ( 1 7  + $ 6 2& & 8 5 5( ' +$ 6 2& & 85 5 ( '

$ ,5  1

, ,7 ,$7 25

 ( 

 )$ / 6( ) $ /6 ( )$ / 6 ( ) $ / 6( )$ / 6( ) $ /6 ( )$ / 6( ) $ /6 ( 

& ' 6 7 1. + : & 6 7 5 & , ,25 9 / 2&+ 6 / 2' & % / 2,$ /20 ) : / 26 : 6 6/ 2& $ 7 5$ 1 ' ,9 ' & / 2:

( && 6 6  83 3 5 ( 6 6 ,21 6 3  6 8 & 7 ,21 9$ / 9 ( & 6 7  ,62 /$ 7 ,21 5 & ,& 6 83 3 5 ( 6 6 ,21 3 22/  6 7 5$,1 ( 56

)   ) $, / 6 7 2 029    ) $,/ 6 3 22 / 6 7 5 $ 1 , (5

)$ ,/ ) 5 20  & 200 21 23 ( 1 7 2 & /2 6( 3/ 8*6

&$8 6 (

 (   (   (   ( 

5 &,  & . 9 && )   5& ,029 22  5& , 6 7 5 3 * 5 & ,& 5 + 5 6 7 5 &) 6 3 22/

5& ,/ $ 6$ / /( 5 & ,& ) $ 8/ 775 ((  3 D JH

Figure 6. Fault Tree for reactor core isolation cooling (RCI) 28

5 & ,& )$ ,/ 6 72 3 5 2 9 ,'( 6 8 ) ) ,& ,( 1 7

) / 2 :72 5( $ & 72 5 5 & ,

2 3 ( 5 $ 72 5 ) $,/6 72 5 & ,& ) $ ,/ 6 72 5 (& 2 9 ( 5 0 ) :0 ' 3 3 5 2 9 ,'( 6 8 )) ,& ,( 1 7

) / 2 :72 5 ( $ & 72 5

(  

0 ) :; + ( 0 ' 3 5&,

5& ,/$ 6 $ //( 5& ,& ) $ 8 /775 ( (  3 D JH

Figure 7. Fault Tree for reactor core isolation cooling (with main feedwater recovery) (RCI1) 29

' ,9 ,6 ,2 1 ,' &

3 2 : ( 5 ) $ ,/ 6

' ,9 ' & / 2 :

) $ ,/ 8 5 ( 2 ) ' ,9 ,6 ,2 1 ) $ ,/ 8 5 ( 2 ) ' ,9 ,6 ,2 1

, 9 ' & % 8 6 ,% $ 7 7( 5 <

$

 ( 

' & 3 % ' & / 3  $ ' ,9 ' & 

& & ) 2 )   9 ' & ) $ ,/ 8 5 ( 2 ) ' ,9 ,6 ,2 1

% $ 7 7( 5 < 6   , 9 ' & % $ 77 ( 5 <

 (   ( 

' & 3 % $ 7& ) $ / / ' & 3 % $ 7/ 3 $

',9 ' & /2 : /$ 6 $ //( ',9 ,6,21 ,9 '& 32 : ( 5 ,6 8 1 $9 $ ,/$ % /( ) 2 5 5 & ,  3 D JH

Figure 8. Fault Tree for Division I 125 volt dc power is unavailable for RCIC.

30

250V DC POWER FAILURE DCP-250V-LOW 250V DC BUS LOSS OF POWER 121Y FAILS TO 250V DC BUS 1

9.0E-5 DCP-BDC-LP-121Y DCP-250V-1 250V BATTERY NORMAL POWER 1 FAILS TO 250V DC BUS 1 UNAVAILABLE 0.0E+0 DCP-BAT-LP-250V DCP-250V-2 250V DC BATTERY LOSS OF OFFSITE DIVISION I AC CHARGER 1 FAILS POWER TO DIVSION POWER FAILS I

0.0E+0 FALSE 43 DCP-BCH-FC-250V LOOP-I DIV-1-AC-LOW DCP-250V-LOW - LASALLE 250 VOLT DC POWER UNAVAILABLE FOR RCI 2004/01/28 Page 21 Figure 9. Fault Tree for 250V DC Power for RCIC .

31

& 2 1 7$,1 0( 17 68 3 35 ( 66 ,2 1 3 2 2 / 9 (1 7,1 *

& 96 9( 1 79$ / 9( 6 2 3( 5 $72 5 ) $,/ 6 9( 1 73$ 7+ 6 $5 ( )$ ,/8 5( 2 ),1 6 75 80( 1 7

& 2 00 2 1 &$ 86 ( 72 9( 1 7& 2 1 7$,1 0(1 7 8 1 $9 $,/ $% / ( $ ,5 72 9( 1 79$ / 9( 6

)$,/  72 2 3 (1

(  ( 

& 96 02 9 & )9 /96 &9 6 ;+ ( ;( 9( 1 7 & 96  &9 6 

&2 1 7$ ,1 0(1 7

& 2 1 7$ ,10( 1 7 ) $,/ 8 5( 2 7 5( & 2 9( 5 / $6 $/ / ( ,1 675 8 0(1 7 63 5$ < +( $' (5 8 33 ( 53 2 2 / 9 (1 7 $,5 6< 6 7(0 )$8 / 7

,1 6 758 0 ( 1 7$,5 9( 17 3$ 7+ ,6 3$ 7+ ,68 1 $9 $,/ $% / ( 75( (

8 1$ 9$,/ $%/ (



& 9 6 & 96  & 96  ,$ 6

' ,9,6 ,2 1 ,$& 3 2 :( 5 ',9 ,6,2 1 ,$ &3 2 : (5

' 5 <: (/ / 9( 17 ' 5< : (/ / 9( 17 ' ,9,6,2 1 ,,  : (7 :( / / 9 (1 7  :( 7: (// 9( 17 ' ,9,6 ,2 1 ,, 2 3( 5 $72 5 ) $,/ 6 / 2 66 2 )2 ) )6 ,7(

)$ ,/ 6) 2 5 60$ / / ) $,/ 6 )2 5 6 0$/ /

9$ / 9( ) $,/6 9$ / 9( )$ ,/ 6 $ & 32 : (5 ) $,/ 6 9 $/9 ( )$,/ 6 9$ / 9( )$ ,/ 6 $& 3 2 :( 5 )$,/ 6 72 5 ( &2 9 (5 $ ,5 3 2 : (5 72 2 3 (1 7 2 2 3( 1 ( 4 8 ,30( 17 72 2 3( 1 7 2 2 3( 1 (4 8 ,3 0(1 7 ) 2 59 (1 7,1 *

 ( (  (  (  (  ) $/6 (

    

& 9 602 9& & ' :9  & 96 0 2 9 && ' : 9 ' ,9 $& / 2 : ' ,9 $ & & 96 02 9 && : : 9 & 96 02 9 & & :: 9 ',9 $ & / 2 : ' ,9 $& & 96 ; +( ;( 5 ( & /2 2 3

& 9 6 /$ 6 $ //( 6 83 5 (6 6 ,21 3 2 2/9 ( 17 6 < 6 7( 0 ) $8 /7 7 5( (  3 D JH

Figure 10. Fault Tree for Containment Venting.

32

' ,( 6 ( /* ( 1( 5$ 72 5

)$ 8 /7 6

'* 

' ,( 6 ( /* ( 1( 5$7 2 5 && ) 2)  $//) 28 5 & & )2) ',( 6 ( / && )2) )2 85 & &) 2)  ',( 6 ( / )$ ,/85 ( 6 2 ) 6 7 $1' % <& 2 2 /,1 *

 ( /( & 75,& $/ ',( 6 ( /*( 1 ( 5$7 25 6 * ( 1( 5 $72 56 7 2 ',( 6 ( /*( 1 ( 5$7 25 6 * ( 1( 5$ 72 56 72 ',( 6 ( /*( 1( 5 $ 72 5  : $ 7( 5 / 22 3  72

) $ 8/7 6 72 6 7$5 7 6 7$ 5 7 72581 581  '* ) $,/6

  (  (   (    (  

'*  ( 3 6 '* 1&) 6  ( 3 6 ' *1 & ) 6  ( 3 6 '* 1&) 5 ( 3 6 '* 1& )5  '*  '* 16 & : 

' ,( 6 ( / * ( 1( 5$ 7 2 5

& & ) 2 )  9 '& )$ ,/85 ( 2 ) ' ,9,6 ,2 1 ) $ ,/8 5( 2) ',9 ,6 ,2 1 ',( 6 ( /*( 1 ( 5$ 725 ',( 6 ( /*( 1 ( 5$7 25 2 3 ( 5$7 25 ) $ ,/6

81$ 9 $,/$% / (

%$ 7 7( 5<6   , 9 ' & % $ 77( 5< , 9 ' & % 86  ) $,/ 6 72 5 81 ) $ ,/ 6 726 7$ 57 72 5( 6 7 25 ( ' *

'8( 7 27 ( 6 7$ 1'

$ $)7 ( 5 0$,1 7( 1 $ 1& (

0$,17 ( 1$ 1&(

  (  (  (  (    (    (   ( 

'& 3 %$ 7& ) $// '& 3 % $ 7/ 3 $ '&3 % '& /3 $ ( 3 6 '* 1)5 '*  ( 3 6 '* 1) 6 '*  ( 3 6 '* 17 0'*  ( 3 6 ' *1 ;5'* 

'* /$ 6 $ //( ' ,( 6 ( /* ( 1 (5 $ 725 ) $ 8/ 775 ( (  3 D JH

Figure 11. Fault Tree for Diesel Generator 0 (zero).

33

67$1 ' %<& 22 / ,1*

$7(5 / 22 372

'* ) $,/ 6

'* 16& :

&& ) 2)   6&:

6&: 0' 372 ' *  && ) 2 ) $// 6 &: & &)  2) 6 &: 0' 36 & &)  2) 6 &: 0' 36 & & ) 2)  $// 6& : 6& : 0' 372 ' * & &)  2) $/ / ' *& : 3 6&:  72 '*  0'3 D QG  36: 675 $,1( 56

' ,6& +$5 *( &. 9 0'3 ',6 &+ $5* ( 72 5 81 72 67 $57 67 5$,1 (56 '8 ( ) $,/ 85 (6 6& : 675 $,1(5 6 ' ,6& +$5 *( 675 $,1( 5

' 8( 72 3/ 8* * ,1*

) $,/ 672 2 3(1 &. 9672 2 3(1 72 3/ 8 ** ,1 * '8 (72 3/ 8 ** ,1

• 3/ 8* 6

) 5 20 36$

( ( ( (  (  (  (  (

6& : & .9 && ' * 6& : & .9& )  $// 6& :0'3 & )5 81 6& : 0'3 & ) 67 57 6& :675 & ) $/ / '* 16& :  6 &: 6 75&) $/ / 6&: 675 & ) ' *& : 3 6& : 67 5 3* ' *

67$1 '%< &2 2 /,1

• 6 7$1' %<& 2 2/ ,1

• 6&: 0' 372 ' * 

$7(5 0'3 72  : $7( 50' 372 8 1$9$,/ $%/ ( '8 (

' *  ) $,/6 72 ' *) $,/ 6 72 72 7(6 7$1' 0$,1 7(1 $1& (

5 81 6 7$57

( (  ( 

6& : 0' 3) 5'*  6& :0' 3) 6' * 6&: 0'370'* 

'* 16 & :  /$ 6 $ //( 6 7$ 1' % <& 2 2 / ,1* : $7 (5 ) $ ,/ 6 7 2 '*   3 D JH

Figure 12. Fault Tree for Standby Cooling Water 34