ML20114E200

Final ASP Analysis - Quad Cities 2 (LER 265-01-001-01)
Site: Quad Cities
Issue date: 05/12/2020
From: Christopher Hunter
NRC/RES/DRA/PRB
To:
Hunter C (301) 415-1394
References
LER 265-01-001-01

Final Precursor Analysis

Accident Sequence Precursor Program --- Office of Nuclear Regulatory Research

Quad Cities 2: Loss of offsite power to Unit 2 but not Unit 1 due to failure of Unit 2 main power transformer with the subsequent failure of a switchyard breaker relay

Event Date: 08/02/2001
LER: 265/01-001
CCDP = 5 x 10^-6

August 13, 2004

Event Summary

On August 2, 2001, at 0813 hours, lightning struck a 345-kV line that connected to the Quad Cities switchyard. Both Unit 1 and Unit 2 were at 100% power. The lightning strike caused the Unit 2 main power transformer to rupture and catch fire, leading to an automatic shutdown of the Unit 2 reactor. Subsequently, additional breakers in the switchyard supplying offsite power to the Unit 2 reserve auxiliary transformer (RAT) opened. Consequently, Unit 2 lost all offsite power. Unit 1 remained connected to the offsite grid with a reduced number of offsite power lines. (Ref. 1)

An unusual event was declared following the Unit 2-centered loss of offsite power (LOOP). The swing emergency diesel generator (EDG 1/2) and the Unit 2 emergency diesel generator (EDG 2) automatically started as required and supplied electrical power to the safety-related buses (bus 23-1 and bus 24-1) for Unit 2. The two station blackout EDGs were manually started as required by station procedures but were not manually loaded to any electrical bus since this was not required.

The Unit 1 EDG (EDG 1) was not required to start because bus 14-1 did not lose voltage, as its electrical feed was from Unit 1. An alternate source of offsite power from Unit 1 to Unit 2, using the RAT of Unit 1 feeding through the station emergency bus cross-tie to Unit 2, was available, but this source of offsite power for Unit 2 was not used during the event.

The Unit 2 reactor core isolation cooling (RCIC) system and the safe shutdown makeup pump were manually started and used to maintain reactor vessel water level. Reactor pressure was controlled with the main steam relief valves. All safety systems operated as designed to shut down the Unit 2 reactor and maintain it in a safe shutdown condition. There were no failures of equipment following the Unit 2-centered LOOP that complicated the controlled shutdown of Unit 2.

The fire in the Unit 2 main power transformer was extinguished at approximately 0845 hours (approximately 32 minutes after the lightning strike) by (1) the automatic actuation of the transformer's fire protection deluge system, (2) actions of the station fire brigade, and (3) actions of the local fire departments. Offsite electrical power to Unit 2 emergency buses (buses 23-1 and 24-1) from the Unit 2 RAT was restored at approximately 1047 hours. EDG 1/2 and EDG 2 were then shut down. The Unit 2-centered LOOP lasted approximately 2.5 hours.

Unit 1 power was lowered to approximately 93% following the LOOP at Unit 2. Due to the Unit 2-centered LOOP, Unit 1 was in a 7-day technical specification limiting condition of operation (LCO) from 0813 hours to 1047 hours due to offsite electrical power not being available from Unit 2. Unit 1 was also in another 7-day LCO because the swing diesel, EDG 1/2, was dedicated for use at Unit 2 and not available for Unit 1 from 0855 hours to 1041 hours.

Cause. The cause of the Unit 2 main power transformer failure was original equipment manufacturer design and construction errors that allowed the mechanical failure of the bus bar clamps (due to undersized bus bars and bus bar clamp bolts). After the lightning strike, this mechanical failure of the bus bar clamps created a phase-to-phase fault in the main power transformer, which caused a fire in the transformer. The Unit 2 main power transformer was subjected to multiple electrical faults during its service life, which contributed to its ultimate failure.

Although the licensee knew about the faults, they were not tracking the number of faults or the severity of the faults on the transformer. The cause of the subsequent loss of all offsite power to Unit 2 was a transistor failure due to age degradation in a static breaker failure relay, causing a slow relay reset time (Ref. 1). The age-related degradation was not recognized earlier due to the failure to include completion of the reset function in their relay testing program.

Initiating event. For Unit 2, the event is considered a unit-centered LOOP caused by failure of a switchyard breaker relay to properly respond to failure of the Unit 2 main power transformer.

For Unit 1, there is no initiating event. For approximately 2.5 hours, Unit 1 had restricted electrical power while offsite power was being restored to Unit 2. The 2.5-hour time period that Unit 1 had restricted electric power is much shorter than the time allowed by the Unit 1 technical specifications.

In addition, a screening evaluation was performed that indicated the risk significance of restricted electrical power at Unit 1 for this event was negligible.

Recovery opportunities. At the time of the Unit 2 scram, offsite power was available from Unit 1 for use at Unit 2. However, the operators chose not to use this Unit 1 source of electric power but rather to use the two emergency diesel generators that automatically started and ran for approximately 2.5 hours. The actual recovery of offsite power to Unit 2 was accomplished by using Unit 2 offsite power sources at approximately 2.5 hours.

Normal recovery of equipment (default value) was used in the risk analysis for equipment not impacted by the Unit 2 main power transformer fire.

Analysis Results

• CCDP (note 1)

Conditional core damage probability (CCDP) is 5.4 x 10^-6 (mean).

| | Point Value | Mean | 5% | 95% |
|---|---|---|---|---|
| CCDP | 5.5 x 10^-6 | 5.4 x 10^-6 | 7.2 x 10^-7 | 1.7 x 10^-5 |

This CCDP exceeds the Accident Sequence Precursor (ASP) program acceptance threshold value for an initiating event. The CCDP is greater than 1.0 x 10^-6, and the CCDP is greater than the CCDP for a transient with loss of reactor feedwater and no reactor feedwater recovery, which is 1.2 x 10^-6 (point estimate).

It should be noted that this initiating event assessment is equivalent to calculating the conditional core damage probability of Unit 2 for a unit-centered LOOP because there were no other failures in the actual event following the Unit 2-centered LOOP.

Note 1: For the initiating event assessment, the parameter of interest is the absolute value of the CCDP.

• Dominant sequence

LOOP Initiating Event: The core damage sequence with the highest CCDP (2.4 x 10^-6 or 43.6% of the total) for the Unit 2 initiating event assessment is LOOP Sequence 65 (see Figure 1). Three other significant core damage sequences are LOOP Sequence 62-04-5 (9.3 x 10^-7 or 16.9%), LOOP Sequence 09-5 (9.0 x 10^-7 or 16.4%), and LOOP Sequence 61 (7.1 x 10^-7 or 12.9%). The events and important TOP events for these three sequences are shown in Table 1 and Table 2a. These include:

LOOP Sequence 65
- reactor protection system (RPS) fails

LOOP Sequence 62-04-5
- RPS works
- emergency electrical power system works
- one safety relief valve (SRV) sticks open
- safe shutdown makeup system works
- suppression pool cooling fails
- containment spray system fails
- containment venting fails
- following containment failure, equipment fails because of survivability concerns

LOOP Sequence 09-5
- RPS works
- emergency electrical power system works
- all SRVs close
- RCIC system works
- suppression pool cooling fails
- manual depressurization works
- shutdown cooling fails
- containment spray system fails
- containment venting fails
- following containment failure, equipment fails because of survivability concerns

LOOP Sequence 61
- reactor protection system works
- emergency electrical power system works
- all SRVs close
- RCIC system fails
- high pressure coolant injection (HPCI) system fails
- safe shutdown makeup system is unavailable
- manual depressurization fails
- insufficient control rod drive (CRD) flow to the reactor coolant system

• Results tables

- The conditional probabilities of the dominant sequences for the Unit 2-centered LOOP are shown in Table 1.

- The event tree sequence logic for the dominant sequences is provided in Table 2a. Definitions of TOP events are provided in Table 2b.

- The highest value conditional cut sets are provided in Table 3.

- The definitions and probabilities for certain basic events are provided in Table 4.

Modeling Assumptions

• Assessment summary

This event was modeled as a unit-centered LOOP initiating event for Unit 2.

• SPAR model used in the analysis

The Standardized Plant Analysis Risk (SPAR) model for Quad Cities 1 & 2 (Rev. 3) was used for this assessment (Ref. 2). The naming convention for event trees, fault trees, and basic events in the model is for Unit 1; however, the model is valid for either unit.

• Unique system and operational considerations

None.

• Modifications to event tree models

Recovery of long term shutdown cooling. The recovery rules for the LOOP event tree were modified to credit recovery of shutdown cooling late in certain sequences. This was done in a manner similar to the use of a nonrecovery term for the transient (TRANS) event tree. In the TRANS event tree, the nonrecovery term SDC-LTERM-NOREC was added to certain sequences where (1) the reactor protection system successfully tripped the reactor, (2) the power conversion system has failed, (3) no relief valves have stuck open, (4) high pressure injection (RCIC, HPCI, or safe shutdown system) was successful, (5) the reactor has been successfully depressurized, but (6) long-term decay heat removal has failed (suppression pool cooling [SPC], shutdown cooling [SDC], and containment spray system [CSS]). The selected sequences in the LOOP event tree are sequences 8, 9, 22, 23, and 33. The nonrecovery event SDC-LTERM-NOREC2 (Operator fails to recover shutdown cooling in the long term) was added to selected sequences of the LOOP event tree where (1) the reactor protection system has successfully tripped the reactor, (2) the emergency power system has successfully restored power, (3) no relief valves have stuck open, (4) high pressure injection (RCIC, HPCI, or safe shutdown system) was successful, (5) the reactor has been successfully depressurized, but (6) long-term decay heat removal has failed (SDC and CSS).

The recovery rules for the LOOP event tree were modified as follows:

Long-term recovery of SDC given initial success of injection.

    if system(/RPS) * system(/EPS) * system(/SRV) * (system(/RCI2) + system(/HCI) + system(/SSM)) * system(CSS) then
        AddEvent = SDC-LTERM-NOREC2;
    endif

The value used for SDC-LTERM-NOREC2 in the LOOP sequences was based on the similarity between a unit-centered LOOP with success of the electrical power system and a transient with loss of the power conversion system. In a unit-centered LOOP with success of the electrical power system and no stuck-open relief valve, the recovery of the decay heat removal systems in the long term should be identical to the recovery of the decay heat removal systems in the long term for TRANS with loss of the power conversion system and with no stuck-open relief valve. There is nothing in the unit-centered LOOP logic that would indicate that the operators would have less time to recover the residual heat removal system (RHR) in the long term, that recovery would be any more complicated, or that the stress level would be any higher. The initial stages of the two events might be different, but the long-term RHR recovery actions or inactions would be the same. However, in order to add some conservatism to the analysis, the value used for SDC-LTERM-NOREC2 (3.2E-2) was taken to be twice the value used for SDC-LTERM-NOREC (1.6E-2).

Treatment of RPS. The dominant sequence for core damage is the failure of RPS. In the event tree for LOOP (see Figure 1), the failure of RPS following LOOP (Sequence 65) leads directly to core damage and not to a transfer to an ATWS event tree as found in the IE-TRANS event tree. No modification to Sequence 65 was made for the analysis. No documentation could be found that would allow a change to the sequence to allow a transfer to an ATWS event tree following LOOP. Also, even though the probability of failure of RPS following IE-LOOP is less than the probability of failure of RPS following IE-TRANS, the same values were used for RPS failure following IE-LOOP as used for RPS failure following IE-TRANS. This treatment of RPS results in a higher CCDP in the analysis than might be calculated with more complete documentation of the response of RPS following IE-LOOP.

• Modifications to fault tree models

Changes were made to the fault tree for the LOOP FLAG sets to allow setting loss of power to the various divisions of electric power. These changes are shown in the table below and in Figures 2 through 15. In addition, a basic event was added to the division I and II ac electric power trees to model the ability of the operators to cross-connect the 4160 V buses to Unit 1, which had offsite power (see Figures 5 and 8).

| Fault Tree | Unmodified FLAG | Modified FLAG | Figure |
|---|---|---|---|
| CRD-A | LOOP | LOOP-I | Figure 2 |
| CRD-B | LOOP | LOOP-II | Figure 3 |
| CVS | LOOP | LOOP-I or LOOP-II | Figure 4 |
| DIV-1-AC | LOOP-I | LOOP-I | Figure 5 |
| DIV-1-AC-U2 | LOOP-I-U2 | LOOP-I-U2 | Figure 6 |
| - LOOP-I | | | |
| DIV-1-DC | LOOP | LOOP-I | Figure 7 |
| DIV-2-AC | LOOP-II | LOOP-II | Figure 8 |
| DIV-2-AC-U2 | LOOP-II-U2 | LOOP-II-U2 | Figure 9 |
| DIV-2-DC | LOOP | LOOP-II | Figure 10 |
| SWS-U1A | LOOP | LOOP-I | Figure 11 |
| SWS-U1B | LOOP | LOOP-II | Figure 12 |
| SWS-U2A | LOOP | LOOP-I-U2 | Figure 13 |
| SWS-U2B | LOOP | LOOP-II-U2 | Figure 14 |
| TBC-A | LOOP | LOOP-I | Figure 15 |

• Initiating event probability changes

For this analysis, the frequency for initiating event IE-LOOP was set equal to 1.0 and the frequencies for all the other initiating events were set to zero. The LOOP FLAG sets were changed as follows to make this a unit-centered LOOP.

- LOOP = TRUE

- LOOP-I = TRUE

- LOOP-I-U2 = FALSE

- LOOP-II = TRUE

- LOOP-II-U2 = FALSE

• Basic event probability changes

Table 4 provides the basic events that were changed to analyze this event.

Several of the basic events changed involve the recovery of ac electrical power. The values used were based on the assumption that offsite power was available from Unit 1 at time T = 0. A general description of the approach to estimating electric power recovery is contained in Attachment A. One of the important assumptions regarding the recovery of offsite power from the Unit 2 switchyard is that at least 30 minutes is required to restore power to emergency loads with offsite power available at time T = 0.0. As seen in Attachment A and Table 5, the final value used in the analysis is dependent on the performance shaping factor used for the time available.

- Probability that the operator fails to recover ac power in 30 minutes (ACP-XHE-NOREC-30). This probability was changed to 1.0E-1 as shown in Table 5. The performance shaping factor for time was given a value of 10 since the time available to perform the action is approximately equal to the time required to perform the action.

- Probability that the operator fails to recover ac power in 90 minutes (ACP-XHE-NOREC-90). This probability was changed to 1.0E-2 as shown in Table 5. The performance shaping factor for time was given a value of 1.0 since the time available to perform the action is between two and four times the time required to perform the action.

- Probability that the operator fails to recover ac power in 4 hours (ACP-XHE-NOREC-4H). This probability was changed to 1.0E-3 as shown in Table 5. The performance shaping factor for time was given a value of 0.1 since the time available to perform the action is greater than five times the time required to perform the action.

- Probability that the operator fails to recover ac power before battery depletion - 4 hours (ACP-XHE-NOREC-BD). This probability was changed to 1.0E-3 as shown in Table 5. The performance shaping factor for time was given a value of 0.1 since the time available to perform the action is greater than five times the time required to perform the action.

- Probability that the emergency diesel generator fails to run for the medium term (EPS-DGN-FR-FTRM). This probability was changed to 9.0E-4 based on a total mission time of 1 hour. That is: the value represents 0.5 hours at the failure to run/hour of short term and 0.5 hours at the failure to run/hour of medium term.

- Probability that the operator fails to recover offsite power in 1 hour (OEP-XHE-NOREC-1H). This probability was changed to 4.0E-3 as shown in Table 5. The performance shaping factor for time was given a value of 1.0 since the time available to perform the action is between two and four times the time required to perform the action.

- Probability that the operator fails to recover offsite power in 2 hours (OEP-XHE-NOREC-2H). This probability was changed to 4.0E-3 as shown in Table 5. The performance shaping factor for time was given a value of 1.0 since the time available to perform the action is between two and four times the time required to perform the action.

- Probability that the operator fails to recover offsite power in 4 hours (OEP-XHE-NOREC-4H). This probability was changed to 4.0E-4 as shown in Table 5. The performance shaping factor for time was given a value of 0.1 since the time available to perform the action is greater than five times the time required to perform the action.

- Probability that the operator fails to recover offsite power in 10 hours (OEP-XHE-NOREC-10H). This probability was changed to 4.0E-4 as shown in Table 5. The performance shaping factor for time was given a value of 0.1 since the time available to perform the action is greater than five times the time required to perform the action.

- Unit 2 cross-tie fails from bus 23-1 (EPS-XHE-BUS-23-1). This event was added to model the ability of operators to cross connect bus 13-1 to Unit 2 bus 23-1 (see Figure 5). This event is assumed to be similar to event EPS-XHE-XE-SBO1 (operator fails to align Unit 1 SBO diesel generator to dead bus), and the nominal human error probability of 1.0E-3 for an action task was used for this event. This basic event does not depend on the recovery of offsite power to the Unit 2 switchyard.

- Unit 2 cross-tie fails from bus 24-1 (EPS-XHE-BUS-24-1). This event was added to model the ability of operators to cross connect bus 14-1 to Unit 2 bus 24-1 (see Figure 8). This event is assumed to be similar to event EPS-XHE-XE-SBO2 (operator fails to align Unit 2 SBO diesel generator to dead bus), and the nominal human error probability of 1.0E-3 for an action task was used for this event. This basic event does not depend on the recovery of offsite power to the Unit 2 switchyard.

• Model update

Changes to the Rev. 3 SPAR model for Quad Cities are as follows:

- Fault tree logic for the injection valve in the HPCI system was updated. A modification was made to the HCI and HC1 fault trees to address the basic event HCI-MOV-CC-IVFRO, failure of injection valve to reopen. The basis for the modifications is given in the footnotes to Table 2b. (Updated fault trees are presented in Figures 16 and 17.)

- Fault tree logic for the division I and II electric power systems for both units was updated. The logic for the station blackout (SBO) buses was revised to remove the ability to supply the bus with power from the other unit's SBO diesel generator. SBO buses 61 and 71 cannot be tied together if either bus is feeding a 4160 V safety bus. (Updated fault trees are presented in Figures 5, 6, 8, and 9.)

- Alpha factors used to calculate the common-cause failure probability for failure to run for the motor-driven service water pumps were updated based on guidance provided by Idaho National Engineering Laboratory. (See Table 6 for the updated alpha factors.)

- Alpha factors used to calculate the common-cause failure probability for failure to run for the RHR motor-driven pumps were updated based on guidance provided by Idaho National Engineering Laboratory. (See Table 6 for the updated alpha factors.)

- Alpha factors used to calculate the common-cause failure probability for the batteries were updated based on guidance provided by Idaho National Engineering Laboratory. (See Table 6 for the updated alpha factors.)

- The failure rate for batteries and battery chargers was updated based on guidance provided by Idaho National Engineering Laboratory. (See Table 4 for the updated failure probabilities.)

These updates are independent of the actual events being analyzed. Bases for the updates are described in the footnotes to Table 2b or 4.

• Related events

None

• Sensitivity studies

For selected sequences, credit was given for recovery of shutdown cooling in the long term. For the initiating event assessment, the nonrecovery value used for SDC-LTERM-NOREC2 was 3.2E-2. This value is two times the value used for nonrecovery of shutdown cooling in the long term for transient sequences. A sensitivity study was made using a value of 0.16 for SDC-LTERM-NOREC2. With this change, the CCDP value increases by a factor of 2 to 9.4E-6 (point estimate). Sensitivity results are provided in the following table.

| Event tree name | Sequence no. | Conditional core damage probability (CCDP) (note 1) | Percentage contribution |
|---|---|---|---|
| LOOP | 09-5 | 4.5 x 10^-6 | 47.9 |
| LOOP | 65 | 2.4 x 10^-6 | 25.5 |
| LOOP | 62-04-5 | 9.3 x 10^-7 | 9.9 |
| LOOP | 61 | 7.1 x 10^-7 | 7.6 |
| Total (all sequences) (note 2) | | 9.4 x 10^-6 | N/A |

Notes:

1. Values are point estimates. (File name: GEM 265-01-001 Sensitivity 1-7-2004 134536.wpd).
2. Total CCDP includes all sequences (including those not shown in this table).

• Analysts

Lead Analyst - Bob Christie
Technical Consultant - Michelle Johnson
Technical Reviewer - Leonard Palko

References

1. LER 265/01-001, Revision 1, Quad Cities Nuclear Power Station, Unit 2, Reactor Scram due to Failure of Main Power Transformer, April 10, 2002 (ADAMS Accession Number: ML021190402).
2. J. A. Schroeder, Standardized Plant Analysis Risk Model for Quad Cities 1 & 2 (ASP BWR C), Revision 3, Idaho National Engineering and Environmental Laboratory, February 2002, Internet computer update was March 7, 2002.
3. D. M. Ericson, Jr., et al., Analysis of Core Damage Frequency: Internal Events Methodology, NUREG/CR-4550, Vol. 1, Rev. 1, Sandia National Laboratories, January 1990.

Table 1. Conditional probabilities associated with the highest probability sequences for the initiating event assessment.

| Event tree name | Sequence no. | Conditional core damage probability (CCDP) (note 1) | Percentage contribution |
|---|---|---|---|
| LOOP | 65 | 2.4E-006 (note 2) | 43.6 |
| LOOP | 62-04-5 | 9.3E-007 | 16.9 |
| LOOP | 09-5 | 9.0E-007 | 16.4 |
| LOOP | 61 | 7.1E-007 | 12.9 |
| Total (all sequences) (note 3) | | 5.5E-006 | N/A |

Notes:

1. Values are point estimates. (File name: GEM 265-01-001 1-7-2004 151731.wpd).
2. No credit was taken for the loss of offsite power deenergizing relays and solenoids.
3. Total CCDP includes all sequences (including those not shown in this table).

Table 2a. Event tree sequence logic for the initiating event dominant sequences.

| Event tree name | Sequence no. | Logic (/ denotes success; see Table 2b for TOP event names) |
|---|---|---|
| LOOP | 65 | RPS |
| LOOP | 62-04-5 | /RPS /EPS P1 /SSM SPC CSS CVS SURVIVE |
| LOOP | 09-5 | /RPS /EPS /SRV /RCI2 SPC /DEP SDC CSS CVS SURVIVE |
| LOOP | 61 | /RPS /EPS /SRV RCI2 HCI SSM DEP CRD |

Table 2b. Definitions of TOP events listed in Table 2a.

| TOP event | Definition |
|---|---|
| CRD (note 1) | Insufficient CRD flow to RCS |
| CSS | Containment spray mode of residual heat removal (RHR) system fails |
| CVS (note 1) | Containment venting fails |
| DEP | Manual depressurization fails |
| EPS | Emergency EPS fails |
| HCI (note 2) | HPCI fails to provide sufficient flow to reactor vessel |
| P1 | One SRV fails to close |
| RCI2 | RCIC fails to provide sufficient flow to reactor vessel during LOOP |
| RPS | Reactor shutdown fails |
| SDC | Shutdown cooling mode of residual heat removal system fails |
| SPC | Suppression pool cooling mode of residual heat removal system fails |
| SRV | One or more safety relief valves fail to close |
| SSM | Safe shutdown makeup system is unavailable |
| SURVIVE | Following containment failure, equipment survivability fails |

Notes:

1. Changes were made to the fault tree for the LOOP FLAG sets to allow setting loss of power to the various divisions of electric power.
2. Fault tree logic for the injection valve in the HPCI system was updated. A modification was made to the HCI and HC1 fault trees to address the basic event HCI-MOV-CC-IVFRO, failure of injection valve to reopen. This single basic event in the two fault trees was replaced by an AND gate with three basic events feeding the AND gate. (See gate HC1-10 in Figure 16 and gate HCI-10 in Figure 17.) This modification was made to consider the possibility of multiple injections of water into the reactor coolant system by the HPCI system.

Table 3. Conditional cut sets for LOOP sequences.

| CCDP (note 1) | Percent contribution | Minimal cut sets (note 2) |
|---|---|---|
| Event Tree: LOOP Sequence 65 | | |
| 1.7 x 10^-6 | 69.7 | RPS-SYS-FC-PSOVS (note 3) |
| 3.8 x 10^-7 | 15.6 | RPS-SYS-FC-RELAY (note 3) |
| 2.5 x 10^-7 | 10.2 | RPS-SYS-FC-CRD |
| 2.4 x 10^-6 | | Total (note 4) |
| Event Tree: LOOP Sequence 62-04-5 | | |
| 7.9E-007 | 84.9 | PPR-SRV-OO-1VLV CVS-XHE-XE-VENT2 RHR-XHE-XM-ERROR |
| 9.4 x 10^-7 | | Total (note 4) |
| Event Tree: LOOP Sequence 09-5 | | |
| 7.9E-007 | 87.3 | /SRV CVS-XHE-XE-VENT2 RHR-XHE-XE-ERROR SDC-LTERM-NOREC2 |
| 9.0 x 10^-7 | | Total (note 4) |
| Event Tree: LOOP Sequence 61 | | |
| 1.8E-007 | 25.2 | /SRV DCP-BAT-CF-ALL |
| 8.7E-008 | 12.2 | /SRV DCP-XHE-XE-BCH2A DCP-BDC-LP-BUS1A |
| 7.1 x 10^-7 | | Total (note 4) |

Total all sequences (including those not shown) = 5.5 x 10^-6

Notes:

1. Values are point estimates.
2. See Table 4 for definitions and probabilities for the basic events.
3. No credit was taken for the loss of offsite power deenergizing relays and solenoids.
4. Total CCDP includes all cut sets (including those not shown in this table).

Table 4. Definitions and probabilities for modified or dominant basic events.

| Event name | Description | Probability/Frequency | Modified |
|---|---|---|---|
| ACP-XHE-NOREC-30 | Operator fails to recover ac electrical power before 30 minutes | 1.0E-1 | Yes (note 1) |
| ACP-XHE-NOREC-90 | Operator fails to recover ac electrical power before 90 minutes | 1.0E-2 | Yes (note 1) |
| ACP-XHE-NOREC-4H | Operator fails to recover ac electrical power before 4 hours | 1.0E-3 | Yes (note 1) |
| ACP-XHE-NOREC-BD | Operator fails to recover ac electrical power before battery depletion - 4 hours | 1.0E-3 | Yes (note 1) |
| CVS-XHE-XE-VENT2 | Dependent operator action - fails to vent containment given operator fails to start/control RHR | 5.1E-2 | No |
| DCP-BAT-CF-ALL | Batteries fail from common-cause | 1.9E-7 | Yes (notes 2, 3) |
| DCP-BAT-LP-250U1 | Unit 1 250 V dc battery fails | 2.4E-5 | Yes (note 3) |
| DCP-BAT-LP-250U2 | Unit 2 250 V dc battery fails | 2.4E-5 | Yes (note 3) |
| DCP-BAT-LP-U1 | Unit 1 125 V dc battery fails | 2.4E-5 | Yes (note 3) |
| DCP-BAT-LP-U2 | Unit 2 125 V dc battery fails | 2.4E-5 | Yes (note 3) |
| DCP-BCH-CF-250ALL | 250 Vdc battery chargers fail from common-cause | 6.6E-8 | Yes (note 2) |
| DCP-BCH-CF-CHRS | Battery chargers fail from common-cause | 4.7E-8 | Yes (note 2) |
| DCP-BCH-FC-250U1 | Unit 1 250 V dc battery charger 1 fails | 2.4E-5 | Yes (note 3) |
| DCP-BCH-FC-250U12 | Unit 1 250 V dc standby battery charger 1/2 fails | 2.4E-5 | Yes (note 3) |
| DCP-BCH-FC-BCH1 | Unit 1 125 V dc battery charger 1 fails | 2.4E-5 | Yes (note 3) |
| DCP-BCH-FC-BCH1A | Unit 1 125 V dc standby battery charger fails | 2.4E-5 | Yes (note 3) |
| DCP-BCH-FC-BCH2 | Unit 2 125 V dc battery charger 2 fails | 2.4E-5 | Yes (note 3) |
| DCP-BCH-FC-BCH2A | Unit 2 125 V dc standby battery charger fails | 2.4E-5 | Yes (note 3) |
| DCP-BDC-LP-BUS1A | Division I 125 Vdc bus 1A fails | 9.0E-5 | No |
| DCP-XHE-XE-BCH2A | Operator fails to place standby battery charger in service | 1.0E-3 | No |
| EPS-DGN-FR-FTRL | Diesel generator fails to run, 14 to 24 hours | 0.0 | Yes (note 4) |
| EPS-DGN-FR-FTRM | Diesel generator fails to run, 0.5 to 14 hours | 9.0E-4 | Yes (note 4) |
| EPS-XHE-XE-BUS-23-1 | Unit 2 cross-tie fails from bus 23-1 | 1.0E-3 | Yes (note 5) |
| EPS-XHE-XE-BUS-24-1 | Unit 2 cross-tie fails from bus 24-1 | 1.0E-3 | Yes (note 5) |
| HCI-MOV-IVFRO | HPCI injection valve fails to reopen | 2.0E-1 | Yes (note 6) |
| HCI-MULTIPLE-INJECT | Probability of multiple HPCI injections | 1.2E-1 | Yes (note 6) |
| HCI-XHE-XL-INJECT | Operator fails to recover HPCI injection valve reopening | 8.3E-1 | Yes (note 6) |
| IE-LOOP | Loss of offsite power initiator | 1.0 | Yes (note 7) |
| OEP-XHE-NOREC-1H | Operator fails to recover offsite power in 1 hour | 4.0E-3 | Yes (note 1) |
| OEP-XHE-NOREC-2H | Operator fails to recover offsite power in 2 hours | 4.0E-3 | Yes (note 1) |
| OEP-XHE-NOREC-4H | Operator fails to recover offsite power in 4 hours | 4.0E-4 | Yes (note 1) |
| OEP-XHE-NOREC-10H | Operator fails to recover offsite power in 10 hours | 4.0E-4 | Yes (note 1) |
| PPR-SRV-OO-1VLV | One SRV fails to close | 3.1E-2 | No |
| RHR-XHE-XM-ERROR | Operator fails to start/control RHR | 5.0E-4 | No |
| RPS-SYS-FC-CRD | Control rod drive mechanical failure | 2.5E-7 | No |
| RPS-SYS-FC-PSOVS | HCU scram pilot SOVs fail | 1.7E-6 | No |
| RPS-SYS-FC-RELAY | Trip system relays fail | 3.8E-7 | No |
| SDC-LTERM-NOREC2 | Operator fails to recover SDC cooling in the long term | 3.2E-2 | Yes (note 8) |

Notes:

1. Based on human factor evaluation, assuming offsite power is available at time = 0.0 from Unit 1. See Table 5 for human error probability calculations.
2. Common-cause probability values automatically calculated by GEMS.
3. Battery and battery charger failure rate was updated to 1.0E-6/hour, based on guidance provided by Idaho National Engineering Laboratory from NUREG/CR-4550, Table 8.2-8. (Ref. 3). Failure probability of 2.4E-5 based on 24-hour mission time.
4. Diesel generator failure to run probability is based on a total mission time of 1 hour.
5. This event was added to model the ability of operators to cross connect division I bus 13-1 to Unit 2 bus 23-1 and division II bus 14-1 to Unit 2 bus 24-1 (see text and Figure 5 and Figure 8). This event involves different operator action than the operator actions to recover offsite power at Unit 2.
6. Basic events added to fault trees HCI and HC1 to model multiple HPCI injections based on guidance provided by Idaho National Engineering Laboratory.
7. Initiating event frequency changed to model the event being analyzed (see text).
8. Recovery of shutdown cooling in the long term is credited (see text).


Table 5. Human factor evaluation of recovery of ac electrical power.

| Recovery event | Time | Stress | Complex | Procedure | Nominal | Adjusted value |
|---|---|---|---|---|---|---|
| LOOP Sequences | | | | | | |
| OEP-XHE-NOREC-1H | 1 | 2 | 2 | 1 | 1.0E-3 | 4.0E-3 |
| OEP-XHE-NOREC-2H | 1 | 2 | 2 | 1 | 1.0E-3 | 4.0E-3 |
| OEP-XHE-NOREC-4H | 0.1 | 2 | 2 | 1 | 1.0E-3 | 4.0E-4 |
| OEP-XHE-NOREC-10H | 0.1 | 2 | 2 | 1 | 1.0E-3 | 4.0E-4 |
| SBO Sequences | | | | | | |
| ACP-XHE-NOREC-30 | 10 | 5 | 2 | 1 | 1.0E-3 | 1.0E-1 |
| ACP-XHE-NOREC-90 | 1 | 5 | 2 | 1 | 1.0E-3 | 1.0E-2 |
| ACP-XHE-NOREC-4H | 0.1 | 5 | 2 | 1 | 1.0E-3 | 1.0E-3 |
| ACP-XHE-NOREC-BD | 0.1 | 5 | 2 | 1 | 1.0E-3 | 1.0E-3 |

Table 6. Revised alpha factors for common-cause failure events.

| Event name | Event description | Probability | Distribution parameter |
|---|---|---|---|
| DCP-BAT-LP-02A01 | 250 Vdc battery alpha factor 1 for 2 trains | 0.9901068 | 1.26E+00 |
| DCP-BAT-LP-02A02 | 250 Vdc battery alpha factor 2 for 2 trains | 9.89E-03 | 1.26E+02 |
| DCP-BAT-LP-04A01 | 125 Vdc battery alpha factor 1 for 4 trains | 0.983541 | 4.61E+00 |
| DCP-BAT-LP-04A02 | 125 Vdc battery alpha factor 2 for 4 trains | 1.09E-02 | 2.77E+02 |
| DCP-BAT-LP-04A03 | 125 Vdc battery alpha factor 3 for 4 trains | 4.29E-03 | 2.79E+02 |
| DCP-BAT-LP-04A04 | 125 Vdc battery alpha factor 4 for 4 trains | 1.24E-03 | 2.79E+02 |
| ESW-MDP-FR-03A01 | Diesel service water motor-driven pump alpha factor 1 for 3 trains (fails to run) | 0.9676124 | 2.41E+01 |
| ESW-MDP-FR-03A02 | Diesel service water motor-driven pump alpha factor 2 for 3 trains (fails to run) | 1.38E-02 | 7.34E+02 |
| ESW-MDP-FR-03A03 | Diesel service water motor-driven pump alpha factor 3 for 3 trains (fails to run) | 1.86E-02 | 7.31E+02 |
| MCW-MDP-FR-03A01 | Circulating water motor-driven pump alpha factor 1 for 3 trains (fails to run) | 0.9676124 | 2.41E+01 |
| MCW-MDP-FR-03A02 | Circulating water motor-driven pump alpha factor 2 for 3 trains (fails to run) | 1.38E-02 | 7.34E+02 |
| MCW-MDP-FR-03A03 | Circulating water motor-driven pump alpha factor 3 for 3 trains (fails to run) | 1.86E-02 | 7.31E+02 |
| RHR-MDP-FR-04A01 | RHR motor-driven pump alpha factor 1 for 4 trains (fails to run) | 0.9917641 | 3.37E+00 |
| RHR-MDP-FR-04A02 | RHR motor-driven pump alpha factor 2 for 4 trains (fails to run) | 6.70E-03 | 4.06E+02 |
| RHR-MDP-FR-04A03 | RHR motor-driven pump alpha factor 3 for 4 trains (fails to run) | 9.90E-04 | 4.08E+02 |
| RHR-MDP-FR-04A04 | RHR motor-driven pump alpha factor 4 for 4 trains (fails to run) | 5.45E-04 | 4.08E+02 |
| RHR-MDP-FS-04A01 | RHR motor-driven pump alpha factor 1 for 4 trains (fails to start) | 0.9721242 | 6.89E+00 |
| RHR-MDP-FS-04A02 | RHR motor-driven pump alpha factor 2 for 4 trains (fails to start) | 2.53E-02 | 2.41E+02 |
| RHR-MDP-FS-04A03 | RHR motor-driven pump alpha factor 3 for 4 trains (fails to start) | 1.69E-03 | 2.47E+02 |
| RHR-MDP-FS-04A04 | RHR motor-driven pump alpha factor 4 for 4 trains (fails to start) | 9.03E-04 | 2.47E+02 |
| SSW-MDP-FR-04A01 | RHR service water motor-driven pump alpha factor 1 for 4 trains (fails to run) | 0.9692023 | 3.07E+01 |
| SSW-MDP-FR-04A02 | RHR service water motor-driven pump alpha factor 2 for 4 trains (fails to run) | 1.35E-02 | 9.83E+02 |
| SSW-MDP-FR-04A03 | RHR service water motor-driven pump alpha factor 3 for 4 trains (fails to run) | 4.28E-03 | 9.92E+02 |
| SSW-MDP-FR-04A04 | RHR service water motor-driven pump alpha factor 4 for 4 trains (fails to run) | 1.31E-02 | 9.83E+02 |
| SWS-MDP-FR-05A01 | Service water motor-driven pump alpha factor 1 for 5 trains (fails to run) | 0.9710674 | 3.64E+01 |
| SWS-MDP-FR-05A02 | Service water motor-driven pump alpha factor 2 for 5 trains (fails to run) | 1.19E-02 | 1.24E+03 |
| SWS-MDP-FR-05A03 | Service water motor-driven pump alpha factor 3 for 5 trains (fails to run) | 5.10E-03 | 1.25E+03 |
| SWS-MDP-FR-05A04 | Service water motor-driven pump alpha factor 4 for 5 trains (fails to run) | 1.99E-03 | 1.25E+03 |
| SWS-MDP-FR-05A05 | Service water motor-driven pump alpha factor 5 for 5 trains (fails to run) | 9.99E-03 | 1.24E+03 |

Attachment A - Electrical Power Recovery Model

Background

The time required to restore offsite power to plant emergency equipment is a significant factor in modeling the CCDP given a loss of offsite power (LOOP). SPAR models for LOOP and station blackout (SBO) include various sequence-specific ac power recovery factors that are based on the time available to recover power to prevent core damage. For a sequence involving failure of all of the reactor cooling sources, only about 30 minutes would be available to recover power to help avoid reactor core damage. On the other hand, for sequences involving successful early inventory control and decay heat removal, but failure of long-term decay heat removal, several hours to recover ac power prior to reactor core damage would be available.

Failure to recover offsite power to plant safety-related electrical loads (if needed because EDGs fail to supply the loads), given recovery of power to the switchyard, could result from (1) operators failing to restore proper breaker line-ups, (2) breakers failing to close on demand, or (3) a combination of operator and breaker failures. The dominant contributor to failure to recover offsite power to plant safety-related loads in this situation is operators failing to restore proper breaker line-ups. The SPAR human error model was used to estimate nonrecovery probabilities as a function of time following restoration of offsite power to the switchyard. The best estimate analysis assumes that at least 30 minutes is necessary to restore offsite power to emergency buses given offsite power is available at time T = 0.0.

Human error modeling

The SPAR human error model generally considers the following three factors:

- Probability of failure to diagnose the need for action
- Probability of failure to successfully perform the desired action
- Dependency on other operator actions involved in the specific sequence of interest

This analysis assumes no probability of failure to diagnose the need to recover ac power and no dependency between operator performance of the power recovery task and any other task the operators may need to perform. Thus, each estimated ac power nonrecovery probability is based solely on the probability of failure to successfully perform the desired action.

The probability of failure to perform an action is the product of a nominal failure probability (1.0 x 10^-3) and the following eight performance shaping factors (PSFs):

- Available time
- Stress
- Complexity
- Experience/training
- Procedures
- Ergonomics
- Fitness for duty
- Work processes

For each ac power nonrecovery probability, the PSF for available time is assigned a value of 10 if the time available to perform the action is approximately equal to the time required to perform the action, 1.0 if the time available is between two and four times the time required, and 0.1 if the time available is greater than or equal to five times the time required. If the time available is inadequate (i.e., less than the time to restoration of power to the switchyard plus 1 hour for the best estimate case), the ac power nonrecovery probability is 1.0 (TRUE).

The PSF for stress is assigned a value of 5 (corresponding to extreme stress) for all ac power SBO nonrecovery probabilities. The PSF for stress is assigned a value of 2 (corresponding to high stress) for all ac power non-SBO nonrecovery probabilities.

For all of the ac power nonrecovery probabilities, the PSF for complexity is assigned a value of 2 (corresponding to moderately complex) based on the need for multiple breaker alignments and verifications.

For all of the ac power nonrecovery probabilities, the PSFs for experience/training, procedures, ergonomics, fitness for duty, and work processes are assumed to be nominal (i.e., are assigned values of 1.0).

Results

Table 5 presents the calculated values for the ac power nonrecovery probabilities used in the best estimate case analysis.
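The Table 5 values follow mechanically from the PSF rules in this attachment. The Python sketch below is an added example, not part of the NRC analysis or of the SPAR software: it applies those rules to the time windows named in Tables 4 and 5, using the 30-minute best-estimate restoration time as the time required. Assumptions made here: time ratios the text does not assign (between 1 and 2, and between 4 and 5) take the more conservative neighbouring value, and "inadequate" is taken to mean less than the 30-minute restoration time.

```python
from math import isclose

NOMINAL_HEP = 1.0e-3    # nominal failure probability stated in the text
REQUIRED_MIN = 30.0     # best estimate: at least 30 minutes to restore power to the emergency buses

# PSF values stated in the text.
STRESS_PSF = {"SBO": 5.0, "LOOP": 2.0}   # extreme stress / high stress
COMPLEXITY_PSF = 2.0                     # moderately complex
NOMINAL_PSFS = {                         # all assumed nominal in the analysis
    "experience/training": 1.0,
    "procedures": 1.0,
    "ergonomics": 1.0,
    "fitness for duty": 1.0,
    "work processes": 1.0,
}


def time_psf(available_min, required_min=REQUIRED_MIN):
    """Available-time PSF, or None when the time available is inadequate."""
    ratio = available_min / required_min
    if ratio < 1.0:
        return None      # assumption: inadequate means less than the time required
    if ratio >= 5.0:
        return 0.1       # text: five or more times the time required
    if ratio >= 2.0:
        return 1.0       # text: two to four times; 4-5 is an assumption (conservative)
    return 10.0          # text: approximately equal; 1-2 is an assumption (conservative)


def nonrecovery_probability(available_min, sequence):
    """Nominal HEP times the eight PSFs, capped at 1.0; 1.0 (TRUE) if time is inadequate."""
    t_psf = time_psf(available_min)
    if t_psf is None:
        return 1.0
    hep = NOMINAL_HEP * t_psf * STRESS_PSF[sequence] * COMPLEXITY_PSF
    for value in NOMINAL_PSFS.values():
        hep *= value
    return min(hep, 1.0)


# (basic event, sequence type, time available in minutes); windows taken from the
# event descriptions in Table 4 (battery depletion is given there as 4 hours).
EVENTS = [
    ("OEP-XHE-NOREC-1H", "LOOP", 60),
    ("OEP-XHE-NOREC-2H", "LOOP", 120),
    ("OEP-XHE-NOREC-4H", "LOOP", 240),
    ("OEP-XHE-NOREC-10H", "LOOP", 600),
    ("ACP-XHE-NOREC-30", "SBO", 30),
    ("ACP-XHE-NOREC-90", "SBO", 90),
    ("ACP-XHE-NOREC-4H", "SBO", 240),
    ("ACP-XHE-NOREC-BD", "SBO", 240),
]


def table5():
    """Return {basic event: adjusted nonrecovery probability} for every row of Table 5."""
    return {name: nonrecovery_probability(minutes, seq) for name, seq, minutes in EVENTS}


if __name__ == "__main__":
    for name, value in table5().items():
        print(f"{name:<20} {value:.1E}")
```
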

Figure 1. Quad Cities Units 1 and 2 loss of offsite power event tree.

Figure 2. Control rod drive system fault tree (CRD-A).

Figure 3. Control rod drive system fault tree (CRD-B).

Figure 4. Suppression pool vent system fault tree (CVS).

Figure 5. Unit 1 division I ac power system fault tree (DIV-1-AC).

Figure 6. Unit 2 division I ac power system fault tree (DIV-I-AC-U2).

Figure 7. Unit 1 division I dc power system fault tree (DIV-1-DC).

Figure 8. Unit 1 division II ac power system fault tree (DIV-2-AC).

Figure 9. Unit 2 division II ac power system fault tree (DIV-2-AC-U2).

Figure 10. Unit 1 division II dc power system fault tree (DIV-2-DC).

Figure 11. Unit 1 service water system fault tree (SWS-U1A).

Figure 12. Unit 1 service water system fault tree (SWS-U1B).

Figure 13. Unit 2 service water system fault tree (SWS-U2A).

Figure 14. Unit 2 service water system fault tree (SWS-U2B).

Figure 15. TBCCW system fault tree (TBC-A).

Figure 16. HPCI system fault tree (HC1).

Figure 17. HPCI system fault tree (HCI).

Attachment B - Resolution of Comments

Region III Comments on Accident Sequence Precursor Report for Quad Cities Unit 2 LOOP and Transformer Fire on August 2, 2001

Region III Comment 1: Page 1, Paragraph 1 - Last sentence states (per the LER) that all offsite power sources to Unit 1 remained normal. This statement is somewhat misleading. While Unit 1 remained connected to the grid, the switchyard breakers which opened due to the lightning strike, transformer failure, and switchyard breaker protective relaying malfunctions resulted in 2 of 5 offsite lines being unavailable to both units. In addition, if switchyard breaker 7-8 would have opened, Unit 1 would have scrammed since this breaker was the only one allowing power from the Unit 1 main generator to be supplied to the switchyard.

Response: Text changed to state: Unit 1 remained connected to the offsite grid with a reduced number of offsite power lines.

Region III Comment 2: Page 1, Paragraph 2 - First sentence states that an Unusual Event was declared due to the Unit 2-centered loss of offsite power. I am unsure how this determination was made. Please consider that although the transformer exploded, this event was not what caused the loss of offsite power (LOOP). The LOOP was caused due to a subsequent failure of a switchyard protective relaying reset function. The failure of this relay to properly reset resulted in the switchyard breakers on each side of the relay to open. This is what actually caused the LOOP.

Response: Title changed to Loss of offsite power to Unit 2 but not Unit 1 due to failure of Unit 2 main power transformer with the subsequent failure of a switchyard breaker relay. Text changed to state: An unusual event was declared following the Unit 2-centered loss of offsite power (LOOP).

Region III Comment 3: Page 1, Paragraph 2 - At the bottom of the paragraph, references are made to the Unit 1 EDG and to bus 14-1. The reason for including this information is not clear to me. We may want to better explain that Quad Cities had an opportunity to supply Unit 2 using the grid using the cross tie breaker between bus 14-1 (Unit 1) and bus 24-1 (Unit 2).

However, this is not an easy task. To complete this task, the droop setting on the EDG has to be lowered, the EDG has to be paralleled with the grid, the bus tie breaker has to be closed, and several other actions must be done. The licensee chose not to pursue this route since there was no damage to the Unit 2 reserve auxiliary transformer (RAT). The licensee believed it was a better choice to restore the Unit 2 RAT than complete the actions to cross tie busses 14-1 and 24-1.


Response: This paragraph describes the state of all the emergency buses and emergency diesel generators at the site, including the station blackout diesels. The Unit 1 emergency diesel generator and bus 14-1 are described for completeness. Text changed to state: The Unit 1 EDG (EDG 1) was not required to start ...

Region III Comment 4: Page 1, Paragraph 3 - Second sentence states that reactor pressure was controlled using the main steam relief valves. Do we mean the safety relief valves or the main steam safety valves? Both types of valves exist at Quad Cities. Based on my plant knowledge, I believe we mean the safety relief valves.

Response: Text unchanged. Text is taken verbatim from the LER. It appears that main steam relief valves and safety relief valves are interchangeable nomenclature.

Region III Comment 5: Page 1, Paragraph 4 - Multiple local fire departments were called in to combat the transformer fire.

Response: Text changed to state: ...and (3) actions of the local fire departments.

Region III Comment 6: Page 1, Paragraph 5 - Unit 1 did not continue to operate at 100 percent power throughout the event. As stated in Inspection Report 2001012, Unit 1 reactor power was lowered to approximately 93 percent during the Unit 2 transformer fire to recover service water system pressure.

Response: Text changed to state: Unit 1 power was lowered to approximately 93% following the LOOP at Unit 2.

Region III Comment 7: Page 2, Paragraph 1 - While we do not disagree with the information in this paragraph, more is known. Specifically, the Unit 2 main power transformer was subjected to multiple electrical faults during its service life. Although the licensee knew about the faults, they were not tracking the number of faults or the severity of the faults on the transformer. The licensee now states that repeatedly subjecting the undersized bus bar and bus bar clamps to faults caused these components to loosen to the point that a phase-to-phase fault occurred in the transformer.

Response: Text changed to state: ...caused a fire in the transformer. The Unit 2 main power transformer was subjected to multiple electrical faults during its service life, which contributed to its ultimate failure. Although the licensee knew about the faults, they were not tracking the number of faults or the severity of the faults on the transformer.

Region III Comment 8: Page 2, Paragraph 1 - In their LER, the licensee stated that age related degradation of a transistor led to slow reset time of the static breaker failure relay. Again, this is a true statement. However, the licensee failed to state that the age related degradation was not recognized earlier due to the failure to include completion of the reset function in their relay testing program.

Response: Text changed to state: ...causing a slow relay reset time (Ref. 1). The age-related degradation was not recognized earlier due to the failure to include completion of the reset function in their relay testing program.

Region III Comment 9: Page 2, Paragraph 2 - The LOOP was not caused by the transformer failure. It was a direct result of the static breaker failure relay malfunction.

Response: Text changed to state: For Unit 2, the event is considered a unit-centered LOOP caused by failure of a switchyard breaker relay to properly respond to failure of the Unit 2 main power transformer.

Region III Comment 10: Page 2, Paragraph 3 - This paragraph mentions that Unit 1 had restricted electrical power while offsite power was being restored to Unit 2. This contradicts Page 1, Paragraph 5 which states that Unit 1 remained at full power. Also, electrical power was restricted to recover service water pressure rather than to restore power to Unit 2.

Response: Text unchanged. The text on page 1, paragraph 5 was changed as noted above.

Region III Comment 11: Page 2, Paragraph 4 - Please consider including the information mentioned on the previous page to explain why the licensee chose not to restore offsite power to Unit 2 using the Unit 1 cross tie. If a decision is made not to include this information, please consider explaining why the NRC feels this would have been a better course of action.

Response: Text unchanged. The ASP analysis is based on what occurred. No judgment is being made as to which action is better. The decision concerning when to restore offsite power must be made by the operators on site depending on the existing conditions.

Region III Comment 12: Page 2, Paragraph 6 - Under the CCDP analysis results section, please consider including the precursor threshold value for an initiating event to provide the reader with a baseline initiating events value.

Response: Text changed to state: This CCDP exceeds the Accident Sequence Precursor (ASP) acceptance threshold. The CCDP is greater than 1.0 x 10^-6, and the CCDP is greater than the CCDP for a transient with loss of reactor feedwater and no reactor feedwater recovery, which is 1.2 x 10^-6 (point estimate).

Region III Comment 13: General Comments - You may want to consider looking at the inspection reports in addition to the licensee's LER. I have found that the licensee tends to only include what is required while providing as little information as possible to the reader. You may find that the inspection reports include more detail on what happened during a specific event and why.

Response: Review of inspection reports has always been a part of the Accident Sequence Precursor program.

A memo from Peter J. Habighorst, Acting Section Chief, Probabilistic Safety Assessment Branch, Division of Systems Safety and Analysis, Office of Nuclear Reactor Regulation to Larry Rossbach, Project Manager, Division of Licensing Project Management, Office of Nuclear Reactor Regulation, dated July 7, 2004, Review of Preliminary ASP Analysis of a Loss of Off-Site Power Event at Quad Cities in August 2001.

SPSB Comment 1: Generic Comment - In the event summary, the lightning strike caused the Unit 2 main transformer failure, leading to an automatic shutdown of the Unit 2 reactor.

Subsequently, additional breakers in the switchyard supplying offsite power to the Unit 2 reserve auxiliary transformer (RAT) opened, and an unusual event was declared due to the Unit 2 loss of offsite power (LOOP). If the above two events concurred or the breaker openings followed the weather-initiated transformer fire instantly, the event was initiated due to severe weather (lightning strike), leading to a partial LOOP (or transient) and followed by the total loss of offsite power due to the subsequent failures of the breakers.

Response: Analysis was performed as a unit-centered LOOP on Unit 2; that is, only Unit 2 lost offsite power while Unit 1 remained tied to offsite power. Modifications were made to the SPAR Revision 3 models to perform the analysis as a Unit 2-centered LOOP. The nominal SPAR Revision 3 initiating events do not apply to this event. In particular, the SPAR Revision 3 plant-centered LOOP model does not apply because not all units at the site lost offsite power due to problems in the switchyard.

SPSB Comment 2: Generic Comment - The PSFs for recovery actions have been changed.

The assignment of either an overly conservative stress level (such as extreme stress) or a too optimistic value may not be desirable, depending on the PSFs and type of precursor events.

Two PSFs, stress and complex for LOOP sequences have been changed from nominal to high and nominal to moderately complex, respectively. These adjusted recovery actions raised the CDP contribution by a factor of four. For a routine LOOP event with a well defined plant evolution, normal stress level may be more appropriate. The PSFs for this event should be set to nominal values.

Response: Based on a number of evaluations of LOOPs over the last 3 years, including the grid-related LOOPs on August 14, 2003, the Accident Sequence Precursor program reviewed its treatment of recovery of electrical power following LOOP and made some changes to the methods used for the analysis. For LOOPs and partial LOOPs, recovery of electrical power is now generally treated as a human factor evaluation rather than allowing the SPAR Revision 3 models to automatically recalculate recovery based on what kind of LOOP was specified in the computer input. The ASP analysis for Quad Cities Unit 2 represents an event where Unit 2 lost offsite power but Unit 1 did not. The ability to recover electric power at Unit 2 using Unit 1 electrical power existed from time t = 0.0 seconds. The performance shaping factors used in the analysis are consistent with other LOOP evaluations, including evaluations of the grid-related LOOPs on August 14, 2003. These performance shaping factors used in LOOP analyses have been approved by human factors personnel at INEEL.

SPSB Comment 3: Generic Comment - For SBO sequences, PSF values were changed from nominal to either more-than enough or inadequate for the PSF element, time, and to extreme for the PSF stress. These changes appear to be too extreme, compared with the changes for the recovery actions during the LOOP sequences. Again, these changes may not be appropriate.

Response: The analysis represents an event where Unit 2 lost offsite power but Unit 1 did not.

The performance shaping factors used in the analysis are those appropriate to the event and use assumptions consistent with other LOOP evaluations. These performance shaping factors have been approved by human factors personnel at INEEL.

SPSB Comment 4: Generic Comment - The reviewer employed the Quad Cities SPAR-3 model for initiation and condition evaluation of this ASP event and all of the initial availability numbers were set to nominal values without changing or adjusting PSFs and basic event availability numbers. The availability values of the reactor protection system (RPS) and other successful systems were set as nominal values (not False or 0). This resulted in:

CDP
  • Point Estimate: 4.6 x 10^-5
  • Mean: 5.4 x 10^-5
  • 5th Percentile: 3.4 x 10^-5
  • Median: 4.3 x 10^-5
  • 95th Percentile: 1.0 x 10^-4
  • Standard Deviation: 6.6 x 10^-6

  • The analyses were based on a truncation level of 10^-11 with the third and fourth moments indicating relatively high uncertainty.

Response: In general, the SPSB results appear to result in a CCDP an order of magnitude higher than the ASP results. The differences are due to a number of considerations, but the major reasons for the differences are believed to be: (1) the nominal SPAR Revision 3 initiating events are not applicable to the event at Quad Cities and (2) the SPSB analysis does not take credit for the ability of the operators to restore electrical power in ways not treated in the nominal SPAR Revision 3 models.

SPSB Comment 5: Specific Comment - The Quad Cities event in August 2001 appeared to be a severe weather related partial LOOP or transient event, unless a plant centered LOOP can be justified. Using nominal values without adjusting the PSF values (Table 5, page 15) and without any credits to successes (zero maintenance model), a plant centered LOOP resulted in a CDP point estimate of 1.1 x 10^-4. Event tree sequence 09-5 is the dominant sequence, followed by sequences 61 and 65. However, the CCDP of sequence 65 remains as 2.4 x 10^-6, since the sequence involves only the reactor protection system (RPS-SYS-FC-PSOVS, RPS-SYS-FC-RELAY, and RPS-SYS-FC-CRD). If the lightning strike and severe weather related LOOP (not partial LOOP nor Transient) is employed, a CDP point estimate of 4.6 x 10^-5 would result. The dominant sequence would be 09-5, followed by sequences 64-02 and 62-34. Sequence 65 would not register in the severe weather related LOOP evaluation as one of the top sequences.


Response: The event is not a plant-centered LOOP. Unit 1 did not lose offsite power. The event is a unit-centered LOOP at Unit 2 and is modeled as such in the ASP analysis using the latest techniques for LOOP analysis.

SPSB Comment 6: Specific Comment - The event summary description indicated that the Unit 2 LOOP lasted approximately 2.5 hours. A more realistic approach of recovery actions could benefit the ASP program. The use of actual offsite power (OSP) restoration time to a safety bus should be more realistic, rather than using a recovery time of more than four hours, which is too conservative.

Response: Offsite power was available to Unit 2 from Unit 1 from time t = 0.0 seconds. The operators chose to allow the emergency diesel generators to continue to power the Unit 2 emergency buses rather than restore electrical power to the Unit 2 emergency buses using Unit 1 electrical power. There were no failures to start or to run of either emergency diesel generator used to power the Unit 2 emergency buses during the event. When the Unit 2 offsite power was restored, the operators restored offsite power to the Unit 2 emergency buses and stopped the emergency diesel generators.

Assuming that an emergency diesel generator powering a Unit 2 emergency bus failed, with a nominal probability, the ASP analysis modeled those operator actions necessary to recover electric power to the emergency bus. Models were created that considered that electric power was available to supply Unit 2 from Unit 1 at time t = 0.0 seconds if a Unit 2 emergency diesel generator were postulated to fail. Probabilities were generated for recovery of electrical power at various recovery times (30 minutes, 60 minutes, 90 minutes, etc.) using techniques applicable to human error analysis. The actual recovery of Unit 2 offsite power at 2.5 hours is not significant to the analysis and is not included in the ASP analysis.

SPSB Comment 7: Specific Comment - In the modeling assumptions and assessment summary, the event description employed a term, a unit-centered LOOP initiating event. To be consistent with the nomenclature used in the reports for individual plant SPAR models, the term plant centered may be more appropriate instead of the unit-centered term.

Response: The event is not a plant-centered LOOP. Unit 1 remained tied to the offsite power grid. The SPAR Revision 3 model was modified to fit the conditions where Unit 2 lost offsite power but Unit 1 remained tied to the offsite grid.

SPSB Comment 8: Specific Comment - Changes to basic event probability and common cause failure events were made as documented in Tables 4 through 6. The performance shaping factors (PSFs) were revised to elevate operators' stress and complex for both LOOP and SBO. Why not assign them normal or nominal numbers?

Response: See response to SPSB Comment #2 and SPSB Comment #3.

SPSB Comment 9: Specific Comment - Headings in Table 6 appeared to be misleading. The first column heading in Table 6 should be Alpha Identifier instead of Alpha Factor. Also, it would be beneficial to insert Alpha Distribution Parameter in the last column with the beta factor. These changes will make Table 6 more consistent with the other SPAR reports.

Response: The headings in Table 6 have been revised to be consistent with Table B-1 in the documentation of the SPAR Model for Quad Cities 1 & 2 (ASP BWR C).

SPSB Comment 10: Specific Comment - The switching over to the alpha factor from the beta factor was not clearly defined in the report. The rationale of the change should be documented and included. As an example, the change may be needed for the uncertainty analysis. Also, both probability and the beta numbers were changed and different from the numbers listed in the SPAR 3i report. The changes were based on the upgrading of the numbers by INEEL.

However, it would be helpful for readers to include a short explanation of the technical bases for changing the values.

Response: For certain basic events, the latest values recommended by INEEL were used in the analysis. Documentation of the changes will be included in the next revision of the SPAR report published by INEEL. In the meantime, questions concerning the changes should be addressed to the NRC Office of Research.

SPSB Comment 11: Specific Comment - The sensitivity study of non recovery probability is summarized on page 9. It may help to explain the objective of this study and the reason for assuming the non recovery probability could be 10 times greater.

Response: The sensitivity study is not an uncertainty analysis. The study did not mean to imply that the nonrecovery factor could actually be 10 times greater. The sensitivity study just indicates that the CCDP would change by the amount indicated if the basic event were changed to a factor of 10 higher. The text has been changed to state: ... A sensitivity study was made using a value of 1.6E-1 for SDC-LTERM-NOREC2. With this change, the CCDP value ...

A letter from Patrick R. Simpson, Exelon Nuclear, to the NRC, dated July 9, 2004, Quad Cities Nuclear Power Station, Unit 2, Response to Review of Preliminary Accident Sequence Precursor Analysis of August 2, 2001, Operational Event

Licensee's Comment 4.1: As calculated by the EGC PRA for QCNPS Unit 2, the CCDP for single-unit loss of offsite power is 4.7 x 10^-6. Therefore, the QCNPS PRA supports the NRC Staff conclusion that this event qualifies as an ASP.

Response: No response is required.

Licensee's Comment 4.2: It is interesting to observe that none of the dominant cutsets for the LOOP initiator have anything to do with failure of AC power. This points out the strength of the QCNPS AC power system. What makes the LOOP much worse than an ordinary turbine trip, however, is the loss of power to turbine building systems such as feedwater and turbine bypass valves.

Response: No response is required.

Licensee's Comment 4.3: Because QCNPS is a two-unit station that shares several non-safety-related support systems between the units, and because Unit 1 remained online with its normal source of offsite power, the impact of the LOOP is smaller than would be true for a single-unit station. For example, instrument air remained available and non-essential service water remained available. Therefore, motive air remained available for containment vent valves and did not need to be re-started after EDGs energized the safety buses (dash buses). However, inclusion of this information in the SPAR model would not change the dominant sequences and, therefore, would not affect the conclusion that the event is an ASP.

Response: No response is required.

Licensee's Comment 4.4: Because of the QCNPS electrical design, condensate pumps can be backed from the EDGs. Therefore, given failure of normal Emergency Core Cooling Systems (ECCS), and given the availability of instrument air and service water, the combination of condensate for injection and standby coolant supply for condenser makeup could be used for reactor makeup. Again, however, inclusion of this information in the SPAR model would not change the dominant sequences and, therefore, would not affect the conclusion that the event is an ASP.

Response: No response is required.

Licensee's Comment 4.5: While the CCDPs calculated by the SPAR model and by the EGC PRA are comparable, the sequences and cutsets dominating those CCDPs are significantly different.

Specific explanations and suggestions are provided in subsequent comments.

Response: No response is required.

Licensee's Comment 4.6: 44% of the SPAR model risk comes from Anticipated Transient Without Scram (ATWS). It is surprising that ATWS would be such a large fraction of LOOP risk, and more surprising that it would be the dominant source. It appears that the size of this contribution is not realistic, and it appears that the reason is a modeling decision to take no credit, for the LOOP initiator, for the ordinary Emergency Operating Procedure actions to respond to an ATWS. To accurately represent risk, the SPAR model should be improved to give that credit. Doing so would reduce the ATWS contribution to LOOP by between one and two orders of magnitude. The Exelon PRA does give that credit, and the top corresponding LOOP/ATWS cutset (LOOP frequency set to 1.0) has a probability of 3.8 x 10^-8.


Response: Exelon is correct in noting that the reason why failure of the reactor protection system (RPS) is such a large fraction of the SPAR model CCDP comes from the modeling assumption to take no credit for the transfer to ATWS event tree following a LOOP with subsequent failure of RPS.

The NRC is considering adding logic to the SPAR models to credit the transfer to the ATWS event tree at Quad Cities following a LOOP and failure of RPS. The NRC would like to make the SPAR models for Quad Cities more realistic with respect to this assumption. However, the SPAR model cannot be changed without documentation verifying the change is appropriate and technically correct. The NRC presently does not have such documentation.

The NRC appreciates your effort to improve the SPAR model for Quad Cities, but the model will remain as stated in the precursor report unless Quad Cities can provide the NRC with the appropriate documentation for changing the model. We would appreciate Quad Cities forwarding to the NRC documentation of the analysis (neutronic and thermal hydraulic) that permits Quad Cities to take credit for the transfer to ATWS event tree following a LOOP and failure of RPS. The NRC would also appreciate copies of the plant-specific emergency operating procedures that guide the Quad Cities operators through the event - LOOP followed by failure of RPS.

Licensee's Comment 4.7: ATWS probabilities for QCNPS are based on NUREG/CR-5500, volume III. The mechanical ATWS probability is 2.1 x 10^-6 and the electrical is 3.7 x 10^-6. It is interesting to observe that the SPAR probabilities appear to be significantly smaller. The SPAR event RPS-SYS-FC-CRD, Control rod drive mechanical failure, has a probability of 2.5 x 10^-7. The sum of two electrical SPAR events, RPS-SYS-FC-PSOVS, HCU scram pilot SOVs fail, and RPS-SYS-FC-RELAY, Trip system relays fail, is (1.7 x 10^-6 + 3.8 x 10^-7) = 2.1 x 10^-6. EGC requests that the NRC Staff please provide the bases for the SPAR ATWS probabilities.

Response: The basis for the SPAR ATWS probabilities is NUREG/CR-5500, Volume 3. This can be seen in a comparison of LOOP Sequence 65 in Table 3 of the SPAR analysis to Tables 5 and 6 on pages 23 and 24, respectively, of NUREG/CR-5500, Volume 3.

| Minimal cut sets | SPAR CCDP (Table 3) | General Electric Unavailability with Credit for Manual Scram by Operator (NUREG/CR-5500, Volume 3, Table 5) | SPAR % of CCDP (Table 3) | Contribution from CCF Events with Credit for Manual Scram by Operator (NUREG/CR-5500, Volume 3, Table 6) |
|---|---|---|---|---|
| RPS-SYS-FC-PSOVS: Hydraulic control unit scram pilot SOVs fail in SPAR - HCU in NUREG/CR-5500 | 1.7 x 10^-6 | 1.9 x 10^-6 | 69.7% | 71% |
| RPS-SYS-FC-RELAY: Trip system relays fail in SPAR - Trip system in NUREG/CR-5500 | 3.8 x 10^-7 | 3.8 x 10^-7 | 15.6% | 14% |
| RPS-SYS-FC-CRD: Control rod drive mechanical failure in SPAR - Rod in NUREG/CR-5500 | 2.5 x 10^-7 | 2.5 x 10^-7 | 10.2% | 10% |
| Total | 2.4 x 10^-6 | 2.6 x 10^-6 | | |

Licensee's Comment 4.8: 17% of SPAR model risk comes from a sequence involving a stuck-open SRV, failure to cool the containment or to cool the suppression pool, and failure to vent containment. Only one cutset dominates this sequence, and the failures beyond the stuck-open valve involve two operator actions, lining up RHR and venting containment. They are modeled as dependent operator actions (RHR-XHE-XM-ERROR, CVS-XHE-XE-VENT2), and the combination results in a combined operator failure of (5 x 10^-4)(3.1 x 10^-2) = 1.6 x 10^-5. A similar combination of failures in the EGC PRA is assigned a failure probability of 5 x 10^-7. The EGC QC HRA (Human Reliability Analysis) Notebook states that the actions to cool the suppression pool and to vent containment have completely different symptoms and QGA instructions to initiate them. The time frames are completely different, and there likely will be different crews involved in making the decisions. Torus cooling is aligned in the first 30 minutes, while containment venting is not required until 20 hours into the event. As a result, it is concluded that there is a low dependence, and EGC assigns a floor value for combined operator actions of 5 x 10^-7. It appears that a smaller dependent operator action probability should be used in the SPAR model.

The NRC response is for both Licensee Comment 4.8 and 4.9.

Licensee's Comment 4.9: 16% of SPAR model risk comes from a sequence that is analogous to the above sequence, but involves successful SRV operation. Again, only one cutset represents this sequence. It involves the same dependent operator actions as above, but it also includes some credit for recovery of suppression pool cooling. With this credit, the overall combined operator action probability is reduced to 5 x 10^-7, which, by coincidence, is the same as the Exelon probability with no recovery of suppression pool cooling. This supports the comment in Paragraph 4.8.

Response: The value used in the SPAR analysis for CVS-XHE-XE-VENT2, as given in Table 4 of the report, is 5.1 x 10^-2 not 3.1 x 10^-2. If this correction is made, the combination of operator errors in comment 4.8 is increased to (5 x 10^-4)(5.1 x 10^-2) = 2.6 x 10^-5. If this correction is made, the combinations of operator errors in comment 4.9 is increased to 8.1 x 10^-7. However, the Exelon observation is correct in that there is a difference in the treatment of operator actions for the case of LOOP with a stuck-open relief valve versus the LOOP without a stuck-open relief valve. Credit was given for operator recovery of RHR for LOOP with no stuck-open relief valve.

It is believed that a stuck-open relief valve will make the actions of the operators a little more complex and difficult following a LOOP. At the minimum, more mass and energy will be released from the reactor vessel to the suppression pool in a shorter time. Efforts to shut the stuck-open relief valve will also occupy some of the operators' attention and resources. In recognition of such factors, no credit was given for operator recovery of decay heat removal if human error were to fail the RHR system following a LOOP with stuck-open relief valve. This was considered a conservative assumption.

The NRC would like to make the SPAR models for Quad Cities more realistic with respect to this assumption. However, the SPAR model cannot be changed without documentation verifying that the change is appropriate and technically correct. The NRC presently does not have such documentation.

The NRC appreciates your effort to improve the SPAR model for Quad Cities, but the model will remain as stated in the precursor report until Quad Cities can provide the NRC with the appropriate documentation for changing the model. The NRC would appreciate Quad Cities forwarding to the NRC the plant-specific emergency operating procedures that guide the Quad Cities operators through the event - LOOP followed by stuck-open relief valve followed by failure of the RHR system.

Hopefully, Quad Cities personnel would be able to add additional explanation to these operating procedures that would demonstrate that operators would perform the same actions, within the same approximate time frame, for both LOOP without a stuck-open relief valve and failure of the RHR system and LOOP with a stuck-open relief valve and failure of the RHR system.

Licensee's Comment 4.10: 13% of SPAR model risk comes from a sequence with failure of all high-pressure injection and failure of manual reactor depressurization. The top two cutsets from this sequence involve loss of DC power on both divisions. The next two comments deal with this sequence.

Response: No response is required.

Licensee's Comment 4.11: The first of these cutsets consists of the LOOP initiator and common cause failure of both batteries. Note that this cutset has nothing to do, specifically, with a LOOP.

This failure can happen for any initiator, including ordinary turbine trip, and many initiators are far more likely than a LOOP. In fact, the EGC QCNPS PRA models a loss-of-both-DC-buses initiating event. EGC recognized that, since both DC buses are normally energized, losing both of them at once is likely to be an initiator rather than a dependent failure. Consequently, for EGC, combinations of LOOP and common-cause failure of both DC trains are covered by the loss-of-both-DC-buses initiating event and they are not counted separately for loss of offsite power. If the SPAR model has such an initiator, consider removing these kinds of cutsets from the LOOP logic.

Response: The Quad Cities SPAR model does not have an initiator for dual failure of both dc buses. However, the Quad Cities SPAR model includes a loss-of-dc bus (single) initiator with an initiating event frequency of 2.4 x 10^-7/hour. In addition, the SPAR models do include the failure of one or both buses (either by independent failure or common-cause failure) for other initiating events. The probability of both dc buses failing is very small but cannot be discounted. For an actual LOOP, the failure of both of the dc batteries following the LOOP must be calculated as leading to a reactor core damage event.

Licensee's Comment 4.12: The second of these cutsets appears to be invalid. It involves the initiator, bus failure for Division I DC, and failure of the operator to align the standby charger for Division II. The logic appears to fail to give credit for the normal supply to Division II DC. This appears to be a logic error.

Response: The SPAR model cut set addressed by this comment is due to incomplete modeling of the dc power system. The current Quad Cities SPAR model does not include alternate dc power supplies to the emergency diesel generators. These alternate dc power supplies will be added to the next revision of the Quad Cities SPAR model, thus eliminating this cut set and similar related cut sets. Inclusion of this change in the SPAR model would not significantly change the dominant sequences and, therefore, would not affect the conclusion that the event is an accident sequence precursor.

Licensee's Comment 4.13: The SPAR model should probably be revised to recognize dependency of more combinations of independent operator actions. Response to LOOP requires quite a few actions by operators. Of the top nine EGC PRA cutsets, eight of them involve various combinations of failure of two or more potentially dependent operator actions. Those cutsets represent a CCDP of 2.8 x 10^-6. It appears that the reason that the EGC model yields a CCDP as large as the SPAR model, after consideration of the comments above, is because it includes many combinations of dependent operator actions not included in the SPAR model. Consider searching for, and then modeling, more such dependencies in the SPAR cutsets.

Response: The SPAR model with respect to dependency of multiple operator action is undergoing review and possible revision.
