ML20114E215
| ML20114E215 | |
| Person / Time | |
|---|---|
| Site: | Harris |
| Issue date: | 05/12/2020 |
| From: | Christopher Hunter NRC/RES/DRA/PRB |
| To: | |
| Hunter C (301) 415-1394 | |
| References | |
| LER 400-01-003 | |
{{#Wiki_filter:Final Precursor Analysis

Accident Sequence Precursor Program --- Office of Nuclear Regulatory Research

Shearon Harris 1
Debris in Suction Lines to an RHR Pump and a Containment Spray Pump

Event Date: 10/8/2001
LER: 400/01-003
ΔCDP = 6 x 10^-6
April 25, 2003

Condition Summary

This analysis involves the potential failure of the residual heat removal (RHR) pump A during safety injection/recirculation due to debris in the pump's suction lines. The licensee discovered several pieces of rubber debris (largest was 20" x 5" x 3/16") and a plastic cable tie (6.5" x 5/16") in the line from the containment sump to the A RHR pump. Other debris was discovered in the suction line from the RWST to the A RHR pump (one piece of rubber debris that was 5" x 2.5" x 3/16") and in the suction line from the containment sump to the A containment spray pump (pieces of steel and elastic). The most recent time the debris could have been introduced into the lines is 1998; it is possible the debris has been in the lines since plant construction (References 1, 2, and 3).

Condition duration. The licensee identified several situations when maintenance personnel could have introduced the debris in the lines, the earliest being original construction and the most recent being in 1998. Because this condition has existed for more than 1 year, the time for the condition assessment is 1 year (8,760 hours) (footnote 1). The period selected for the analysis is from September 23, 2000, to September 22, 2001, the date of discovery of the coincident condition involving valve 1RH-39 that is discussed below.

Footnote 1: The Accident Sequence Precursor Program limits the conditional assessment of risk to a 1-year period.

Other conditions, failures, and unavailable equipment. Valve 1RH-39 failed to open on September 22, 2001. This valve is one of two isolation valves between the reactor coolant system (RCS) loop C and the RHR pump B suction header. Failure of the valve to open results in loss of train B RHR circulation from the RCS hot leg. A lug connecting a cable in the valve's control circuit to a post in its breaker cabinet had not been properly landed and had worked loose. The actual duration of this condition is unknown; it is assumed to have existed for at least one year.

Recovery opportunities. Blockage/damage to the A RHR pump from debris in the pump suction is non-recoverable. Therefore, no recovery opportunity is assumed to exist for the pump. Recovery of valve 1RH-39 is feasible, and was considered in the analysis. Credit was also taken for operators opening cross-tie valves in the emergency service water (ESW) or component cooling water (CCW) system to restore cooling to the B RHR heat exchanger in the event this cooling is lost. These recovery actions are discussed in more detail later in this report.
Analysis Results

Importance (footnote 2)

The risk significance of the condition is determined by subtracting the nominal core damage probability from the conditional core damage probability for the condition.

| Quantity | Value |
|---|---|
| Conditional core damage probability (CCDP), mean | 4.1E-05 |
| Nominal core damage probability (CDP), mean | 3.6E-05 |
| Importance (ΔCDP = CCDP - CDP), 95th percentile | 9.3E-06 |
| Importance (ΔCDP = CCDP - CDP), mean | 5.7E-06 |
| Importance (ΔCDP = CCDP - CDP), 5th percentile | 2.8E-06 |

This is an increase of 5.7E-06 over the nominal CDP over a calendar year due to the failure of the A RHR pump for injection from the RWST or recirculation from the containment sump and the failure of the RHR suction valve from the C RCS loop to the B RHR pump. The Accident Sequence Precursor Program acceptance threshold is an importance (ΔCDP) of 1.0E-06.

Footnote 2: Since this condition did not involve an actual initiating event, the parameter of interest is the measure of the incremental increase between the conditional probability for the period in which the condition existed and the nominal probability for the same period but with the condition nonexistent and plant equipment available. This incremental increase or importance is determined by subtracting the CDP from the CCDP. This measure is used to assess the risk significance of hardware unavailabilities especially for those cases where the nominal CDP is high with respect to the incremental increase of the conditional probability caused by the hardware unavailability.

Dominant sequences

The dominant core damage sequences for this assessment are medium loss of coolant accident (MLOCA) Sequence 2, steam generator tube rupture (SGTR) Sequence 3, and loss of offsite power (LOOP) Sequence 9. The MLOCA, SGTR, and LOOP event trees are shown in Figures 1, 2, and 3.

The events and important component failures in MLOCA Sequence 2 are:
- occurrence of a MLOCA,
- success of reactor trip,
- success of the high pressure injection (HPI) system,
- success of the auxiliary feedwater (AFW) system,
- success of reactor coolant system (RCS) cooldown,
- failure of the low pressure recirculation system (due in part to failure of the A RHR pump because of debris in the pump suction line).
The events and important component failures in SGTR Sequence 3 are:
- occurrence of a SGTR,
- success of reactor trip,
- success of the AFW system,
- success of the HPI system,
- success of RCS depressurization to less than the SGRV set point,
- failure to isolate the steam generator with the ruptured tube,
- success of RCS depressurization to RHR entry condition,
- failure of the RHR system (due in part to failure of the B RHR train because valve 1RH-39 will not open).

The events and important component failures in LOOP Sequence 9 are:
- occurrence of a LOOP,
- success of reactor trip,
- success of emergency power,
- success of the AFW system,
- one or more PORVs open,
- one or more PORVs fail to reclose,
- success of the HPI system,
- failure to recover offsite power within 2 hours,
- failure of the high pressure recirculation system (due in part to failure of the A RHR pump because of debris in the pump suction line).

Results tables

Table 1 shows the conditional probabilities of the dominant sequences. Table 2a shows the event tree sequence logic for the dominant sequences; definitions of the top events are provided in Table 2b. Table 3 lists the most important cut sets for the dominant sequences.

Modeling Assumptions

Assessment summary

The event was modeled as an at-power condition assessment with no capability to provide safety injection/recirculation flow from the RWST/containment sump through the A RHR train and no capability to provide suction flow from the RCS hot leg to the B RHR train. The SPAR Rev. 3i model for Shearon Harris, dated 3/20/03, (Reference 4) was used for the analysis.

The size and number of debris items in the suction lines from the RWST and containment sump to RHR pump A are assumed to result in blockage of the pump's suction during both injection and recirculation phases of a safety injection (References 1 and 2). The licensee's analysis stated that the RHR pump may provide adequate recirculation flow for low flow conditions (e.g., small LOCA). In this analysis, the A RHR pump is assumed to not be operable for safety injection/recirculation regardless of the flow requirements. However, the A RHR pump's availability would not be affected for its normal shutdown cooling function taking suction from the RCS hot leg. This is consistent with the conclusions documented in Reference 3.
To model failure of the A RHR pump during injection, failure of motor operated valve (MOV) 1SI-322 to open was set to TRUE. To model failure of the A RHR pump during recirculation, a compound event containing the MOVs in the suction line from the containment sump to the A RHR pump (MOVs 1SI-300 and 1SI-310 failing to open) was set to TRUE. See Figure 1 of Reference 1 for the locations of these valves. In addition, MOV 1RH-39 failing to open was set to TRUE.

Basic event probability and initiating event frequency changes

Table 4 lists the basic events that were modified to reflect the condition being analyzed. The bases for these changes are as follows:

- Probability of failure of sump 1A to provide water flow (HPR-SMP-VF-SMP1A). This event was set to TRUE. This disables the A RHR train for recirculation from the containment sump. The A RHR train would not be recoverable. HPR-SMP-VF-SMP1A is a compound event that includes failures of MOVs 300 and 310 to open and failure of the sump to provide water.

- Probability of failure of the suction valve from the RWST to the A train RHR/LPI pump (LPI-MOV-OC-322). This event was set to TRUE. This disables the A RHR train for injection from the RWST. The A RHR train would not be recoverable.

- Probability of common cause failure of the sump isolation valves to open (HPR-MOV-CF-SMP). The SPAR 3i model automatically adjusts the probability of common cause failure events to account for specified out-of-service conditions of equipment. However, because the A train valves are in a compound event and the compound event is not explicitly contained in the associated common cause event, the automatic adjustment does not take place. The probability of this common cause failure was set to 5.9E-3 for this condition assessment consistent with the common cause failure of the hot leg suction isolation valves discussed below.

- Probability of failure of the hot leg suction isolation valve 1RH-39 to open (RHR-MOV-CC-RH39). This event was set to TRUE.

- Probability of common cause failure of the hot leg isolation valves to open (RHR-MOV-CF-SUCT). The SPAR 3i model automatically adjusted the probability of a common cause failure of the hot leg suction isolation valves to account for the out-of-service condition of the 1RH-39 valve; however, the common cause failure probability was revised to reflect the success criterion for the system. Each RHR train has two normally closed MOVs in series in the suction lines from the hot legs; both valves in a train must open to provide water flow. The stated guidelines for SPAR modeling of common cause failure events (Reference 4, page 5-2) include a recommendation to pool data to the extent possible. Consistent with this guidance, the four hot leg MOVs (1RH-1, 1RH-2, 1RH-39, and 1RH-40) are pooled with the criterion that if any three of the four valves open, success of at least one train (to open a flow path from a hot leg to an RHR pump suction) is guaranteed. This is a reasonable approximation to the real situation in which there are two sets of two valve successes that guarantee success of at least one hot leg suction path. However, when one valve failure is set to TRUE, as in this condition assessment, the SPAR 3i model defaults to treating the system as 3-out-of-3 for success compared to the initial 3-out-of-4 for success. The SPAR 3i model generates a probability value of 3.7E-2 for the common cause event when one valve failure is set to TRUE. The actual success criterion for this condition assessment is that 2-out-of-2 valves (MOVs 1RH-1 and 1RH-2) must open. The corresponding common cause failure probability using the alpha-factor model and the data in Appendix E of Reference 4 is:

$$Q_{CCF} = Q_T \sum_{i=1}^{2} \frac{2}{i}\,\alpha_i = 3 \times 10^{-3}\left(\frac{2}{1}\cdot 9.7 \times 10^{-1} + \frac{2}{2}\cdot 1.5 \times 10^{-2}\right) = 5.9 \times 10^{-3}$$

  This is the value used for the CCF event in this condition assessment.

Model updates

The SPAR Rev 3i model for Shearon Harris was updated to include more recent estimates of failure rates for PORVs failing to reclose. Bases for the update are described in the footnotes to Table 4. This update is independent of the actual event being analyzed.

The model was also updated to ignore test/maintenance of the component cooling water heat exchangers since these exchangers are not removed from service for maintenance while the plant is at power. This update is also independent of the actual event being analyzed.

The model was updated to include parameter uncertainty distributions for basic events that: (1) are important to the analysis results and (2) do not have assigned parameter uncertainty distributions in the base model. Table 5 lists the events so characterized and presents the parameter uncertainty distribution assigned to each.

The model was updated to fix an error discovered in fault tree HPR under gates HPR-ALTRHRA-F and HPR-ALTRHRB-F. The modified version of Page 41 of the fault trees is included in this report as Figure 4.

Two recovery events were added to the model that are specific to the event being analyzed.
The first is a recovery of 1RH-39 from the specific cause of failure that existed in this condition (i.e., a loose lug connecting a control cable in the valve's control circuit to a post in its breaker cabinet). Figure 5 shows the modified fault tree containing the new event RHR-RH39-XHE-NOREC combined with RHR-MOV-CC-RH39 in AND gate RHR-RH39. Attachment A includes a SPAR Human Error Model Worksheet for this recovery event. This is a recovery of long-term core cooling; several hours would be available for operators to accomplish this action.

The second added recovery action is for operators opening cross-tie valves in the emergency service water or component cooling water system to supply cooling to RHR train B following failure of RHR train A and failure of ESW/CCW train B. Figures 6 and 7 show modified fault trees containing the event ESW-CCW-XHE-NOREC input to gates CCW-BN and ESW-BN, respectively. Attachment A includes a SPAR Human Error Model Worksheet for this event. This is a recovery of long-term core cooling; several hours would be available for operators to accomplish this action.

Analysts

Lead analyst - David Campbell
Technical consultant - Lee Vanden Heuvel
Technical reviewer - Michelle Johnson

References

1. LER 400/01-003, 1A-SA Residual Heat Removal Suction Line Debris - Nonconforming Condition, November 27, 2001 (ADAMS Accession No. ML020160375).
2. NRC Inspection Report No. 50-400/01-05, January 28, 2002 (ADAMS Accession No. ML020290013).
3. NRC Inspection Report No. 50-400/02-07; Preliminary White Finding, April 25, 2002 (ADAMS Accession No. ML021150581).
4. Michael B. Calley, James K. Knudson, and Scott T. Beck, Standardized Plant Analysis Risk Model for Shearon Harris (ASP PWR B), Revision 3i, Idaho National Engineering and Environmental Laboratory, March 2003.
5. J. P. Poloski, et al., Rates of Initiating Events at U.S. Nuclear Power Plants: 1987-1995, NUREG/CR-5750, U.S. Nuclear Regulatory Commission, Washington, DC, February 1999.
6. T. L. Chu, et al., Evaluation of Potential Severe Accidents During Low Power and Shutdown Operations at Surry Unit 1, NUREG/CR-6144, U.S. Nuclear Regulatory Commission, Washington, DC, 1993.
Figure 1. Event Tree for Medium LOCA. [Event tree graphic not reproduced: MLOCA - Shearon Harris PWR B, Medium Loss of Coolant Accident, 2000/10/11. Top events: IE-MLOCA, RT, HPI, ACC, AFW, OP-LPI, COOLDOWN, LPI, LPR, HPR; 13 sequences.]
Figure 2. Event Tree for Steam Generator Tube Rupture. [Event tree graphic not reproduced: SGTR - Shearon Harris PWR B, Steam Generator Tube Rupture, 2003/04/24. Top events: IE-SGTR, RT, AFW-SGTR, MFW-NT, BLEED, HPI, RCS-SG, DEP-REC, SG-DEP, SGISOL, THROTTLE, RCS-DEP, RHR, LPR; 45 sequences.]
Figure 3. Event Tree for LOOP. [Event tree graphic not reproduced: LOOP - Shearon Harris PWR B, Loss of Offsite Power, 2000/10/11. Top events: IE-LOOP, RT-L, EP, AFW, PORV-L, PORV-RES, BLEED, HPI, OP-2H, OP-6H, SGCOOL, COOLDOWN, RHR, HPR; 20 sequences.]
Figure 4. Modified Fault Tree Page 43. [Fault tree graphic not reproduced: HPR-ISO52-F - Shearon Harris PWR B, Alt Header Flow Through MOV SI-52, 2003/04/04. The tree includes gates HPR-ALTRHRA-F and HPR-ALTRHRB-F.]
Figure 5. Modified Fault Tree Page 70. [Fault tree graphic not reproduced: RHR - Shearon Harris PWR B, Residual Heat Removal, 2003/03/28. The tree includes gate RHR-RH39 with inputs RHR-MOV-CC-RH39 and RHR-RH39-XHE-NOREC (5.1E-2).]
Figure 6. Modified Fault Tree Page 13. [Fault tree graphic not reproduced: CCW-B - Shearon Harris PWR B, Component Cooling Water Sys Loop B, 2003/04/21. The tree includes gate CCW-BN with input ESW-CCW-XHE-NOREC (4.0E-2).]
Figure 7. Modified Fault Tree Page 29. [Fault tree graphic not reproduced: ESW-B - Shearon Harris PWR B, ESW Train B Fails to Provide Flow, 2003/04/21. The tree includes gate ESW-BN with input ESW-CCW-XHE-NOREC (4.0E-2).]
Table 1. Conditional probabilities associated with the highest probability sequences (note 1).

| Event tree name | Sequence no. | Conditional core damage probability (CCDP) (note 2) | Core damage probability (CDP) (note 2) | Importance (CCDP - CDP) (note 2) |
|---|---|---|---|---|
| MLOCA | 2 | 1.7E-06 | 1.4E-07 | 1.6E-06 |
| SGTR | 3 | 1.7E-06 | 1.1E-06 | 6.3E-07 |
| LOOP | 9 | 5.2E-07 | 2.4E-08 | 4.9E-07 |
| Total (all sequences) (note 3) | | 8.0E-05 | 4.6E-05 | 3.3E-05 |

Notes:
- 1. File name: GEM 400-01-003 3-28-2003 152639.wpd
- 2. Values are point estimates.
- 3. Totals include all sequences (including those not shown in this table).
Table 2a. Event tree sequence logic for the dominant sequences.

| Event tree name | Sequence no. | Logic (/ denotes success; see Table 2b for top event names) |
|---|---|---|
| MLOCA | 2 | /RT, /HPI, /AFW, /COOLDOWN, LPR |
| SGTR | 3 | /RT, /AFW-SGTR, /HPI, /RCS-SG, /SG-DEP, SGISOL, /RCS-DEP, RHR |
| LOOP | 9 | /RT-L, /EP, /AFW, PORV-L, PORV-RES, /HPI-L, OP-2H, HPR-L |

Table 2b. Definitions of fault trees listed in Table 2a.

| Fault tree | Definition |
|---|---|
| AFW | NO OR INSUFFICIENT AFW FLOW |
| AFW-SGTR | NO OR INSUFFICIENT AFW FLOW DURING SGTR |
| COOLDOWN | RCS COOLDOWN TO RHR PRESSURE USING TBVs, ETC. |
| EP | EMERGENCY POWER SYSTEM FAILS |
| HPI | NO OR INSUFFICIENT FLOW FROM THE HPI SYSTEM |
| HPI-L | NO OR INSUFFICIENT FLOW FROM THE HPI SYSTEM DURING LOOP |
| HPR-L | NO OR INSUFFICIENT HPR FLOW DURING LOOP |
| LPR | NO OR INSUFFICIENT LPR FLOW |
| OP-2H | OPERATOR FAILS TO RECOVER OFFSITE POWER WITHIN 2 HRS |
| PORV-L | PORVs/SRVs OPEN DURING LOOP |
| PORV-RES | PORVs AND BLOCK VALVES OR SRVs FAIL TO RESEAT |
| RCS-DEP | FAILURE TO COOLDOWN RCS TO < RHR PRESSURE |
| RCS-SG | OPERATOR FAILS TO LOWER RCS PRESSURE TO < SG RV SETPOINT |
| RHR | NO OR INSUFFICIENT FLOW DURING RHR |
| RT | REACTOR FAILS TO TRIP DURING TRANSIENT |
| RT-L | REACTOR FAILS TO TRIP DURING LOOP |
| SG-DEP | HARDWARE FAILS TO LOWER RCS PRESSURE TO < SG RV SETPOINT |
| SG-ISOL | FAILURE TO ISOLATE RUPTURED SG BEFORE RWST DEPLETION |
Table 3. Conditional cut sets for dominant sequences.

| CCDP (note 1) | Percent contribution | Minimal cut sets (note 2) |
|---|---|---|
| Event Tree: MLOCA, Sequence 2 | | |
| 3.6E-07 | 21.1 | RHR-MDP-TM-1B |
| 2.5E-07 | 14.3 | HPR-SMP-VF-SMP1B |
| 2.4E-07 | 14.0 | HPR-MOV-CF-SMP |
| 2.2E-07 | 13.0 | RHR-HTX-TM-1B |
| 1.7E-06 | | Total (all cut sets/this sequence) (note 3) |
| Event Tree: SGTR, Sequence 3 | | |
| 7.3E-07 | 43.0 | MSS-XHE-XM-ERROR, RHR-XHE-XM1 |
| 4.1E-07 | 24.4 | MSS-VCF-HW-ISOL, RHR-MOV-CF-SUCT |
| 1.7E-06 | | Total (all cut sets/this sequence) (note 3) |
| Event Tree: LOOP, Sequence 9 | | |
| 1.1E-07 | 19.6 | OEP-XHE-NOREC-2H, PPR-SRV-OO-PRV2, PPR-SRV-CO-L, EPS-DGN-TM-1B |
| 1.1E-07 | 19.6 | OEP-XHE-NOREC-2H, PPR-SRV-OO-PRV3, PPR-SRV-CO-L, EPS-DGN-TM-1B |
| 6.6E-08 | 12.7 | OEP-XHE-NOREC-2H, PPR-SRV-OO-PRV2, PPR-SRV-CO-L, ESW-MDP-TM-1B |
| 6.6E-08 | 12.7 | OEP-XHE-NOREC-2H, PPR-SRV-OO-PRV3, PPR-SRV-CO-L, ESW-MDP-TM-1B |
| 5.2E-07 | | Total (all cut sets/this sequence) (note 3) |
| 2.5E-05 | | Total (all cut sets/all sequences) (note 3) |

Notes:
- 1. See Table 4 for definitions and probabilities for the basic events.
- 2. Values are point estimates.
- 3. Totals include all cut sets (including those not shown in this table).
Table 4. Definitions and probabilities for modified or dominant basic events.

| Event name | Description | Probability/frequency | Modified |
|---|---|---|---|
| CCW-HTX-TM-1B | CCW HEAT EXCHANGER 1B UNAVAILABLE DUE TO TEST AND MAINTENANCE | IGNORE | YES (note 1) |
| EPS-DGN-TM-1B | DIESEL GENERATOR 1B UNAVAILABLE DUE TO TEST AND MAINTENANCE | 3.1E-02 | NO |
| ESW-CCW-XHE-NOREC | OPERATOR FAILS TO RECOVER ESW/CCW | 4.0E-02 | YES (note 2) |
| ESW-MDP-TM-1B | ESW MDP 1B UNAVAILABLE DUE TO TEST AND MAINTENANCE | 2.0E-02 | NO |
| HPR-MOV-CF-SMP | CCF OF SUMP ISOLATION VALVES TO OPEN | 5.9E-03 | YES (note 3) |
| HPR-SMP-VF-SMP1A | SUMP 1A FAILS TO PROVIDE WATER FLOW | TRUE | YES (note 3) |
| HPR-SMP-VF-SMP1B | SUMP 1B FAILS TO PROVIDE WATER FLOW | 6.0E-03 | NO |
| LPI-MOV-OC-322 | RWST DISCHARGE ISOLATION MOV 322 FAILS | TRUE | YES (note 3) |
| MSS-VCF-HW-ISOL | RUPTURED STEAM GENERATOR ISOLATION FAILURES | 1.0E-02 | NO |
| MSS-XHE-XM-ERROR | OPERATOR FAILS TO ISOLATE FAULTED STEAM GENERATOR | 2.0E-03 | NO |
| OEP-XHE-NOREC-2H | OPERATOR FAILS TO RECOVER OFFSITE POWER WITHIN 2 HRS | 1.2E-01 | NO |
| PPR-SRV-CO-L | PORVs/SRVs OPEN DURING LOOP | 1.6E-01 | NO |
| PPR-SRV-OO-PRV1 | PORV 1 FAILS TO RECLOSE AFTER OPENING | 3.7E-03 | YES (note 4) |
| PPR-SRV-OO-PRV2 | PORV 2 FAILS TO RECLOSE AFTER OPENING | 3.7E-03 | YES (note 4) |
| PPR-SRV-OO-PRV3 | PORV 3 FAILS TO RECLOSE AFTER OPENING | 3.7E-03 | YES (note 4) |
| RHR-HTX-TM-1B | RHR HEAT EXCHANGER 1B UNAVAILABLE DUE TO TEST AND MAINTENANCE | 5.5E-03 | NO |
| RHR-MDP-TM-1B | RHR MOTOR-DRIVEN PUMP 1B UNAVAILABLE DUE TO TEST AND MAINTENANCE | 8.9E-03 | NO |
| RHR-MOV-CC-RH39 | RHR HOT LEG SUCTION ISOLATION VALVE 1RH-39 FAILS TO OPEN | TRUE | YES (note 3) |
| RHR-MOV-CF-SUCT | COMMON CAUSE FAILURE OF RHR HOT LEG SUCTION ISOLATION VALVES TO OPEN | 5.9E-03 | YES (note 3) |
| RHR-RH39-XHE-NOREC | OPERATOR FAILS TO RECOVER VALVE RH39 | 5.1E-02 | YES (note 2) |
| RHR-XHE-XM1 | OPERATOR FAILS TO INITIATE RHR MODE (dependent event) | 5.2E-02 | NO |

Notes:
- 1. Based on information provided by the NRC.
- 2. Recovery event added to reflect the condition being analyzed. Refer to Attachment A.
- 3. Event changed to reflect the condition being analyzed.
- 4. Model update using data from NUREG/CR-5750, Rates of Initiating Events at U.S. Nuclear Power Plants, Table D-4 (Reference 5).
Table 5. Uncertainty data added to the Shearon Harris SPAR database

| Event name | Event parameter | Uncertainty distribution | Uncertainty parameter | Note |
|---|---|---|---|---|
| CCW-XHE-XM-RECIRC | Probability = 1.0E-03 | Log normal | 3 | 1 |
| ESW-CCW-XHE-NOREC | Probability = 4.0E-02 | Log normal | 3 | 1 |
| HPI-XHE-XM-THRTL | Probability = 1.0E-03 | Log normal | 3 | 1 |
| HPR-MOV-CF-SUMP | Probability = 5.9E-03 | Log normal | 5 | 2 |
| LPR-XHE-XM | Probability = 1.0E-03 | Log normal | 3 | 1 |
| MSS-AOV-OO-ADV | Probability = 1.0E-01 | Normal | 0.1 | 3 |
| MSS-VCF-HW-ISOL | Probability = 1.0E-02 | Log normal | 3 | 3 |
| MSS-XHE-XM-BLK1 | Probability = 6.9E-02 | Log normal | 3 | 1 |
| MSS-XHE-XM-ERROR | Probability = 2.0E-03 | Log normal | 3 | 1 |
| MSS-XHE-XM-ERROR1 | Probability = 5.2E-02 | Log normal | 3 | 1 |
| OEP-XHE-NOREC-2H | Probability = 1.2E-01 | Log normal | 2 | 1 |
| PPR-SRV-CO-L | Probability = 1.6E-01 | Normal | 0.05 | 3 |
| PPR-SRV-OO-PRV2 | Probability = 3.7E-03 | Log normal | 3 | 3 |
| PPR-SRV-OO-PRV3 | Probability = 3.7E-03 | Log normal | 3 | 3 |
| RCS-XHE-DIAG | Probability = 8.0E-03 | Log normal | 3 | 1 |
| RCS-XHE-XM-SG | Probability = 2.0E-03 | Log normal | 3 | 1 |
| RHR-MOV-CF-SUCT | Probability = 5.9E-03 | Log normal | 5 | 2 |
| RHR-RH39-XHE-NOREC | Probability = 5.1E-02 | Log normal | 3 | 1 |
| RHR-XHE-XM | Probability = 2.0E-03 | Log normal | 3 | 1 |
| RHR-XHE-XM1 | Probability = 5.2E-02 | Log normal | 3 | 1 |
| RHR-XHE-XM2 | Probability = 1.4E-01 | Log normal | 2 | 1 |
| RHR-XHE-XR-HXIB | Probability = 1.0E-03 | Log normal | 3 | 1 |
| RHR-XHE-XR-MDP1B | Probability = 1.0E-03 | Log normal | 3 | 1 |
| SLOCA-XHE-NOREC | Probability = 4.3E-01 | Log normal | 2 | 1 |

Notes:
- 1. Uncertainties on human error probabilities from NUREG/CR-6144, Section 8.3.3.4 (Reference 6).
- 2. Uncertainty factors on modified common cause failure events are assumed values.
- 3. Uncertainty distributions and parameters are assumed.
LER 400/01-003 Attachment A HRA Worksheets
SPAR Model Human Error Worksheet (Page 1 of 3)

Plant: Shearon Harris
Event Name: ESW-CCW-XHE-NOREC
Task Error Description: Operator fails to recover ESW/CCW by opening cross-tie valves

Does this task contain a significant amount of diagnosis activity? YES / NO
If Yes, use Table 1 below to evaluate the PSFs for the Diagnosis portion of the task before going to Table 2. If No, go directly to Table 2.

Table 1. Diagnosis worksheet.

| PSFs | PSF Levels | Multiplier for Diagnosis | If non-nominal PSF levels are selected, please note specific reasons in this column |
|---|---|---|---|
| 1. Available Time | Inadequate | 1.0 (a) | |
| | Barely adequate < 20 m | 10 | |
| | Nominal 30 m | 1 | |
| | Extra > 60 m | 0.1 | |
| | Expansive > 24 h | 0.01 | |
| 2. Stress | Extreme | 5 | |
| | High | 2 | |
| | Nominal | 1 | |
| 3. Complexity | Highly | 5 | |
| | Moderately | 2 | |
| | Nominal | 1 | |
| 4. Experience/Training | Low | 10 | |
| | Nominal | 1 | |
| | High | 0.5 | |
| 5. Procedures | Not available | 50 | |
| | Available, but poor | 5 | |
| | Nominal | 1 | |
| | Diagnostic/symptom oriented | 0.5 | |
| 6. Ergonomics | Missing/Misleading | 50 | |
| | Poor | 10 | |
| | Nominal | 1 | |
| | Good | 0.5 | |
| 7. Fitness for Duty | Unfit | 1.0 (a) | |
| | Degraded Fitness | 5 | |
| | Nominal | 1 | |
| 8. Work Processes | Poor | 2 | |
| | Nominal | 1 | |
| | Good | 0.8 | |

a. Task failure probability is 1.0 regardless of other PSFs.
SPAR Model Human Error Worksheet (Page 2 of 3)

Table 2. Action worksheet.

| PSFs | PSF Levels | Multiplier for Action | If non-nominal PSF levels are selected, please note specific reasons in this column |
|---|---|---|---|
| 1. Available Time | Inadequate | 1.0 (a) | Time available is greater than time required, but not significantly (e.g., a factor of 10) greater. |
| | Time available ≈ time required | 10 | |
| | Nominal | 1 | |
| | Available > 50x time required | 0.01 | |
| 2. Stress | Extreme | 5 | Stress is assumed to be higher than nominal. |
| | High | 2 | |
| | Nominal | 1 | |
| 3. Complexity | Highly | 5 | The task of isolating non-essential ESW or CCW loads and opening cross-tie valves is moderately complex. |
| | Moderately | 2 | |
| | Nominal | 1 | |
| 4. Experience/Training | Low | 3 | |
| | Nominal | 1 | |
| | High | 0.5 | |
| 5. Procedures | Not available | 50 | |
| | Available, but poor | 5 | |
| | Nominal | 1 | |
| 6. Ergonomics | Missing/Misleading | 50 | |
| | Poor | 10 | |
| | Nominal | 1 | |
| | Good | 0.5 | |
| 7. Fitness for Duty | Unfit | 1.0 (a) | |
| | Degraded Fitness | 5 | |
| | Nominal | 1 | |
| 8. Work Processes | Poor | 2 | |
| | Nominal | 1 | |
| | Good | 0.8 | |

a. Task failure probability is 1.0 regardless of other PSFs.

Table 3. Task failure probability without formal dependence worksheet.

| Task Portion | Nom. Prob. | Time | Stress | Compl. | Exper./Train. | Proced. | Ergon. | Fitness | Work Process | Prob. |
|---|---|---|---|---|---|---|---|---|---|---|
| Diag. | NA | | | | | | | | | NA |
| Action | 1.0E-3 | x 10.0 | x 2.0 | x 2.0 | x 1.0 | x 1.0 | x 1.0 | x 1.0 | x 1.0 | 4.0E-2 |
| Total | | | | | | | | | | 4.0E-2 |
LER 400/01-003 SPAR Model Human Error Worksheet (Page 3 of 3)

For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence.

Table 4. Dependency condition worksheet.

| Condition Number | Crew (same or different) | Location (same or different) | Time (close in time or not close in time) | Cues (additional or not additional) | Dependency |
|---|---|---|---|---|---|
| 1 | s | s | c | | complete |
| 2 | s | s | nc | na | high |
| 3 | s | s | nc | a | moderate |
| 4 | s | d | c | | high |
| 5 | s | d | nc | na | moderate |
| 6 | s | d | nc | a | low |
| 7 | d | s | c | | moderate |
| 8 | d | s | nc | na | low |
| 9 | d | s | nc | a | low |
| 10 | d | d | c | | moderate |
| 11 | d | d | nc | na | low |
| 12 | d | d | nc | a | low |
| 13 | | | | | zero |

Number of Human Action Failures Rule: If this error is the 3rd error in the sequence, then the dependency is at least moderate. If this error is the 4th error in the sequence, then the dependency is at least high. This rule may be ignored only if there is compelling evidence for less dependence with the previous tasks.

Using P = Task Failure Probability Without Formal Dependence (calculated on page 2):

- For Complete Dependence the probability of failure = 1.0
- For High Dependence the probability of failure = (1 + P)/2
- For Moderate Dependence the probability of failure = (1 + 6P)/7
- For Low Dependence the probability of failure = (1 + 19P)/20
- For Zero Dependence the probability of failure = P

Task Failure Probability With Formal Dependence = (1 + ( * )) / = 4.0E-2

Additional Notes:
LER 400/01-003 SPAR Model Human Error Worksheet (Page 1 of 3)

Plant: Shearon Harris

Event Name: RHR-RH39-XHE-NOREC

Task Error Description: Operator fails to recover/open MOV RH-39

Does this task contain a significant amount of diagnosis activity? YES NO

If Yes, use Table 1 below to evaluate the PSFs for the Diagnosis portion of the task before going to Table 2. If No, go directly to Table 2.

Table 1. Diagnosis worksheet.

| PSFs | PSF Levels | Multiplier for Diagnosis | If non-nominal PSF levels are selected, please note specific reasons in this column |
|---|---|---|---|
| 1. Available Time | Inadequate | 1.0 (a) | Several hours would be available for this recovery action. |
| | Barely adequate < 20 m | 10 | |
| | Nominal 30 m | 1 | |
| | Extra > 60 m | 0.1 | |
| | Expansive > 24 h | 0.01 | |
| 2. Stress | Extreme | 5 | |
| | High | 2 | |
| | Nominal | 1 | |
| 3. Complexity | Highly | 5 | |
| | Moderately | 2 | |
| | Nominal | 1 | |
| 4. Experience/Training | Low | 10 | |
| | Nominal | 1 | |
| | High | 0.5 | |
| 5. Procedures | Not available | 50 | Diagnostic procedure assumed to not exist. |
| | Available, but poor | 5 | |
| | Nominal | 1 | |
| | Diagnostic/symptom oriented | 0.5 | |
| 6. Ergonomics | Missing/Misleading | 50 | |
| | Poor | 10 | |
| | Nominal | 1 | |
| | Good | 0.5 | |
| 7. Fitness for Duty | Unfit | 1.0 (a) | |
| | Degraded Fitness | 5 | |
| | Nominal | 1 | |
| 8. Work Processes | Poor | 2 | |
| | Nominal | 1 | |
| | Good | 0.8 | |

a. Task failure probability is 1.0 regardless of other PSFs.
LER 400/01-003 SPAR Model Human Error Worksheet (Page 2 of 3)

Table 2. Action worksheet.

| PSFs | PSF Levels | Multiplier for Action | If non-nominal PSF levels are selected, please note specific reasons in this column |
|---|---|---|---|
| 1. Available Time | Inadequate | 1.0 (a) | |
| | Time available ≈ time required | 10 | |
| | Nominal | 1 | |
| | Available > 50x time required | 0.01 | |
| 2. Stress | Extreme | 5 | |
| | High | 2 | |
| | Nominal | 1 | |
| 3. Complexity | Highly | 5 | |
| | Moderately | 2 | |
| | Nominal | 1 | |
| 4. Experience/Training | Low | 3 | |
| | Nominal | 1 | |
| | High | 0.5 | |
| 5. Procedures | Not available | 50 | |
| | Available, but poor | 5 | |
| | Nominal | 1 | |
| 6. Ergonomics | Missing/Misleading | 50 | |
| | Poor | 10 | |
| | Nominal | 1 | |
| | Good | 0.5 | |
| 7. Fitness for Duty | Unfit | 1.0 (a) | |
| | Degraded Fitness | 5 | |
| | Nominal | 1 | |
| 8. Work Processes | Poor | 2 | |
| | Nominal | 1 | |
| | Good | 0.8 | |

a. Task failure probability is 1.0 regardless of other PSFs.
Table 3. Task failure probability without formal dependence worksheet.

| Task Portion | Nom. Prob. | Time | Stress | Compl. | Exper./Train. | Proced. | Ergon. | Fitness | Work Process | Prob. |
|---|---|---|---|---|---|---|---|---|---|---|
| Diag. | 1.0E-2 | x 0.1 | x 1.0 | x 1.0 | x 1.0 | x 50.0 | x 1.0 | x 1.0 | x 1.0 | 5.0E-2 |
| Action | 1.0E-3 | x 1.0 | x 1.0 | x 1.0 | x 1.0 | x 1.0 | x 1.0 | x 1.0 | x 1.0 | 1.0E-3 |
| Total | | | | | | | | | | 5.1E-2 |
LER 400/01-003 SPAR Model Human Error Worksheet (Page 3 of 3)

For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure Probability With Formal Dependence.

Table 4. Dependency condition worksheet.

| Condition Number | Crew (same or different) | Location (same or different) | Time (close in time or not close in time) | Cues (additional or not additional) | Dependency |
|---|---|---|---|---|---|
| 1 | s | s | c | | complete |
| 2 | s | s | nc | na | high |
| 3 | s | s | nc | a | moderate |
| 4 | s | d | c | | high |
| 5 | s | d | nc | na | moderate |
| 6 | s | d | nc | a | low |
| 7 | d | s | c | | moderate |
| 8 | d | s | nc | na | low |
| 9 | d | s | nc | a | low |
| 10 | d | d | c | | moderate |
| 11 | d | d | nc | na | low |
| 12 | d | d | nc | a | low |
| 13 | | | | | zero |

Number of Human Action Failures Rule: If this error is the 3rd error in the sequence, then the dependency is at least moderate. If this error is the 4th error in the sequence, then the dependency is at least high. This rule may be ignored only if there is compelling evidence for less dependence with the previous tasks.

Using P = Task Failure Probability Without Formal Dependence (calculated on page 2):

- For Complete Dependence the probability of failure = 1.0
- For High Dependence the probability of failure = (1 + P)/2
- For Moderate Dependence the probability of failure = (1 + 6P)/7
- For Low Dependence the probability of failure = (1 + 19P)/20
- For Zero Dependence the probability of failure = P

Task Failure Probability With Formal Dependence = (1 + ( * )) / = 5.1E-2

Additional Notes:}}
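The arithmetic behind the Table 3 rows and the page 3 dependence formulas of both worksheets, as an added Python example that is not part of the NRC analysis. The function and variable names are assumptions of this sketch; the nominal probabilities, multipliers, Table 4 conditions and formulas are the ones recorded on the worksheets.

```python
from math import prod

# Dependence formulas from page 3 of the worksheet; p is the Table 3 total.
DEPENDENCE = {
    "zero": lambda p: p,
    "low": lambda p: (1 + 19 * p) / 20,
    "moderate": lambda p: (1 + 6 * p) / 7,
    "high": lambda p: (1 + p) / 2,
    "complete": lambda p: 1.0,
}
ORDER = ["zero", "low", "moderate", "high", "complete"]

# Table 4 conditions 1-12 keyed by (crew, location, time, cues):
# s/d = same/different, c/nc = close/not close in time,
# na/a = not additional/additional cues (the cues column is blank when time is "c").
TABLE4 = {
    ("s", "s", "c", None): "complete", ("s", "s", "nc", "na"): "high",
    ("s", "s", "nc", "a"): "moderate", ("s", "d", "c", None): "high",
    ("s", "d", "nc", "na"): "moderate", ("s", "d", "nc", "a"): "low",
    ("d", "s", "c", None): "moderate", ("d", "s", "nc", "na"): "low",
    ("d", "s", "nc", "a"): "low", ("d", "d", "c", None): "moderate",
    ("d", "d", "nc", "na"): "low", ("d", "d", "nc", "a"): "low",
}

def portion_probability(nominal, multipliers, footnote_a=False):
    """One Table 3 row: nominal probability times the eight PSF multipliers."""
    if footnote_a:  # Inadequate time or Unfit: 1.0 regardless of other PSFs
        return 1.0
    if len(multipliers) != 8:
        raise ValueError("expected one multiplier per PSF (8)")
    return nominal * prod(multipliers)

def dependency_level(crew, location, time, cues=None, error_number=2):
    """Table 4 lookup, then the number-of-human-action-failures rule as a floor."""
    level = TABLE4[(crew, location, time, None if time == "c" else cues)]
    floor = {3: "moderate", 4: "high"}.get(error_number, "zero")
    return max(level, floor, key=ORDER.index)

def with_dependence(p, level):
    return DEPENDENCE[level](p)

def worksheet_totals():
    """Table 3 totals: ESW/CCW cross-tie recovery, then RHR-RH39-XHE-NOREC."""
    esw_ccw = portion_probability(1.0e-3, [10, 2, 2, 1, 1, 1, 1, 1])
    rh39 = (portion_probability(1.0e-2, [0.1, 1, 1, 1, 50, 1, 1, 1])
            + portion_probability(1.0e-3, [1] * 8))
    return esw_ccw, rh39

if __name__ == "__main__":
    for p in worksheet_totals():
        print(f"P = {p:.1E}; high dependence would give {with_dependence(p, 'high'):.2f}")
```

Both worksheets record a probability with formal dependence equal to the Table 3 total, which is what the zero-dependence formula returns.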