ML20113E936

Final ASP Analysis - Millstone 2 (LER 336-01-005)
Site: Millstone (Dominion)
Issue date: 05/12/2020
From: Christopher Hunter
NRC/RES/DRA/PRB
To:
Hunter C (301) 415-1394
References
LER 336-01-005


Text

Final Precursor Analysis
Accident Sequence Precursor Program --- Office of Nuclear Regulatory Research

Millstone Unit 2
Failure of the turbine-driven auxiliary feedwater pump during a routine surveillance test
Event Date: 08/23/2000
LER: 336/01-005
ΔCDP = 2×10⁻⁶
July 14, 2003

Condition Summary

On August 23, 2000, during a routine surveillance test, while raising the turbine-driven auxiliary feedwater (TDAFW) pump speed from approximately 1400 rpm to its rated speed of 4400 rpm, the control room noted that the turbine speed would at times not respond to motion of the speed control switch and at other times rise in spurts. Also during the start, a senior reactor operator in the pump room noted that at times the speed control servo motor was turning without any corresponding motion of the turbine governor steam valve. Engineering personnel and the Shift Manager evaluated the condition and concluded that the observed governor valve response was consistent with expected response in that, at certain points, substantial motion of the speed control servo motor is necessary to cause a perceptible change in governor steam valve position.

The next operation of the TDAFW pump was a regularly scheduled surveillance test performed on September 20, 2000. During the test, the turbine was started and warmed at its minimum operating speed of approximately 1400 rpm. Following the warm-up, control room operators were unable to increase turbine speed above its starting speed through operation of the TDAFW pump speed control switch. The discharge pressure of the pump at that speed was less than 200 psig, which was insufficient pressure for the pump to provide feedwater to the steam generators. (References 1, 2, and 3)

Concurrent with this condition, the C High Pressure Safety Injection pump had a low oil level from July 6 to August 3, 2000. Information from the pump vendor indicated that the as-found oil level would have allowed the pump to operate for an estimated 30 hours before failure. Because this time to failure exceeds the modeled mission time for high pressure safety injection of 24 hours, this additional condition was not included in the condition assessment. (Reference 4)

Cause. Following the surveillance test failure, the licensee disassembled the speed control servo motor and the associated coupling. The mechanic performing the disassembly found the self-locking nut loose and the outward bend in the clutch spring sheared off. The spring in the coupling that joined the servo motor to the turbine governor provides remote operation of the governor. The cause of the spring failure has not been conclusively established.

Condition duration. The licensee contracted with a third party to perform a failure analysis of the TDAFW pump governor spring. The report concluded that the spring failed while the governor speed control was moving in the decreasing direction (i.e., return to standby condition). This would indicate that the TDAFW pump had been inoperable from August 23, 2000, until it was restored to service on September 20, 2000. The licensee determined that the actual unavailable time was 29 days, 7.25 hours (Reference 5).

Recovery opportunity. Because of the lack of engagement between the manual speed control knob and the governor shaft, the servo motor could not turn the governor shaft. Reference 2 concluded that this failure mechanism would not readily allow recovery of the pump by local manipulation of the speed control knob.

Analysis Results

Importance (see footnote 1)

The risk significance of the TDAFW pump being unavailable is determined by subtracting the nominal core damage probability from the conditional core damage probability:

    Conditional core damage probability (CCDP) =   2.2×10⁻⁶
    Nominal core damage probability (CDP)      = - 4.3×10⁻⁷
    Importance (ΔCDP = CCDP - CDP)             =   1.8×10⁻⁶

The estimated importance (CCDP - CDP) for the condition was 1.8×10⁻⁶. This is an increase of 1.8×10⁻⁶ over the nominal CDP for the ~703-hour period when the TDAFW pump was not available.

The Accident Sequence Precursor Program acceptance threshold is an importance (ΔCDP) of 1×10⁻⁶.

Dominant sequence

The dominant core damage sequence for this condition is a station blackout sequence (Sequence 23-28). The events and important component failures in this sequence (shown in Sequence 23, Figure 1, and Sequence 28, Figure 2) include:

- a loss of offsite power initiating event,

- successful reactor trip,

- failure of the emergency power system due to independent and common cause failures of the emergency diesel generators,

- failure of the auxiliary feedwater system, and

- failure to recover offsite power in the short term (1-hour).

Results tables

- The conditional probability of the dominant sequence is shown in Table 1.

- The event tree sequence logic for the dominant sequence is provided in Table 2a.

- The conditional cut sets for the dominant sequence are provided in Table 3.

Footnote 1: Since this condition did not involve an actual initiating event, the parameter of interest is the measure of the incremental increase between the conditional probability for the period in which the condition existed and the nominal probability for the same period but with the condition nonexistent and plant equipment available. This incremental increase or importance is determined by subtracting the CDP from the CCDP. This measure is used to assess the risk significance of hardware unavailabilities especially for those cases where the nominal CDP is high with respect to the incremental increase of the conditional probability caused by the hardware unavailability.

Modeling Assumptions

Assessment summary

This event was modeled as an at-power condition assessment with the TDAFW pump unavailable for 703.25 hours. The Rev. 2QA of the Millstone Simplified Plant Analysis Risk (SPAR) model (Reference 6) was used for this assessment. The SPAR Rev. 2QA model includes event trees for transients (including loss of feedwater and a transfer tree for anticipated transient without scram), loss of offsite power (including a transfer tree for station blackout), small loss-of-coolant accident, and steam generator tube rupture. These event trees were used in the analysis. The discussion below provides the bases for significant changes to the model.

In addition, this condition was analyzed using the SPAR Rev. 3i model (Reference 7). The Rev. 3i model includes development of initiating events not included in the Rev. 2QA model, as well as modeling of the effect of failure of various support systems on important safety systems. The results of this analysis showed the dominant sequence to involve a loss of dc bus sequence and to have an importance of 5.6E-6. (Note: The Rev. 3i model has not been approved for use by the NRC; therefore, significant changes to the model [e.g., event trees, fault trees, component failure data, human error probabilities] could occur in the approval process.) The events and important component failures in this sequence are:

- a loss of dc bus initiating event,

- successful reactor trip,

- failure of the auxiliary feedwater system, and

- failure of the bleed portion of feed and bleed cooling.

Failure of a dc bus was added to the 3i model as an initiating event to include various support systems. This sequence becomes dominant in the Rev. 3i model due to the need for AFW.

The sequence that is dominant in the Rev. 2QA model (Sequence 23-28) is of lesser importance in the Rev. 3i model because the model credits a station blackout diesel that is not included in the Rev. 2QA model. The Rev. 2QA model was modified to include the station blackout diesel as described under Model Update.

We agree with the results of the Rev. 3i model. However, the Rev. 2QA models will continue to be used until the Rev. 3i models have been approved by the NRC for use.

Therefore, the results presented in this report reflect the Rev. 2QA model results, and our estimate of the importance of this condition is 1.8E-6.

Basic event probability changes

Table 4 provides the basic events that were modified to reflect the event condition being analyzed. The bases for these changes are as follows:

- Probability of failure of the TDAFW pump (AFW-TDP-FC-TDP). The probability that the pump would fail to start was set to TRUE (failure probability of 1.0) to reflect the failure of the train to provide flow.

- Nonrecovery probabilities for the auxiliary feedwater system. Based on the failure cause (speed control mechanism), the TDAFW pump was not considered recoverable within the time period available for a station blackout event (dominant sequence). The sequence nonrecovery probabilities for the dominant sequences were modified to account for the nonrecovery of the AFW system during a station blackout (see Table 5).


- Other changes of sequence nonrecovery probabilities. The generic sequence nonrecovery probabilities from the SPAR model were reviewed and modified, as necessary, to appropriately reflect the minimum cut sets of the important dominant sequences. Table 4 shows the sequence nonrecovery probabilities for the dominant sequences. Table 5 provides the bases for those probabilities.

Model update

The SPAR model for Millstone 2 was updated to account for:

- updates of system/component failure probabilities and initiating event frequencies based on recent operating experience,

- changes in the probability of failing to recover offsite power in the short term to account for estimated core uncovery times for station blackout sequences (Reference 8),

- changes in the reactor coolant pump seal loss-of-coolant accident model (Reference 9), and

- changes in the EPS-DGA and EPS-DGB fault trees to include modeling of the station blackout diesel (see Figures 3 and 4).

Bases for these updates are described in the footnotes to Table 4.

References

1. LER 336/01-005, Turbine Driven Auxiliary Feedwater Pump Inoperable Without Meeting Action Statement Requirements, August 23, 2001 (ADAMS Accession No. ML012050371).
2. NRC Inspection Report 50-336/2000-011, 50-423/2000-011, October 30, 2000 (ADAMS Accession No. ML003764492).
3. EA-00-236, Final Significance Determination for a White Finding and Notice of Violation at Millstone 2, NRC Inspection Report No. 05000336/2000-011, December 6, 2000 (ADAMS Accession No. ML003774806).
4. NRC Inspection Report 50-336/2001-003, March 19, 2001 (ADAMS Accession No. ML010790130).
5. 50-336, B18477, Comments on the Nuclear Regulatory Commission Preliminary Accident Sequence Precursor Analysis, Millstone Power Station, Unit 2, August 31, 2001 (ADAMS Accession No. ML012490043).
6. M. B. Sattison, et al., Simplified Plant Analysis Risk Model for Millstone Unit 2 (ASP PWR G), Revision 2QA, Idaho National Engineering and Environmental Laboratory, Idaho Falls, ID, December 1997.
7. James K. Knudsen, Standardized Plant Analysis Risk Model for Millstone Unit 2 (ASP PWR G), Revision 3i (Interim), Idaho National Engineering and Environmental Laboratory, Idaho Falls, ID, September 2000.
8. P. W. Baranowsky, Evaluation of Station Blackout Accidents at Nuclear Power Plants, NUREG-1032, U.S. Nuclear Regulatory Commission, Washington, DC, June 1988.
9. R. G. Neve, et al., Cost/Benefit Analysis for Generic Issue 23: Reactor Coolant Pump Seal Failure, NUREG/CR-5167, U.S. Nuclear Regulatory Commission, Washington, DC, April 1991.
10. Memorandum from Ashok C. Thadani to William D. Travers, Closeout of Generic Safety Issue 23: Reactor Coolant Pump Seal Failure, U.S. Nuclear Regulatory Commission, Washington, DC, November 8, 1999.
11. F. M. Marshall, et al., Common-Cause Failure Parameter Estimations, NUREG/CR-5497, U.S. Nuclear Regulatory Commission, Washington, DC, October 1998.
12. G. M. Grant, et al., Reliability Study: Emergency Diesel Generator Power System, 1987-1993, NUREG/CR-5500, Vol. 5, U.S. Nuclear Regulatory Commission, Washington, DC, September 1999.
13. J. P. Poloski, et al., Rates of Initiating Events at U.S. Nuclear Power Plants: 1987-1995, NUREG/CR-5750, U.S. Nuclear Regulatory Commission, Washington, DC, February 1999.
14. C. L. Atwood, et al., Evaluation of Loss of Offsite Power Events at Nuclear Power Plants: 1980-1996, NUREG/CR-5496, U.S. Nuclear Regulatory Commission, Washington, DC, November 1998.

Table 1. Conditional probabilities associated with the highest probability sequences (note 1)

| Event tree name | Sequence no. | Conditional core damage probability (CCDP) | Core damage probability (CDP) | Importance (CCDP - CDP) (note 3) |
|---|---|---|---|---|
| LOOP | 23-28 | 1.4E-006 | 2.3E-008 | |
| Total (all sequences) (note 2) | | 2.2E-006 | 4.3E-007 | 1.8E-006 |

Notes:

1. (File name: GEM 336-01-005 11-19-2001 143823.WPD)
2. Total CCDP and CDP includes all sequences (including those not shown in this table).
3. Importance is calculated using the total CCDP and total CDP from all sequences. Sequence level importance measures are not additive.

Table 2a. Event tree sequence logic for dominant sequence

| Event tree name | Sequence no. | Logic (/ denotes success; see Table 2b for top event names) |
|---|---|---|
| LOOP | 23-28 | /RT-L, EP, AFW-L, ACP-ST |

Table 2b. Definitions of fault trees listed in Table 2a (note 1)

| Fault tree | Definition |
|---|---|
| ACP-ST | OFFSITE POWER RECOVERY IN SHORT TERM |
| AFW-L | NO OR INSUFFICIENT AUXILIARY/EMERGENCY FEEDWATER FLOW |
| EP | EMERGENCY POWER SYSTEM FAILS |
| RT-L | REACTOR FAILS TO TRIP DURING LOSS OF OFFSITE POWER |

Note:

1. Modifications to other fault trees not listed in this table were made in accordance with guidance provided in Reference 10. The SPAR model was modified to replace the existing reactor coolant pump seal loss of coolant accident (LOCA) model with the Rhodes Model (Reference 9). In order to replace the reactor coolant pump seal LOCA model without modifying the station blackout event tree, top event OP-SL was set to False (basic event OEP-XHE-NOREC-SL). To account for offsite power recovery, the nonrecovery probabilities for offsite power AND emergency diesel generators (EDGs) were added to the sequence-specific nonrecovery probabilities for the reactor coolant pump seal LOCA sequences in the station blackout event tree (see Table 5). Based on the Rhodes Model, the time available to prevent core damage by high-pressure injection if reactor coolant pump seals fail is 4 hours. Therefore, the nonrecovery probabilities for EDGs and offsite power were modified to reflect the 4-hour recovery time to avert core damage (see Table 5). Finally, Event Tree Linking Rule Nos. 4 and 5 (Reference 6, Table 2-1), which are triggered by the success of top event OP-SL, were negated by substituting fault tree HPI for HPI-L in LOOP Sequences 23-11 and 23-23 and HPR for HPR-L in LOOP Sequences 23-06, 23-09, 23-18, and 23-21. High temperature seals were assumed to be installed on all reactor coolant pumps.

Table 3. Conditional cut sets for Sequence 23-28

Event Tree: LOOP, Sequence 23-28

| CCDP | Percent contribution | Minimal cut sets (note 1) |
|---|---|---|
| 8.4E-007 | 59.0 | EPS-DGN-CF-AB, OEP-XHE-NOREC-ST, LOOP-23-28-NREC |
| 3.7E-007 | 25.9 | EPS-DGN-FC-DGA, EPS-DGN-FC-DGB, EPS-DGN-FC-SBO, OEP-XHE-NOREC-ST, LOOP-23-28-NREC |
| 2.1E-007 | 15.0 | EPS-DGN-FC-DGA, EPS-DGN-FC-DGB, OEP-XHE-NOREC-ST, SBO-DGN-XFER-DIVAB, LOOP-23-28-NREC |
| 1.4E-006 | | Total (note 2) |

Notes:

1. See Table 4 for definitions and probabilities for the basic events.
2. Total CCDP includes all cut sets (including those not shown in this table).
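
The Table 3 values can be reproduced from the basic-event probabilities in Table 4. The sketch below is an added example, not part of the NRC analysis or of the SPAR/GEM software; it assumes each cut set's contribution is the IE-LOOP frequency times the 703.25-hour condition duration times the product of its basic-event probabilities, and it takes SBO-DGN-XFER-DIVAB = 4.0E-2 from Figure 3.

```python
from math import prod

# Inputs transcribed from the page (Table 4; SBO-DGN-XFER-DIVAB from Figure 3).
CONDITION_HOURS = 703.25        # TDAFW pump unavailable time
IE_LOOP_PER_HOUR = 9.9e-6       # IE-LOOP initiating event frequency
BASIC_EVENTS = {
    "AFW-TDP-FC-TDP": 1.0,      # TRUE: pump failed for the whole condition
    "EPS-DGN-CF-AB": 7.5e-4,
    "EPS-DGN-FC-DGA": 6.9e-2,
    "EPS-DGN-FC-DGB": 6.9e-2,
    "EPS-DGN-FC-SBO": 6.9e-2,
    "SBO-DGN-XFER-DIVAB": 4.0e-2,
    "OEP-XHE-NOREC-ST": 2.0e-1,
    "LOOP-23-28-NREC": 8.0e-1,
}

# Minimal cut sets for LOOP Sequence 23-28, as listed in Table 3.
CUT_SETS_23_28 = [
    ("EPS-DGN-CF-AB", "OEP-XHE-NOREC-ST", "LOOP-23-28-NREC"),
    ("EPS-DGN-FC-DGA", "EPS-DGN-FC-DGB", "EPS-DGN-FC-SBO",
     "OEP-XHE-NOREC-ST", "LOOP-23-28-NREC"),
    ("EPS-DGN-FC-DGA", "EPS-DGN-FC-DGB", "OEP-XHE-NOREC-ST",
     "SBO-DGN-XFER-DIVAB", "LOOP-23-28-NREC"),
]

ASP_THRESHOLD = 1e-6            # acceptance threshold on importance


def round_sig2(x):
    """Round to two significant figures, the precision the tables use."""
    return float(f"{x:.1e}")


def cut_set_ccdp(events, hours=CONDITION_HOURS):
    """Conditional probability of one cut set over the condition window.

    Assumption of this example: the chance of the initiator occurring in
    the window is approximated by frequency * hours (valid when small).
    An unknown event name raises KeyError rather than defaulting silently.
    """
    return IE_LOOP_PER_HOUR * hours * prod(BASIC_EVENTS[e] for e in events)


def sequence_ccdp(cut_sets=CUT_SETS_23_28):
    """Sum of the listed minimal cut sets (rare-event approximation)."""
    return sum(cut_set_ccdp(cs) for cs in cut_sets)


def importance(ccdp, cdp):
    """Importance as defined on the page: CCDP minus nominal CDP."""
    return ccdp - cdp


def exceeds_threshold(value):
    """True when the importance meets the ASP acceptance threshold."""
    return value >= ASP_THRESHOLD


if __name__ == "__main__":
    for cs in CUT_SETS_23_28:
        print(f"{cut_set_ccdp(cs):.1E}  " + " * ".join(cs))
    print(f"{sequence_ccdp():.1E}  sum of listed cut sets")
    total = importance(2.2e-6, 4.3e-7)   # totals from Table 1
    print(f"{total:.1E}  importance, above threshold: {exceeds_threshold(total)}")
```

The emergency diesel and offsite power terms carry the whole sequence because AFW-TDP-FC-TDP is set to TRUE, so the pump contributes a factor of 1.0 and drops out of the listed cut sets.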


Table 4. Definitions and probabilities for modified and dominant basic events

| Event name | Description | Probability/Frequency | Modified |
|---|---|---|---|
| AFW-TDP-FC-TDP | AFW TURBINE-DRIVEN PUMP FAILURE | TRUE | YES (note 1) |
| EPS-DGN-CF-AB | COMMON-CAUSE FAILURE OF DIESEL GENERATORS | 7.5E-004 | YES (note 2) |
| EPS-DGN-FC-DGA | DIESEL GENERATOR A FAILS | 6.9E-002 | YES (note 3) |
| EPS-DGN-FC-DGB | DIESEL GENERATOR B FAILS | 6.9E-002 | YES (note 3) |
| EPS-DGN-FC-SBO | SBO DIESEL GENERATOR FAILS | 6.9E-002 | YES (note 3) |
| IE-LOOP | LOSS OF OFFSITE POWER (LOOP) INITIATING EVENT | 9.9E-06/hr | YES (note 4) |
| IE-SGTR | STEAM GENERATOR TUBE RUPTURE (SGTR) INITIATING EVENT | 8.0E-07/hr | YES (note 5) |
| IE-SLOCA | SMALL LOSS OF COOLANT ACCIDENT INITIATING EVENT | 3.4E-07/hr | YES (note 5) |
| IE-TRAN | TRANSIENT (TRANS) INITIATING EVENT | 1.6E-04/hr | YES (note 5) |
| LOOP-22-NREC | LOOP SEQUENCE 22 NONRECOVERY PROBABILITY | 8.4E-001 | YES (note 6) |
| LOOP-23-06-NREC | LOOP SEQUENCE 23-06 NONRECOVERY PROBABILITY | 5.0E-002 | YES (note 7) |
| LOOP-23-09-NREC | LOOP SEQUENCE 23-09 NONRECOVERY PROBABILITY | 5.0E-002 | YES (note 7) |
| LOOP-23-11-NREC | LOOP SEQUENCE 23-11 NONRECOVERY PROBABILITY | 5.0E-002 | YES (note 7) |
| LOOP-23-18-NREC | LOOP SEQUENCE 23-18 NONRECOVERY PROBABILITY | 5.0E-002 | YES (note 7) |
| LOOP-23-21-NREC | LOOP SEQUENCE 23-21 NONRECOVERY PROBABILITY | 5.0E-002 | YES (note 7) |
| LOOP-23-23-NREC | LOOP SEQUENCE 23-23 NONRECOVERY PROBABILITY | 5.0E-002 | YES (note 7) |
| LOOP-23-28-NREC | LOOP SEQUENCE 23-28 NONRECOVERY PROBABILITY | 8.0E-001 | YES (note 6) |
| OEP-XHE-NOREC-SL | OPERATOR FAILS TO RECOVER OFFSITE POWER BEFORE REACTOR COOLANT PUMP (RCP) SEAL LOCA | FALSE | YES (note 8) |
| OEP-XHE-NOREC-ST | OPERATOR FAILS TO RECOVER OFFSITE POWER IN SHORT TERM | 2.0E-001 | YES (note 9) |
| RCS-MDP-LK-SEALS | RCP SEALS FAIL W/O COOLING AND INJECTION | 2.2E-001 | YES (note 8) |

Notes:

1. Basic event was changed to reflect condition being analyzed. TRUE has a failure probability of 1.0.
2. Base case model was updated using data from NUREG/CR-5497, Tables 5-2 and 5-5 (Reference 11). Updated value is based on three diesels and uses an 8-hour mission time for the diesel generator, which is the 95% probability of recovering offsite power, for the weighted average of all LOOP events (Reference 6, Figure 6.1).
3. Base case model was updated using data from NUREG/CR-5500, Vol. 5, Tables C4, C6, and C7 (Reference 12). See note 2 for additional information.
4. Base case model was updated using data from NUREG/CR-5750, Table H3 (Reference 13) and NUREG/CR-5496, Table B4 (Reference 14).
5. Base case model was updated using data from NUREG/CR-5750, Table 3-1 (Reference 13).
6. Basic event was changed to reflect condition being analyzed. Sequence nonrecovery probabilities were modified to reflect the nonrecovery of AFW; see Table 5.
7. Base case model was updated. See Table 5 for basis.
8. Base case model was updated to reflect the Rhodes Model. (See footnote to Table 2b.)
9. Base case model was updated to reflect the nonrecovery of offsite power within 1 hour; from SPAR 2QA model, Table 6-1 (Reference 6). For the condition assessment evaluated in this event, TDAFW pump unavailable, the dominating core damage sequence is a station blackout with no auxiliary feedwater. For this sequence, core uncovery is estimated to occur in approximately 1.7 hours (Reference 8, Table 7.1, 6200 sec). The actual time for recovering offsite power is reduced 30 minutes to 1.2 hours, to allow sufficient time for the operator to perform the necessary system recovery actions. The probability of not recovering offsite power, for the weighted average of all types of LOOPs, within 1 hour is 0.2 (Reference 6, Figure 6-1). Therefore, OEP-XHE-NOREC-ST is set to 0.2.

Table 5. Basis for the probabilities of sequence-specific recovery actions

| Seq. no. and basic event | Failed systems and recovery time (notes 1, 2) | Nonrecovery probability | Combined failure probability | Modification remarks (also see footnotes) |
|---|---|---|---|---|
| 22, LOOP-22-NREC | AFW-L | 1.0 | 0.84 | TDAFW pump is nonrecoverable |
| | F&B-L | 0.84 | | |
| 23-28, LOOP-23-28-NREC | EP | 0.8 | 0.8 | TDAFW pump is nonrecoverable |
| | AFW-L | 1.0 | | |
| | ACP-ST | n/a | | |
| 23-06, LOOP-23-06-NREC | EDG (4 hours) | 0.5 | 0.05 | Include Rhodes reactor coolant pump seal LOCA model |
| | Offsite Power (4 hours) | 0.1 | | |
| 23-09, LOOP-23-09-NREC | EDG (4 hours) | 0.5 | 0.05 | Include Rhodes reactor coolant pump seal LOCA model |
| | Offsite Power (4 hours) | 0.1 | | |
| 23-11, LOOP-23-11-NREC | EDG (4 hours) | 0.5 | 0.05 | Include Rhodes reactor coolant pump seal LOCA model |
| | Offsite Power (4 hours) | 0.1 | | |
| 23-18, LOOP-23-18-NREC | EDG (4 hours) | 0.5 | 0.05 | Include Rhodes reactor coolant pump seal LOCA model |
| | Offsite Power (4 hours) | 0.1 | | |
| 23-21, LOOP-23-21-NREC | EDG (4 hours) | 0.5 | 0.05 | Include Rhodes reactor coolant pump seal LOCA model |
| | Offsite Power (4 hours) | 0.1 | | |
| 23-23, LOOP-23-23-NREC | EDG (4 hours) | 0.5 | 0.05 | Include Rhodes reactor coolant pump seal LOCA model |
| | Offsite Power (4 hours) | 0.1 | | |

Notes:

1. Based on the SPAR model (Reference 6), nonrecovery probability for an EDG is exp(-0.173t), where t is recovery time in hours. When multiple EDGs are failed, only one EDG is considered for recovery, since operators would attempt to recover only one EDG.
2. Recovery times used in the SPAR model are as follows:

- 1 hour--core uncovery due to loss of heat removal during a station blackout (Reference 8, Table 7.1). Table 7.1 shows 6200 sec for a Combustion Engineering plant with AFW failure. About 0.5 hour is deducted from this to allow for operator action following diagnosis, leaving about 1 hour.

- 4 hours--core uncovery due to reactor coolant pump seal LOCA (update based on Rhodes Model, Reference 10)

[Figure 1. Millstone 2 Loss of Offsite Power Event Tree Showing Sequence 23 (LER 336/01-005). Top events: IE-LOOP, RT-L, EP, AFW-L, PORV-L, PRVL-RES, HPI-L, F&B-L, OP-2H, OP-6H, SGCOOL, Cooldown, RHR, CSR-L, HPR-L. Sequence 23 transfers to the SBO event tree.]

[Figure 2. Millstone 2 Station Blackout Event Tree Showing Sequence 28 (LER 336/01-005). Top events: SBO, AFW-L, PORV-L, PRVL-RES, ACP-ST, SEALLOCA, OP-SL, ACP-LT, OP-BD, HPI-L, Cooldown, RHR, CSR-L, HPR-L.]

Footnotes to Figure 2:

a. Core cooling is required but not modeled at this time. However, if modeling is required, the mitigating systems to be used are those used in SLOCA sequences 2-9.

b. Feed & Bleed cooling could be used, therefore, the remaining sequences should be similar to TRANS 21-25.

[Figure 3. Millstone 2 Diesel Generator A Fault Tree (LER 336/01-005). Top event: EPS-DGA (diesel generator A failures). Intermediate events: EPS-DGA-1 (loss of power to division A 4160V bus), EPS-DGA-2 (failure of alignment to cross-tie diesel). Basic events: ACP-BAC-LP-DIVA (division A ac power 4160V bus fails), 9.0E-5; LOSP-A (loss of div A offsite power flag), False; EPS-DGN-FC-DGA (diesel generator A fails), 6.9E-2; SBO-DGN-XFER-DIVAB (failure to transfer cross-tie diesel to div A or div B bus), 4.0E-2; EPS-DGN-FC-SBO (SBO diesel generator fails), 6.9E-2.]

[Figure 4. Millstone 2 Diesel Generator B Fault Tree (LER 336/01-005). Top event: EPS-DGB (diesel generator B failures). Intermediate events: EPS-DGB-1 (loss of power to division B 4160V bus), EPS-DGB-2 (failure of alignment to cross-tie diesel). Basic events: ACP-BAC-LP-DIVB (division B ac power 4160V bus fails), 9.0E-5; LOSP-B (loss of div B offsite power flag), False; EPS-DGN-FC-DGB (diesel generator B fails), 6.9E-2; SBO-DGN-XFER-DIVAB (failure to transfer cross-tie diesel to div A or div B bus), 4.0E-2; EPS-DGN-FC-SBO (SBO diesel generator fails), 6.9E-2.]

LER 336/01-005 - Resolution of Comments

A letter from Dominion Nuclear Connecticut, Inc. (DNC) to NRC dated August 31, 2001 (Ref. 15), describes DNC's review of and comment on the Preliminary Precursor Analysis of the condition reported in Licensee Event Report (LER) No. 336/01-005. The NRC has reviewed these comments and has made the following changes to the precursor analysis report:

Licensee's comment: A detailed failure analysis of the TDAFW pump determined the actual time of failure of the spring. The actual unavailable hours for the pump were determined to be 703.25 hours.

Response: The NRC agrees with this comment and has revised the analysis to reflect the new condition duration. This change reduces the overall importance; however, it does not reduce the importance below the ASP program acceptance threshold (ΔCDP) of 1×10⁻⁶.

In the process of reviewing this analysis, we realized that credit for recovery of the EDGs was being taken in two places. The basic events for the EDGs had elements for failure to recover from fails to start and failure to recover from fails to run. In addition, the sequence nonrecovery probabilities had an element representing recovery of the emergency power system. This double-counting was eliminated, resulting in an increase in the overall importance for this condition. This increase in importance was larger than the decrease in importance from revising the condition duration, resulting in a slight increase overall in the importance of this condition.