ML20114E263
| ML20114E263 | |
| Person / Time | |
|---|---|
| Site: | Summer  |
| Issue date: | 05/12/2020 |
| From: | Christopher Hunter NRC/RES/DRA/PRB |
| To: | |
| Hunter C (301) 415-1394 | |
| References | |
| LER 395-00-006 | |
| Download: ML20114E263 (16) | |
Text
1 Accident Sequence Precursor ProgramOffice of Nuclear Regulatory Research Final Precursor Analysis Summer Turbine-driven emergency feedwater pump discharge valve found isolated Event Date: 9/21/2000 LER: 395/00-006 CDP = 4x10-6 Condition Summary On September 21, 2000, at 0600 hours0.00694 days <br />0.167 hours <br />9.920635e-4 weeks <br />2.283e-4 months <br />, during the performance of a scheduled surveillance test on the turbine-driven emergency feedwater (EFW) pump, the plant staff discovered the pumps discharge manual-operated valve was locked in the closed position. The valve had been locked closed since August 4, 2000 (Refs. 1, 2, and 3). A simplified diagram of the EFW system is provided in Figure 1.
During the period when the turbine-driven EFW was unavailable, emergency diesel generator (EDG) A was removed from service between September 5 and 6, and EDG B between September 19 and 20. (Ref. 1)
Cause. The cause of this event is attributed to human error. First, the valve was not opened, per procedure, prior to placing the locking chain on the valve hand wheel. Second, the independent verification was not properly performed. Therefore, an opportunity to correct the mis-positioning was missed.
Condition duration. The condition rendered the train inoperable for automatic initiation during at-power operations from August 4, 2000, until September 21, 2000, or 48 days. One of the two EDGs was removed from service for a total of 4 days.
Recovery opportunity. In an event requiring the turbine-driven EFW pump to operate, the operators must identify that the pump is not providing flow to the steam generators, diagnose the cause (closed valve), and then open the valve.
Analysis Results Importance1 The risk significance of the turbine-driven EFW pump being unavailable for automatic initiation (plus 96 hours0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br /> of concurrent EDG unavailability) is determined by subtracting the total nominal core damage probability from the total conditional core damage probability:
1 Since this condition did not involve an actual initiating event, the parameter of interest is the measure of the incremental increase between the conditional probability for the period in which the condition existed and the nominal probability for the same period but with the condition nonexistent and plant equipment available. This incremental increase or importance is determined by subtracting the CDP from the CCDP. This measure is used to assess the risk significance of hardware unavailabilities especially for those cases where the nominal CDP is high with respect to the incremental increase of the conditional probability caused by the hardware unavailability.
Conditional core damage probability (CCDP) =
5.1 x 10-6 Nominal core damage probability (CDP) =
- 9.5 x 10-7 Importance (CDP = CCDP - CDP) =
4.2 x 10-6 The estimated importance (CCDP-CDP) for the condition was 4.2 x 10-6. This is an increase of 4.2 x 10-6 over the nominal CDP for the 48-day period when the turbine-driven EFW pump (plus 96 hours0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br /> of concurrent EDG unavailability) was not available for automatic initiation.
The Accident Sequence Precursor (ASP) Program acceptance threshold is an importance (CDP) of 1 x 10-6.
Dominant sequence The dominant core damage sequence for this condition is a station blackout sequence (Sequence 18-22). The events and important component failures in this sequence (shown in Sequence 18, Figure 2, and Sequence 22, Figure 3) include:
a loss of offsite power initiating event, successful reactor trip, failure of the emergency power system due to independent and common cause failures of the emergency diesel generators, failure of the auxiliary feedwater system, and failure to recover offsite power in the short term (1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />).
Results tables The conditional probability of the dominant sequence is shown in Table 1.
The event tree sequence logic for the dominant sequence is provided in Table 2a.
The conditional cut sets for the dominant sequence are provided in Table 3.
Modeling Assumptions Assessment summary This event was modeled as an at-power conditional assessment with the discharge valve for the turbine-driven EFW pump closed for 44 days (Case 1), plus a 4-day period when a diesel was also inoperable (Case 2). Both cases were analyzed separately and the results (CDP and CCDP) were combined to calculate the total importance for the 48-day period.
The Revision 2QA of the Summer Standardized Plant Analysis Risk (SPAR) model (Ref.
- 6) was used for this assessment. The SPAR Revision 2QA model includes event trees for transients (including loss of feedwater and a transfer tree for anticipated transient without scram or ATWS), loss of offsite power (including a transfer tree for station blackout), small loss-of-coolant accident, and steam generator tube rupture. These event trees were used in the analysis. The discussion below provides the bases for significant changes to the model.
Basic event probability changes
Table 4 provides the basic events that were modified to reflect the event condition being analyzed. The bases for these changes are as follows:
Probability of failure of the turbine-driven EFW pump (AFW-TDP-FC-1X). The probability that the pump would fail to start was set to a failure probability of 1.0 to reflect the failure of the train to provide flow. A value of 1.0 was used instead of TRUE to ensure that all sequences involving the turbine-driven EFW pump were reported and considered in the recovery actions.
Nonrecovery probabilities for the emergency feedwater system. In an event requiring the turbine-driven EFW pump, the operators would know that a problem exists with the pump because there would be no EFW flow to the steam generators.
Examining the local turbine-driven EFW pump flow and discharge pressure indications would indicate that the problem is not with the pump itself. This would prompt them to look at the downstream piping. Downstream of the pump flow indication the recirculation line branches off before a check valve and the manual isolation valve in question (XVG-1036). To open the valve, the operators must first unlock the valve handle.
The human error probability for recovering the turbine-driven EFW pump train for station blackout (SBO) and non-SBO sequences was estimated using ASP Program human reliability analysis methods (Ref. 7). Attachment 1 provides additional details about the human error probability calculations.
Unavailability of emergency diesel generators. To account for the total 4-day period when an EDG was taken out of service, the failure probability for EDG A (EPS-DGN-FC-1A) was set to TRUE (probability of 1.0) and the failure probability for EDG B (EPS-DGN-FC-1B) was modified to remove probability for maintenance out-of-service. No recovery was credited for the 96 hours0.00111 days <br />0.0267 hours <br />1.587302e-4 weeks <br />3.6528e-5 months <br /> (4 days) when an EDG was out-of-service.
Other changes of sequence nonrecovery probabilities. The generic sequence nonrecovery probabilities from the SPAR model were reviewed and modified, as necessary, to appropriately reflect the minimum cut sets of the important dominant sequences. Table 4 shows the sequence nonrecovery probabilities for the dominant sequences. Table 5 provides the bases for those probabilities.
Model update The SPAR model for Summer was updated to account for:
updates of system/component failure probabilities and initiating event frequencies based on recent operating experience, core uncovery times for SBO sequences (Ref. 8), and changes in the reactor coolant pump (RCP) seal loss-of-coolant accident (LOCA) model (Ref. 9). The analysis assumes that high temperature seals were installed on all RCPs at the time of the event.
Bases for these updates are described in the footnotes to Table 4.
Analysts and technical reviewers Charles Mitchell, Analyst, ABS Consulting Erul Chelliah, Technical reviewer, U.S. NRC References 1.
LER 395/00-006, Revision 0, Turbine Driven Emergency Feedwater Pump Discharge Valve Found Isolated, October 18, 2000 (ADAMS Assession Number: ML003762384).
2.
NRC Inspection Report, SDP/EA-00-238, Virgil C. Summer Nuclear Station, NRC Integrated Inspection Report No. 50-395/00-05, October 20, 2000 (ADAMS Assession Number: ML003763975).
3.
L.A. Reyes, Letter to S.A. Byrne, South Carolina Electric & Gas Company, Final Significance Determination for a White Finding and Notice of Violation, December 28, 2000 (ADAMS Assession Number: ML010040154).
4.
Reserved.
5.
Reserved.
6.
J. K. Knudsen, et al., Simplified Plant Analysis Risk (SPAR) Model for Summer, Revision 2QA, Idaho National Engineering and Environmental Laboratory, March 1998.
7.
J. C. Byers, et al., Revision of the 1994 ASP HRA Methodology (Draft), INEEL/EXT 0041, Idaho National Engineering and Environmental Laboratory, January 1999.
8.
P. W. Baranowsky, Evaluation of Station Blackout Accidents at Nuclear Power Plants, NUREG-1032, U.S. Nuclear Regulatory Commission, Washington, DC, June 1988.
9.
R. G. Neve, et al., Cost/Benefit Analysis for Generic Issue 23: Reactor, Coolant Pump Seal Failure, NUREG/CR-5167, U.S. Nuclear Regulatory Commission, Washington, DC, April 1991.
10.
Memorandum from Ashok C. Thadani to William D. Travers, Closeout of Generic Safety Issue 23: Reactor Coolant Pump Seal Failure, U.S. Nuclear Regulatory Commission, November 8, 1999.
11.
F. M. Marshall, et al., Common-Cause Failure Parameter Estimations, NUREG/CR-5497, U.S. Nuclear Regulatory Commission, Washington, DC, October 1998.
12.
G. M. Grant, et al., Reliability Study: Emergency Diesel Generator Power System, 1987-1993, NUREG/CR-5500, Vol. 5, U.S. Nuclear Regulatory Commission, Washington, DC, September 1999.
13.
J. P. Poloski, et al., Rates of Initiating Events at U.S. Nuclear Power Plants: 1987-1995, NUREG/CR-5750, U.S. Nuclear Regulatory Commission, Washington, DC, February 1999.
14.
C. L. Atwood, et al., Evaluation of Loss of Offsite Power Events at Nuclear Power Plants:
1980-1996, NUREG/CR-5496, U.S. Nuclear Regulatory Commission, Washington, DC, November 1998.
Figure 1. Simplified diagram of the emergency feedwater system at Summer. (Manual valve found locked closed is shown in the circle.)
Figure removed during SUNSI review.
Loss of offsite power Reactor trip Emergency power Auxiliary feed water No PORV's open PORV's close High pressure injection Feed and bleed Offsite power rec in 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> Offsite power rec in 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Secondary cooling recovered Residual heat removal High pressure recirc SEQ number End-State 1
2 3
4 5
6 7
8 9
10 11 12 13 14 15 16 17 18 T 19 IE-LOOP RT-L EP AFW-L PORV-L PRVL-RES HPI-L F&B-L OP-2H OP-6H SGCOOL COOLDOWN RHR HPR-L RCS cooldown SGCOOL-L OK OK OK OK CD OK CD OK CD CD OK OK CD OK OK CD CD SBO CD Loop Event Tree Summer Station PWR B HPR HPR HPR Figure 2 Summer loss of offsite power event tree showing sequence 18 transfer to station blackout event tree (Fig. 3)
Transfer branch SBO Auxiliary feed water No PORV's open PORV's close Short-term offsite power recovery No RCP seal LOCA Offsite power rec during seal LOCA AC power recovery before bat depletion High pressure injection Residual heat removal High pressure recirc SEQ number End-State 1
2 3
4 5
6 7
8 9
10 11 12 13 14 15 16 17 18 19 20 21 22 SBO AFW-L PORV-L PRVL-RES ACP-ST SEALLOCA OP-SL OP-BD HPI-L COOLDOWN RHR HPR-L RCS cooldown OK CD OK OK CD OK CD CD CD OK CD OK OK CD OK CD CD CD OK CD OK CD SBO Event Tree Summer Station PWR B HPR HPR HPR HPR HPI HPI Figure 3 Summer station blackout event tree showing sequence 22
Table 1a. Conditional probabilities of dominating sequences Event tree name Sequence no.
Conditional core damage probability (CCDP)
Core damage probability (CDP)
LOOP 18-22A1 2.6E-006 8.2E-008
LOOP 18-22B2 1.5E-006 7.5E-009
Total (all sequences)3 5.1E-006 9.5E-007 4.2E-006 Notes:
1.
Dominating sequence for Case A---44-day period with turbine-driven EFW unavailable and EDGs available.
2.
Dominating sequence for Case B---4-day period with turbine-driven EFW unavailable and one EDG unavailable.
3.
Total CCDP includes all sequences from both cases (including those not shown in this table).
4.
(File names: GEM 395-00-006 5-16-2001 145745.WPD and GEM 395-00-006 5-16-2001 150122.WPD)
Table 2a. Event tree sequence logic for the dominant sequence Event tree name Sequence no.
Logic
(/ denotes success; see Table 2b for top event names)
LOOP 18-22
/RT-L, EP, AFW-L, ACP-ST Table 2b. Definitions of fault trees listed in Table 2a1 ACP-ST OFFSITE POWER RECOVERY IN SHORT TERM AFW-L NO OR INSUFFICIENT AUXILIARY/EMERGENCY FEEDWATER FLOW EP EMERGENCY POWER SYSTEM FAILS RT-L REACTOR FAILS TO TRIP DURING LOSS OF OFFSITE POWER Note:
- 1. In addition to the fault trees listed in this table, modifications to other fault trees were made in accordance with guidance provided in Reference 10. The SPAR model was modified to replace the existing reactor coolant pump (RCP) seal LOCA model with the Rhodes Model (Ref. 9). In order to replace the RCP seal LOCA model without modifying the station blackout event tree, top event OP-SL was set to False (basic event OEP-XHE-NOREC-SL).
To account for offsite power recovery, the nonrecovery probabilities for offsite power AND emergency diesel generators (EDGs) were added to the sequence-specific nonrecovery probabilities for the RCP seal LOCA sequences in the station blackout event tree (see Table 5). Based on the Rhodes Model, the time available to prevent core damage by high-pressure injection if RCP seals fail is 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. Therefore, the nonrecovery probabilities for EDGs and offsite power were modified to reflect the 4-hour recovery time to avert core damage (see Table 5). Finally, Event Tree Linking Rule Nos. 4 and 5 (Ref. 6, Table 2-1), which are triggered by the success of top event OP-SL, were negated by substituting fault tree HPI for HPI-L in LOOP Sequences 18-08 and 18-17, and HPR for HPR-L in LOOP Sequences 18-05, 18-07, 18-14, and 18-16. High temperature seals were assumed to be installed on all RCPs.
LER 395/00-006 10 Table 3a. Conditional cut sets for dominating sequences CCDP Percent contribution Minimal cut sets1 Event Tree: LOOP, Sequence 18-22A (EFW unavailable for 44 days with EDGs available) 2.0E-006 78.6 EPS-DGN-FC-1A OEP-XHE-NOREC-ST AFW-TDP-FC-1X EPS-DGN-FC-1B LOOP-18-22-NREC 5.4E-007 21.2 EPS-DGN-CF-ALL LOOP-18-22-NREC OEP-XHE-NOREC-ST AFW-TDP-FC-1X 2.6E-006 Total2 Event Tree: LOOP, Sequence 18-22B (EFW unavailable for 4 days with an EDGs unavailable) 1.4E-006 96.2 EPS-DGN-FC-1A OEP-XHE-NOREC-ST AFW-TDP-FC-1X EPS-DGN-FC-1B LOOP-18-22-NREC 4.9E-008 3.4 EPS-DGN-CF-ALL LOOP-18-22-NREC OEP-XHE-NOREC-ST AFW-TDP-FC-1X 1.5E-006 Total2 Notes:
- 1. See Table 4 for definitions and probabilities for the basic events.
- 2. Total CCDP includes all cut sets (including those not shown in this table).
LER 395/00-006 11 Table 4. Definitions and probabilities for modified and dominant basic events Event name Description Probability/
frequency Modified AFW-TDP-FC-1X TURBINE-DRIVEN EMERGENCY FEEDWATER PUMP FAILURE 1.0E+000 YES1 EPS-DGN-CF-ALL COMMON CAUSE FAILURE OF DIESEL GENERATORS 7.0E-004 YES2 EPS-DGN-FC-1A DIESEL GENERATOR A FAILS 5.1E-002 (1.0E-000)
YES3 EPS-DGN-FC-1B DIESEL GENERATOR B FAILS 5.1E-002 (2.0E-002)
YES3 IE-LOOP LOSS OF OFFSITE POWER (LOOP) INITIATING EVENT 5.8E-06/hr YES4 IE-SGTR STEAM GENERATOR TUBE RUPTURE (SGTR)
INITIATING EVENT 8.0E-07/hr YES5 IE-SLOCA SMALL LOSS OF COOLANT ACCIDENT INITIATING EVENT 3.4E-07/hr YES5 IE-TRAN TRANSIENT (TRANS) INITIATING EVENT 1.6E-04/hr YES5 LOOP-17-NREC LOOP SEQUENCE 17 NONRECOVERY PROBABILITY 3.4E-002 YES6 LOOP-18-05-NREC LOOP SEQUENCE 18-05 NONRECOVERY PROBABILITY 2.4E-002 YES7 LOOP-18-07-NREC LOOP SEQUENCE 18-07 NONRECOVERY PROBABILITY 2.4E-002 YES7 LOOP-18-08-NREC LOOP SEQUENCE 18-08 NONRECOVERY PROBABILITY 2.4E-002 YES7 LOOP-18-14-NREC LOOP SEQUENCE 18-14 NONRECOVERY PROBABILITY 2.4E-002 YES7 LOOP-18-16-NREC LOOP SEQUENCE 18-16 NONRECOVERY PROBABILITY 2.4E-002 YES7 LOOP-18-17-NREC LOOP SEQUENCE 18-17 NONRECOVERY PROBABILITY 2.4E-002 YES7 LOOP-18-22-NREC LOOP SEQUENCE 18-22 NONRECOVERY PROBABILITY 4.2E-001 YES6 TRANS-20-NREC TRANS SEQUENCE 20 NONRECOVERY PROBABILITY 3.4E-002 YES6 OEP-XHE-NOREC-SL OPERATOR FAILS TO RECOVER OFFSITE POWER BEFORE REACTOR COOLANT PUMP (RCP) SEAL LOCA FALSE YES8 OEP-XHE-NOREC-ST OPERATOR FAILS TO RECOVER OFFSITE POWER IN SHORT TERM 3.0E-001 YES9 RCS-MDP-LK-SEALS RCP SEALS FAIL W/O COOLING AND INJECTION 2.2E-001 YES8 Notes:
1.
Basic event was changed to reflect event being analyzed. Note: A value of 1.0 was used instead of TRUE to ensure that all sequences involving the turbine-driven EFW pump were reported and considered in the recovery actions.
2.
Base case model was update using data from NUREG/CR-5497, Tables 5-2 and 5-5 (Ref. 11). Updated value uses a 4-hour mission time for the diesel generator, which is the 95% probability of recovering offsite power for the weighted average of all LOOP events (Ref. 6, Table 6.1).
3.
Base case model was update using data from NUREG/CR-5500, Vol. 5, Tables C4, C6, and C7 (Ref. 12). See note 2 for additional information. Numbers in parentheses represent Case 2 values. DG1 inoperable set to 1.0 and DG2 modified to remove probability for maintenance out-of-service.
4.
Base case model was update using data from NUREG/CR-5750, Table H3 (Ref. 13) and NUREG/CR 5496 Table B4 (Ref. 14).
5.
Base case model was update using data from NUREG/CR-5750, Table 3-1 (Ref. 13).
6.
Basic event was changed to reflect the nonrecovery of EFW; see Table 5.
7.
Base case model was update based on Rhodes Model. See Table 5 for basis.
8.
Base case model was update based on Rhodes Model. (See Note 1 in Table 2b) 9.
For SBO sequences, core uncoverying is estimated to occur in approximately 1.6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (Ref. 8, Table 7.1, 5800 sec). The actual time for recovering offsite power is assumed to be 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, which allows approximately 30 minutes (actually 36 minutes or 0.6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />) for the operator to perform the necessary system recovery actions.
The probability of not recovering offsite power, for the weighted average of all types of LOOPs, within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is 0.3 (Ref. 6, Table 6-1). Therefore, OEP-XHE-NOREC-ST is set to 0.3.
LER 395/00-006 12 Table 5. Basis for the probabilities of sequence-specific recovery actions Seq. no. and basic event Failed systems and recovery time1,2 Nonrecovery probability Combined failure probability Modification remarks (also see footnotes) 18-22 LOOP-18-22-NREC EDG (1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />)
AFW-L 0.84 0.503 0.42 Recovery of turbine-driven EFW pump (SBO) 20 TRANS-20-NREC AFW MFW-T F&B 0.0414 1
0.84 0.034 Recovery of turbine-driven EFW pump (non-SBO) 17 LOOP-17-NREC AFW-L F&B-L 0.0414 0.84 0.034 Recovery of turbine-driven EFW pump (non-SBO) 18-05 LOOP-18-05-NREC EDG (4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />)
Offsite Power (4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />) 0.5 0.048 0.024 Include Rhodes RCP seal LOCA model 18-07 LOOP-18-07-NREC EDG (4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />)
Offsite Power (4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />) 0.5 0.048 0.024 Include Rhodes RCP seal LOCA model 18-08 LOOP-18-08-NREC EDG (4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />)
Offsite Power (4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />) 0.5 0.048 0.024 Include Rhodes RCP seal LOCA model 18-14 LOOP-18-14-NREC EDG (4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />)
Offsite Power (4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />) 0.5 0.048 0.024 Include Rhodes RCP seal LOCA model 18-16 LOOP-18-16-NREC EDG (4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />)
Offsite Power (4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />) 0.5 0.048 0.024 Include Rhodes RCP seal LOCA model 18-17 LOOP-18-17-NREC EDG (4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />)
Offsite Power (4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />) 0.5 0.048 0.024 Include Rhodes RCP seal LOCA model Notes:
1.
Based on the SPAR model (Ref. 6), nonrecovery probability for an EDG is exp(-0.173t), where t is recovery time in hours. When multiple EDGs are failed, only one EDG is considered for recovery, since operators would attempt to recover only one EDG.
2.
Recovery times used in the SPAR model are as follows:
1 hour--core uncovery due to loss of heat removal during a station blackout (Ref. 8, Table 7.1) 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />s--core uncovery due to RCP seal LOCA (update based on Rhodes Model, Ref. 13) 3.
Based on HRA analysis (see Attachment 1). Note: The additional contribution of the turbine-driven EFW pump failing to start and recovery from failure to start is small (0.03 x 0.5 = 0.015) compared to the human error of (0.5) and is not included here.
4.
Based on HRA analysis (see Attachment 1).
LER 395/00-006 13 - HRA Calculations
- 1. Nonrecovery of Turbine-Driven EFW Pump Train - SBO Conditions To account for potential turbine-driven EFW pump recovery, a revised value of EFW system nonrecovery probability was calculated for SBO and non-SBO sequences (see Table 5). As described in footnote 9 to Table 4, the actual time for recovery is assumed to be 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, which allows an additional 30 minutes (approximate) for the operator to perform the necessary system recovery actions. Recovery of the turbine-driven EFW train entails the following diagnosis and physical action tasks:
Recognize during a postulated SBO that the turbine-driven EFW pump is available and the pump discharge manual-operated valve is locked in the closed position (diagnosis).
Unlock and open the valve (action).
The ASP Program methods for human reliability analysis (HRA) (Ref. 7) were used to estimate EFW nonrecovery probabilities based on actual event conditions. The HRA involves estimating failure probabilities for diagnosis and action portions of the recovery task, including scenario dependency factors, as discussed below.
Recognize that the turbine-driven EFW pump is available and the pump discharge manually operated valve is locked in the closed position (diagnosis)
In an event requiring the turbine-driven EFW pump, the operators would know that a problem exists with the EFW system because they would observe that the turbine-driven pump is running and there would be no EFW flow to the steam generators.
Examining the local turbine-driven EFW pump flow and discharge pressure indications would indicate that the problem is not with the pump itself. This would prompt them to look at the downstream piping. Downstream of the pump flow indication the recirculation line branches off before a check valve and the manual isolation valve in question (XVG-1036).
Stress on the operators. Because this would be an infrequent and emergency situation (SBO) with multiple equipment failures (i.e., both emergency diesel generators) and the only means for providing auxiliary feedwater (turbine-driven EFW pump) is not providing flow to the steam generators, the performance shaping factor (PSF) level for stress is extreme (PSF multiplier is 5).
Ergonomics. The diagnostic would have to be done outside the control room with an SBO in progress. The NRC Inspection Report (Ref. 2) provides the following information about lighting and equipment configuration:
Flashlights would be required for lighting in the area of the discharge valve due to the emergency lighting being located on the opposite side of the mezzanine level. The discharge isolation valve is not located adjacent to the turbine-driven EFW pump but in an overhead mezzanine. The valve is properly labeled; however, the valve is in a congested area with the valves and components in a somewhat remote corner on the mezzanine level. The valve was locked with a colored chain reserved for locked-open valves, which would give some confidence to the operators that the valve was in the correct position.
LER 395/00-006 14 Initially, the operators would see the colored chain that indicates an open valve, and this indication is clearly misleading (PSF multiplier of 50). However, when very likely they find no other cause of the blocked flow, they will take a closer look at the system, checking each valve. During this second check (and subsequent checks, if necessary) they will likely question (and perhaps doubt) or possibly ignore such indications as the colored chain and will begin checking valve positions. During this action there would be no misleading indications, and the PSF could be considered as good as nominal. However, the operators check of the manual valve is limited to observing the rising stem because, at this point, the valve is still locked and the operator cannot manually check the valve position. Preventing the operator from positively checking the valve by turning the handwheel is considered poor ergonomics, and a PSF of 10 was selected.
Procedures. Emergency operating procedures (EOP) direct the operators to check the turbine-driven EFW pump and the discharge flow control valves (Ref. 2). There is no guidance to specifically check the pump discharge valve; however, the procedures have directed operators to the key elements (pump and control valves).
Additional inspections would very likely be conducted locally by skill of the craft.
The procedures are not incorrect or misleading; therefore, no penalty was taken for this PSF, and the nominal PSF (multiplier of 1.0) was selected for procedures.
The nominal failure probability for a cognitive error used in the SPAR model is 0.01. Therefore, the probability of cognitive error for this diagnosis activity is 0.5
(= 0.01 x 5 x 10).
Unlock and open the valve (action)
Given that the operators had properly diagnosed that the pump discharge valve was inadvertently in the closed position, unlocking and opening the valve would not require any special act, except, perhaps, locating the key or bolt cutters. Therefore, nominal failure probability used in the SPAR model of an error to complete a physical action (0.001) was reasonably assumed.
Dependency condition The ASP HRA methodology defines a dependency condition as the failure of a previous task that impacts the successful completion of a second task in a sequence.
The station blackout Sequence 18-22 has three operator actions (recovery of offsite power, an emergency diesel generator, and the turbine-driven EFW discharge valve);
however, these actions are independent of one another. Therefore, the dependency condition is zero.
Total nonrecovery (SBO conditions)
The total EFW system nonrecovery for SBO conditions is the sum of the diagnosis and the action nonrecovery values. Total nonrecovery (SBO) is 0.501 (= 0.5 + 0.001).
LER 395/00-006 15 2.
Nonrecovery of Turbine-Driven EFW Pump Train - Non-SBO Conditions Recovery of the turbine-driven EFW pump train entails the same diagnosis and physical action tasks used for the SBO case. The only differences are the PSF levels for stress and complexity.
Recognize that the turbine-driven EFW pump is available and the pump discharge manual-operated valve is locked in the closed position (diagnosis)
Stress on the operators. Because this would be an infrequent and emergency situation (reactor transient) with multiple equipment failures (i.e., both motor-driven EFW pumps and main feedwater system), the PSF level for stress is high (PSF multiplier is 2).
Complexity of the task. The operators would need to look at both the turbine-driven EFW pump flow and discharge pressure indications and the position of EFW flow control valves to recognize this condition. The operators may also be looking at the other two pumps to determine if the problem is with one of those pumps. This would increase the complexity of the problem. The PSF level for complexity is moderate (PSF multiplier is 2).
The nominal failure probability for a cognitive error used in the SPAR model is 0.01.
Therefore, the probability of cognitive error for this diagnosis activity is 0.04
(= 0.01 x 2 x 2).
Unlock and open the valve (action)
For the same reasons as the SBO case, the nominal human error value of 0.001 was used.
Total nonrecovery (non-SBO conditions)
The total EFW system nonrecovery for non-SBO conditions is the sum of the diagnosis and the action nonrecovery values. Total nonrecovery (non-SBO) is 0.041
(= 0.04 + 0.001)
16 ATTACHMENT 2 - RESPONSE TO SPECIFIC COMMENTS BY THE LICENSEE Comment 1-High temperature seals were installed on two of three reactor coolant pumps (RCPs) at the time of the event. The B RCP seal was changed during the refueling cycle 12 that started in October 2000. High temperature seals had been installed in refueling cycles 10 and in 11 in RCPs C and A respectively prior to the September 2000 event.
Response to comment 1-The licensee stated that new seals were installed in only two of three RCPs in the reactor coolant system prior to the identification of operating condition. Since one old RCP seal would control the probability and the timing of seal failure, we judged that no quantification changes to Loss of Offsite power event tree in the preliminary precursor analysis were necessary.
Comment 2- - Human reliability analysis (HRA) Calculations, Item 1, on page 13, under Unlock and open the valve (action). The NRC analysis assumed that operators would have to locate the key or bolt cutters to unlock and open the discharge valve for the emergency feedwater (EFW) system. The lock is a plastic lock, similar to those on a service meter, that is made to be broken open by hand. The chain is light-weight and is designed to be broken, if necessary, at the valve without cutters. This feature will save the time of locating keys or bolt cutters.
Response to comment 2-The licensee indicated that the lock for the EFW discharge valve was a plastic lock. The chain for the valve was light-weight. Both the lock and the chain could have been broken on demand during the recovery phase at the valve location easily without cutters. This feature would have saved the time of locating keys or bolt cutters. Therefore, the recovery action time required for opening the isolated discharge valve might have been lower than the 30 minute time interval which was assumed in the human reliability analysis portion of the preliminary precursor analysis (PPA). However, the lower time may not be significant enough to credit to the previous nominal performance shaping factor (PSF) level that was assigned to available time PSF in the PPA. Therefore, the final precursor analysis (FPA) assigned the same nominal PSF level (a multiplier of 1) to available time PSF.
The PPA assigned moderate PSF level (a multiplier of 2) to complexity PSF. The licensee indicated that the lock for the isolated discharge valve might have been broken open by hand easily. Therefore, the FPA gave credit to the previous nominal PSF level (a multiplier of 1) to complexity PSF.