Text

Final ASP Analysis - Point Beach 1 and 2 (LER 266-02-003-01)
	ML20114E142
Person / Time
Site:	Point Beach
Issue date:	05/12/2020
From:	Christopher Hunter; NRC/RES/DRA/PRB
To:	;
	Hunter C (301) 415-1394
References
	IR 2002003, LER 266-02-003-01
	Download: ML20114E142 (70)
	v • d • e

1 SENSITIVE - NOT FOR PUBLIC DISCLOSURE SENSITIVE - NOT FOR PUBLIC DISCLOSURE Final Precursor Analysis Accident Sequence Precursor Program --- Office of Nuclear Regulatory Research Point Beach 1 and 2 Potential Common Mode Failure of All Auxiliary Feedwater Pumps Due to Clogging of Recirculation Orifices Event Date: 10/29/2002 LER: 266/02-003 CDP = 6x10-5 (Unit 1)

CDP = 4x10-4 (Unit 2)

June 28, 2004 Condition Summary Description. This condition assessment evaluates a design deficiency involving the flow-restricting orifices in the auxiliary feedwater (AFW) pumps recirculation lines. Due to a design deficiency, the orifices are vulnerable to debris plugging when the AFW pumps suction supply is switched to its safety-related water supply, the service water system. Blocked flow in the AFW pumps recirculation lines, combined with inadequacies in plant emergency operating procedures, could potentially lead to pump deadhead conditions and a common mode, nonrecoverable failure of the pumps (Refs. 1 and 2).

Point Beach Nuclear Plant is a two-unit site. Each unit has a turbine-driven AFW pump (pumps 1P29 and 2P29), which can supply water to both steam generators. In addition, both units shares two motor-driven AFW pumps (pumps P38A and P38B), each of which can be aligned to supply water to one steam generator in each unit (see Figure 1). Each AFW pump has a recirculation line with an air-operated valve that automatically opens, as necessary, to ensure minimum flow through the pump. To help prevent excessive flow through the recirculation lines (under certain accident conditions), each recirculation line includes an orifice to restrict the flow being returned to the condensate storage tanks (CSTs).

During some plant upset conditions, the AFW system actuates automatically to provide feedwater flow to the steam generators for decay heat removal. As the reactor is cooled and the decay heat load decreases, the AFW flow requirements also decrease. To control level in the steam generators and prevent overfeeding, operators must reduce the AFW flow. One preferred method used at Point Beach for reducing AFW flow is to throttle or close the AFW pumps' discharge or flow control valves rather than securing the pumps. To prevent pump deadheading conditions, the pumps recirculation lines provide a flow path back to the CSTs. If a pumps recirculation orifice became plugged while the pumps discharge or injection valve is closed, the pump would experience insufficient flow, resulting in pump overheating and damage, possibly within minutes.

Cause. This condition is the result of a design deficiency involving the flow-restricting orifices in the AFW pumps recirculation lines. To address cavitation problems associated with the orifices in the recirculation lines, the licensee installed a new-style orifice that uses a multistage anti-cavitation trim package in the body of a globe valve to restrict flow. This type of flow restrictor uses very small channel-shaped holes in each stage, along with a tortuous path to limit flow and prevent cavitation. Because the holes in the orifices stages are much finer than the strainer mesh for the service water supply, the orifices could be plugged by debris in the water supply when the AFW pumps suction supply is switched to the service water system (and service water flows through the recirculation lines). The same vulnerability exists when firewater is used as a suction supply source.

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 1 The Accident Sequence Precursor Program limits the conditional assessment of risk to a 1-year period. For the time period selected, Unit 1 was critical for 7,989.6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , and Unit 2 was critical for 7,974.2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months .

2 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Condition duration. New-style flow-restricting orifices were installed for both motor-driven AFW pumps (P-38A and P-38B) in November 2000. New-style orifices were installed on the Unit 2 turbine-driven AFW pump (2P-29) on May 11, 2002, and on the Unit 1 turbine-driven AFW pump (1P-29) on October 14, 2002 (Refs. 1, 2, and 3). Because this condition has existed for more than 1 year, the time for the condition assessment is 1 year. The period selected for the analysis is from October 30, 2001, to October 29, 2002, the date of discovery.1 Attachment 1 includes a timeline for this event.

Recovery opportunities. Recovery opportunities examined in this analysis included the following:

Restoring sufficient AFW flow to prevent deadhead damage to the pumps prior to damaging all AFW pumps Replenishing the CSTs inventory, preventing the need to use service water or firewater as a suction supply for the AFW pumps Providing additional time to the operators to initiate feed and bleed cooling or to recover main feedwater, given that the AFW system was initially successful at providing cooling to the steam generators Other conditions, failures, and unavailable equipment. Prior to the discovery of this condition, the utility discovered a design deficiency involving the air-operated valves in the AFW pumps recirculation lines. (This design deficiency was reported in LER 266/01-005 [Ref. 4].) The recirculation valves fail closed on loss of instrument air. Similarl to a plugged orifice, closure of the recirculation valve while a pumps discharge or injection valve is also closed, would result in the pump experiencing insufficient flow, leading to pump deadhead conditions and nonrecoverable failure. Both of these design deficiencies involve the AFW pumps recirculation lines and overlap in time. The timeline given in Attachment 1 includes dates for both events and shows the overlapping time periods. Although both of these events involve common cause failure of the AFW pumps due to loss of recirculation flow, the timing of pump failure differs. The design deficiency reported in LER 266/01-005 involves failure of the AFW pumps shortly after a loss of instrument air event occurs. The design deficiency analyzed in this condition assessment (for LER 266/02-003) involves failure of the AFW pumps much later (several hours following the initiating event).

Because of the timing differences and the different causes for loss of recirculation flow, the issues reported in LERs 266/01-005 and 266/02-003 are addressed in separate Accident Sequence Precursor (ASP) analyses. See the ASP analysis for LER 266/01-005 for analysis details and risk results for the design deficiency involving the air-operated recirculation valves.

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 2 Since this condition did not involve an actual initiating event, the parameter of interest is the measure of the incremental increase between the conditional probability for the period in which the condition existed and the nominal probability for the same period but with the condition nonexistent and plant equipment available. This incremental increase or importance is determined by subtracting the CDP from the CCDP.

3 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Analysis Results Importance2 For each unit, the risk significance of the design deficiency for the AFW pumps flow-restricting orifice is determined by subtracting the nominal core damage probability (CDP) from the conditional core damage probability (CCDP).

Unit 1 Unit 2 Conditional core damage probability (CCDP) 8.8 x 10-5 3.9 x 10-4 Nominal core damage probability (CDP) 2.8 x 10-5 2.7 x 10-5 Importance (CDP) 6.0 x 10-5 3.6 x 10-4 Dominant sequences The top sequence is a seismic event.

Seismic event: The simplified event tree, shown in Figure 2, was added to the model.

A seismic event results in nonrecoverable damage to the nonseismically qualified instrument air system serving both units, resulting in:

reactor trip on both units, the inability to initiate feed and bleed cooling (due to loss of instrument air to the pressurizer power-operated relief valves [PORVs]), and the inability to initiate secondary cooling via the main feedwater system (due to loss of instrument air to a steam generator atmospheric dump valve and a feedwater regulating bypass valve).

The AFW system successfully provides cooling water to the steam generators until the inventory in the CSTs is depleted (at about 1.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months ). Because instrument air is lost, the water treatment system (which requires instrument air) cannot be used to refill the CSTs. The suction supply for the AFW pumps is switched to the service water system, resulting in plugging of the AFW pumps recirculation orifices and failure of the pumps.

Results tables The conditional probabilities of the dominant sequences are shown in Table 1 The event tree sequence logic for the dominant sequences is provided in Table 2a Definitions of TOP events are provided in Table 2b

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 4

SENSITIVE - NOT FOR PUBLIC DISCLOSURE The conditional cut sets for the dominant sequences are provided in Table 3 Table 4 provides the definitions and probabilities for selected events Modeling Details Assessment summary The design deficiency was modeled as an at-power condition assessment for 1 year with the recirculation orifices plugged.

The model used for this assessment was the Revision 3 standardized plant analysis risk (SPAR) model for Point Beach (Ref. 5), updated for the ASP analysis of LER 266/01-005.

(Attachment 5 to the ASP analysis for LER 266/01-005 includes the SPAR model addendum, which describes the model updates.) Event trees and associated fault trees, basic event probabilities, and initiating event frequencies were modified to reflect the condition being analyzed. These condition modifications include the following:

Selection of initiators that could involve use of service water or firewater as the water source for the AFW pumps (leading to plugging of the recirculation orifices), including development of a simplified event tree for a seismic event Modification of the LOOP initiating event frequencies to allow analysis of both dual unit LOOPs and single unit LOOPs Modification of the AFW system fault tree to include basic events representing failure of (1) the recirculation orifices due to plugging and (2) the operator to refill the CSTs from the water treatment system Two analyses were performed - one for Unit 1 and one for Unit 2 - due to differences in the time period when orifices were installed in the recirculation lines for their turbine-driven AFW pumps.

Sequences of interest S

Initiating events. For an initiating event in which AFW system flow is demanded, the AFW pumps provide flow to the steam generators until the main feedwater system is recovered or the reactor reaches conditions (temperature and pressure) at which residual heat removal (RHR) cooling can be initiated. The AFW pumps normally take suction from the CSTs, but are switched to an alternate water source (service water or firewater) if the tanks inventory is depleted and cannot be replenished or if the CSTs are not available.

Because the AFW pumps recirculation orifices are vulnerable to plugging from debris in service water or firewater, those initiating events that could result in the use of service water or firewater as a suction source for the AFW pumps are of interest. Initiating events of interest are:

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 5

SENSITIVE - NOT FOR PUBLIC DISCLOSURE Loss of instrument air (LOIA)

Loss of offsite power to both units (dual unit LOOP)

Loss of offsite power to only one unit (single unit LOOP)

Loss of service water system (LOSWS)

Transient (TRANS) with successful reactor scram Loss of component cooling water system (LOCCW)

Loss of a dc bus (LDC01)

Seismic event (LOIASEISMIC)

The following initiating events were screened from this analysis because either (1) the associated sequences do not rely on AFW flow, (2) the mission time for the AFW system is short and the inventory in CSTs will not be depleted, or (3) the reactor will reach conditions for initiation of RHR cooling before the CSTs inventory is depleted.

Large break loss of coolant accidents (LLOCAs) and intersystem LOCAs. These initiating events do not rely on AFW flow Medium break loss of coolant accidents (MLOCAs). As described in the utilitys analysis, the mission time for MLOCAs is only 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months (Ref. 6). Therefore, the CSTs will not reach low level, and switch over to service water as a source of water for the AFW pumps will not occur Small break loss of coolant accidents (SLOCAs). As described in the utilitys analysis, following initial success of the AFW system, safety injection or charging (with release through the break) is sufficient to cool down the reactor to conditions where RHR could be placed into service and prevent core damage (Ref. 6)

Steam generator tube rupture (SGTR). As described in the utilitys analysis, following initial success of the AFW system, safety injection or charging (with release through the ruptured tube) is sufficient to cool down the reactor to conditions where RHR could be placed into service and prevent core damage (Ref.

6)

Anticipated transient without scram (ATWS). An ATWS event (failure to scram the reactor following a transient) has a low probability of occurrence. The min cut upper bound for the RT (reactor trip) tree is 2.0E-6. In an ATWS event, the AFW system must provide cooling to the steam generators (at a higher flow rate than a transient with a successful reactor scram), and injection of borated water to bring the reactor to a subcritical state must occur quickly to prevent reactor overpressurization.

ATWS events were screened from this analysis because (1) of the low probability of occurrence and (2) the emergency boration step must be successfully completed before the inventory of the CSTs would be depleted (requiring switchover to service water as a suction supply). For this analysis, the ATWS branch was removed from the TRANS event tree S

Sequence of events. For the initiating events LOIA, LOOP, LOSWS, TRANS, LOCCW, LODC01, and LOIASEISMIC, the following sequence of events leads to deadhead and failure of the AFW pumps and core damage:

Initiating event occurs that results in a manual or automatic reactor trip

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 6

SENSITIVE - NOT FOR PUBLIC DISCLOSURE Secondary cooling is lost following the reactor scram. (For those initiating events that result in the loss of a support system [e.g., loss of instrument air, loss of electric power, loss of service water cooling, or seismic damage to nonseismic qualified instrument air components], the main feedwater system cannot be recovered until the support system is recovered)

All AFW pumps feeding the unit (two motor-driven pumps and one turbine-driven pump) automatically start on low-low steam generator level, providing flow to the steam generators Operators fail to replenish the water inventory in the CSTs. (For those initiating events that result in the loss of a support system [e.g., loss of instrument air, loss of electric power, loss of dc power to bus D02], the water treatment system cannot be used to refill the CSTs)

The AFW pumps suction supply is switched to the service water system (or the firewater system if service water is unavailable) on low level in the CSTs. Debris in the service water (or firewater) supply plugs the AFW pumps recirculation orifices To control water level in the steam generators (and prevent steam generator overfilling), operators choose to throttle or close the discharge valves or flow control valves for all of the AFW pumps, resulting in deadhead of the AFW pumps All AFW pumps fail within minutes due to deadhead conditions. (The pumps are not recoverable)

Operators fail to recover main feedwater or support systems needed to initiate feed and bleed cooling or high pressure recirculation Complete details concerning the initiating events analyzed for this event, their dominant sequences, and assumptions made are included in Attachment 2.

Plant-specific system and operational considerations (facts)

Details of plant-specific system design and operational considerations are provided in. These are the facts upon which assumption and model modifications are based. Details are provided for the following:

AFW system design Feed and bleed cooling design AFW flow control Recovery of main feedwater Important assumptions Details of these assumptions are provided in Attachment 4.

Orifices in the AFW pumps recirculation lines will plug immediately when the pumps suction supply is switched to service water or firewater Operators fail to recognize that the recirculation orifices are plugged when service water or firewater is used as a suction supply for the AFW pumps

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 7

SENSITIVE - NOT FOR PUBLIC DISCLOSURE Operators close the discharge valves for all of the AFW pumps, resulting in deadheading of the AFW pumps No credit for operators detecting pump deadhead conditions (i.e., plugged recirculation orifices) and taking corrective actions to protect one or more AFW pumps No credit for leakage past either the closed recirculation valves or the closed discharge valves providing adequate flow through the AFW pumps to prevent pump damage No credit for the recovery of AFW pumps given failure due to deadheading conditions No credit for the recovery of nitrogen air bottles to the pressurizer PORVs No credit for the recovery of secondary cooling without instrument air or service water No credit for injection of service water through failed AFW pumps Modifications to event trees and fault trees Seismic-induced loss of instrument air. A new event tree (Figure 2) was added to the model to account for the seismic-induced loss of instrument air. For a seismic event, the loss of instrument air results in the loss of air-operated valves, resulting in loss of main feedwater flow and reactor scram of both units (if operating), and loss of the bleed portion (PORVs) of feed and bleed cooling. Without either of these cooling systems, loss of AFW system will result in core damage. The simplified event tree has one TOP event, AFW, representing loss of the AFW system. The tree is based on the assumption that a seismic-induced loss of instrument air event is nonrecoverable. (For simplicity, a TOP event for failure to trip the reactor was not included.)

Anticipated transient without scram (ATWS). An ATWS event (failure to scram the reactor following a transient) has a low probability of occurrence. The min cut upper bound for the RT (reactor trip) tree is 2.0E-6. In an ATWS event, the AFW system must provide cooling to the steam generators (at a higher flow rate than a transient with a successful reactor scram), and injection of borated water to bring the reactor to a subcritical state must occur quickly to prevent reactor overpressurization. ATWS events were screened from this analysis because (1) of the low probability of occurrence and (2) the emergency boration step must be successfully completed before the inventory of the CSTs would be depleted (requiring switchover of the AFW pumps suction supply to service water). For this analysis, the ATWS branch was removed from the TRANS event tree (by editing the end states in SAPHIRE).

Failure of the AFW system. The fault tree for the AFW system was modified to model (1) plugging of the recirculation orifices when service water or firewater is used and (2) failure of the operator to refill the CSTs from the water treatment system. Figure 3 presents the modified fault tree for the AFW system.

In addition, flag sets were modified to appropriately model the ability of the operators to refill the CSTs using the water treatment system. The design deficiency analyzed in this condition assessment, plugging of the recirculation orifices, occurs when the CSTs reach low level and the AFW pumps suction is switched to an alternate water source (service water or firewater). Depending on the initiating event (and whether one or both units are

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 8

SENSITIVE - NOT FOR PUBLIC DISCLOSURE affected), this may occur as soon as 1.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months following the reactor scram (for dual unit events) or as long as 4.8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months (for a single unit LOOP). (See Attachment 2 for a detailed description of each initiating event, including the length of time the CSTs inventory will last.) For initiating events that affect both units, causing a rapid draw down of the CSTs (LOIA, LOSWS, LDCB01, LOIASEISMIC, and dual unit LOOP), it was assumed that support systems affected by these initiating events can not be recovered in time to recover the water treatment system. Therefore, refilling of the CSTs from the water treatment system will not occur. For these initiating events, the flag sets were modified; events AFW-WT-UNAVAIL and AFW-XHE-XM-CST were set to TRUE. For initiating events that affect only one unit (TRANS, LOCCW, and single unit LOOP), it was assumed that operators will have sufficient time to refill the CSTs prior to tank depletion.

Project recovery rules were also modified to appropriately model recovery. The event trees and fault trees in the SPAR model were developed assuming that, if the AFW system fails, the failure occurs immediately when the system is demanded. If the AFW system fails without providing any flow to the steam generators, operators must initiate feed and bleed cooling within 60 minutes of the reactor scram to prevent core damage.

However, if the AFW system is initially successful and provides cooling to the steam generators, decay heat has been removed and additional time is available to the operators to initiate feed and bleed cooling or recover main feedwater. (See Attachment 2 for complete details for each initiating event and the length of time the AFW system would provide flow from the CSTs before switchover to service water, and failure of the AFW pumps would occur.) Depending on the initiating event and the length of time the AFW system can provide cooling before failure, operators will have 4 to 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months (following the reactor scram) before conditions requiring initiation of feed and bleed cooling (steam generator level <55 inches wide range) would be reached (Ref. 6). The human error worksheets for events HPI-XHE-XM-FB (failure to initiate feed and bleed cooling), MFW-XHE-ERROR (failure to recover main feedwater), and COND-XHE-XM-IA (failure to initiate feedwater injection) were completed assuming the operators will have only 60 minutes following reactor scram to respond. Because additional time is available to the operators, the performance shaping factor (PSF) for item 1, available time was changed from time available equals time required to time available is nominal. This results in a factor of 10 reduction of the human error probability for these events. To properly quantify the sequence cut sets and allow credit for additional time available to the operators, an event, AFW-LATE, was added to the AFW fault tree to tag sequence cut sets in which failure of the AFW system occurs late, due to orifice plugging following switchover to service water. The project recovery rules were modified (as shown below) to apply the factor of 10 reduction to these human error events. (Events LATE1, LATE2, and LATE3 were set to 0.1.)

lFollowing corrections for LER 266-02-003.

lGive credit for extra time for operators to initiate feed & bleed lwhen AFW has initially been successful.

if AFW-LATE * (HPI-XHE-XM-FB + HPI-XHE-XM-FB1 + HPI-XHE-XM-FB2) then AddEvent = LATE1; endif lGive credit for extra time for operators to recover main feedwater lwhen AFW has initially been successful.

if AFW-LATE * (MFW-XHE-ERROR1 + MFW-XHE-ERROR) then

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 9

SENSITIVE - NOT FOR PUBLIC DISCLOSURE AddEvent = LATE2; endif lGive credit for extra time for operators to initiate feed water injection lor recovery MFW when AFW has initially been successful and instrument air lhas been recovered.

if AFW-LATE * (COND-XHE-XM-IA + COND-XHE-XM-IA1) then AddEvent = LATE3; endif Modifications to basic event failure probabilities Table 4 provides the basic event probabilities that were modified for this analysis. Changes are summarized below.

Probability that the recirculation orifice for the motor-driven AFW pumps plugs (AFW-MDP-ORIF). For the motor-driven AFW pumps, a new event was added to the AFW fault tree representing plugging of the recirculation orifices given use of service water or firewater as a water supply. (A single basic event, AFW-MDP-ORIF, was used to represent a plugged recirculation orifice for both motor-driven AFW pumps because the new design orifices were installed at the same time and remained in place for the entire 1-year period for the condition assessment.) Event AFW-MDP-ORIF was set to TRUE for the entire 1-year period of the condition assessment. This event was set to FALSE in the base case.

Probability that the recirculation orifice for the turbine-driven AFW pump plugs (AFW-TDP-ORIF). For the turbine-driven AFW pump, a new event was added to the AFW fault tree representing plugging of the recirculation orifice given use of service water or firewater as a water supply. For the condition assessment of Unit 1, event AFW-TDP-ORIF was set to TRUE for Part 2 (332.1 hours1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months ). For the condition assessment of Unit 2, event AFW-TDP-ORIF was set to TRUE for Part 2 (4,076.3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months ). This event was set to FALSE in the base case.

Probability that the water treatment system is unavailable (AFW-WT-UNAVAIL).

A new basic event was added to the AFW fault tree to model failure of the water treatment system (used to replenish the water inventory in the CSTs). The water treatment system was assumed to be available to refill the CSTs for initiating events TRANS, LOCCW, and single unit LOOPs. Event AFW-WT-UNAVAIL, the water treatment system is unavailable, was assigned an unavailability of 5.0E-02 (Ref. 6). For initiating events that affect both units and the support systems needed for the water treatment system (i.e., LOIA, LDC01, LOIASEISMIC, LOSWS, and dual unit LOOPs),

the water treatment system was assumed to not be available for use. Event AFW-WT-UNAVAIL was set to TRUE (in the flag sets) for these initiating events.

Probability that the operator fails to refill the CSTs using the water treatment system (AFW-XHE-XM-CST). A new basic event was added to the AFW fault tree to model failure of the operators to replenish the water inventory in the CSTs using the water treatment system. The water treatment system was assumed to be available for refilling the CSTs for initiating events TRANS, LOCCW, and single unit LOOPs. Event AFW-XHE-XM-CST, operator fails to refill the CSTs using the water treatment system, was assigned a failure probability of 1.0E-02/demand. For initiating events that affect

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 10 SENSITIVE - NOT FOR PUBLIC DISCLOSURE both units and the support systems needed for the water treatment system (i.e., LOIA, LDC01, LOIASEISMIC, LOSWS, and dual unit LOOPs), the water treatment system was assumed to not be available for use. Event AFW-XHE-XM-CST was set to TRUE (in the flag sets) for these initiating events.

Flag event for failure of AFW late (AFW-LATE). Flag event to identify sequence cut sets where failure of the AFW pumps has occurred (late) due to orifice plugging following switch over of the pumps suction to service water or firewater. Because this event is used as a flag and should not affect cut set quantification, the probability of this event is set to 1.0.

Probability that the operator fails to initiate feed and bleed cooling (HPI-XHE-XM-FB, HPI-XHE-XM-FB1, and HPI-XHE-XM-FB2). As previously described, if the AFW system is successful initially and provides cooling until the CSTs inventory is depleted, more time is available to the operators to initiate feed and bleed cooling. The flag event AFW-LATE identifies those sequence cut sets where additional time is available. Using the project recovery rules, the event LATE1 was added to sequence cut sets to allow a modification to the human error action worksheet for PSF 1, available time, from time available equals time required to time available is nominal. The change in PSF 1 results in a factor of 10 reduction to the human error probabilities for event HPI-XHE-XM-FB and its dependent events, HPI-XHE-XM-FB1 and HPI-XHE-XM-FB2.

Probability that the operator fails to recover main feedwater (MFW-XHE-ERROR and MFW-XHE-ERROR1). As previously described, if the AFW system is successful initially and provides cooling until the CSTs inventory is depleted, more time is available to the operators to recover main feedwater cooling. The flag event AFW-LATE identifies those sequence cut sets where additional time is available. Using the project recovery rules, the event LATE2 was added to sequence cut sets to allow a modification to the human error action worksheet for PSF 1, available time, from time available equals time required to time available is nominal. The change in PSF 1 results in a factor of 10 reduction to the human error probabilities for event MFW-XHE-ERROR and its dependent event, MFW-XHE-ERROR1.

Probability that the operator fails to initiate feedwater injection (COND-XHE-XM-IA, COND-XHE-XM-IA1, and COND-XHE-XM-IA2). As previously described, if the AFW system is successful initially and provides cooling until the CSTs inventory is depleted, more time is available to the operators to initiate feedwater injection. The flag event AFW-LATE identifies those sequence cut sets where additional time is available. Using the project recovery rules, the event LATE3 was added to sequence cut sets to allow a modification to the human error action worksheet for PSF 1, available time, from time available equals time required to time available is nominal. The change in PSF 1 results in a factor of 10 reduction to the human error probabilities for event COND-XHE-XM-IA and its dependent events, COND-XHE-XM-IA1 and COND-XHE-XM-IA2.

Modifications to initiating event frequencies Table 4 lists the initiating event frequencies that were modified for this analysis. Changes are summarized below.

Dual unit loss of offsite power initiating event (IE-LOOP). Two LOOP events were of interest for this condition assessment: dual unit LOOPs where offsite electric power is simultaneously lost to both units; and single unit LOOPs where offsite electric power

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 11 SENSITIVE - NOT FOR PUBLIC DISCLOSURE is lost to only one unit. During a LOOP event, until offsite power is restored, feed and bleed cooling is the only alternative for short-term cooling should the AFW system fail.

Because of the design of the instrument air and service air systems at Point Beach (redundant compressors and diverse power sources), loss of all four compressors due to a LOOP would only occur if power were lost to both units. (In addition, the instrument air and service air compressors do not automatically load onto emergency power following a LOOP; operators must manually load a compressor onto emergency power.)

Without instrument air, the PORVs, needed for feed and bleed cooling, are not available because of insufficient instrument air pressure to operate the valves. Types of LOOPs that would involve both units include dual unit, plant-centered LOOP; grid-related LOOP; and severe weather-related LOOP. Operating experience data were reviewed to determine the frequency of plant-centered, dual unit LOOP; grid-related LOOP; and severe weather-related LOOP. The mean frequency used for the condition assessment for a dual unit LOOP is 8.8E-3/year (1.0E-6/hour). Details of the frequency calculation and the data used in the estimate are provided in Attachment 5.

Single-unit loss of offsite power initiating event (IE-LOOP). Because Unit 2 balance of plant sources provides electric power to the water treatment system equipment, a LOOP on Unit 2 would prevent the operators from using the water treatment system to refill the CSTs unless offsite power is restored. The frequency of a single unit LOOP (single unit, plant-centered LOOP) is estimated to be approximately 80% of the frequency given in NUREG/CR-5750 for LOOPs (Ref. 7). The mean frequency used for the condition assessment for a single unit LOOP is 4.2E-06/hour.

Seismically induced loss of instrument air (IE-SEISMIC). A seismically induced loss of instrument air was also considered as a contributor to core damage. A simplified event tree was created for this purpose (see Figure 2). The safe shutdown earthquake for Point Beach is 0.12 g, and the operating basis earthquake is 0.06 g. Because the instrument air system piping design is less robust than ANSI B31.1 piping design, the instrument air system cannot be assumed to withstand any seismic event greater than 0.06 g without either performing a seismic analysis of the piping design or conducting visual inspections of the piping to determine seismic tolerance. Therefore, the return frequency for seismic events that would result in a loss of instrument air is conservatively estimated at 3.1E-4/yr (3.5E-8/hour) based on the lowest estimated ground acceleration value (50 cm/sec2 or 0.05 g) at Point Beach from NUREG/CR-1488, Revised Livermore Seismic Hazard Estimates for 69 Nuclear Power Plant Sites East of the Rocky Mountains (Ref. 8). The mean frequency for this acceleration is 3.1E-4/yr. As the lowest site-specific value found in NUREG/CR-1488, this frequency is more appropriate than arbitrarily selecting the design basis earthquake because no design value exists for instrument air system piping.

Initiating event frequency changes to eliminate unaffected sequences. Initiating events IE-LLOCA, IE-MLOCA, IE-SLOCA, IE-RHR-DIS-V, IE-RHR-SUC-V, IE-SI-CLDIS-V, and IE-SI-HLDIS-V were set to FALSE in the base case and the change case to reflect the condition being analyzed. As previously discussed, these initiating events were screened from the analysis because either (1) the sequences associated with these initiating events do not rely on AFW flow, (2) the mission time for AFW system is short and the CSTs inventory will not be depleted, or (3) the reactor will reach conditions for initiation of RHR cooling before the CSTs inventory is depleted.

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 12 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Other considerations The final risk results provided by the utility (Ref. 9), include increased core damage risks due internal events and external events, including seismic events and fires. The utility estimated that the increased core damage probability due to fires ranged from 1.1 x 10-4 to 2.2 x 10-4 per year. This condition assessment estimates the increased core damage risks due to internal events and seismic events but does not evaluate the effects of fires or any other external event on core damage probability.

Sensitivity study Sensitivity studies were not performed for this condition assessment.

References 1.

LER 266/02-003, Rev. 1, Possible Common Mode Failure of AFW Due to Partial Clogging of Recirculation Orifices, October 29, 2002 (ADAMS Accession No. ML0328901150).

2.

NRC Inspection Report No. 50-266/02-015 and 50-301/02-015, April 2, 2003 (ADAMS Accession No. ML030920128).

3.

Docket Number 50-301; License No. DPR-27, Point Beach Nuclear Plant, Unit 2, Submittal of the Auxiliary Feedwater Orifice Issue Regulatory Slide Presentation, letter from A. J. Cayia, Site Vice President, Nuclear Management Company, LLC, to the U.S. Nuclear Regulatory Commission, dated June 10, 2003 (ADAMS Accession No. ML0318207440).

4.

LER 266/01-005, PRA Assessment of Auxiliary Feedwater System Reveals Procedural Vulnerability Related to Loss of Instrument Air, November 29, 2001 (ADAMS Accession No. ML020560352).

5.

Scott T. Beck and Robert F. Buell, Standardized Plant Analysis Risk Model for Point Beach Units 1 and 2, Revision 3, Idaho National Engineering and Environmental Laboratory, September 2001.

6.

Docket Numbers 50-266 and 50-301, Point Beach Nuclear Plant, Units 1 and 2, Submittal of Additional Information Concerning Auxiliary Feedwater Orifices Regulatory Conference, letter from A. J. Cayia, Site Vice President, Nuclear Management Company, LLC, to the U.S.

Nuclear Regulatory Commission, dated June 27, 2003 (ADAMS Accession No. ML031820744).

7.

J. P. Poloski, et al., Rates of Initiating Events at U.S. Nuclear Power Plants: 1987 - 1995, NUREG/CR-5750, U.S. Nuclear Regulatory Commission, Washington, DC, February 1999.

8.

P. Sobal, Revised Livermore Seismic Hazard Estimates for 69 Nuclear Power Plant Sites East of the Rocky Mountains, NUREG-1488, U.S. Nuclear Regulatory Commission, Washington, DC, April 1994.

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 13 SENSITIVE - NOT FOR PUBLIC DISCLOSURE 9.

Docket Numbers 50-266 and 50-301, Point Beach Nuclear Plant, Units 1 and 2, Submittal of Additional Information Concerning Auxiliary Feedwater Orifices Regulatory Conference, letter from A. J. Cayia, Site Vice President, Nuclear Management Company, LLC, to the U.S.

Nuclear Regulatory Commission, dated September 18, 2003 (ADAMS Accession No. ML0328100210).

10.

Wisconsin Electric Power Company, Point Beach Nuclear Plant, Individual Plant Examination of External Events for Sever Accident Vulnerabilities, Summary Report, 1997.

11.

Dockets 50-266 and 50-301, Monthly Operating Reports, Point Beach Nuclear Power Plant, Units 1 and 2 (for the calendar month of October 2001), November 8, 2001 (ADAMS Accession No. ML020030423).

12.

Dockets 50-266 and 50-301, Operating Licenses DPR-24 and DPR-27, Point Beach Nuclear Power Plant, Units 1 and 2, Monthly Operating Reports (for the calendar month of November 2001), December 7, 2001 (ADAMS Accession No. ML020150475).

13.

Dockets 50-266 and 50-301, Monthly Operating Reports, Point Beach Nuclear Power Plant, Units 1 and 2 (for the calendar month of December 2001), January 7, 2002 (ADAMS Accession No. ML020350452).

14.

Dockets 50-266 and 50-301, Monthly Operating Reports, Point Beach Nuclear Power Plant, Units 1 and 2 (for the calendar month of January 2002), February 15, 2002 (ADAMS Accession No. ML020590444).

15.

Dockets 50-266 and 50-301, Monthly Operating Reports, Point Beach Nuclear Power Plant, Units 1 and 2 (for the calendar month of February 2002), March 15, 2002 (ADAMS Accession No. ML020860506).

16.

Dockets 50-266 and 50-301, Monthly Operating Reports, Point Beach Nuclear Power Plant, Units 1 and 2 (for the calendar month of March 2002), April 15, 2002 (ADAMS Accession No. ML021160318).

17.

Dockets 50-266 and 50-301, Monthly Operating Reports, Point Beach Nuclear Power Plant, Units 1 and 2 (for the calendar month of April 2002), May 3, 2002 (ADAMS Accession No. ML021340524).

18.

Dockets 50-266 and 50-301, Monthly Operating Reports, Point Beach Nuclear Power Plant, Units 1 and 2 (for the calendar month of May 2002), June 5, 2002 (ADAMS Accession No. ML021690137).

19.

Dockets 50-266 and 50-301, Monthly Operating Reports, Point Beach Nuclear Power Plant, Units 1 and 2 (for the calendar month of June 2002), July 9, 2002 (ADAMS Accession No. ML22000017).

20.

Dockets 50-266 and 50-301, Monthly Operating Reports, Point Beach Nuclear Power Plant, Units 1 and 2 (for the calendar month of July 2002), August 12, 2002 (ADAMS Accession No. ML022330300).

21.

Dockets 50-266 and 50-301, Monthly Operating Reports, Point Beach Nuclear Power Plant, Units 1 and 2 (for the calendar month of August 2002), September 9, 2002 (ADAMS Accession No. ML022630562).

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 14 SENSITIVE - NOT FOR PUBLIC DISCLOSURE 22.

Dockets 50-266 and 50-301, Monthly Operating Reports, Point Beach Nuclear Power Plant, Units 1 and 2 (for the calendar month of September 2002), October 2, 2002 (ADAMS Accession No. ML022900006).

23.

Dockets 50-266 and 50-301, Monthly Operating Reports, Point Beach Nuclear Power Plant, Units 1 and 2 (for the calendar month of October 2002), November 15, 2002 (ADAMS Accession No. ML023260282).

24.

Updated Final Safety Analysis Report for Point Beach.

25.

Wisconsin Electric Power Company, Point Beach Nuclear Plant Abnormal Operating Procedure, AOP-23, Establishing Alternate AFW Suction Supply, Rev. 4 (Unit 1), 1/5/2004.

26.

NRC Inspection Reports No. 50-266/01-17 and No. 50-301/01-17, February 21, 2002 (ADAMS Accession No. ML020950889).

27.

Wisconsin Electric Power Company, Point Beach Nuclear Plant Emergency Operating Procedure, EOP-0, Reactor Trip or Safety Injection, Rev. 41 (Unit 1), 10/3/2003.

28.

Wisconsin Electric Power Company, Point Beach Nuclear Plant Critical Safety Procedure, CSP-H.1, Response to Loss of Secondary Heat Sink, Rev. 21 (Unit 1), Rev. 22 (Unit 2),

4/26/2001.

29.

C. L. Atwood, et al., Evaluation of Loss of Offsite Power Events at Nuclear Power Plants:

1980 - 1996, NUREG/CR-5496, U.S. Nuclear Regulatory Commission, Washington, DC, November 1998.

30.

C. L. Atwood, Constrained Noninformative Priors in Risk Assessment, Journal of Reliability Engineering and System Safety, Vol. 53, Issue 1, pp. 37-46, 1996.

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 15 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table 1. Conditional probabilities associated with the dominant sequences (Unit 2).1 Event tree and sequence no.

Conditional core damage probability (CCDP)

Core damage probability (CDP)

Importance (CCDP - CDP)2 PART 13 LOIASEISMIC 2 6.2E-006 1.6E-007

LOSWS 28 1.4E-005 1.1E-005

LOIA 20 2.2E-006 6.6E-008

PART 23 LOIASEISMIC 2 1.4E-004 1.6E-007

LOSWS 28 9.1E-005 1.1E-005

LOIA 20 5.1E-005 6.9E-008

TOTAL (all sequences) 3.9E-004 2.7E-005 3.6E-004 Note:

1. File names:

GEM 266-02-003 U2 Part 1 4-30-2004 105949.wpd GEM 266-02-003 U2 Part 2 4-30-2004 105725.wpd GEM 266-02-003 U2 Part 1 Single Unit LOOP 5-27-2004 133146.wpd GEM 266-02-003 U2 Part 2 Single Unit LOOP 5-27-2004 133250.wpd

2. Importance is calculated using the total CCDP and total CDP from all sequences. Sequence level importance measures are not additive.

3-see Attachment 1 Table 2a. Event tree sequence logic for the dominant sequences.

Event tree name Sequence no.

Logic

(/ denotes success; see Table 2b for TOP event names)

LOIASEISMIC 2

AFW LOSWS 28 AIR-REC-SW-ST, /RT, /RCPSL-SWS, AFW, AIR-REC-SW-MT, AIR-REC-SW-LT LOIA 20 AIR-REC-ST, /RT, AFW, AIR-REC-MT, AIR-REC-LT Table 2b. Definitions of fault trees listed in Table 2a.

AIR-REC-LT OPERATOR FAILS TO RECOVER INSTRUMENT AIR IN LONG TERM AIR-REC-MT OPERATOR FAILS TO RECOVER INSTRUMENT AIR IN MEDIUM TERM AIR-REC-ST OPERATOR FAILS TO RECOVER INSTRUMENT AIR IN SHORT TERM AIR-REC-SW-LT OPERATOR FAILS TO RECOVER SERVICE WATER (SW) TO INSTRUMENT AIR IN LONG TERM AIR-REC-SW-MT OPERATOR FAILS TO RECOVER SW TO INSTRUMENT AIR IN MEDIUM TERM AIR-REC-SW-ST OPERATOR FAILS TO RECOVER SW TO INSTRUMENT AIR IN SHORT TERM AFW NO OR INSUFFICIENT AUXILIARY FEEDWATER FLOW RCPSL-SWS REACTOR COOLANT PUMP SEALS INTACT GIVEN LOSS OF SERVICE WATER RT REACTOR FAILS TO TRIP DURING TRANSIENT

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 16 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table 3. Conditional cut sets for dominant sequences (Unit 2).

CCDP Percent contribution Minimal cut sets1 Event Tree: LOIASEISMIC, Sequence 2 Part 1 3.9E-06 62.3 AFW-TDP-FR-TDP AFW-LATE2 1.1E-06 17.7 AFW-TDP-TM-TDP AFW-LATE2 9.4E-07 15.1 AFW-TDP-FS-TDP AFW-LATE2 Part 2 1.4E-04 100 AFW-LATE2 Event Tree: LOSWS, Sequence 28 Part 1 1.1E-05 73.2 FWS-XHE-XM-FWSCST AIR-XHE-RECOVERY-SW-MT AFW-LATE2 AIR-XHE-RECOVERY-SW-ST AIR-XHE-RECOVERY-SW-LT 2.5E-06 17.2 AFW-TDP-FR-TDP AIR-XHE-RECOVERY-SW-MT AFW-LATE2 AIR-XHE-RECOVERY-SW-ST AIR-XHE-RECOVERY-SW-LT Part 2 9.1E-05 100 AIR-XHE-RECOVERY-SW-ST AIR-XHE-RECOVERY-SW-LT AIR-XHE-RECOVERY-SW-MT AFW-LATE2 Event Tree: LOIA, Sequence 20 Part 1 1.4E-06 61.2 AIR-XHE-RECOVERY-ST AIR-XHE-RECOVERY-LT AFW-LATE2 AIR-XHE-RECOVERY-MT AFW-TDP-FR-TDP 3.9E-07 17.4 AIR-XHE-RECOVERY-ST AIR-XHE-RECOVERY-LT AFW-LATE2 AIR-XHE-RECOVERY-MT AFW-TDP-TM-TDP 3.3E-07 14.8 AIR-XHE-RECOVERY-ST AIR-XHE-RECOVERY-LT AFW-LATE2 AIR-XHE-RECOVERY-MT AFW-TDP-FS-TDP Part 2 4.9E-05 99.9 AIR-XHE-RECOVERY-ST AIR-XHE-RECOVERY-LT AIR-XHE-RECOVERY-MT AFW-LATE2 Note :

1. See Table 4 for definitions and probabilities for the basic events.

2. Event AFW-LATE is a flag event used to identify sequence cut sets where failure of the AFW pumps has occurred (late) due to orifice plugging following switchover of the pumps suction to service water or firewater. AFW-LATE should not be interpreted as an event that must occur for the sequence to occur.

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 17 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table 4. Definitions and probabilities for modified or dominant basic events.

Event name Description Probability/

frequency Modified AFW-LATE FLAG FOR FAILURE OF AFW LATE 1.0 YES1 AFW-MDP-ORIF RECIRCULATION ORIFICE FOR MDP PLUGS GIVEN USE OF SW OR FW TRUE YES2 AFW-TDP-FR-TDP AFW TURBINE DRIVEN PUMP P29 FAILS TO RUN 2.8E-02 NO AFW-TDP-FS-TDP AFW TURBINE DRIVEN PUMP P29 FAILS TO START 6.8E-03 NO AFW-TDP-ORIF RECIRCULATION ORIFICE FOR TDP PLUGS GIVEN USE OF SW OR FW TRUE YES2 AFW-TDP-TM-TDP AFW TDP P29 UNAVAILABLE DUE TO TEST AND MAINTENANCE 8.0E-03 NO AFW-XHE-XM-CST OPERATOR FAILS TO REFILL CST USING WATER TREATMENT (for single unit events) 1.0E-02 YES3 AFW-XHE-XM-CST OPERATOR FAILS TO REFILL CST USING WATER TREATMENT (for dual unit events)

TRUE YES3 AFW-WT-UNAVAIL WATER TREATMENT SYSTEM IS UNAVAILABLE (for single unit events) 5.0E-02 YES3 AFW-WT-UNAVAIL WATER TREATMENT SYSTEM IS UNAVAILABLE (for dual unit events)

TRUE YES3 AIR-XHE-RECOVERY-LT OPERATOR FAILS TO RECOVER INSTRUMENT AIR IN LONG TERM GIVEN FAILURE TO RECOVER IN MEDIUM TERM 0.14 NO AIR-XHE-RECOVERY-MT OPERATOR FAILS TO RECOVER INSTRUMENT AIR IN MEDIUM TERM GIVEN FAILURE TO RECOVER IN SHORT TERM 0.17 NO AIR-XHE-RECOVERY-ST OPERATOR FAILS TO RECOVER INSTRUMENT AIR IN SHORT TERM 0.58 NO AIR-XHE-RECOVERY-SW-LT OPERATOR FAILS TO RECOVER SW TO INSTRUMENT AIR IN LONG TERM GIVEN FAILURE TO RECOVER IN MEDIUM TERM 0.68 NO AIR-XHE-RECOVERY-SW-MT OPERATOR FAILS TO RECOVER SW TO INSTRUMENT AIR IN MEDIUM TERM GIVEN FAILURE TO RECOVER IN SHORT TERM 0.83 NO AIR-XHE-RECOVERY-SW-ST OPERATOR FAILS TO RECOVER SW TO INSTRUMENT AIR IN SHORT TERM 0.88 NO COND-XHE-XM-IA OPERATOR FAILS TO INITIATE FEEDWATER INJECTION 4.0E-02 NO COND-XHE-XM-IA with LATE3 OPERATOR FAILS TO INITIATE FEEDWATER INJECTION (with modified PSF 1, time available is nominal) 4.0E-03 YES1 COND-XHE-XM-IA1 OPERATOR FAILS TO INITIATE FEEDWATER INJECTION (DEPENDENT EVENT) 8.8E-0 NO

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 18 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table 4. Definitions and probabilities for modified or dominant basic events (contd).

Event name Description Probability/

frequency Modified COND-XHE-XM-IA1 with LATE3 OPERATOR FAILS TO INITIATE FEEDWATER INJECTION (DEPENDENT EVENT) (with modified PSF 1, time available is nominal) 8.8E-03 YES1 COND-XHE-XM-IA2 OPERATOR FAILS TO INITIATE FEEDWATER INJECTION (DEPENDENT EVENT) 1.8E-01 NO COND-XHE-XM-IA2 with LATE3 OPERATOR FAILS TO INITIATE FEEDWATER INJECTION (DEPENDENT EVENT) (with modified PSF 1, time available is nominal) 1.8E-02 YES1 FWS-XHE-XM-FWSCST OPERATOR FAILS TO ALIGN Firewater TO REFILL THE CSTs 1.2E-01 NO HPI-XHE-XM-FB OPERATOR FAILS TO INITIATE FEED AND BLEED COOLING 2.0E-02 NO HPI-XHE-XM-FB with LATE1 OPERATOR FAILS TO INITIATE FEED AND BLEED COOLING (with modified PSF 1, time available is nominal) 2.0E-03 YES1 HPI-XHE-XM-FB1 OPERATOR FAILS TO INITIATE FEED AND BLEED COOLING (DEPENDENT EVENT) 6.9E-02 NO HPI-XHE-XM-FB1 with LATE1 OPERATOR FAILS TO INITIATE FEED AND BLEED COOLING (DEPENDENT EVENT) (with modified PSF 1, time available is nominal) 6.9E-03 YES1 HPI-XHE-XM-FB2 OPERATOR FAILS TO INITIATE FEED AND BLEED COOLING (DEPENDENT EVENT) 1.6E-01 NO HPI-XHE-XM-FB2 with LATE1 OPERATOR FAILS TO INITIATE FEED AND BLEED COOLING (DEPENDENT EVENT) (with modified PSF 1, time available is nominal) 1.6E-02 YES1 IE-LDC01 LOSS OF DC BUS INITIATING EVENT 2.4E-07/hr NO IE-LLOCA LARGE LOSS-OF-COOLANT ACCIDENT (LOCA)

INITIATING EVENT FALSE YES4 IE-LOCCW LOSS OF COMPONENT COOLING WATER (LOCCW) INITIATING EVENT 1.1E-07/hr NO IE-LOIA LOSS OF INSTRUMENT AIR INITIATING EVENT 9.0E-07/hr NO IE-LOOP LOSS OF OFFSITE POWER INITIATING EVENT (Dual-unit LOOP) 1.0E-06/hr YES5 IE-LOOP LOSS OF OFFSITE POWER INITIATING EVENT (Single-unit LOOP) 4.2E-06/hr YES5 IE-LOSWS LOSS OF SERVICE WATER INITIATING EVENT 4.5E-08/hr NO IE-MLOCA MEDIUM LOCA INITIATING EVENT FALSE YES4 IE-RHR-DIS-V RHR DISCHARGE VALVE INTERSYSTEM LOCA (ISLOCA) INITIATING EVENT FALSE YES4 IE-RHR-SUC-V RHR SUCTION VALVE ISLOCA INITIATING EVENT FALSE YES4

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 19 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table 4. Definitions and probabilities for modified or dominant basic events (contd).

Event name Description Probability/

frequency Modified IE-SI-CLDIS-V SAFETY INJECTION (SI) COLD LEG ISLOCA INITIATING EVENT FALSE YES4 IE-SI-HLDIS-V SI HOT LEG ISLOCA INITIATING EVENT FALSE YES4 IE-SEISMIC SEISMICALLY INDUCED LOSS OF INSTRUMENT AIR 3.5E-08/hr YES6 IE-SLOCA SMALL LOCA INITIATING EVENT FALSE YES4 IE-STGR STEAM GENERATOR TUBE RUPTURE INITIATING EVENT FALSE YES4 IE-TRANS TRANSIENT INITIATING EVENT 1.4E-04/hr NO MFW-XHE-ERROR OPERATOR FAILS TO RESTORE MFW FLOW 4.0E-02 NO MFW-XHE-ERROR with LATE2 OPERATOR FAILS TO RESTORE MFW FLOW (with modified PSF 1, time available is nominal) 4.0E-03 YES MFW-XHE-ERROR1 OPERATOR FAILS TO RESTORE MFW FLOW (DEPENDENT EVENT) 8.8E-02 NO MFW-XHE-ERROR1 with LATE2 OPERATOR FAILS TO RESTORE MFW FLOW (DEPENDENT EVENT) (with modified PSF 1, time available is nominal) 8.8E-03 YES Notes:

1. Flag event AFW-LATE was added to AFW fault tree to tag sequence cut sets for applying recovery credit when AFW system failure has occurred late (due to orifice plugging). Events LATE1, LATE2, and LATE3 were added by project recovery rules to allow a modification to the human error action worksheet for PSF 1, available time, from time available equals time required to time available is nominal. The change in PSF 1 results in a factor of 10 reduction to the human error probabilities for events (and their dependent events) HPI-XHE-XM-FB (failure to initiate feed and bleed cooling), COND-XHE-XM-IA (failure to initiate feedwater injection), and MFW-XHE-ERROR (failure to recovery main feedwater). See text describing modifications to event trees and fault trees and Attachment 2 for details.

2. Events added to AFW fault tree to model AFW pumps recirculation orifices. Events AFW-MDP-ORIF and AFW-TDP-ORIF were set to FALSE in the base case and TRUE in the change case.

3. Events added to AFW fault tree to model ability of operators to refill the CSTs using the water treatment system. The probability that the water treatment system was unavailable when demanded was estimated by the utility (Ref. 6).

The probability that the operator fails to refill the CSTs using the water treatment system was estimated using a human error worksheet. See Attachment 6 for the completed worksheet. The water treatment system assumed to be available to refill the CSTs for TRANS, LOCCW, and single unit LOOPs. The water treatment system was assumed to not be available for LOIA, LOIASEISMIC, LOSWS, and dual unit LOOPs. See Attachment 2 for details.

4. Initiating event frequencies were set to FALSE in the base case and the change case to reflect the condition being analyzed. See the text for details concerning screened initiating events.

5. Initiating event frequency updated for event being analyzed. See Attachment 5 for event analysis and frequency calculation for dual unit LOOPs. The frequency of a single unit LOOP (single unit, plant-centered LOOP) is estimated to be approximately 80% of the frequency given in NUREG/CR-5750 for LOOPs (Ref. 7).

6. Initiating event frequency updated for event being analyzed. The return frequency for seismic events that would result in a nonrecoverable loss of instrument air is conservatively estimated at 3.1E-4/yr based on the lowest estimated ground acceleration value (50 cm/sec2) at Point Beach from NUREG/CR-1488, Revised Livermore Seismic Hazard Estimates for 69 Nuclear Power Plant Sites East of the Rocky Mountains (Ref. 8).

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 20 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Figure 1 AFW System Simplified Diagram Figure removed during SUNSI review

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 21 SENSITIVE - NOT FOR PUBLIC DISCLOSURE AFW LOSS OF AFW IE-SEISMIC LOSS OF IA DUE TO SEISMIC END-STATE-NAMES 1

OK 2

CD LOIASEISMIC - Point Beach 1&2 Loss of Instrument Air due to Seismic Event 2004/06/08 Figure 2 Seismically Induced Loss of Instrument Air Event Tree

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 22 SENSITIVE - NOT FOR PUBLIC DISCLOSURE AFW AFW-TRAIN-F AFW-FLOW-SGENA-F AFW-FLOW-SG1-F AFW-MDPA-PATH-F 7

AFW -M DP38A 3.0E-3 AFW-MOV-CC-4023 1.0E-4 AFW -CKV-CC-102 AFW-TDP-PATH1-F 17 AFW -TDP 1.0E-4 AFW-CKV-CC-106 1.0E-4 AFW-CKV-CC-SG A AFW -FLOW-SGENB-F AFW-FLOW-SG2-F AFW-MDPB-PATH-F 11 AFW-MDP38B 3.0E-3 AFW-MOV-CC-4021 1.0E-4 AFW-CKV-CC-104 AFW -TDP-PATH2-F 17 AFW-TDP 1.0E-4 AFW-CKV-CC-107 1.0E-4 AFW-CKV-CC-SGB 3.8E-5 AFW-PMP-CF-ALL 1.0E-5 AFW -CKV-CF-SGAB F AIL URE OF FLOW INTO STEA M GENERA TORS F LOW PAT H FROM TUR BIN E DR IVE N PU M P FAILS FLO WPA TH F R OM TURBINE D RIV EN PUM P F A ILS F LOW PA TH FROM MOTOR DRIVEN PUMP B FAILS FAILU RES OF AF W MDP P38B F AIL URES OF AFW MDP P38A F LOWP ATH FR OM MOTOR DR IVEN PU MP A FAILS AF W F LOW IN TO S TE AM GEN ER ATOR B F A IL S AFW FLOW INTO STEAM GE NERATOR A F AIL S F AIL URE OF FLO W INTO S TEAM GEN ERAT OR B

F AIL UR E OF FLOW INTO ST EAM GENERA TOR A AFW T DP F AIL URES AFW T DP F AIL U RES N O OR INSUFF ICIE NT AF W FL OW A F W MD P D ISCHA RGE C HEC K VALV E TO SG B F AIL S T O OPEN AFW MDP DISC HARGE CHE CK V ALVE TO SG A F AILS T O OP EN AF W TD P D ISCHA RGE CHEC K V AL VE TO SG B FAILS TO OPEN AFW TDP DISC HARGE CHE CK VALVE TO SG A F AILS TO OP EN CCF OF D ISC HARGE CHECK VAVLE S INT O SG A AND B

FAILURE OF STEAM GE NE RATOR B CHECK V ALVE FAILUR E OF STEA M GENERA TOR A CHE CK VALV E COM MON CAUSE F AIL URE OF AFW P UMPS MOV 40 23 F LOW ISOLATION FROM P38 A TO SG A F AILS MOV 4 021 F LOW ISOLATION F ROM P3 8B TO S G B FA ILS AFW - Point Beach 1 & 2 PWR B no or insufficient AFW flow 2004/06/08 Page 4 Figure 3 Modified Fault Tree for AFW System

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 23 SENSITIVE - NOT FOR PUBLIC DISCLOSURE AFW-CST 1.3E-6 AFW-TNK-FC-CST1 1.3E-6 AFW-TNK-FC-CST2 FAILURE OF CSTs TO SUPPLY WATER AFW CST 2 FAILS TO PROVIDE WATER FAILURE OF CONDENSATE STORAGE TANK CST1 AFW-CST - FAILURE OF CSTs TO SUPPLY WATER 2004/04/27 Page 6 Figure 3 Modified Fault Tree for AFW System (continued)

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 24 SENSITIVE - NOT FOR PUBLIC DISCLOSURE AFW-MDP38A AFW-MDP38A-FR 7.5E-1 AFW-XHE-XL-MDPFR 7.9E-3 AFW-MDP-FR-P38A AFW-MDP38A-FS 2.1E-1 AFW-XHE-XL-MDPFS 4.0E-3 AFW-MDP-FS-P38A 37 DIV-1A-AC 39 DIV-1A-DC 1.0E-3 AFW-AOV-CC-4007 1.0E-4 AFW-CKV-CC-P38ADIS 1.0E-4 AFW-CKV-CC-P38ASUC 1.0E-3 AFW-AOV-CC-4012 5.0E-4 AFW-MDP-CF-MDPS 1.1E-3 AFW-MDP-TM-P38A 9.0E-5 ACP-BAC-LP-1B03 AFW-MDP38A-SUCT 9

AFW-MDP38A-EARLY 10 AFW-MDP38A-LATE FAILURES OF AFW MDP P38A DIVISION 1A DC POW ER FAILS DIVISION 1A AC POWER FAILS FAILURE OF AFW MDP P38A TO START FAILURE OF AFW MDP P38 A TO R UN UNIT 1 480V AC BUS 1B03 FAILS AFW MOTOR DRIVEN PUMP P38A FAILS TO STAR T AFW MOTOR DRIVEN PUMP P38A FAILS TO RUN OPER ATOR FAILS TO RECOVER AFW MDP (FAILS TO START)

OPERATOR FAILS TO RECOVER AFW MDP (FAILS TO RUN)

AFW MDP P38A UNAVAILABLE DUE TO TEST AND MAINTENANC E CCF OF AFW MO TOR-DRIVEN PUMPS INSUFFICIENT SUCTION SUPPLY TO MDP P38A FAILURE OF AFW AOV AF-4012 TO OPEN FAILURE OF AFW MDP-P38A SUCTION CHECK VALVE FAILURE OF AFW MDP-P38A DISCHARGE CHECK VALVE INSUFFICIENT SUCTION FLOW TO AFW PUMP P38A (EARLY)

INSUFFICIENT SUCTION SUPPLY TO MDP38A (LATE)

FAIL URE O F AFW MDP 38A RECIRC AOV AF-4007 TO OPEN AFW-MDP38A - Point Beach 1 & 2 PWR B AFW MDP P38A failures 2004/06/08 Page 7 Figure 3 Modified Fault Tree for AFW System (continued)

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 25 SENSITIVE - NOT FOR PUBLIC DISCLOSURE AFW-MDP38A-COOL-SUCT AFW-MDP38A-COOL-FWS 56 FWS 1.2E-1 FWS-XHE-XM-FWSCST AFW-MDP38A-COOL-SW 121 SWS 3.0E-3 AFW-MOV-CC-4009 Point Beach 1 & 2 PWR B service water system failure FAILURE OF SW COOLING/SUCTION TO AFW MDP 38A FAILURE OF FWS COOLING/SUCTION TO AFW MDP 38A FAILURE OF SUCTION TO AFW MDP P38A Point Beach 1 & 2 PWR B Fire Protection System MOV 4009 FROM ALTERNATE WATER SUPPLY FAILS OPERATOR FAILS TO ALIGN FIRE WATER TO REFILL CST AFW-MDP38A-COOL-SUCT - FAILURE OF SUCTION TO AFW MDP P38A 2004/06/08 Page 8 Figure 3 Modified Fault Tree for AFW System (continued)

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 26 SENSITIVE - NOT FOR PUBLIC DISCLOSURE 5.6E-5 AFW-MOV-CF-ALTWS 6

AFW-CST AFW-MDP38A-EARLY-1 AFW-MDP38A-EARLY FALSE AFW-MDP-ORIF 8

AFW-MDP38A-COOL-SUCT 1.0E-3 AFW-XHE-XA-PSW CCF OF MOVs FROM AFW ALTERNATE WATER SUPPLY FAILURE OF CSTs TO SUPPLY WATER INSUFFICIENT SUCTION FLOW TO AFW PUMP P38A (EARLY)

NO ALTERNATE SOURCE OF WATER PROVIDED TO MDP38A OPERATOR FAILS TO ALIGN BACKUP WATER SOURCE RECIRCULATION ORIFICE PLUGS GIVEN USE OF SW OR FW FAILURE OF ALTERNATE SUCTION SUPPLY TO AFW MDP P38A AFW-MDP38A-EARLY - INSUFFICIENT SUCTION FLOW TO AFW PUMP P38A (EARLY) 2004/04/27 Page 9 Figure 3 Modified Fault Tree for AFW System (continued)

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 27 SENSITIVE - NOT FOR PUBLIC DISCLOSURE 5.6E-5 AFW-MOV-CF-ALTWS 15 AFW-REFILL-CST AFW-MDP38A-LATE-1 AFW-MDP38A-LATE FALSE AFW-MDP-ORIF 8

AFW-MDP38A-COOL-SUCT 1.0E-3 AFW-XHE-XA-PSW 1.0E+0 AFW-LATE CCF OF MOVs FROM AFW ALTERNATE WATER SUPPLY OPERATOR FAILS TO REFILL THE CSTs USING WATER TREATMENT INSUFFICIENT SUCTION SUPPLY TO MDP38A (LATE)

NO ALTERNATE SOURCE OF WATER PROVIDED TO MDP38A OPERATOR FAILS TO ALIGN BACKUP WATER SOURCE RECIRCULATION ORIFICE PLUGS GIVEN NO REFILL OF CST FAILURE OF ALTERNATE SUCTION SUPPLY TO AFW MDP P38A FLAG FOR AFW LATE AFW-MDP38A-LATE - AFW FAILS TO PROVIDE SUFFICIENT FLOW (LATE) 2004/04/27 Page 10 Figure 3 Modified Fault Tree for AFW System (continued)

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 28 SENSITIVE - NOT FOR PUBLIC DISCLOSURE AFW-MDP38B AFW-MD P38B-ALIGNU2 AFW -MDP38B-ALI GN-2 AFW-TDP-2P29-FR 2.8E-2 AFW -TDP-FR-TDP2 TRUE AFW-XHE-XL-TDPFR2 AFW -TDP-2P2 9-FS 6.8E-2 AFW -TDP-FS-TDP2 TRUE AFW-XHE-XL-TDPFS2 7.6 E-3 AFW-TD P-TM-TDP2 1.0E+0 AFW-FLAG-2P29-U2 FALSE LOOP AFW-MDP38B-FS

2. 1E-1 AFW -XHE-XL-MDPFS 4.0E-3 AFW-MDP-FS-P3 8B AFW -MDP38B-FR 7.5E-1 AFW -XHE-XL-MD PFR 7.9E-3 AFW-MDP-FR -P38B 46 DIV-2B-AC 48 DIV-2B-DC

1. 0E-3 AFW-AOV-CC -4014 1.0E-4 AFW-CKV-CC -P38BSUC

1. 0E-4 AFW -CKV-C C-P38 BDIS 1.0E-3 AFW -AOV-CC-4019 5.0E-4 AFW-MDP-CF-MDPS 1.1E-3 AFW-MDP-TM-P38B 2.0E-2 AFW-XHE-XM-MD P3 8B 9.0 E-5 ACP-BAC-LP-2 B04 AFW -MDP38B-SUCT 13 AFW-MDP38B-EAR LY 14 AFW -MDP38B-LATE D IVISIO N 2B DC POWER FAILS DIVISION 2B AC POWER FAILS FAILURES OF AFW MDP P38B FAILURE OF AFW MDP P38B TO RUN FAILUR E OF AF W MDP P 38B TO START FAILURE OF TDP 2P29 FAILS TO S TART FAILURE OF TDP 2P29 FAILS TO RUN MDP 38B ALIGNED TO U2 DURING A LOO P MDP38B ALIGNED TO U2 DURING A LO OP DUE TO F AILURE OF 2-P29 AFW MOTOR DRIVEN PUMP P38B F AILS TO RUN UNIT 2 480V AC BUS 2B04 FAILS LOSS OF POWER INITIATING EVENT O PERATOR FAILS TO CROSS-TIE U NIT 2 AFW MDP -38B AFW MO TOR DRIVEN P UMP P39B FAILS TO START AFW MDP P38B UNAVAILABLE DUE TO TEST AN D MAINTENANCE OPE RATOR FAILS TO RECOVER AFW MDP (FAILS TO START)

OPERATOR FAILS TO RE COVER AF W MDP (FAILS TO RUN)

FAILURE OF AFW MDP 38B RE CIRC AOV AF-4014 TO OPEN CCF OF AFW MOTOR-DRIV EN P UMPS FAILURE OF AFW AOV AF -4019 TO OPEN FAILURE O F U2 TDP PRECLUDE S ALIGNMEN T OF P38B TO UNIT 1

OPE RATOR FAILS TO RECO VER AFW TDP 2P29 (FAILS TO START)

OPERATOR FAILS TO RECOVE R AFW TDP 2P 29 ( FAILS TO RUN)

AFW TDP 2P 29 UNAVAILABLE DUE TO TEST AND MAINTENA NCE AFW TUR BINE DR IVEN P UMP 2P29 FAILS TO START AFW TURBINE DRIVEN P UMP 2P29 FAILS TO RUN FAILURE OF AFW MDP-P 38B DISCHARGE C HECK VALVE FAILU RE OF AFW MDP -P38B SUCTION CHE CK VA LV E INS UFFICIE NT SUCTION FLOW TO AFW P UMP P38B INSUFFICIENT SUCTION FLOW TO AFW P UMP P38B (EARLY)

INS UFFICIE NT S UCTION SUP PLY TO AFW MDP P38B (LA TE )

AFW-MDP38B - Point Beach 1 & 2 PWR B AFW MDP P38B failures 2004/06/08 Page 11 Figure 3 Modified Fault Tree for AFW System (continued)

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 29 SENSITIVE - NOT FOR PUBLIC DISCLOSURE AFW-MDP38B-COOL-SUCT AFW-MDP38B-COOL-FWS 56 FWS 1.2E-1 FWS-XHE-XM-FWSCST AFW-MDP38B-COOL-SW 121 SWS 3.0E-3 AFW-MOV-CC-4016 Point Beach 1 & 2 PWR B service water system failure FAILURE OF SW SUCTION TO AFW MDP 38A FAILURE OF FWS SUCTION TO AFW MDP 38B FAILURE OF ALTERNATE SUCTION SUPPLY TO AFW MDP P38B Point Beach 1 & 2 PWR B Fire Protection System MOV 4016 FROM ALTERNATE WATER SUPPLY FAILS OPERATOR FAILS TO ALIGN FIRE WATER TO REFILL CST AFW-MDP38B-COOL-SUCT - FAILURE OF COOLING OR SUCTION TO AFW MDP P38B 2004/06/08 Page 12 Figure 3 Modified Fault Tree for AFW System (continued)

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 30 SENSITIVE - NOT FOR PUBLIC DISCLOSURE 5.6E-5 AFW-MOV-CF-ALTWS 6

AFW-CST AFW-MDP38B-EARLY-1 AFW-MDP38B-EARLY FALSE AFW-MDP-ORIF 12 AFW-MDP38B-COOL-SUCT 1.0E-3 AFW-XHE-XA-PSW CCF OF MOVs FROM AFW ALTERNATE WATER SUPPLY FAILURE OF CSTs TO SUPPLY WATER INSUFFICIENT SUCTION FLOW TO AFW PUMP P38B (EARLY)

NO ALTERNATE SOURCE OF WATER PROVIDED TO MDP38B OPERATOR FAILS TO ALIGN BACKUP WATER SOURCE RECIRCULATION ORIFICE PLUGS GIVEN USE OF SW OR FW FAILURE OF ALTERNATE SUCTION SUPPLY TO AFW MDP P38B AFW-MDP38B-EARLY - INSUFFICIENT SUCTION FLOW TO AFW PUMP P38B (EARLY) 2004/04/27 Page 13 Figure 3 Modified Fault Tree for AFW System (continued)

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 31 SENSITIVE - NOT FOR PUBLIC DISCLOSURE 5.6E-5 AFW-MOV-CF-ALTWS 15 AFW-REFILL-CST AFW-MDP38B-LATE-1 AFW-MDP38B-LATE FALSE AFW-MDP-ORIF 12 AFW-MDP38B-COOL-SUCT 1.0E-3 AFW-XHE-XA-PSW 1.0E+0 AFW-LATE CCF OF MOVs FROM AFW ALTERNATE WATER SUPPLY OPERATOR FAILS TO REFILL THE CSTs USING WATER TREATMENT INSUFFICIENT SUCTION SUPPLY TO MDP38B (LATE)

NO ALTERNATE SOURCE OF WATER PROVIDED TO MDP38B OPERATOR FAILS TO ALIGN BACKUP WATER SOURCE RECIRCULATION ORIFICE PLUGS GIVEN NO REFILL OF CST FAILURE OF ALTERNATE SUCTION SUPPLY TO AFW MDP P38B FLAG FOR AFW LATE AFW-MDP38B-LATE - INSUFFICIENT SUCTION SUPPLY TO AFW MDP P38B (LATE) 2004/04/27 Page 14 Figure 3 Modified Fault Tree for AFW System (continued)

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 32 SENSITIVE - NOT FOR PUBLIC DISCLOSURE AFW-REFILL-CST 5.0E-2 AFW-WT-UNAVAIL 1.0E-2 AFW-XHE-XM-CST OPERATOR FAILS TO REFILL THE CSTs USING WATER TREATMENT WATER TREATMENT SYSTEM IS UNAVAILABLE OPERATOR FAILS TO REFILL CST USING WATER TREATMENT AFW-REFILL-CST - OPERATOR FAILS TO REFILL THE CSTs USING WATER TREATMENT 2004/04/27 Page 15 Figure 3 Modified Fault Tree for AFW System (continued)

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 33 SENSITIVE - NOT FOR PUBLIC DISCLOSURE AFW-TDP AFW-TDP29-FR 2.8E-2 AFW-TDP-FR-TDP TRUE AFW -XHE-XL-TDPFR AFW-TDP29-FS 6.8E-3 AFW -TDP-FS-TDP TRUE AFW-XHE-XL-TDPFS AFW -TDP29-RECIRC AFW -TDP29-RECIRC1 FALSE HE-DC01 1.0E-3 AFW -XHE-XM-RECIRC 1.0E-3 AFW-AOV-CC-4002 AFW -TDP-SBO 2.5E-2 AFW -XHE-XO-TDP FALSE HE-SBO 1.0E-4 AFW-CKV-CC-TDSUC 1.0E-4 AFW-CKV-CC-TDDIS 8.0E-3 AFW-TDP-TM-TDP 21 AFW-TDP-STM-F 18 AFW-TDP-COOL AFW-TDP-COOL-SUCT 19 AFW-TDP-EARLY 20 AFW -TDP-LATE OP E RAT OR C ONTRO LS A F W TDP DUR ING SB O FA ILURE OF A FW TDP 29 RECIRC V A LV E DU RIN G LOD C01 EV E N T FA ILUR E S OF A FW T DP 2 9 R E CIRC VA LV E A OV 4002 FA ILURE O F A F W T DP P 29 TO S TA RT FA ILUR E O F A FW T DP P 29 TO RU N AF W TDP FA ILURE S OP ER A TOR F AIL S TO RE COVE R A FW TDP (F A ILS TO S TA RT)

OP E RATO R FA ILS TO RE C OV ER A F W T D P ( FA ILS TO RU N)

A FW TD P P 29 UNA V AIL AB LE DU E TO T ES T AN D M AIN TE NA NCE A FW TU RB INE D RIV E N P UM P P2 9 F AILS T O RUN A FW T UR BINE D RIVE N P UMP P 29 F AIL S T O S TA RT LO S S OF 1 25 VDC B U S D 01 HO US E E VE NT SB O HO US E EV E NT OPE R A TOR FA ILS TO CO NTRO L AF W TDP DURING S B O F AILURE OF AF W TD P P2 9 RE CIRC A OV A F-4 002 T O OP E N O P E R A TOR FA ILS TO RE -E S TA B LIS H A FW RE CIR C FA ILURE OF A F W T D P DIS CH A RGE CH E CK V AL VE FA ILUR E O F AF W TDP S UCT ION CHE CK V A LV E FA ILU RE OF T DP S TE A M S UPP LY F RO M ST EA M GEN E RA TORS F AILUR E O F C OOLING TO A FW TDP P2 9 INS U FFICIE NT S U CTIO N S UP P LY TO T D P 1 P2 9 IN SUF FICIEN T SU CTIO N F LO W T O A FW P UMP 1P 29 (E AR LY )

INSUF FICIEN T SU CTIO N S UP P LY TO A FW PUM P 1P 29 (LA TE )

AFW-TDP - Point Beach 1 & 2 PWR B AFW TDP failures 2004/04/27 Page 17 Figure 3 Modified Fault Tree for AFW System (continued)

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 34 SENSITIVE - NOT FOR PUBLIC DISCLOSURE AFW-TDP-COOL AFW-TDP-COOL-SW 121 SWS 1.0E-4 SWS-CKV-CC-135A AFW-TDP-COOL-FWS 56 FWS 1.0E-4 FWS-CKV-CC-304A 1.0E-3 FWS-AOV-CC-3771 Point Beach 1 & 2 PWR B service water system failure FAILURE OF FWS COOLING/SUCTION TO AFW TDP P29 FAILURE OF SW COOLING TO AFW TDP P29 FAILURE OF COOLING TO AFW TDP P29 Point Beach 1 & 2 PWR B Fire Protection System FAILURE OF FWS-AFW PRESSURE CONTROL AOV AF-3771 TO OPEN FAILURE OF FWS COOLING TO AFW TDP-29 CHECK VALVE SWS COOLING TO AFW TDP P29 CHECK VALVE FAILS TO OPEN AFW-TDP-COOL - FAILURE OF COOLING TO AFW TDP P29 2004/04/26 Page 18 Figure 3 Modified Fault Tree for AFW System (continued)

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 35 SENSITIVE - NOT FOR PUBLIC DISCLOSURE 5.6E-5 AFW-MOV-CF-ALTWS 6

AFW-CST AFW-TDP-EARLY-1 AFW-TDP-EARLY FALSE AFW-TDP-ORIF 22 AFW-TDP-SUCT 1.0E-3 AFW-XHE-XA-PSW CCF OF MOVs FROM AFW ALTERNATE WATER SUPPLY FAILURE OF CSTs TO SUPPLY WATER INSUFFICIENT SUCTION FLOW TO AFW PUMP 1P29 (EARLY)

NO ALTERNATE SOURCE OF WATER PROVIDED TO TDP 1P29 OPERATOR FAILS TO ALIGN BACKUP WATER SOURCE RECIRCULATION ORIFICE PLUGS GIVEN NO REFILL OF CST FAILURE OF ALTERNATE SUCTION SUPPLY TO AFW TDP P29 AFW-TDP-EARLY - INSUFFICIENT SUCTION FLOW TO AFW PUMP 1P29 (EARLY) 2004/04/27 Page 19 Figure 3 Modified Fault Tree for AFW System (continued)

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 36 SENSITIVE - NOT FOR PUBLIC DISCLOSURE 5.6E-5 AFW-MOV-CF-ALTWS 15 AFW-REFILL-CST AFW-TDP-LATE-1 AFW-TDP-LATE FALSE AFW-TDP-ORIF 22 AFW-TDP-SUCT 1.0E-3 AFW-XHE-XA-PSW 1.0E+0 AFW-LATE CCF OF MOVs FROM AFW ALTERNATE WATER SUPPLY OPERATOR FAILS TO REFILL THE CSTs USING WATER TREATMENT INSUFFICIENT SUCTION SUPPLY TO AFW PUMP 1P29 (LATE)

NO ALTERNATE SOURCE OF WATER PROVIDED TO TDP 1P29 OPERATOR FAILS TO ALIGN BACKUP WATER SOURCE RECIRCULATION ORIFICE PLUGS GIVEN NO REFILL OF CST FAILURE OF ALTERNATE SUCTION SUPPLY TO AFW TDP P29 FLAG FOR AFW LATE AFW-TDP-LATE - INSUFFICIENT SUCTION SUPPLY TO AFW PUMP 1P29 (LATE) 2004/04/27 Page 20 Figure 3 Modified Fault Tree for AFW System (continued)

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 37 SENSITIVE - NOT FOR PUBLIC DISCLOSURE AFW-TDP-STM-F AFW-TDP-STMAB-F AFW-TDP-STMA 42 DIV-1B-DC 3.0E-3 AFW-TDP-CC-STMA AFW-TDP-STMB 39 DIV-1A-DC FALSE HE-SGTR 3.0E-3 AFW-TDP-CC-STMB 1.0E-4 AFW-MOV-CF-STM AFW TDP P29 STEAM INLET VALVE 1MO-2019 FAILS TO OPEN AFW TDP P29 STEAM INLET VALVE 1MO-2020 FAILS TO OPEN FAILURE OF STEAM SUPPLY TRAINS TO TDP FAILURE OF TDP STEAM SUPPLY FROM STEAM GENERATORS DIVISION 1A DC POWER FAILS DIVISION 1B DC POWER FAILS STEAM SUPPLY MOV LINE B FAILS TO OPEN STEAM SUPPLY MOV LINE A FAILS TO OPEN CCF OF TDP STEAM SUPPLY LINE MOVs TO OPEN SGTR HOUSE EVENT AFW-TDP-STM-F - FAILURE OF TDP STEAM SUPPLY FROM STEAM GENERATORS 2004/04/26 Page 21 Figure 3 Modified Fault Tree for AFW System (continued)

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 38 SENSITIVE - NOT FOR PUBLIC DISCLOSURE AFW-TDP-SUCT AFW-TDP-SUCT-SW 121 SWS 3.0E-3 AFW-MOV-CC-4006 AFW-TDP-SUCT-FWS 56 FWS 1.2E-1 FWS-XHE-XM-FWSCST Point Beach 1 & 2 PWR B service water system failure FAILURE OF FWS SUCTION SUPPLY TO AFW TDP P29 FAILURE OF SW SUCTION SUPPLY TO AFW TDP P29 FAILURE OF ALTERNATE SUCTION SUPPLY TO AFW TDP P29 Point Beach 1 & 2 PWR B Fire Protection System MOV 4006 FROM ALTERNATE WATER SUPPLY FAILS OPERATOR FAILS TO ALIGN FIRE WATER TO REFILL CST AFW-TDP-SUCT - FAILURE OF ALTERNATE SUCTION SUPPLY TO AFW TDP P29 2004/04/26 Page 22 Figure 3 Modified Fault Tree for AFW System (continued)

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 39 SENSITIVE - NOT FOR PUBLIC DISCLOSURE - Timeline for Events in Condition Assessment The time period for the condition assessment is 1 year. The period selected for the analysis is from October 30, 2001, to October 29, 2002, the date of discovery. The following is a timeline for events associated with the new design recirculation orifices (Refs. 1, 2, and 3). Although the design deficiency associated with the air-operated recirculation valves for the AFW pumps (described in LER 266/01-005) is analyzed separately from this event, important dates are also included in the timeline below to show how these events overlap.

November 2, 2000 - New design orifice installed in the recirculation line for motor-driven AFW pump P-38A November 10, 2000 - New design orifice installed in the recirculation line for motor-driven AFW pump P-38B November 30, 2000 - Begin condition assessment period for event described in LER 266/01-005 November 29, 2001 - Discover vulnerability associated with air-operated valves in the AFW pumps recirculation lines. End condition assessment period for event described in LER 266/01-005 February 2002 -

Nitrogen accumulators installed on the air-operated valves in the AFW pumps recirculation lines, providing a backup source of gas for operation of the valves May 11, 2002 -

New design orifice installed in the recirculation line for turbine-driven AFW pump 2P-29 for Unit 2 October 14, 2002 -

New design orifice installed in the recirculation line for turbine-driven AFW pump 1P-29 for Unit 1 October 24, 2002 -

Utility discovers plugging problem with new design orifices for pump P-38A October 29, 2002 -

Utility discovers potential common cause failure of new design orifices involving plugging when service water or firewater is used as the alternate water supply to the AFW pumps The following describes the bases for the durations of the equipment unavailabilities, based on the above timeline.

Condition duration for plugged orifices for AFW pumps P-38A and P-38B. As shown in Figure 3, the fault tree for the AFW system was modified to include basic events for plugging of the recirculation orifices. For both of the motor-driven AFW pumps, the new design recirculation orifices were installed in November 2000, nearly 2 years prior to discovery of the orifices vulnerability to plugging from debris. These orifices were assumed to be degraded (vulnerable to debris plugging) for the entire 1-year period for the condition assessment.

Condition duration for plugged orifice for AFW pump 2P-29. For the turbine-driven AFW pump for Unit 2, 2P-29, the new design recirculation orifice was installed on May 11, 2002, about 193 days prior to discovery of the orifices vulnerability to plugging from debris.

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 40 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Condition duration for plugged orifice for AFW pump 1P-29. For the turbine-driven AFW pump for Unit 1, 1P-29, the new design recirculation orifice was installed on October 14, 2002, only 15 days prior to discovery of the orifices vulnerability to plugging from debris.

To appropriately model the various component unavailabilities, the condition assessment for each unit was performed in two parts. The following describes the time period for the two parts that make up the 1-year condition assessment for each unit. Data for reactor critical hours were taken from the monthly operating reports (Refs. 11 through 23).

Time period for Part 1 of the condition assessment for Unit 1. Part 1 of the condition assessment is 350 days. This corresponds to the time period from October 30, 2001, to October 13, 2002. During this time period Unit 1 was critical for 7,657.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months .

Time period for Part 2 of the condition assessment for Unit 1. Part 2 of the condition assessment is 15 days. This corresponds to the time period from October 14, 2001, the date the new design orifice was installed on AFW pump 1P-29, to October 29, 2002, the date of discovery. During this time period Unit 1 was critical for 332.1 hours1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months .

Time period for Part 1 of the condition assessment for Unit 2. Part 1 of the condition assessment is 193 days. This corresponds to the time period from October 30, 2001, to May 10, 2002. During this time period Unit 2 was critical for 3,897.9 hours1.041667e-4 days 0.0025 hours 1.488095e-5 weeks 3.4245e-6 months .

Time period for Part 2 of the condition assessment for Unit 2. Part 2 of the condition assessment is 172 days. This corresponds to the time period from May 11, 2002, the date the new design orifice was installed on AFW pump 2P-29, to October 29, 2002, the date of discovery. During this time period Unit 2 was critical for 4,076.3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months .

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 41 SENSITIVE - NOT FOR PUBLIC DISCLOSURE - Details for Initiating Events Analyzed The design deficiency analyzed in this condition assessment involves plugging of the flow-restricting orifices in the AFW pumps recirculation lines. The orifices are vulnerable to debris plugging when the AFW suction supply is switched to its safety-related water supply, the service water system. Blocked flow in the AFW pumps recirculation lines, combined with inadequacies in plant emergency operating procedures, could potentially lead to pump deadhead conditions and a common mode, nonrecoverable failure of the pumps (Refs. 1 and 2).

For an initiating event in which AFW system flow is demanded, the AFW pumps provide flow to the steam generators until the main feedwater system is recovered or the reactor reaches conditions (temperature and pressure) at which residual heat removal (RHR) cooling can be initiated. The AFW pumps normally take suction from the CSTs, but are switched to an alternate water source (service water or firewater) if the tanks inventory is depleted and cannot be replenished, or if the CSTs are not available. Because the AFW pumps recirculation orifices are vulnerable to plugging from debris in service water or firewater, those initiating events that could result in the use of service water or firewater as a suction source for the AFW pumps are of interest. Initiating events of interest are listed below.

Seismic event (LOIASEISMIC)

Loss of service water system (LOSWS)

Loss of a dc bus (LDC01)

Loss of instrument air (LOIA)

Loss of offsite power to both units (dual unit LOOP)

Loss of offsite power to only one unit (single unit LOOP)

Transient (TRANS) with successful reactor scram Loss of component cooling water system (LOCCW)

The following initiating events were screened from this analysis because either (1) the associated sequences do not rely on AFW flow, (2) the mission time for the AFW system is short and the inventory in CSTs will not be depleted, or (3) the reactor will reach conditions for initiation of RHR cooling before the CSTs inventory is depleted.

Large break loss of coolant accidents (LLOCAs)

Medium break loss of coolant accidents (MLOCAs)

Small break loss of coolant accidents (SLOCAs)

Intersystem LOCAs (IE-RHR-DIS-V, IE-RHR-SUC-V, IE-SI-CLDIS-V, and IE-SI-HLDIS-V)

Steam generator tube rupture (SGTR)

Anticipated transient without scram (ATWS)

Details for each individual initiating event evaluated in this condition assessment are as follows.

Some of the initiating events (e.g., loss of instrument air, loss of service water) will affect both units, if both units are operating at the time the event occurs. These initiating events are labeled dual unit event. Other initiating events (e.g., loss of component cooling water) will affect only one unit.

These initiating events are labeled single unit event. Tables 2.1 and 2.2 (located at the end of this attachment) provide risk results by initiating event for Units 1 and 2, respectively.

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 42 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Seismic event (dual unit event)

Seismic event occurs, causing failure of the nonseismically qualified instrument air system and loss of instrument air pressure to both units Successful reactor trip occurs AFW system actuates and provides feedwater to steam generators in both units at nominal flow rates Because a seismic-induced loss of instrument air is a dual unit event (requiring that the AFW system provide flow to both units), the utility estimates that the CSTs will reach low level (8-ft level) at 1.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months after reactor scram (Ref. 6). If the CSTs inventory is not replenished before the tanks reach low level, switch over to service water will occur. The water treatment system, used to refill the CSTs, requires instrument air for operation.

Failure of the instrument air system due to a seismic event is assumed to not be recoverable. Thus, the water treatment system cannot be used to refill the CSTs.

Therefore, the AFW pumps suction is switched over to the service water system. Debris in the service water results in plugging of the pumps recirculation orifices In an attempt to control steam generator level, the operators close or throttle the AFW pumps discharge or flow control valves, putting the pumps in recirculation. The pumps fail due to being dead headed, and are not recoverable. The AFW system is unavailable To recover cooling and prevent core damage, the operators must either initiate feed and bleed cooling or recover main feedwater. Because instrument air pressure is needed to recover main feedwater and to initiate feed and bleed cooling (the PORVs are air-operated) and cannot be recovered, no alternate means of cooling the core is available Loss of service water (dual unit event)

LOSWS to both units occurs Successful reactor trip occurs AFW system actuates and provides feedwater to the steam generators in both units at nominal flow rates Because LOSWS is a dual unit event (requiring that the AFW system provide flow to both units), the utility estimates that the CSTs will reach low level (8-ft level) at 1.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months after reactor scram (Ref. 6). If the CSTs inventory is not replenished before the tanks reach low level, switch over to service water will occur. The water treatment system, used to refill the CSTs, requires instrument air for operation. Because the instrument air and service air compressors are cooled by service water, instrument air pressure is lost until service water flow to the compressors is recovered. If instrument air pressure is not recovered, then makeup to the CSTs cannot be accomplished. For this initiating event, instrument air pressure was conservatively assumed to not be recovered in time to recover the water treatment system. Therefore, the AFW pumps suction is switched over to the service water system. Debris in the service water results in plugging of the pumps recirculation orifices If service water is recovered, service water provides supply water for the AFW system.

If service water is not recovered, firewater provides supply water to the AFW system.

Either source has sufficient debris to result in plugging of the recirculation orifices In an attempt to control steam generator level, the operators close or throttle the AFW pumps discharge or flow control valves, putting the pumps in recirculation. The pumps fail due to being dead headed, and are not recoverable. The AFW system is unavailable To recover cooling and prevent core damage, the operators must either initiate feed and bleed cooling or recover main feedwater. If service water and instrument air are

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 43 SENSITIVE - NOT FOR PUBLIC DISCLOSURE recovered, operators can initiate feed and bleed. Based on the utilitys analysis, initiation of feed and bleed can be delayed up to 4.8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months after the reactor scram and core damage can be avoided Loss of dc bus (dual unit event)

Loss of dc power to bus 02 occurs, resulting in trip of equipment in both units Successful reactor trip occurs AFW system actuates and provides feedwater to steam generators in both units at nominal flow rates Based on the utilitys analysis, the CSTs will reach low level (8-ft level) at 1.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months after reactor scram, at which time switchover to service water occurs. The water treatment system requires dc power from bus 02 for operation. For this initiating event, it was assumed that the dc bus is not recovered, and makeup to the CSTs is not accomplished.

Therefore, the AFW pumps suction is switched over to the service water system. Debris in the service water results in plugging of the pumps recirculation orifices In an attempt to control steam generator level, the operators close or throttle the AFW pumps discharge or flow control valves, putting the pumps in recirculation. The pumps fail due to being dead headed, and are not recoverable. The AFW system is unavailable To recover cooling and prevent core damage, the operators must either initiate feed and bleed cooling or recover main feedwater. If service water and instrument air are recovered, operators can initiate feed and bleed. Based on the utilitys analysis, initiation of feed and bleed can be delayed up to 4.8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months after the reactor scram and core damage can be avoided Loss of instrument air (dual unit event)

LOIA to both units occurs due to failures in the instrument air system (e.g., compressor failure, line rupture). LOIA results in trip of air-operated valves and equipment, including the main feedwater system Successful reactor trip occurs AFW system successfully actuates and provides feedwater to steam generators in both units at nominal flow rates Because LOIA is a dual unit event (requiring that the AFW system provide flow to both units), the utility estimates that the CSTs will reach low level (8-ft level) at 1.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months after reactor scram (Ref. 6). If the CSTs inventory is not replenished before the tanks reach low level, switch over to service water will occur. The water treatment system, used to refill the CSTs, requires instrument air for operation. If instrument air pressure is not recovered, then makeup to the CSTs cannot be accomplished. For this initiating event, instrument air pressure was conservatively assumed to not be recovered in time to recover the water treatment system. Therefore, the AFW pumps suction is switched over to the service water system. Debris in the service water results in plugging of the pumps recirculation orifices In an attempt to control steam generator level, the operators close or throttle the AFW pumps discharge or flow control valves, putting the pumps in recirculation. The pumps fail due to being dead headed, and are not recoverable. The AFW system is unavailable To recover cooling and prevent core damage, the operators must either initiate feed and bleed cooling or recover main feedwater. If instrument air pressure is recovered, operators can initiate feed and bleed. Based on the utilitys analysis (Ref. 6), initiation of

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 44 SENSITIVE - NOT FOR PUBLIC DISCLOSURE feed and bleed can be delayed up to 4.8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months after the reactor scram and core damage can be avoided, if the AFW system was initially successful and provided cooling to the steam generators for 1.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months If instrument air pressure is recovered, operators can recover main feedwater flow or initiate feedwater injection Loss of offsite power (dual unit event)

LOOP to both units occurs, resulting in loss of electric power to equipment in numerous systems, including main feedwater Successful reactor trip occurs Emergency power is successfully provided AFW system actuates and provides feedwater to steam generators in both units at nominal flow rates For LOOPs, which are dual unit events (requiring the AFW system to provide flow to both units), the utility estimates that the CSTs will reach low level (8-ft level) at 1.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months after reactor scram (Ref. 6). If the CSTs inventory is not replenished before the tanks reach low level, switch over to service water will occur. The water treatment system, used to refill the CSTs, requires electric power from Unit 2 balance of plant sources for operation. If offsite power to Unit 2 is not recovered, then makeup to the CSTs cannot be accomplished. The utility estimates that it can take up to 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months to recover the water treatment system following restoration of electric power. For this initiating event, offsite power was conservatively assumed to not be recovered in time to recover the water treatment system.

Therefore, the AFW pumps suction is switched over to the service water system. Debris in the service water results in plugging of the pumps recirculation orifices Instrument air and service air compressors trip on loss of electric power. Instrument air pressure is lost until compressor can be manually loaded onto emergency power Operators must successfully start the instrument air compressors and initiate feed and bleed. Based on the utilitys analysis, initiation of feed and bleed can be delayed up to 4.8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months after the reactor scram and core damage can be avoided Loss of offsite power (single unit event)

LOOP occurs on one unit only, resulting in loss of electric power to equipment in numerous systems, including main feedwater Successful reactor trip occurs Emergency power is successfully provided AFW system actuates and provides feedwater to steam generators in both units at nominal flow rates For LOOPs, which are single unit events (requiring the AFW system provide flow to only the affected unit), the utility estimates that the CSTs will reach low level (8-ft level) at 4.8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months after reactor scram (Ref. 6). If the CSTs inventory is not replenished before the tanks reach low level, switchover to service water will occur. The water treatment system, used to refill the CSTs, requires electric power from Unit 2 balance of plant sources for operation. The utility estimates that it can take up to 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months to recover the water treatment system following restoration of electric power. If offsite power to Unit 2 is recovered within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , then the water treatment system can be recovered and makeup to the CSTs can be accomplished. For this initiating event, the probability for failure to recover offsite power by 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months was included in unavailability for the water treatment system. If offsite power

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 45 SENSITIVE - NOT FOR PUBLIC DISCLOSURE cannot be recovered within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months , the AFW pumps suction is switched over to the service water system. Debris in the service water results in plugging of the pumps recirculation orifices Instrument air and service air compressors trip on loss of electric power. Because electric power is lost to only one unit, instrument air pressure is not lost Operators must successfully initiate feed and bleed. Based on the utilitys analysis, initiation of feed and bleed can be delayed up to 8.8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months after the reactor scram and core damage can be avoided Transient (single unit event)

Transient occurs Successful reactor trip occurs AFW system actuates and provides feedwater to the steam generators in the affected unit at nominal flow rates If the main condenser and water treatment system are available, then the CSTs inventory will be replenished through normal makeup. The CSTs will not reach a low level and the AFW pumps suction will not be switched to service water If the main condenser and water treatment system are NOT available or the operator fails to refill the CSTs, then based on the utilitys analysis, the CSTs will reach low level (8-ft level) at 2.2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months after reactor scram, at which time switchover to service water occurs (Ref. 6)

In an attempt to control steam generator level, the operators close or throttle the AFW pumps discharge or flow control valves, putting the pumps in recirculation. The pumps fail due to being dead headed and are not recoverable. The AFW system is unavailable To recover cooling and prevent core damage, the operators must either initiate feed and bleed cooling or recover main feedwater. Based on the utilitys analysis, initiation of feed and bleed can be delayed up to 5.7 hours8.101852e-5 days 0.00194 hours 1.157407e-5 weeks 2.6635e-6 months after the reactor scram and core damage can be avoided Loss of component cooling water (single unit event)

LOCCW to a single unit occurs Successful reactor trip occurs AFW system actuates and provides feedwater to steam generators in the affected unit at nominal flow rates The utility did not provide an analysis for LOCCW, but screened this initiating event because of its low risk. Although the utility did not state how long the CSTs inventory will last following LOCCW, we can assume that LOCCW is no worse than a transient event.

Therefore, we assume that the condensate storage tanks will reach low level (8-ft level) at 2.2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months after reactor scram if the tanks inventory is not replenished. Normal makeup to the CSTs should be available, including the water treatment system If the operator fails to refill the CSTs, then based on the utilitys analysis, the CSTs will reach low level (8-ft level) at 2.2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months after reactor scram, at which time switchover to service water occurs (Ref. 6)

In an attempt to control steam generator level, the operators close or throttle the AFW pumps discharge or flow control valves, putting the pumps in recirculation. The pumps fail due to being dead headed and are not recoverable. The AFW system is unavailable

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 46 SENSITIVE - NOT FOR PUBLIC DISCLOSURE To recover cooling and prevent core damage, the operators must either initiate feed and bleed cooling or recover main feedwater. Based on the utilitys analysis, initiation of feed and bleed can be delayed up to 5.7 hours8.101852e-5 days 0.00194 hours 1.157407e-5 weeks 2.6635e-6 months after the reactor scram and core damage can be avoided If feed and bleed cooling is initiated, CCW must be recovered to initiate high pressure recirculation (following the injection phase)

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 47 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table 2.1. Conditional probabilities by initiating event (Unit 1).1 Event tree (all sequences)

Conditional core damage probability (CCDP)

Core damage probability (CDP)

Importance2 (CCDP - CDP)

SEISMIC 2.4E-005 3.3E-007

LOSWS 3.5E-005 2.3E-005

LDC01 1.0E-005 4.9E-007

LOIA 8.8E-006 1.6E-007

Dual-unit LOOP 3.2E-006 7.2E-007

Single-unit LOOP 4.1E-006 2.6E-006

TRANS 1.9E-006 7.2E-007

LOCCW 7.1E-007 7.0E-007

Total (all sequences) 8.8E-005 2.8E-005 6.0E-005 Note:

1. File names:

GEM 266-02-003 U1 Part 1 5-14-2004 145206.wpd GEM 266-02-003 U1 Part 2 5-14-2004 145350.wpd GEM 266-02-003 U1 Part 1 Single Unit LOOP 5-27-2004 132845.wpd GEM 266-02-003 U1 Part 2 Single Unit LOOP 5-27-2004 133049.wpd

2. Importance is calculated using the total CCDP and total CDP from all sequences. Sequence level importance measures are not additive.

Table 2.2. Conditional probabilities by initiating event (Unit 2).1 Event tree (all sequences)

Conditional core damage probability (CCDP)

Core damage probability (CDP)

Importance2 (CCDP - CDP)

SEISMIC 1.5E-004 3.2E-007

LOSWS 1.1E-004 2.2E-005

LDC01 5.7E-005 4.9E-007

LOIA 5.4E-005 1.6E-007

Dual-unit LOOP 1.6E-005 7.2E-007

Single-unit LOOP 1.3E-005 2.6E-006

TRANS 8.5E-006 7.1E-007

LOCCW 8.4E-007 6.9E-007

Total (all sequences) 3.9E-004 2.7E-005 3.6E-004 Note:

1. File names:

GEM 266-02-003 U2 Part 1 4-30-2004 105949.wpd GEM 266-02-003 U2 Part 2 4-30-2004 105725.wpd GEM 266-02-003 U2 Part 1 Single Unit LOOP 5-27-2004 133146.wpd GEM 266-02-003 U2 Part 2 Single Unit LOOP 5-27-2004 133250.wpd

2. Importance is calculated using the total CCDP and total CDP from all sequences. Sequence level importance measures are not additive.

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 48 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table 2.3 Utility results for Unit 2.

Initiating Event Importance1 Loss of service water 2.5E-05 Dual unit loss of offsite power 1.6E-05 Loss of instrument air 4.9E-07 Loss of dc bus D02 1.5E-05 Transient with loss of heat sink 6.3E-06 Transient with heat sink 2.7E-07 Single unit LOOP 1.3E-05 Loss of component cooling water

<1% of total Steam generator tube rupture

<1% of total Large LOCA AFW not required Medium LOCA AFW required for only 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Small LOCA Can reach RHR temp and pressure with SI Intersystem LOCAs AFW not required Station blackout

<1% of total Feedwater or main steam line break

<1% of total Total for all internal events 7.7E-05 Seismic events 9.1E-06 Fire events 1.1E-04 to 2.2E-04 Note:

1. Utilitys risk results were taken from Reference 9.

The major differences between the utilitys results and the risk results obtained using the SPAR model may include the following:

Differences in initiating event frequencies The utility included credit for charging feed and bleed if normal feed and bleed has failed (e.g.,

for loss of instrument air events). The charging feed and bleed involves operators depressurizing the steam generators and injecting service water through the failed AFW pumps into the steam generators, and using charging as makeup to the reactor coolant system. This alternate cooling mode is not included in the SPAR model The utility assumed that the operators might identify the cause of an AFW pumps failure (i.e.,

that the pump had been placed in a deadhead condition, causing its failure) before all of the AFW pumps had been failed. During the time period for this condition assessment, operators were made aware of the problems associated with loss of instrument air, causing failure of the

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 49 SENSITIVE - NOT FOR PUBLIC DISCLOSURE air-operated recirculation valves and the need to maintain pump recirculation flow. The operators had received instructions to start and stop the AFW pumps to control AFW flow rather than close the pumps discharge valves, should instrument air be lost. No credit was given in the SPAR model for operators identifying the cause of an AFW pumps failure prior to deadheading all of the pumps.

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 50 SENSITIVE - NOT FOR PUBLIC DISCLOSURE - Plant-specific System and Operational Considerations The information on plant-specific system and operational characteristics was removed during the SUNSI review.

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 51 SENSITIVE - NOT FOR PUBLIC DISCLOSURE This page is intentionally blank

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 52 SENSITIVE - NOT FOR PUBLIC DISCLOSURE This page is intentionally blank

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 53 SENSITIVE - NOT FOR PUBLIC DISCLOSURE This page is intentionally blank

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 54 SENSITIVE - NOT FOR PUBLIC DISCLOSURE - Details of Important Assumptions This analysis includes several important assumptions. The assumptions and the bases for making these assumptions are described below.

! Operators fail to recognize that the recirculation orifices are plugged. This assumption is based on the following:

EOP-0, Reactor Trip or Safety Injection, and EOP-0.1, Reactor Trip Response, do not provide any steps to caution the operator about the damage to AFW pumps during deadheading conditions pumps recirculation orifices plugged due to debris and the closure of the AFW flow control valves.

! Operators close the discharge valves for all of the AFW pumps, resulting in deadheading of all AFW pumps. This assumption is based on the following:

The EOPs did not provide guidance on how to control AFW flow. Based on discussions between the NRC and licensee personnel, as documented in the inspection report (Ref. 2),

the preferred method for controlling AFW flow was by throttling or closing the AFW flow control valves (for the motor-driven AFW pumps) or discharge valves (for the turbine-driven AFW pumps) rather than securing the pumps. Section 14.1.12, Loss of All AC Power to the Station Auxiliaries, of the original Final Facility Description and Safety Analysis Report (FFDSAR) stated, The reactor operator in the control room can monitor the steam generator water level and control the feedwater flow with remote-operated AFW control valves. The FFDSAR did not discuss securing AFW pumps as a means to control steam generator levels.

Operators may initially be successful when putting the AFW pumps into recirculation.

Operators may need to control AFW flow soon after a reactor scram. If the operators close the pumps discharge valves, placing the pumps in recirculation before the CSTs inventory has been depleted, the recirculation orifices will not be exposed to debris and will not plug.

Later in the event when service water is used to supply the AFW pumps, operators will not expect pump recirculation to be lost.

Operating experience demonstrated that operators controlled AFW flow by closing the pumps discharge valves, putting the pumps in recirculation.

For example, on June 27, 2001, the Unit 2 reactor was manually tripped due to low and decreasing water level in the Unit 2 circulating water pump bay (reported in LER 301/2001-002-00). Due to subsequent low steam generator water levels, the Unit 2 turbine-driven AFW pump and both motor-driven AFW pumps initiated and began feeding the Unit 2 steam generators. Only one steam generator in a unit nominally requires 200-gpm feedwater flow for decay heat removal. However, with three AFW pumps running, approximately 800 gpm of feedwater flow (approximately four times the required flow) was provided to the Unit 2 steam generators. Consequently, the reactor coolant system was cooled down at an excessive rate. Approximately 3 minutes after the reactor was tripped, operators closed either the flow control valves or the discharge valves to stop flow from the motor-driven AFW pumps. Approximately 4 minutes after the reactor was tripped, operators closed the discharge valves from the Unit 2 turbine-driven AFW pump, stopping all AFW flow to the steam generators. The AFW pumps were not secured until approximately 8 minutes after the reactor was tripped when feed flow using main feedwater

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 55 SENSITIVE - NOT FOR PUBLIC DISCLOSURE was partially restored. In this particular event, had the AFW recirculation lines been plugged, all AFW pumps could have been damaged (Ref. 26).

! No credit for operators detecting pump deadhead conditions (i.e., plugged recirculation orifices) and taking corrective actions to protect one or more AFW pumps. This assumption is based on the following:

Following discovery of the potential common cause failure of all AFW pumps on loss of instrument air to the pumps recirculation valves (reported in LER 266/01-005), the utility modified 4 procedures in November 2001: EOP-0, Reactor Trip or Safety Injection; EOP-0.1, Reactor Trip Response; Emergency Contingency Action (ECA) 0.1, Loss of All AC (Alternating Current); and AOP-5B, Loss of Instrument Air. These procedure revisions were made to help prevent deadhead of the AFW pumps when loss of instrument air to the recirculation valves occurs. These procedure revisions may not help operators prevent deadhead of the AFW pumps when the recirculation orifices are plugged because (1) the cause of loss of pump recirculation does not involve the air-operated valves and (2) the events that lead to orifice plugging (switchover of the AFW pumps suction to service water) can occur following many different initiating events, not just from loss of instrument air.

Operators have no indication of flow in the AFW pumps recirculation lines. Indication is provided for AFW flow to individual steam generators and flow from each AFW pump.

However, the flow element for each AFW pump is located downstream of where the recirculation line branches off from the pumps discharge line. Therefore, indications of little or no flow for the AFW pumps would be expected with the pumps discharge or flow control valves throttled or closed (Ref. 26).

! No credit for leakage past either the closed discharge or flow control valves providing adequate flow through the AFW pumps to prevent pump damage.

In 1988, NMC installed modifications to increase the design minimum recirculation flow for the AFW pumps to 70 gallons per minute (gpm) for the motor-driven pumps and 100 gpm for the turbine-driven pumps. Previously, the minimum recirculation flow was 30 gpm, which the AFW pump vendor, Byron Jackson, indicated would be sufficient to prevent pump damage, based on pump heatup when on recirculation flow (Ref. 26). Leakage past the AFW pumps closed discharge or flow control valve could provide enough flow to prevent pump damage. However, inclusion of component failures as success logic in a risk model is typically not done. The failure probability for an air-operated valve failing to close on demand is 1.0E-3; the failure probability for a motor-operated valve failing to close on demand is 3.0E-3. The likelihood that the air-operated flow control valve or air-operated recirculation valve for one of the motor-driven AFW pumps fails to close on demand or the motor-operated discharge valve for the turbine-driven pump fails to close is 8.0E-3. Unless leakage past these valves, sufficient to prevent pump damage, normally occurs, the likelihood that the valves close when demanded, resulting in pump deadhead conditions, is 0.992.

! No credit for recovery of AFW pumps given failure due to deadheading conditions. This assumption is based on the following:

The AFW recirculation lines were installed as part of original construction to ensure the pumps would have a flow path to prevent deadheading the pump, which would damage the pump. As previously identified in the ASP analysis of LER 266/01-005, discussions with

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 56 SENSITIVE - NOT FOR PUBLIC DISCLOSURE licensee engineering staff indicated that an AFW pump could be damaged within minutes under insufficient flow condition due to lack of cooling.

Damage to the pump and pump seals would be catastrophic.

! No credit for the recovery of nitrogen air bottles to the pressurizer PORVs. This assumption is based on the following:

The pressurizer PORVs are air-operated valves with a backup nitrogen supply. However, since 1979, the backup nitrogen supply has been isolated, by procedure, during power operation. A containment entry is required to restore the backup nitrogen supply.

Consequently, upon a loss of instrument air, the PORVs would not be available (Ref. 24).

Containment entry during any event that results in loss of instrument air pressure would not be a normal plant evolution (would be considered a heroic action). Further, EOP-0.1 and Critical Safety Procedure (CSP) - H.1, Response to Loss of Secondary Heat Sink, do not provide the steps and cautions for such action.

! No credit for recovery of secondary cooling without instrument air or service water. This assumptions is based on the following:

CSP - H.1 provides instructions for restoring secondary heat sink (Ref. 28). Because several valves in the secondary side system are air-operated and because specific procedural guidance for restoring secondary side cooling when instrument air is not available is NOT provided in CSP-H.1, no credit for recovery of secondary cooling is taken when instrument air (or service water cooling to the instrument air or service air compressors) is not available.

! No credit for injection of service water or firewater through failed AFW pumps. This assumption is based on the following:

The utility credited injection of service water through the failed AFW pumps as a source of secondary cooling when feed and bleed cooling could not be established. Because the service water pressure at the AFW pump suction lines is about 68 psig, the operators must manually depressurize the steam generators to inject service water into them. In addition to service water injection, charging flow must be maximized for adequate core cooling.

Operator actions to accomplish this are directed by CSP-H.1, step 19 and actions 2 and 3 under the response not obtained column for step 38. The utility based the effectiveness of service water injection (combined with additional charging flow) to provide adequate core cooling on Modular Accident Analysis Program (MAAP) runs. Although operators would certainly attempt to provide any source of water to the steam generators during a critical situation, there is no assurance that operators will initiate service water injection in time or that the steam generators will be sufficiently depressurized so that an adequate flow of service water can be injected. Therefore, the use of service water injection was not credited in this analysis.

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 57 SENSITIVE - NOT FOR PUBLIC DISCLOSURE - Dual-Unit LOOP Initiating Event Frequency Estimate Two LOOP events were of interest for this condition assessment: (1) dual unit LOOPs, where offsite electric power is simultaneously lost to both units and (2) single unit LOOPs, where offsite electric power is lost to only one unit. This attachment provides details for estimating the frequency of a dual unit LOOP occurring at Point Beach.

During a LOOP event, until offsite power is restored, feed and bleed cooling is the only alternative for short-term cooling should the AFW system fail. At Point Beach, the instrument air and service air compressors do not automatically load onto emergency power following a LOOP; operators must manually load a compressor onto emergency power. A dual unit LOOP can result in total loss of instrument air pressure unless an instrument air or service air compressor is manually loaded onto emergency power. Without instrument air, the PORVs, needed for feed and bleed cooling, are not available because of insufficient instrument air pressure to operate the valves.

Data sources. For this condition assessment, a frequency estimate for dual unit LOOP events was developed that is based on events identified in NUREG/CR-5496, Evaluation of Loss of Offsite Power Events at Nuclear Power Plants: 1980 - 1996 (Ref. 29), and updated to include LER data through 2002. A search of the Sequence Coding and Search System database was conducted to select LERs involving failures in the instrument air system for the years 1997 through 2002. The total time period reviewed is 1987-2002.

Review criteria. Because of the design for the instrument air and service air systems at Point Beach (redundant compressors and diverse power sources), loss of all four compressors due to a LOOP will only occur if power is lost to both units. The types of LOOP events that would involve both units include dual unit, plant-centered LOOPs; grid-related LOOPs; and severe weather-related LOOPs. Other review criteria include the following:

Causes of weather-related and grid-related LOOP events are independent of plant mode; therefore, both operating and shutdown experience were included.

LOOP events that occurred when all units at the site were shut down were not included.

LOOP events caused by outage maintenance activity on one shutdown unit (even though the activity is not performed while the plant is operating) were included. This type of LOOP will be used to calculate a dual unit, plant-centered LOOP frequency for the fraction of time that one unit at Point Beach is shut down.

Hurricane-related LOOP events were not included ( Because of the location of plants).

Results. The results of the review of LOOP events during the 1987-2002 period are given in Table 5.1.

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 58 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table 5.1. Events selected for dual unit LOOP frequency assessment.

LOOP type No. events LER Grid-related 1

395/89-012

Weather-related 5

333/88-011, 282/96-012, 346/98-006 302/93-002, 325/93-008 Dual-unit, plant-centered Both units operating 2

317/87-012, 327/92-027 One unit shut down 1

334/93-013

Exclude: Pilgrim (outlier from NUREG/CR-5496); 2 of 3 events at Crystal River (302/93-002) caused by the same storm; hurricane events when plant was shut down prior to the hurricane-induced LOOP.

Industry frequency calculation. The LOOP frequency is estimated by:

FLOOP = FGrid + FSevere weather + FDual

Where, FGrid = frequency of grid-related LOOPs FSevere weather = frequency of weather-related LOOPs FDual = frequency of plant-centered, dual unit LOOPs The total operating and shutdown time for all sites (single and multiunit sites) during 1987-2002 is 1,080 site calendar years, as shown in Table 5.2. The operating and shutdown time for only multiunit sites during the same time is 570.9 site calendar years. Using the criticality factor calculated in Table 5.3 of 0.78, the multiunit critical time is 0.78 x 570.9 calendar years = 445 critical years. Therefore, the mean frequency is:

FGrid = 1/(1,018 yr) = 9.8E-4/yr or 1.1E-7/hr FSevere weather = 5/(1,018 yr) = 4.9E-3/yr or 5.6E-7/hr FDual = 3/(445 yr) = 6.7E-3/yr or 7.7E-7/hr The industry LOOP frequency (per site calendar year) is:

FLOOP = 1.1E-7/hr + 5.6E-7/hr +7.7E-7/hr = 1.4E-6/hr or 1.2E-2/yr Point Beach plant-specific frequency calculation. In order to obtain a rigorous probability distribution for FLOOP, a numeric analysis of each parameter would be required. Since the number of events controls the uncertainty bounds, a reasonable distribution can be created from an approximate analysis for the purpose of ASP uncertainty analysis. The number of LOOP events (nine) and the industry LOOP frequency (1.2E-2/yr) are used to estimate a

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 59 SENSITIVE - NOT FOR PUBLIC DISCLOSURE pseudo-exposure (732 years) so that a probability distribution can be created to express the uncertainty in the estimate.

The constrained noninformative prior distribution (Ref. 30) was used. The distribution is given by:

(

)

Gamma Gamma F

=

05 1 2

Grid reliability and severe weather frequency vary between plants, so the more diffuse prior distribution is appropriate. The Gamma distribution parameters (in years) of the prior are =0.5 and =41. Performing a Bayesian update on the above distribution with Point Beachs 16 operating years without a LOOP event, the mean LOOP frequency for Point Beach is 8.8E-3/yr or 1.0E-6/hr. The Gamma distribution parameters of the posterior are =0.5 and =57. The 5th percentile of this distribution is 3.5E-5/yr and the 95th percentile is 3.4E-2/yr.

Operating history at Point Beach for the time period from October 29, 2001, to October 30, 2002 (approximates the condition duration), shows that Unit 1 was critical for a total of 7,989.6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months (for a criticality factor of 0.91) and shut down for a total of 770.4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months ; and Unit 2 was critical for a total of 7,974.2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months (for a criticality factor of 0.91) and shut down for a total of 785.8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months (Refs. 11 through 23).

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 60 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table 5.2. Commercial site calendar years - calendar years 1987-2002.1 PLANT NAME Multiunit sites 2 (site calendar years)

All sites 3 (site calendar years) 1987-1995 (9 yrs) 1996-2002 (7 yrs) 1987-1995 (9 yrs) 1996-2002 (7 yrs)

ARKANSAS 1 9

7 ARKANSAS 2 9

7 BEAVER VALLEY 1 9

7 BEAVER VALLEY 2 8.4 7

BIG ROCK POINT 9

2 BRAIDWOOD 1 8.6 7

BRAIDWOOD 2 7.8 7

BROWNS FERRY 1 BROWNS FERRY 2 9

7 BROWNS FERRY 3 9

7 BRUNSWICK 1 9

7 BRUNSWICK 2 9

7 BYRON 1 9

7 BYRON 2 9

7 CALLAWAY 9

7 CALVERT CLIFFS 1 9

7 CALVERT CLIFFS 2 9

7 CATAWBA 1 9

7 CATAWBA 2 9

7 CLINTON 1 8.8 7

COLUMBIA 9

7 COMANCHE PEAK 1 5.8 7

COMANCHE PEAK 2 2.8 7

COOK 1 9

7 COOK 2 9

7 COOPER STATION 9

7 CRYSTAL RIVER 3 6

7 DAVIS-BESSE 9

7

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 Table 5.2. Commercial site calendar years - calendar years 1987-2002 (contd).1 PLANT NAME Multiunit sites 2 (site calendar years)

All sites 3 (site calendar years) 1987-1995 (9 yrs) 1996-2002 (7 yrs) 1987-1995 (9 yrs) 1996-2002 (7 yrs) 61 SENSITIVE - NOT FOR PUBLIC DISCLOSURE DIABLO CANYON 1 9

7 DIABLO CANYON 2 9

7 DRESDEN 2 9

7 DRESDEN 3 9

7 DUANE ARNOLD 9

7 FARLEY 1 9

7 FARLEY 2 9

7 FERMI 2 9

7 FITZPATRICK 9

7 FORT CALHOUN 9

7 FORT ST. VRAIN 2.7 0

GINNA 9

7 GRAND GULF 9

7 HADDAM NECK 9

1.2 HARRIS 9

7 HATCH 1 9

7 HATCH 2 9

7 HOPE CREEK 9

7 INDIAN POINT 2 9

7 INDIAN POINT 3 9

7 KEWAUNEE 9

7 LA CROSSE 0.4 0

LASALLE 1 9

7 LASALLE 2 9

7 LIMERICK 1 9

7 LIMERICK 2 6.4 7

MAINE YANKEE 9

1.7 MCGUIRE 1 9

7 MCGUIRE 2 9

7 MILLSTONE 1

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 Table 5.2. Commercial site calendar years - calendar years 1987-2002 (contd).1 PLANT NAME Multiunit sites 2 (site calendar years)

All sites 3 (site calendar years) 1987-1995 (9 yrs) 1996-2002 (7 yrs) 1987-1995 (9 yrs) 1996-2002 (7 yrs) 62 SENSITIVE - NOT FOR PUBLIC DISCLOSURE MILLSTONE 2 9

7 MILLSTONE 3 9

7 MONTICELLO 9

7 NINE MILE PT. 1 9

7 NINE MILE PT. 2 8.6 7

NORTH ANNA 1 9

7 NORTH ANNA 2 9

7 OCONEE 1 9

7 OCONEE 2 OCONEE 3 9

7 OYSTER CREEK 9

7 PALISADES 9

7 PALO VERDE 1 9

7 PALO VERDE 2 9

7 PALO VERDE 3 PEACH BOTTOM 2 9

7 PEACH BOTTOM 3 9

7 PERRY 9

7 PILGRIM 9

7 POINT BEACH 1 9

7 POINT BEACH 2 9

7 PRAIRIE ISLAND 1 9

7 PRAIRIE ISLAND 2 9

7 QUAD CITIES 1 9

7 QUAD CITIES 2 9

7 RANCHO SECO 2.4 0

RIVER BEND 9

7 ROBINSON 2 9

7 SALEM 1 9

7 SALEM 2 9

7

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 Table 5.2. Commercial site calendar years - calendar years 1987-2002 (contd).1 PLANT NAME Multiunit sites 2 (site calendar years)

All sites 3 (site calendar years) 1987-1995 (9 yrs) 1996-2002 (7 yrs) 1987-1995 (9 yrs) 1996-2002 (7 yrs) 63 SENSITIVE - NOT FOR PUBLIC DISCLOSURE SAN ONOFRE 1 SAN ONOFRE 2 9

7 SAN ONOFRE 3 9

7 SEABROOK 6.6 7

SEQUOYAH 1 9

7 SEQUOYAH 2 9

7 SOUTH TEXAS 1 7.8 7

SOUTH TEXAS 2 6.5 7

ST. LUCIE 1 9

7 ST. LUCIE 2 9

7 SUMMER 9

7 SURRY 1 9

7 SURRY 2 9

7 SUSQUEHANNA 1 9

7 SUSQUEHANNA 2 9

7 THREE MILE ISL 1 9

7 TROJAN 6

0 TURKEY POINT 3 9

7 TURKEY POINT 4 9

7 VERMONT YANKEE 9

7 VOGTLE 1 8.8 7

VOGTLE 2 6.8 7

WATERFORD 3 9

7 WATTS BAR 1 0

6.6 WOLF CREEK 9

7 YANKEE-ROWE 5.2 0

ZION 1 9

2.4 ZION 2 9

1.6 SUBTOTALS 317.3 253.6 618.1 461.9

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/02-003 Table 5.2. Commercial site calendar years - calendar years 1987-2002 (contd).1 PLANT NAME Multiunit sites 2 (site calendar years)

All sites 3 (site calendar years) 1987-1995 (9 yrs) 1996-2002 (7 yrs) 1987-1995 (9 yrs) 1996-2002 (7 yrs) 64 SENSITIVE - NOT FOR PUBLIC DISCLOSURE TOTALS (site calendar years)

Multiunit sites 570.9 All sites 1080 Notes:

1.

Sources: CY 1987 - 1995 from NUREG/CR-5750 (Ref. 7); CY 1996-2002 from Precursors to Potential Severe Core Damage Accidents---Fiscal Year 1999, Appendix C, ADAMS Accession No. ML0216801631. CY 1996-2002 see Table 5.4.

2.

For site calendar years for multiunit sites, only sites having more than one operating unit were included (single unit sites were excluded). Site calendar time was based on time when second unit began operations.

3.

For all site calendar years, each site is counted once. For multiunit sites, site calendar time is based on time when first unit began operations.

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/01-005 65 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table 5.3. Industry average criticality factor - calendar years 1987-2001.

Year 1987 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 Critical Hours1, 2 PWR 417775.7 466182.3 461652.3 474942.9 504981.8 512763.6 491488.7 518225.2 518681.1 515809.3 463214.3 499729.5 529114.5 538829.8 546269.5 BWR 197489.5 199293.3 204484.8 231608.8 230335.2 221641.0 234735.5 233389.0 259566.2 249177.9 236965.5 239544.1 265672.3 277399.2 276843.9 TOTAL 615265.2 665475.6 666137.1 706551.7 735317.0 734404.6 726224.2 751614.2 778247.3 764987.2 700179.8 739273.6 794786.8 816229.0 823113.4 Critical Years1, 2 PWR 47.69 53.07 52.70 54.22 57.65 58.37 56.11 59.16 59.21 58.72 52.88 57.05 60.40 61.34 62.36 BWR 22.54 22.69 23.34 26.44 26.29 25.23 26.80 26.64 29.63 28.37 27.05 27.35 30.33 31.58 31.60 TOTAL 70.24 75.76 76.04 80.66 83.94 83.61 82.90 85.80 88.84 87.09 79.93 84.39 90.73 92.92 93.96 Calendar Years2, 3 TOTAL 105.34 108.34 110.40 111.89 112.00 111.37 109.91 110.00 110.00 108.50 106.50 104.20 104.00 104.00 104.00 Criticality factor TOTAL 0.67 0.70 0.69 0.72 0.75 0.75 0.75 0.78 0.81 0.80 0.75 0.81 0.87 0.89 0.90 Totals Critical Years Calender Years Criticality Factor TOTAL 1256.81 1620.45 0.78 Notes:

1.

Data from Idaho National Engineering and Environmental Laboratorys database (MORP1.DBF) which is based on licensees monthly operating reports as of December 2002.

2.

Data are included from critical date until permanent shutdown. Ft. St. Vrain critical hours are excluded.

3.

Data from NUREG/CR-5750 for CY 1987-1995 (Ref. 7). Data calculated for CY 1996-2001; see Table 5.4.)

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/01-005 66 SENSITIVE - NOT FOR PUBLIC DISCLOSURE Table 5.4. Data used to calculate reactor calendar years (CY 1996-2002).

Calendar Days 1996 1997 1998 1999 2000 2001 2002 Decommissioned PWRs Defuel Date1 San Onofre 1 11/30/92 0

0 0

Trojan 11/09/92 0

0 0

Haddam Neck 12/5/96 339 0

0 0

0 Maine Yankee 6/23/97 365 174 0

0 0

Zion 1 4/28/97 365 118 0

0 0

Zion 2 2/26/98 365 365 57 0

0 0

0 Initial Startup-PWRs Startup Date1 Comanche Peak 2 8/3/93 365 365 365 365 365 365 365 Watts Bar 1 5/27/96 147 365 365 365 365 365 365 Operating-PWRs2 67 units x 365 days =

24455 24455 24455 24455 24455 24455 24455 Total PWR (reactor calendar years) 72.33 70.80 69.16 69.00 69.00 69.00 69.00 Decommissioned BWRs Defuel Date1 Big Rock 9/22/97 365 264 0

0 0

Millstone 1 11/19/95 50 0

0 0

0 Operating-BWRs 35 units x 365 days =

12775 12775 12775 12775 12775 12775 12775 Total BWR (reactor calendar years) 36.14 35.72 35.00 35.00 35.00 35.00 35.00 TOTAL (PWR + BWR) 108.5 106.5 104.2 104.0 104.0 104.0 104.0 Notes:

1.

Startup date from NUREG-1350, Information Digest. Defuel date from the NRC Status Reports. Dates for San Onofre 1 and Trojan are shutdown dates from NUREG-1350. Defuel date for Millstone 1 from letter---Northeast Nuclear Energy to NRC dated 7/21/98.

2.

Number of plants in operation (not shut down for decommissioning) during the end of FY-02 minus new plants that were started during the period.

SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER 266/01-005 67 SENSITIVE - NOT FOR PUBLIC DISCLOSURE - Human Error Worksheet

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 68 SENSITIVE - NOT FOR PUBLIC DISCLOSURE SPAR Model Human Error Worksheet (Page 1 of 3)

Plant: Point Beach Units 1 and 2 Event Name: AFW-XHE-XM-CST Task Error

Description:

Operator fails to refill CSTs using water treatment Does this task contain a significant amount of diagnosis activity ? YES NO X If Yes, Use Table 1 below to evaluate the PSFs for the Diagnosis portion of the task before going to Table 2. If No, go directly to Table 2.

Table 1. Diagnosis worksheet.

PSFs PSF Levels Multiplier for Diagnosis If non-nominal PSF levels are selected, please note specific reasons in this column

1. Available Time Inadequate 1.0a Barely adequate < 20 m 10 Nominal. 30 m 1

Extra > 60 m 0.1 Expansive > 24 h 0.01

2. Stress Extreme 5

High 2

Nominal 1

3. Complexity Highly 5

Moderately 2

Nominal 1

4. Experience/

Training Low 10 Nominal 1

High 0.5

5. Procedures Not available 50 Available, but poor 5

Nominal 1

Diagnostic/symptom oriented 0.5

6. Ergonomics Missing/Misleading 50 Poor 10 Nominal 1

Good 0.5

7. Fitness for Duty Unfit 1.0a Degraded Fitness 5

Nominal 1

8. Work Processes Poor 2

Nominal 1

Good 0.8

a. Task failure probability is 1.0 regardless of other PSFs.

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 69 SENSITIVE - NOT FOR PUBLIC DISCLOSURE SPAR Model Human Error Worksheet (Page 2 of 3)

Table 2. Action worksheet.

PSFs PSF Levels Multiplier for Action If non-nominal PSF levels are selected, please note specific reasons in this column

1. Available Time Inadequate 1.0a Time available is assumed to be equal to time required.

Time available. time required 10U Nominal 1

Available > 5x time required 0.1 Available > 50x time required 0.01

2. Stress Extreme 5

High 2

Nominal 1U

3. Complexity Highly 5

Moderately 2

Nominal 1U

4. Experience/

Training Low 3

Nominal 1U High 0.5

5. Procedures Not available 50 Available, but poor 5

Nominal 1U

6. Ergonomics Missing/Misleading 50 Poor 10 Nominal 1U Good 0.5

7. Fitness for Duty Unfit 1.0a Degraded Fitness 5

Nominal 1U

8. Work Processes Poor 2

Nominal 1U Good 0.8

a. Task failure probability is 1.0 regardless of other PSFs.

Table 3. Task failure probability without formal dependence worksheet.

Task Portion Nom.

Prob.

Time Stress Compl.

Exper./

Train.

Proced Ergon.

Fitness Work Process Prob.

Diag.

1.0E-2 na Action 1.0E-3 10 1

1 1

1.0E-2 Total 1.0E-2

SENSITIVE - NOT FOR PUBLIC DISCLOSURE 70 SENSITIVE - NOT FOR PUBLIC DISCLOSURE SPAR Model Human Error Worksheet (Page 3 of 3)

For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence.

Table 4. Dependency condition worksheet.

Condition Number Crew (same or different)

Location (same or different)

Time (close in time or not close in time)

Cues (additional or not additional)

Dependency Number of Human Action Failures Rule 1

s s

c complete If this error is the 3rd error in the sequence, then the dependency is at least moderate.

If this error is the 4th error in the sequence, then the dependency is at least high.

This rule may be ignored only if there is compelling evidence for less dependence with the previous tasks.

2 s

s nc na high 3

s s

nc a

moderate 4

s d

c high 5

s d

nc na moderate 6

s d

nc a

low 7

d s

c moderate 8

d s

nc na low 9

d s

nc a

low 10 d

d c

moderate 11 d

d nc na low 12 d

d nc a

low 13 zero Using P = Task Failure Probability Without Formal Dependence (calculated on page 2):

For Complete Dependence the probability of failure

= 1.0 For High Dependence the probability of failure

= (1 + P)/2 For Moderate Dependence the probability of failure

= (1 +6P)/7 For Low Dependence the probability of failure

= (1 + 19P)/20 UFor Zero Dependence the probability of failure

P Task Failure Probability With Formal Dependence = (1 + ( * )) /

Additional Notes:

ML20114E142

Text

Description:

P Task Failure Probability With Formal Dependence = (1 + ( * )) /

Navigation menu

Search