Forwards Final Accident Sequence Precursor Analysis of Operational Condition at Unit 2,as Reported in LER 96-002. Encl 2 Contains NRC Responses to Util Specific Comments

ML20203C536
Person / Time
Site:	Mcguire
Issue date:	12/08/1997
From:	Rinaldi F NRC (Affiliation Not Assigned)
To:	Barron H DUKE POWER CO.
References
NUDOCS 9712150335
Download: ML20203C536 (21)
v • d • e

Text

.

Mr. H. B. 8:rron December 8, 1997 Vice Pr:sident, McGuira Sita Duk3 Energy Corporction 12700 Hagers Ferry Road Huntersville, North Carolina 28078

SUBJECT:

REVIEW OF PRELIMINARY ACCIDENT SEQUENCE PRECURSOR ANALYSIS OF CONDITION AT MCGUIRE NUCLEAR STATION, UNIT 2

Dear Mr. Barron:

Enclosed for your information is a copy of the final Accident Sequence Precursor analysis of the operational condition at McGuire Nuclear Station, Unit 2 reported in Licensee Event Report (LER) No.370/96-002. This final analysis (Enclosure 1) was prepared by our contractor at the Oak Ridge National Laboratory, based on review and evaluation of your comments on the preliminary analysis and comments received from the NRC staff and from our independent contractor, Sandia National Laboratories Enclosure 2 contains our responses to your specific comments. Our review of your comments employed the criteria contained in the material which accompanied the preliminary analysis. The resu!ts of the final analysis indicate that this event is a precursor for 1996.

Please contact me at 301-4151447 if you have any questions regarding the enclosure. We recognize and appreciate the effort expended by you and your staff in reviewing and providing comments on the pr%minary analysis.

Sincerely, ORIGINAL SIGNED BY:

Frank Rinaldi, Project Manager Project Directorate ll 2 Division of Reactor Projects - l/ll Office of Nuclear Reactor Regulation Docket No. 50-370

Enclosures:

As stated (2) cc w/encis: See next page Q \\

Distribution:

h l )

easehet Filey HBerkow ACRS PO'Reilly, AEOD PUBLIC LBerry JJohnson, Ril PD ll 2 Rdg.

FRinaldi COgle, Rll BBoger OGC GMays, AEOD To receive a copy of this document, Indicate in the box:"C" = Copy without attachment / enclosure "E" = Cop with attachment / enclosure "N" = No copy OFFICE P M:l b,1 % 4 LA:PDilR p DJ)D/l2 NAME FRinaldiM "

LBerry \\/b I;W%fkhw OATE N f/97 W/S/97 7 it/ d97

/ /97

/ /97

/ /97 DOCUMENT NAME: G:\\MCGulRE%SPSTDF6.MGS OFFICIAL RECORD COPY il.l!lll1.hlllll 1

!.I 1.1 v,

9712150335 9h1208

"" ~"" 0" W "9iM"'pM PDR ADOCK 05000370 E

S PDR

s @ *tou a

po UNITED STATES g

,j NUCLEAR REGULATORY COMMISSION WASHIN0foN D.C. 3066H001 k[...../

December 8, 1997 Mr. H. B. Barron Vice President, McGuire Site i

Duke Energy Corporation 12700 Hagers Ferry Road Huntersville, North Carolina 28078

SUBJECT:

REVIEW OF PRELIMINARY ACCIDENT SEQUENCE PRECURSOR ANALYSIS OF CONDITION AT MCGUIRE NUCLEAR STATION, UNIT 2

Dear Mr. Barron:

Enclosed for your information is a copy of the final Accident Sequence Precursor analysis of the operational condition at McGuire Nuclear Stailon, Unit 2, reported in Licensee Event Report (LER) No.370/96-002. This final analysis (Enclosure 1) was prepared by our contractor at the Oak Ridge National Laboratory, based on review and evaluation of your comments on the preliminary analysis and comments received from the NRC staff and from our independent contractor, Sandia National Laboratories. Enclosure 2 contains our responses to your specific comments. Our review of your comments employed the criteria contained in the material which accompanied the preliminary analysis. The results of the final analysis indicate that this event is a precursor for 1996.

Please contact me at 301-4151447 if you have any questions regarding the enclosure. We recognize and appreciate the effort expended by you and your staff in reviewing and providing comments on the preliminary analysis.

Sincerely, hwh d#

Frank Rinaldi, Project Manager Project Directorate 11-2 Division of Reactor Projects -l/Il Office of Nuclear Reactor Regulation Docket No. 50-370

Enclosures:

As stated (2) c0 w/encis: See next page

McGuire Nuclear Station ec:

Mr. Paul R. Newton Ms. Karen E. Long Legal Department (PBOSE)

Assistant Attorney Ger'eral

]

Duke Energy Corporation North Corolina Department of 422 South Church Street Justice Charlotte, North Carolina 28242 P. O. Box 629 Raleigh, North Carolina 27602 County Manager of Mecklenburg County Mr. G. A. Copp 720 East Fourth Street Licensing - EC050 Charlotte, North Carolina 28202 Duke Energy Corporation 526 South Church Street Michael T. Cash Charlotte, North Carolina 28242 Regulatory Compliance Manager Duke Energy Corporation Regional Administrator, Region ll McGuire Nuclear Site U.S. Nuclear Regulatory Commission 12700 Hagers Ferry Road Atlanta Federal Center Huntersvlile, North Carolina 28078 61 Foisyth Street, S.W., Suite 23T85 Atlanta, Georgia 30303 J. Michael McGarry, Ill, Esquire Winston and Strawn Elaine Wathan, Lead REP Planner 1400 L Street, NW.

Division of Emergency Management Washington, DC 20005 116 West Jones Street Raleigh, North Carolina 27603-1335 Senior Resident inspector clo U.S. Nuclear Regulatory Mr. Richard M. Fry, Director Commission Division of Radiation Protection 12700 Hagers Ferry Road North Carolina Department of Huntersville, North Carolina 28078 Environment, Health and Natural Resources Mr. Peter R. Harden, IV 3825 Barrett Drive l

Account Sales Manager Raleigh, North Carolina 27609-7721 Westinghouse Electric Corporation Power Systems Field Sales Mr. T. Richard Puryear P. O. Box 7288 Owners Group (NCEMC)

Charlotte, North Carolina 28241 Duke Energy Corporation 4800 Ctacord Road Dr. John M. Barry York, South Carolina 29745 Mecklenberg County Department of Environmental Protection 700 N. Tryon Street Charlotte, North Carolina 28202 i

i

LER No. 370/96-002 LER No. 370/96-002 Event

Description:

20 cmergency diesel generator inoperable due to slow instrumentation response Date of Event: March 6,1996 Plant: McGuire Unit 2 Event Summary McGuire Unit 2 was at 100% power when the 2B Emergency Diesel Generator (EDG),,,hich was undergoing a scheduled operating test, tripped on a false low lube oil pressure signal shortly aner starting (Ref.1). The test failure was the result of air entrainment into the instrument line for the lube oil piping curr.bir.:d v.ith !cw room temperature. Personnel determmed that these conditions (air ingress and cold room temperature), which were deemed sufucient to cause the 2B EDG to trip, existed for a combined total of 540 h. (The 540.h total was distributed over four separate occasions where the 72.h single EDG outage allowed by Technical Specifications was exceeded.) This long term unavailability of the 2B EDO could have affected the units' response to a loss of offsite power (LOOP). The estimated increase in the core damage probability (CDP) over the 540.h period for this event (ia., the importance)is 1.8 = 10. The base probability of core d mage 4

(the CDP) for the same period is 1.2 = 104 Event Description Unit 2 was at 100% power on February 6,1996. The 2B EDO was scheduled for a non prelubricated start test. The 2B EDO reached 95% of rated speed in 9 s (Ref. 2). The 2B EDO tripped on a low lube oil pressure signal 30 s later (39 : aner starting the EDG). Indicated pressure was 15-20 psig and decreasing; normal operating pressure is 40 psig. liowever, personnel detennined that the low lube oil pressure indication was false. The low pressure indication resuhed from a slow instrument response duc in air entrainmer.t into the instrument line for the lube oil piping, coupled with the low EDO room temperature. (An inadequate design l

of the instrument lines allowed for air to be introduced into the system. The lube oil pressure switch impulse line for the 2B EDG is -70 ft long. The licensee indicated in tne LER that this length is excessive.) The cool EDO room temperature added to the slow instrument response by increasing the viscosity of the oil in the instrument line. Since the low lube oil pressure trip signal is not bypassed on an emergency start of the EDGs, the failure was classified as a valid test failure.

The lowest recorded EDO room temperature in the 7 d preceding the EDG failure to start was 62'F. EDO room temperature was 68'Fjust before the test. On March 6,1996, the licensee determined that the 2b EDG should be considered inoperable with the current instrument line configuration when the EDO room temperature is < 71'F and the before and after (BAA) lube oil pump is not runrung. Lased on these criteria, t

all other station EDGs were determined to be operable at the time the 2B EDO failed its operating test. Based i

on a review of the log books containing the EDO room temperature readings, the licensee calculated that de 2B EDO was susceptible to this type of failure for a total of 666 h. Because the B&A lube oil pump runs for 1

-. ~ - - - -. - -. _

b LER No. 370/96-002 i

l$ min during each hour, the licensee estimated that the 2B EDO was susceptible to this type of failure only 75% of the time-a total of 499.5 h. Nuclear Regulatory Commission (NRC) inspectors,in NRC Inspection Report 50 370/96 02 (Ref. 2), noted that previous EDG trips occurred while the B&A lube oil pump was running. Therefore, the NRC inspectors discounted the assumption that running a B&A lube oil pump at the time of a start demand with the EDG room temperature below,l'F would have prevented this type of failure of the EDG to start. The 2B EDG was susceptible to these failure conditions on numerous separate occasions through the winter (for a total of 666 h), however, there were only four occurrences of the potential failure conditions that exceeded the EDG Technical Specification Action Statement limit of 72 h. The NRC inspection report (Ref. 2) tallied the total amount of time for the four occurrences that the room temperature dropped below 71'F and determined that the four susceptibility periods totaled 540 h.

Additional Event-Releted Information McGuire Nuclect Station maintains a Safe Shutdown Facility (SSF) designed to provide an alternate and i, dependent means to achiese and maintain hot standby conditions (Ref. 3). The facility includes an EDG that can be used to operate a positis e displacement pump to supply seal injection water to the reactor coolant pump (RCP) seals, preventing an RCP seal loss of coolant accident (LOCA). Credit for the SSF is included in the ASP models via a separate top event in the LOOP event tree.

The most important recovery action with respect to this condition assessment is the possibility of restoring ac powe; to Unit 2 from Unit i via a cross tie, given a station blackout at Unit 2. Because procedures exist detailing this operation, it is considered a viable option. Recovery via the cross tie is included as a basic event imbedded in several LOOP event fault trces.

There was a brief period (5.3 h) when both EDU. were technically out of service due to maintenance activities on Motor Contrc; Center IEMXH 1, which alTected ventilation. The 2A EDG was functionally available and would base performed its design function. Technical Specifications allow both EDGs to be out of senice for up to 8 h.

Modeling Assumptions Similar to the licensee's analysis of this event (Ref.1), the failure probability of the 2B EDG was set to 1,0 (TRUE) for this condition assessment. The duration was set to $40 h per the NRC inspection report.

r However, sensitivity studies were examined for the total time (666 h) the 2B EDG was determined to meet the low temperature criteria and the discounted time (499.5 h) the 2B EDG was determined to be unavailab!:

based on the hourly B&A pump operation (value assumed by the licensee).

The lic:nsee suggested that if aa actual failure to start occurred under circumstances similar to the conditions that existed since February 6, then a second start attempt would likely be successful (Ref.1). Therefore, the emergency power nonrecovery probability (EPS XHE NOREC) was adjusted from 1.0 to 0.34, as shown in Table I, to reficct the fact that the equipment appeared recoverable and was accessible (Recovery Class 2).

The 2B EDO failure appears to be a failure mode unique to the physical setup of the lube oil pressure instrumentation lines on the 2B EDG A similar failure of the A EDG was documented by special report

]

c--

-,n,..

-.ev,v

--r,,

1.ER No. 3*l0/96-002 25 months earlier (Ref. 4). The length of time between esents and, consequently, the number of successful suncillance tests between esents indicates that the two failures were random rather than having any common.

cause effects. Consequently, the common cause failure probability for the EDGs was not adjusted from the 5

nominal value of 1.1 = 10 shown in Table 1.

During the 5 h period that both EDGs were declared unavailable, the 2A EDG wa; functionally available and would have performed its design function. This 5 h period was not considered separately when calculating the increase in the CDP over the entire 540 h period because the importance (i e., the increase in the CDP) is less than the ASP cut off value of 1.0 = 10' Credit for the SSF at hicGuire was accounted for by adding a fault tree at the SSF branch point in the LOOP event tree shown in Fig 1. The nominal probability of SSF failure is 0.36 based on information in the plant's Individual Plant Eramination (Ref. 5) The nominal SSF failure probability is derived from the failure probabilities, listed in Table 1, for the basic events SSFEDG Fails (SSF DGN FC 1), Operator fails to Start SSFEDG Within 10 Afonutes (SSF XfiE XNi DGN), and SSF Unavailable Due to Alaintenance (SSF.X11E-hiAINT).

Additionally, ac power to the emergency buses was recoserable by implementing a cross tie to Unit 1. Based on a telephone comersation with the licensee (Ref. 6), it was assumed that personnel could cross tic the power buses at Unit I with the buses at Unit 2 in less than I h 50% of the time, and within 2 h 95% of the time. The recosery of power by implementing a cross tic to Unit I was modeled by adding the basic event Failure to Cross Tse Emergemy Power Wsthin 90 Afsn (OEP XilF, XTIE) to the hicGuire fault trees for failure to recover power before the core uncovering given an RCP seal LOCA (OP SL) and before battery depletion gisen no seal LOCA (OP BD). Failure to cross tic to Unit I wr,s modeled as a time-reliability correlation (TRC) as desenbed in Ref. 7. The probability distnbetion for this TRC is lognormal, with an error factor of 2.0 based on the liceruce time estimates (Ref 6). The median response time of 60 min was assumed to include any delays in initiating the cross tie procedure. Without power, a seal LOCA was assumed to occur aller 60 min, and the core would begin to uncover in an additional 30 min. The probability of crew failure at 90 min, estimated using this TRC and response time,is 0.17.

The actions to man the SSF and to cross tic emergency power were assumed to be independent for this analysis. This assumption would have to be confumed for an event occurring outside the day shift because it is unknown if sutTicient personnel would be available during the period betwei.n 5:00 p m and 8:00 a m.

to perform all the necessary actions in parallel.

Analysis Results 4

The increase in the CDP (i c., the importance) over a 540-h period for this event is 1.8 = 10 This is an increase over the nominal CDP of 1.2 = 10" The dominant core damage sequence for this event (sequence 41 on Fig.1) involves 3

9 LER No. 370/96-002 a postulated LOOP, a successful reactor trip, e

failure of emergency power, and failure of the auxiliary feedwater (AFW) system.

+

This sequence accounts for 38% of the total contribution to the increase in the CDP. Sequences 29 and 39 are similar, but LOOP sequence 39 involves a power operated relief valve (PORV) lift and successful reclosure. Combined, these two sequences account for an additional 36% of the total contribution to the increase in the CDP (Table 2). Core damage in these two sequences (29 2nd 39) is the result of a failure of the SSF and a resulting seal LOCA. Core damage results from battery depletion m two additional sequences (16% of the increase in the CDP) and results from a failure of a PORV to reclose in one other sequence (8%

of the increase in the CDP).

The increase in the CDP over a 666-h period for this event is 2.2 = 10 if the 2B EDG !s assumed to be 4

inoperable for the collective total time the 2B EDO room temperature was below 71'F as repceted by the liwnsee. This is sa increase oser the nominal CDP for 666 h of 1.5 = 104 The dominant core damage sequence for this, mi vity case study is the same as it is for the 540-h analysis. Similarly, if a 499.5 h period is assumed (as the licensee conunds is the most appropriate period when the operation of the B&A 4

pump is considered), the increase in the CDP is 1.6 = 10* over the nominal CDP for 499.5 h of 1.1 = 10.

These sensitivity studies show that there is not much difference with respect to the CDP e.mong unavailabilities of 499.5,540, and 666 h.

Definitions and probabilities for selected basic events are shown in Table 1. The conditional probabilities associated with the highest probability sequences are shown in Table 2. Table 3 lists the sequence logic associated with the sequences listed in Table 2. Table 4 describes the system names associated with the dommant sequences. Minimal cut sets associated with the dominant sequences are shown in Table 5.

Acronyms AFW auxiliary feed;.ater system B&A before and after lube oil pump CCDP conditional core damage probability CDP core damage probability EDO emergency diesel generator LOCA loss-of-coolant accident LOOP loss of offsite power NRC Nuclear Regulatory Commission PORV power operated relicf valve PWR pressurized water reactor RCP reactor coolant pump SGTR steam generator tube rupture SLOCA small break LOCA SSF safe shutdown facility TRANS transient

LER No. 370/96-002 References

1. LER 370/96 002, Rev. O,"Past inoperability of Emergency Diesel Generator 2B Due to Low Lube Oil Pressure Caused by Unanticipated Interaction of Systems and Components," March 29,1996.

2. NRC Inspection Report No. 50 370/96 02, inspection Conducted: March 11 - April 1,1996.

3. AnalSafety Analysis Report, McGuire Nuclear Station.

4.

Duke Pour Company, Dscscl Generator SpecialReport, McGuire Nuclear Station, Special Report 94 01 (PIP 2 M94 0242), March 15,1994.

5. McGuire Nuclear Station,IndmdualPlant & amination.

6.

Conference call with McGuire licensing and probabilistic risk assessment stalT, September i 1,1997.

7. E. M. Dougherty and J. R. Fragol., Human Relfabthty Analysts, John Wiley and Sons, New York,1988.

l l

1 5

LER No.370/96 002 If 555585885885588558855855858885585585888888

~

.......ssacaratstar.nnamanssassaamahaatse g

tll i

lgl l

I ll l

gl l ill i

l

(

g llll l

l!

ill!

t ll lil!

t E

Illi!

I lil I

l t

I!

l i

i:

I I

i lIl a

lit i

11ll1 1

Fig.1. Dominant core damage sequence for LER No. 370/96 002.

6

_, ~. -.

,.r

- -,, -,.--_- ~.-_-.-_

._y-.,-

3 LER No. 370/96-002 Table 1. Definitions and Probabilities for Selected Hasic Events for LER No.370/96-002 Modified Event Bue Current for this name Description probability probability Type event IE LOOP istaatmg Event-LOOP 9.3 E406 9.3 E 006 No l

IE SOTR trutisting Esent-Steam oenerator 1.6 E 006 16 E 006 No Tute Rupture IESLOCA initssteg Event-SLOCA 1.00006 100006 No IE TRANS Initiating E tent-Transient

$ 3 E 004 S.3 E404 No (TRANS)

Alv TDP-1C l A Turtrine Dmen AIW Pump Fails 3.2 E 002 12 E 002 No AlW XHE NORIC-EP Operator rails to Ruover AfW 3 4 E 001 3 4 E 001 No During a Station illackout (SBO)

EPS DON CF ALL Common Cauw Failure of EDOs 1.1 E 003 1.10003 No EPS. DON iC l A EDO A Iails 4.2 E 002 4 2 E402 No EPS-DON IC lB EDO B isite 4.2 E 002 10 E+000 TRUE Yes EPS X)lE NOREC Operator f ails to Recover 10E4000 3 4 E 001 Yes Emergency Power OEP X110 NOREC-BD Operator fails to Ruover OfTaite 9.7 E 002 9.7 E 002 No Power Before Battery Depletion OEP XilE NOREC SL Operator fails to Ruover O(hite 7 4 E 001 7 4 E 001 No Power During a sealIIEA OEP XilE XTIE Failure to Crou-Tie w Power I.7 E 001 1.7 E 001 NEW No from the Oppunite Urut PPR SRV CO SB0 IORVs Open Dunns an $80 3.7 E 001 3.7 E 001 No PPR SR"OO PRVi IORY l I ails to Rulow 2 0 E 003 2 0 E 003 No PPR SRV DO PRV2 IORY 2 Fails to Rwlow 2 0 E 003 2.0 E 00)

No PPR SRV CX1PRV3 IORV 3 Fails to Rwlow 2 0 E 003 2.0 E 003 No RCS-MDP LK SEALS RCP Seals f ail Without Cooling 2.3 E 001 2.3 E401 No and tryation Water SSF DON FC l

$$F EDO Fails 2 0 E 001 2 0 E-001 NEW No

$$F XHE MAINT

$$F Unevaihble Due to 6 i E402 6.1 E 002 NEW No Maintenarwe

$$F XHE XM.[X)N Operstor Fails to Start $$F EDO 1.0 E401 1.0 E 001 NEW No Withm 10 Mm 7

.....m

~. -., _..

. - --.= - -

t i

I LER No. 370/96-002 l

i Table 2. Sequence Conditional Probabilities for LER No. 370/96-002 i

Conditional Event tree Sequence ccre damage Core damage importance Percent name number probability probability (CCDP. CDP) contribution' (CCDP)

(CDP)

LOOP 41 8.0 E.007 1.2 E 007 6.7 E 007 38.3 LOOP 29 4.8 E 007 7.6 E 008 4.0 E.007 23.0 LOOP 39 2.8 E 007 4.4 E 008 2.3 E 007 13.4 LOOP 22 2.1 E.007 3.3 E 008 1.7 E 007 10.1 LOOP

5. 40 1.6 E 007 2.5 E 008 1.3 E.007 7.7 i

LOOP 32 1.2 E 007 a.9 E.008 1.0 E 007 5.9 Total (all sequences) 3.0 E 006 1.2 E.006 1.8 E 006 ki,

3

'l4nent contnhutnist to the totalimgwtarwe, 4

1 I

4 J

S

.. ~

9 LER No. 370/96 002 i

i Table 3. Sequence Logic for Dominant Sequences for LER No. 370/96 002 1

Event tree name Sequence Logic number

/RT L EP AFW L EP LOOP 41 LOOP 29

/RT.L. EP, /AFW.L.EP, /PORV.SBO, SSF, SEALLOCA, OP.SL i

5 LOOP 39

/RT.L. EP, /AFW.L.EP, PORV.SBO,

/PORV.EP, SSF, SEALLOCA, OP.SL LOOP 22

/RT.L. EP, /AFW.L.EP, /PORV.030, SSF,

/SEALLOCA, OP.BD LOOP 40

/RT.L, EP, /AFW.L.EP, PORV.S BO, PORV.EP LOOP 32

/RT.L. EP, /AFW.L.EP, PORV.SBO,

/PORV.EP, SSF, /SEALLOCA, OP.BD -

Table 4 System Names for LER No.370/96-002 System name Logic AFW.L.EP No or Insufficient AFW Flow During a Station Blackout EP Failure of Both Trains of Emergency Power OP.BD Operator Fails to Recover Offsite Powtr Before Battery Depletion OP.SL Operator Fails to Recover Offsite Power During a Seal LOCA PORV.EP PORVs Fail to Reclose (No Electric Power)

PORV.SBO PORVs Open During a Station Blackout RT L Reactor Fails to Trip During a LOOP SEALLOCA RCP Seals Fail During a LOOP SSF Safe Shut Down Facility Failure 9

eN==r--Tw-wwwwe wy-mwwww-w-rrwmW gassrww,-ww, e,w ww -w ww w vwi-w - ww wwwwam ww w,w &-eymy*

ww www--w-w-ur-y w--,,,---.r

---y-t waw-w rw V t my-w-s---

g-

• M W

'-19-WW'fM'@

q-W*-

w

---

u-Wgg F---

-1

... =-..

=.-

LER No. 370/96 002 Table 5. Conditional Cut Sets for Higher Probability Sequences for LER No. 370/96-002 Cut set Percent number contribution CCDP' Cut sets'

+>

LOOP Sequence 41 8.0 E 007 s

1 961 7.P E-007 EPS-DON FC.IA EPS-DGN FC.IB, EPS XI{E NOREC, AN TDP-FC lA, Af%X11E NOREC EP 2

2.6 2.0 E 008 EPS don.CF.ALL, EPS X1tE NOREC, Al%TDP-FC lA, AN XllE NOREC EP LOOP Sequence 29 4.8 E 007 1

53.9 2.6 E 007 EPS don rC 1 A, EPS-DON FC IB, EPS XilE.NOREC,

/PPR SRV CO-SBO, SSF DGN FC 1, RCS MDP LK SEALS, OLP X11E-NOREC SL,OEP XilE XTIE 2

27.0 1.3 E 007 EPS-DON FC lA,EPS DGN FC IB.EPS-XilE NOREC,

/PPR SRV CO.SDO, SSF X1tE XM DON, RCS-MDP LK4EALS, OEP XilE NOREC SL,OEP XIIE XTIE 3

16.5 8.0 E 008 EPS-DON IC l^, EPS-DGN-FC 1B, EPS X1tE NOREC,

/PPR SRV CO-SBO, SSF X1tE MAINT. RCS-MDP LK-SEALS, OEP X1tE NOREC SL,OEP XilE XTIE LOOP Sequence 39 2.8 E 007 1

53.9

-1.5 E 007 EPS-DON FC 1A, EPS DGN FC 1B, EPS XI{E NOREC, PPR SRV CO SBO, $$F DGN-FC 1, RCS-MDP LK SEALS, OEP X11E NOREC SL,OEP-X}iE XTIE 2

27.0 7 5 E-008 EPS DON FC lA,EPS-DON FC ID EPS XilE NOREC, PPR SRV CO SBO, SSF X11E XM l'GN, RCS-MDP LK SEA 1.S.

OEP X)iE NOREC SL,OEP XilE XTIE 3

16.5 4.6 E 008 EPS-DGN FC l A, EPS-DGN FC IB, EPS-XllE NOREC, PPR SRV CO SBO, SSF X11E MAINT, RCS MDP LK CALS, OEP XIIE NOREC SL,OEP XilE XTIE LOOP Sequence 22 2.1 E 007 1

53.9 1.1 E 007 EPS-DON FC IA, EPS-DON FC 1B, EPS X1tE NOREC,

/PPR SRV CO SBO, $$F DON FC l /RCS MDP LK SEALS, OEP X11E NOREC-BD,OEP X11E XTIE 2

27.0 5.7 E 008 EPS-DON FC IA, EPS-DON FC 1B, EPS XilE-NOREC,

/PPR SRV CO SBO, S$F X11E XM-DGN,/RCS MDP-LK SEALS.

OEP X11E NOREC BD,OEP X11E XTIE 10

LER No. 370/96-002 Table 5. Conditional Cut Sets for Higher Probability Sequences for LER No. 370/96-002 Cut set Percent number contribution CCDI" Cut sets' 3

16.5 3.5 E 008 EPS-DGN FC lA EPS DGN FC 1B EPS X}{E NOREC,

/PPR SRV CO-SBO,S$F X}{E htATNT,/RCS MDP LK SEALS, OEP XI{E-NOREC-BD,OEP XilE XTIE LOOP Sequence 40 1.6 E 007 1

32.5 5.3 E 008 EPS don rC 1A, EPS-DON FC 1B.EPS XilE-NOREC, PPR SRV CO SBO,PPR SRV OO PRV1 2

32.5 5.3 E 008 EPS DON FC 1A,EPS-DGN FC ID,EPS XllE-NOREC, PPR SRV CO-SBO, PPR SRV OO-PRV2 3

32.5 5.3 E 008 EPS-DON-FC 1 A, EPS DON FC 1B, EPS X}{E-NOREC, PPR SRV CO SBO, PPR SRV OO PRV3 LOOP Sequence 32 1.2 E 007 1

32.5 6.7 E 008 EPS-DGN FC l A, EPS DON FC IB, EPS X}{E NOREC, PPR SRV CO SBO, SSF DGN FC 1,/RCS MDP LK SEALS, OEP XilE-NOREC BD,OEP XllE-XTIE 2

32.5 3.3 E 008 EPS don FC lA, EPS-DON FC 18. EPS-XI{E NOREC, PPR SRV CO SBO,$$F XI!E XM DON,/RCS MDP LK SEALS, OEP XilE-NOREC BD,OEP X11E-XTIE 3

32 5 2.0 E 00g EPS DON TC 1A, EPS DON FC lB. EPS-X11E NOREC, PIR SRV40 SBO,SSF XilE-MAINT,RCS MDP tK SEALS, OEP XI!E.NOREC SL,OEP XIIE XFIE Total (all sequences) 3 0 E-006

• fhe CCDP is determmed by mul6 plying the probabihty that the portion of the sequence that makes the precursor visible (e g., the system with a failure is demanded) will uccur dursg the duration of the event by the probabihties of the remaining basic events in the minimal eut set 1,.is can te approsimated by 1 e*, where p is determm J by multiplying the expected number ofinitiators that occur dunng the duration of the event by the probabahties of the basic events in that mirumal cut set. The expected number of initiators is given by At, where A is the frequency of the initiating event (giwn on a per hour basis), and t is the daration time of the event ($40 h). This approximata is conservatne for precursors made sisible by the sutisting ennt. The frequency of interest for this ewnt is A o, =

t 9.3 a 10 % The importance is de* ermined by subtractag the CDP for the same renod but mth plant equipment assumed to be operstmg nominally.

" Basic ewat EPS-DON FC 1B is a type TRUE event This type of event is not normally included in the output of the fault tree reduction proceas but has been added to aid in understandmg the sequences to potential core damage associated with the event.

I1

~ - *

.n.,.,

LER No. 370/96-002 LER No. 370/96 002 Event

Description:

2B emergency diesel generator inopert.ble due to slow instrumentation response Date of Event: March 6,1996 Plant: McGuire Unit 2 Licensee Comments

Reference:

Letter from it B. Barron, Vice President, McGuire Nuclear Station, Duke Power Company, to U. S. Nuclear Regulatory Commission, "McGuire Faclear Station, Docket No. 370, Preliminary Accident Sequence Precursor," October 14,1997.

Comment 1:

The McGuire EDG design uses a pre lubrication pump called the Before and AAct tube oil pump. This pump starts automatically and runs for 15 minutes out of each hour to lubricate the engine jou: ant bearings and upper deck. The pump also runs for 20 minutes after engine shutdown. While operating, the lube oil header and instrumentation line is pressurized to about 11 psig The EDG was not susceptible to the low lube oil pressure trip on startup during the periods of time that the pump was running.

Although no formal documentation of the meeting minutes from the 4/15/96 Enforcement Conference could be found, the 499.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> of failure susceptibility (versus $40) was agreed to by those present based on taking c4 edit for Before and After (pre lubrication) lube oil pump operation 15 minutes out of each hour. Based on the observations by the Operator seseral seconds aner the event that tube oil pressure as read from the control panel gauge was 15 20 psig and decreasing rapidly, the EDG would have met its 33 psig lube oil pressure requirement had the pump been running prior to the start.

The trip referenced by the inspectors that occurred with the Before and AAer lube oil pump running was during post outage startup break in runs (with the EDG inoperable) after the lube oil system had been drained (with the header not completely vented) and is not directly comparable to this event. This trip occurred ten years ago and several modifications (e.g.,

adding 15 seconds to the delay before arming the low lube oil pressure trip) to improve lube oil pressure response have been made in the interim.

Therefore, the exposure time appropriate for the Accident Sequence Precursor analysis is 499.5 instead of the 540 hours0.00625 days <br />0.15 hours <br />8.928571e-4 weeks <br />2.0547e-4 months <br /> used in the preliminary analysis.

I

LER No. 370/96 002 Response 1:

The NRC inspector methodology for calculating the 2B EDG to be unavailable for $40 h did not im olve measuring the total time the 2B EDO met the low room temperature criteria and adjusting for the Before and After lube oil pump run time. The documented NRC methodology simply accounted for the four occasions when the 28 EDG was technically inoperable for longer than the 72 h allowed by the Technical Speci0 cations, which sununed to 540 h. This total was very close to the 499.5 h calculated by a methodology that accounts y

for the Before and After lube oil pump operation. Based on this and the results of the sensitivity study described below, assuming a total oi340 h was judged to be satisfactory.

Additionally, the probability of the operator failing to recover emergency power following a failure was adjusted from 1.0 to 0.34 (Recovery Class 2) to account for the likelihood of success on a second start attempt of the 28 EDO. This is based on the impact the initial start attempt has on the oil pressure sensed at the pressure transmitter. This adjustment to the emergency power non recovery probability would also encompass the pressure contribution of the Before and After lube oil pump to a successfulinitial start withoui directly modeling the pump itself.

The difference in the calculated unavailability times is explored in a sensitivny study and documented in the Analysis Results section of *he analysis. The importance (CCDP-CDP) calculated for the 540 h case (1.8 r 10+)is 2.0 = 10' greater than the importance calculated for the 499.5 h case s 6 = 104). The importance for the total 666 h unavailability time (2 2 = 10 ') is also explored based on the adjustment to the emergency power non recovery probability discussed previously. These sensitivity studies show that there is not much difference with respect to the impottance between an unavailability of 499.5 h and one of 666 h.

Comment 2:

The LOOP frequency in the preliminary analysis of 1.6E 05/hr translates to an annual frequency of 0.1/yr (based on 6250 hours0.0723 days <br />1.736 hours <br />0.0103 weeks <br />0.00238 months <br /> of interesv>T). This frequency is significantly higher compared to the industry average of approximately 0.03/>T (Pg xii & 2 22, EPRI TR-106306) or the hicGuire IPE LOOP frequency-0.07/yr (Table 2.13, MNS PRA). The current plant specine LOOP frequency for hicGuire is 0.057/>T. This valuc is based on industry experience for 1980 to 1995 and updated for hicGuire plant specific data. We request that the analysis be revised using a mo.e realistic LOOP frequency.

Response 2:

The analysis was revised using the hicGuire plant specific LOOP frequency of 0.057/yr (based on 6130 h ofinterest/>T).

2 l

(

LER No. 370/96 002 Comment 3:

In looking at the preliminary analysis, it appears that the McGuire plant capabilities following a LOOP esent with concurrent failure of the TDGs to be mitigated by use of the power from the other unit and the SSF has not been given appropriate consideration. There are two 7kV to 4kV shared transfc.rmers (SATA and SATB) at hkGuire. Normally one transformer is powered from unit I and the other shared transformer is powered from unit 2.

A total loss of offsite power to both units is needed to render the power from the shared transformers unavailable.

For an event involving a LOOP and a frilure of both EDGs, three independent options are available to mitigate the event and avoid a com damage condition:

a) Energize the vital 4 kV switchgear from the shared transformer energized by the other unit.

b) Use the SSF to maintain secondary side heat removal (SSHR) and RCP seal cooling, and c) Recover off site power.

m accident sequences 28,37, and 39 [ revised analysis sequences 29,39, and 4l], it appears that credit given for the S5F and cross-tying the units is not in line with McGuire's capabilities. For example, assuming reasonable and realistic values for LOOP, SSF, and cross tying the unit, the core damage probability can be approximated as follows:

C[C]DP = LOOP (0.05) = EDO fails (0.04) = Recover EDO (0.34) = SSF(0.2) Opposite Unit (0.17) = Recover Off site Power (0.05, failure to recover power during seal LOCA) = Exposure Time (0.08,500/6250) = 9.25E 08 C[C]DP = LOOP (0.05) = EDG fails (0.04) = Recoser EDG (0.34) = SSilR(0.032) =

Opposite Unit (0.17)

Recover Off site Power (0.2, failure to recover power with loss of SSHR) = Exposure Time (0.08,'00/6250) = 5.92E 08 The equivalent sequences in the preliminary analysis are 28 and 37 for the first sequence

[ revised analysis tequences 29 and 39) and 39 [ revised analysis sequence 41) for the second sequence. The preliminary analysis sequences hase a CDP [CCDP) of 2.4E 06 (1.5E-06 +

8.8E-07) and 1.4E 06, respectively. This is a substantial difference and should not occur if more realistic values are used. We request that the models and associated inputs be reexamined so that the accident sequences are a realistic quantification.

Response 3:

The preliminary analyse included the SSF capability and the cross-tic capability as part of the LOOP fiequency and : covery probabilities. Apparently, this was confusing when it was desired to identify tne individual SSF components and the specific cross tic components associated with a given sequence. Therefore, the preliminary model was reexamined and modified so that the LOOP frequency and the SSF capabilities were addressed separately.

3

t l

LER No. 370/96 002 The modified' ASP model factors the SSF facility into the LOOP event t ce as a separate top event in the event tree model. The SSF failure probability was set to 0.36 according to the McGuire IPE based on the probability of(1) the SSF EDG failing,(2) failing to man the SSF in a timely manner, and (3) the SSF being in maintenance when demanded The urtit cross-tie capability was factored into the linked fault trees concerning off site power restoration prior to battery depletion and core damage given a seal LOCA. The probability of failing to cross tie to unit I was calculated to be 0.17, which is the same value v. sed by McGuire in the abnvc approximations. Substituting appropriate values (LOOP frequency, exposure time, and off site power recovery) into the approdmation presented above yields values of the same order of magnitude (10') as those produced when running the revised model. The revised model allows easier identification of the three power alternatives at McGuire.

Comment 4:

As required by the design basis, the SSF is required to be staffed and operational within 10 minutes. Plant personnel have serified that the SSF can be staffed and operational within 10 minutes. The assumption of 30 minutes (page 3 of the analysis) is too long and should be modified to indicate a time less than 10 minutes.

Response 4:

In the revised analysis, the SSF is included as a top event on the revised LOOP event tree (Fig. I in the analysis). The associated SSF fault tree now includes an Operator Falls to Start SSF EDG Wuhin 10 Mmurcs basic event (SSF XHE XM DGN). The probability for this basic es ent (0.1) is taken from the McGuire IPE.

Comment 5:

The probabihty of SSF failure assumed in the McGuire preliminary analysis is 0.36. The failure velue was taken from the McGuire IPE report. This number includes both hardware failures (SSF DG fails to start or run) and operator errors (operators fail to start the SSF in time). Provided below are the top events from the SSF IPE model:

Description Value SSF EDG fails to run (12 hr mean failure) 1.70E 01 Operators fail to initiate SSF in time station 1.00E 01 blackout case SSF EDG in maintenance 5.20E-02 SSF left unavailable after maintenance 1.24E 02 SSF EDG fails to stait 1.30E 02 SSF RCP makeup components in maintenance 9.00E 03 4

LER No. 370/96-002 For the preliminary analysis, a failure probability that includes short term failures (start failures) end excludes the long term failures (SSF DG fails to run) and maintenance is appropriate. A failure probability of 0.2 is a reasonable value considering the short term failures. If the operator error for the SSF is used elsewhere in the ASP model, the value s'

should be 0.1. We request that the analysis be requantified using a SSF failure probability of 0.2 (0.1 if appropriate).

Response 5:

The SSF is now specifically included as a top event on the revised LOOP event tree (Fig.1 in the analysis). Both short term and long term failures are typically considered in event modeling; therefore, SSF EDO failure to run and maintenance components were included.

Operator errors involving the SSF are not includcJ elsewhere in the revised model. The values presented in the above table were used as the basis for the inputs for the SSF fault tree,iesulting in a nominal overall SSF failure probability of approximately 0.36.

Comment 6:

For cross tying the Unit I and Unit 2 buses, the preliminary analysis assumes that plant personnel could cross tic the units in I hr 5% of the time and within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> 95% of the time.

From the conference call on September 11,1997, this assumption is based somewhat on the LOOP event at Catawba in which the operators took a long time to cross tic the units.

The Catawba event is not an appropriate event to use to estimate the failure probability for cross tying the units. The Catawba esent did not involve the need to cross tie since EDO power was available. For LOOPS with failure of EDO, operators will quickly get to the point in the emergency procedure that dirut the operators to perform the cross tie. The cross tie can be performed in a half hour.

We request that the HRA for cross tying the units be requantified based oc a time available over one hour. The time required is one half-hour. Attached for your information is a copy of the procedure for cross tying the units' power sources.

Response 6:

Based on the conference call on September 11,1997, it w as assumed that the operators could cross tic the units in I h 50% of the time and within 2 h 95% of the time. The median response time of 60 min was assumed to include any delays in initiating the cross tic procedure based on licensee information provided during the conference call. The recovery of power by implementing a cross-tie to Unit I was modeled by adding a basic event Failure to cross ric emergencypowcr withm 90 min (OEP XHE XTIE) to the McGuire fault trees for failure to recover power before the core uncovering given an RCP seal LOCA (OP SL) and before battery depletion given no seal LOCA (OP BD). Without power, a seal LOCA was assumed to occur after 60 min and the core would begin to uncover in an additional 30 min. The probability of failure to cross tic emergency power within 90 min, estimated using a lognormal time-reliability correlation and response time, is 0.17.

This correction 5

LER No. 370/96 002 significantly reduced the calculated CCDP from sequences 29,39, and 22 (sequences 28,37, and 21 in the preliminary analysis).

i Comment 7:

Sequences involving OEP XHE NOREC BD result in core damage after battery failure. We assume that this leads to a loss of secondary side heat removal in the preliminary analysis.

However, the turbine driven emergency feedwater pump at hicGuire can continue to operate without battery power since hil valves remain in their open position. Furthermore, the SSF can provide control power to the turbine-driven emergency feedwater pump and steam

,enerator level indication. In addition, the McGuire DC system is shared and the battery chargers can be supplied by either unit. Therefore, failure to recover power before battery failure would not necessarily lead to core damage at hicGuire. LOOP sequences 21 and 30

[ revised analysis sequer.:es 22 and 32] appear to be a failure of secondary side heat removal after failure of the batteries. These sequences should be removed or modified to account for McGuire capabilities.

Response 7:

The SSF was included as a top event on the revised LOOP crent tree (Fig.1 in the analysis).

Lc,ss of control power to the turbine driven emergency feedwater pump and steam generator level indication is not considered possible unless emergency power, the SSF, and battery power have all failed. Sequences 22 and 32 both involve a loss of emergency power and a failure of the SSF as shown in Trble,3 in the revised analysis. Sharing battery chargers between units i> not addressed in the McGuire IPE and no procedure was provided; therefore this possibility was not considered.

Comment 8:

LOOP sequence 38 [ revised analysis sequence 40] contains a failure of emergency power and failure of a PORV to re close after opening However, this sequence does not contain any events that would challenge the PORV such as failure of secondary side heat removal.

For a blackout at McGuire, the PORVs ne not expected to be challenged unless secondary side heat removal fails. These sequences should not be included in the analysis or additional failures should be included in the cut set.

Response 8:

Two events ofinterest impact the reactor coolant system pressure following a loss of offsite power: (1) a loss of non-cmergency power to the unit, and (2) a loss of forced flow in the reactor coolant system. The McGuire FSAR addresses both of these possibilities. The pressure response to a loss of non-cmergency power depicted in Figure 15 35 of the McGuire FSAR indicates a peak pressure of approximately 2,230 psig. This pressure is below all the PORV set points, though it is possible that, with set point drift, PORV NC 34 A could open based on rate compensation. However,in response to a loss of forced flow in the reactor coolant system due to a loss of ac power, a higher pressure peak of approximately 2,350 psig is s!m n in Figure 15 60 of the McGuire FSAR. This peak is above the set points 6

i.9 I

LER No. 370/96-001 of all three PORVs (identified on page 5 30 of the McGuire FSAR). Therefore, the possibility of a PORV lin following a station blackout exists at McGuire as identified in the accident analysis section of the McGuire FSAR.

A study of the safety analyses performed at several plants has suggested that there is a possibility of a PORV lifting at most plants. Based on this review, a probability (0.37) is assigacd to the potential for the PORVs being challenged (basic event PPR-SRV CO-SBO),

possibly leading to a failure of a PORV to re-close and a subsequent LOCA. This is the premise of LOOP sequence 40 shown in Figure 1 of the analysis.

7

_