ML21056A382

From kanterella
Jump to navigation Jump to search
Final ASP Analysis - Duane Arnold (LER 331-2020-001)
ML21056A382
Person / Time
Issue date: 03/04/2021
From: Fard M, Christopher Hunter
NRC/RES/DRA/PRB
To:
Hunter, Christopher - 301 415 1394
Shared Package
ML21056A382 List:
References
LER 331-2020-001
Download: ML21056A382 (33)
v  d  e


Text

Final ASP Analysis - Precursor Accident Sequence Precursor Program - Office of Nuclear Regulatory Research Duane Arnold Loss of Offsite Power caused by High Winds during Derecho Energy Center LER: 331-2020-001-01 Event Date: 8/10/2020 CCDP = 8x10-4 IR: 05000331/2020003 General Electric Type 4 Boiling-Water Reactor (BWR) with a Mark I Plant Type:

Containment Plant Operating Mode Mode 1 (82% Reactor Power)

(Reactor Power Level):

Analyst: Reviewer: Completion Date:

Christopher Hunter Mehdi Reisi Fard 3/4/2021 1 EXECUTIVE

SUMMARY

On August 10, 2020, severe thunderstorms and high winds caused a grid perturbation that resulted in an automatic start of both emergency diesel generators (EDGs). The EDGs did not immediately energize their respective safety buses because offsite power remained available.

However, approximately 14 minutes later, a loss of offsite power (LOOP) occurred that resulted in a reactor trip. The output breakers for both EDGs automatically closed to reenergize the safety buses. The licensee declared an Unusual Event. All control rods successfully inserted.

Reactor inventory control was maintained by reactor core isolation cooling (RCIC) and the safety relief valves (SRVs) were used to remove decay heat to the torus.

The high winds resulted in minor damage to the reactor, turbine, and FLEX buildings, along with more severe damage to the nonsafety-related cooling towers. The licensee later determined that, although damaged, secondary containment remained functional throughout the event and if challenged, would have prevented a radiological release to the environment. However, when tested, the vacuum drawn in secondary containment by the standby gas treatment system was slightly below the technical specification (TS) limit.

In addition, the high winds resulted in increased debris loading to the essential service water (ESW) system, which caused clogging of the train B strainer and subsequent decrease of ESW flow of 300 gpm to EDG B. Operators successfully bypassed the strainer. The train A strainer was also challenged due to debris during the event; however, the differential pressure across the strainer reached a maximum of 11 psid, which is below the limit of 15 psid and, therefore, did not require to be bypassed. Although the operators declared EDG B inoperable according to TS, it did not experience any problems due to the use of unstrained ESW and ran successfully throughout the event. Operators restored offsite power to the safety buses approximately 25 hours2.893519e-4 days <br />0.00694 hours <br />4.133598e-5 weeks <br />9.5125e-6 months <br /> after the LOOP occurred.

This accident sequence precursor (ASP) analysis reveals that the most likely core damage sequence is a weather-related LOOP initiating event and the subsequent (postulated) failure of both EDGs resulting in a station blackout (SBO) with the postulated failures of both high-pressure coolant injection (HPCI) and RCIC and the inability of operators to recover alternating current (AC) power within 30 minutes. This accident sequence accounts for approximately 35 percent of the total conditional core damage probability (CCDP) for this event. Although the 1

LER 331-2020-001 mean CCDP of 8x10-4 for this event was high, the risk of core damage was mitigated because defense-in-depth and plant-wide safety margins were maintained.

FLEX mitigation strategies were credited in this analysis and significantly affected the results.

Specifically, without the mitigation capabilities of the FLEX strategies would have resulted in a CCDP approximately a factor of 10 higher for this event. Throughout the review of this event, the analysis assumptions and results were systematically reviewed to identify necessary standardized plant analysis risk (SPAR) model changes that were implemented to realistically represent the event and expected plant response. In addition, analysis results were also used to identify key sources of uncertainty.

The risk of this event was significantly impacted by the SBO scenarios. The risk associated with the SBO scenarios is particularly high for this plant because of having only two safety-related EDGs and the inability to crosstie safety-related buses from another unit as Duane Arnold is a single unit site.

2 EVENT DETAILS 2.1 Event Description On August 10, 2020, severe thunderstorms and high winds caused a grid perturbation that resulted in an automatic start of both EDGs. The EDG did not immediately energize their respective safety buses because offsite power remained available. However, approximately 14 minutes later, a LOOP occurred resulting in a reactor trip. The output breakers for both EDGs automatically closed to reenergize the safety buses. The licensee declared an Unusual Event. All control rods successfully inserted. Reactor inventory control was maintained by RCIC and the SRVs were used to remove decay heat to the torus.

The high winds resulted in minor damage to the reactor, turbine, and FLEX buildings, along with more severe damage to the nonsafety-related cooling towers. The licensee later determined that, although damaged, secondary containment remained functional throughout the event and if challenged, would have prevented a radiological release to the environment. However, when tested, the vacuum drawn in secondary containment by the standby gas treatment system was slightly below the TS limit.

In addition, the high winds resulted in increased debris loading to the ESW system, which caused complete clogging of the train B strainer and subsequent decrease of ESW flow of 300 gpm to EDG B. Operators successfully bypassed the strainer. The train A strainer was also challenged due to debris during the event; however, the differential pressure across the strainer reached a maximum of 11 psid, which is below the limit of 15 psid and, therefore, did not require to be bypassed. Although the operators declared EDG B inoperable according to TS, it did not experience any problems due to the use of unstrained ESW and ran successfully throughout the event. Operators restored offsite power to the safety buses approximately 25 hours2.893519e-4 days <br />0.00694 hours <br />4.133598e-5 weeks <br />9.5125e-6 months <br /> after the LOOP occurred. Additional information is provided in licensee event report (LER) 331-2020-001-01, Notice of Unusual Event and Unit Trip Due to Loss of Offsite Power Due to High Winds, (ADAMS Accession No. ML20283A373).

2.2 Cause The cause of the LOOP was a severe storm (called a Derecho) with heavy rains and very high winds. Wind speeds exceeded 80 mph for over 20 minutes with peak winds onsite of greater than 100 mph. The National Weather Service later estimated wind speed peaks were likely 2

LER 331-2020-001 near 130 mph. These high winds resulted in all six offsite power sources being damaged. A separate offsite line that powers non-essential plant loads was also damaged.

2.3 Sequence of Key Events Table 1 provides the sequence of key events:

Table 1. Sequence of Key Events August 10, 2020 1138 Licensee entered abnormal operation procedures after a severe weather watch was issued for the plant vicinity; hourly checks of the EDGs were initiated and the licensee suspended fuel movements.

1235 Grid perturbation caused the two EDGs to automatically start and run unloaded.

1249 LOOP caused a main generator trip on reverse power automatic reactor scram. Running EDGs repower safety-related buses.

1258 The licensee declared an Unusual Event.

2230 Shutdown cooling was initiated.

2240 Operators bypass train B ESW strainer due to high differential plugging.

August 11, 2020 1126 161-kilovolt (kV) Vinton offsite power line is restored.

1215 Startup transformer (SUT) is reenergized from offsite power.

1312 Safety bus A reenergized from offsite power.

1334 Safety bus B reenergized from offsite power.

1600 Plant exits Unusual Event.

2.4 Additional Information The following event details are provided as additional information about the event that was not explicitly accounted for in this analysis.

  • The main steam isolation valves (MSIVs) remained open throughout the event. During most LOOPs, the MSIVs will close due to the loss of power from the reactor protection system (RPS) motor generators. However, the starting of the EDGs due to the grid perturbation prior to the LOOP allowed for a faster reenergization of the safety buses prior to the voltage from RPS motor generators decreasing below the value that would result in a loss of power to the MSIVs. Because the MSIVs remained open, operators aligned the main steam line (MSL) drains to the condenser, which minimized the number of demands on the reactor SRVs (two SRVs each cycled open and closed one time).

The current SPAR models use a failure-to-close probability for SRVs of 9.6x10-2 taken from NUREG-1150, Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants, (ADAMS Accession No. ML120960691). This probability accounts for multiple SRV demands; therefore, this probability was not changed given the two demands experienced during the event and the expected additional demands during a postulated SBO in which the MSIVs would close. NUREG/CR-7037, Industry Performance of Relief Valves at U.S. Commercial Nuclear Power Plants through 2007, (ADAMS Accession No. ML110980205) has an updated reliability estimate; however, the 3

LER 331-2020-001 adequacy of SRV testing that is included in these estimates has come into question.

Specifically, testing is performed to demonstrate that the SRVs will open to relieve pressure during design-basis accidents to prevent overpressure of the reactor coolant system. However, the closing capability of SRVs is not tested after passing steam. In addition, there are concerns about the demand data used in the stuck-open SRV probability provided in NUREG/CR-7037. The probability taken from NUREG-1150 is potentially conservative; however, the effect of the stuck-open SRV probability on this analysis is largely mitigated by the credit of the diesel-driven firewater pump and FLEX RPV makeup pumps for these scenarios.

  • During the event, the running spent fuel pool (SFP) cooling pump A tripped. Operators immediately started SFP cooling pump B.
  • Prior to the event, the licensee was loading fuel into a spent fuel canister. These fuel moves were stopped prior to the storms affecting the site; the fuel and canister were placed in a safe condition within the SFP.
  • On August 12, a small tear was discovered in the 5th floor wall of the reactor building that was the result of storm damage. A subsequent test of the secondary containment boundary identified that the vacuum of 0.24 inches of water was less that the technical specification requirement of 0.25 inches of water. At the time of discovery, the plant was is in Mode 4, which does not require secondary containment to be operable. However, it is very likely that the tear in the reactor building wall likely existed while the plant was in Mode 3 after the reactor scram and, therefore, secondary containment was inoperable during this period. Although considered inoperable, the licensee determined that a vacuum of 0.24 inches of water was sufficient to maintain the safety function of secondary containment.

3 MODELING 3.1 Basis for ASP Analysis The ASP Program performs independent analyses for initiating events. ASP analyses of initiating events account for all failures/degraded conditions and unavailabilities (e.g., equipment out for maintenance) that occurred during the event, regardless of licensee performance. 1 Additional LERs were reviewed to determine if concurrent unavailabilities existed during the August 10th event. No windowed events were identified.

The plant and licensee response to this event was evaluated by NRC inspectors as documented in inspection report 05000331/2020003, Duane Arnold Energy Center - Integrated Inspection Report 05000331/2020003 and 07200032/2020001, (ADAMS Accession No. ML20314A150).

Inspectors evaluated the licensee's immediate and follow-up corrective actions to this event.

The inspectors also determined that all equipment responded as expected with a few exceptions (e.g., loss of spent fuel pool cooling), and operators followed appropriate response procedures. The inspectors determined that the licensee's corrective actions to address this complex event were appropriate to the circumstances and commensurate with the potential safety significance. No findings or violations of more than minor significance were identified.

1 ASP analyses also account for any degraded condition(s) that were identified after the initiating event occurred if the failure/degradation exposure time(s) overlapped the initiating event date.

4

LER 331-2020-001 3.2 Analysis Type An initiating event analysis was performed using Revision 8.56 of the SPAR model for Duane Arnold Energy Center created in June 2019. This event was modeled as a weather-related LOOP initiating event.

3.3 SPAR Model Modifications The following modifications were required for this initiating event analysis:

  • Crediting FLEX Strategies. The probability of basic event FLX-XHE-XE-ELAP (operators fail to declare ELAP when beneficial) was set to its nominal value of 10-2 to activate the credit for FLEX mitigation strategies for postulated SBO scenarios for which an extended loss of AC power (ELAP) is declared. 2
  • FLEX Reliability Parameters. FLEX hardware reliability parameters suitable for inclusion in the NRC SPAR models is not yet available. Therefore, the base SPAR models currently use the reliability parameters of permanently installed equipment, which is inconsistent with the limited experience with the operation of FLEX equipment. As part of an NRC audit performed of preliminary FLEX hardware data provided by the Pressurized Water Reactor Owners Group (PWROG), Idaho National Laboratory reviewed the FLEX hardware parameters estimated by the PWROG. This review revealed that FLEX diesel generator failure-to-start (FTS) probability is 3 to 10 times higher and failure-to-run (FTR) rate is 2 to 5 times higher than permanently installed EDGs. The portable engine-driven centrifugal pump FTS probability is at least 8 times higher and FTR rate is at least 6 times higher than permanently installed pumps. See Table 1 in INL/EXT-20-58327, Evaluation of Weakly Informed Priors for FLEX Data, (ADAMS Accession No. ML20155K834) for additional information. Therefore, to provide a more representative estimate of the FLEX hardware reliability parameters, this analysis increased the hardware reliability by a factor of three in the best estimate case.

The use of the FLEX hardware multiplier is a key modeling uncertainty and is evaluated further in Section 4.3.

  • Removal of EDG Repair Credit for ELAP Scenarios. The base SPAR model provides credit for repair of postulated EDG failures for SBO scenarios. However, this potential credit is not applicable for scenarios where ELAP will be declared because (a.) operators will be focused on implementing the FLEX mitigation strategies and (b.) the DC load shedding activities could preclude recovery of EDGs. Therefore, credit for EDG repair credit was removed from the sequences if it is included after ELAP is likely declared (i.e., 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />) via a change set containing the applicable EDG repair basic events.
  • HPCI Credit During ELAP Scenarios. The base SPAR model does not credit FLEX for scenarios where RCIC is failed, but HPCI is available. This assumption is likely conservative and, therefore, FLEX credit was applied by modifying the SBO event tree by transferring the SBO Sequence 6 to the SBO ELAP event tree (see Figure A-2 in Appendix A). Most of the FLEX information available, including thermal-hydraulic calculations, is focused on RCIC performance and does not consider HPCI as an 2 After the Derecho storm had passed the site, the licensee had the capability to pre-stage FLEX equipment.

However, after discussing this possibility, the decision was made to not move any FLEX equipment.

5

LER 331-2020-001 alternative high-pressure injection source. Therefore, this change is potentially nonconservative.

  • SBO-ELAP Event Tree Modification. The SBO-ELAP event tree was modified to include the query of containment venting in scenarios when reactor depressurization fails. The modified SBO-ELAP event tree is provided in Figure B-1 in Appendix B.
  • Additional Mitigation Credit for Stuck-Open SRV Scenarios. MELCOR calculations were performed to determine timing information for postulated stuck-open SRV scenarios.

Specifically, the time until RCIC/HPCI isolation on low steam pressure (75 psig) and times to core uncovery/damage were calculated. Based on these calculations, the RCIC or HPCI would isolate on low steam pressure in approximately 90 minutes given a single stuck-open SRV. Core damage is estimated to occur between 4-6 hours. For two stuck-open SRVs, RCIC/HPCI would isolate in less than 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> and core damage would occur in approximately 90 minutes. Discussions with the licensee revealed that operators would have enough time to connect and initiate either firewater or FLEX reactor pressure vessel (RPV) makeup, which is not credited in the base SPAR model.

To provide this credit, the applicable sequences were transferred to the SBO-ELAP event tree. In addition, offsite power recovery times for the SBO-1 and SBO-2 event trees were changed to 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> and 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, respectively, based on MELCOR calculation estimates. 3 These modified event trees are provided in Figures B-2 and B-3 in Appendix B.

  • 72-Hour AC Power Recovery Requirement. The base SPAR model requires AC power recovery within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> for a safe/stable end state for ELAP scenarios with successful FLEX implementation. If AC power is not recovered in these scenarios, the SPAR models assume core damage. The American Society of Mechanical Engineers/American Nuclear Society (ASME/ANS) probabilistic risk assessment (PRA) standard definition for safe/stable end state does not require AC power recovery.

Because of the large uncertainty in modeling assumptions related to availability and reliability of components and strategies for mission times that are well beyond 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> and the unclear basis for requiring AC power recovery within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, the 72-hour AC power requirement was eliminated in this analysis by inserting a new basic event, OPR-72HR-OFF (no 72-hr OPR requirement), under the top event in the OPR-72H fault tree and setting it to FALSE. This change is considered a key modeling uncertainty for this analysis. This modified fault tree is provided in Figure B-4 in Appendix B. As part of this change, the FTR events for FLEX diesel generators and pumps have a 72-hour mission time in the base SPAR model. These mission times were reset to be consistent with the 24-hour mission time used in the SPAR model.

  • Credit for Technical Support Center (TSC) Diesel Generator. The SBO-ELAP event tree currently credits the FLEX 480-volt (V) diesel generators in the FLEX-480 fault tree.

However, the plant has an additional TSC diesel generator that can also charge the safety-related batteries. Therefore, the FLEX-480 fault tree was modified by inserting the existing DG-TSC fault tree and changing the existing gate structure to ensure both the FLEX and TSC diesel generators are potentially available to provide battery charging. The two human failure events (HFEs) FLX-XHE-XM-480 (operators fail to 3 The associated EDG repair times were also changed. However, this change does not affect this analysis because EDG repair is not credited after ELAP is declared.

6

LER 331-2020-001 stage or run or load or refuel 480V portable flex diesel) and EPS-XHE-XM-TSC (operator action to align TSC DG to battery chargers) are treated as completely dependent in the SPAR model post-processing rules. This modified fault tree is provided in Figure B-5 in Appendix B.

  • Credit for Firewater Pump. The SBO-ELAP event tree currently credits FLEX RPV makeup in the FLEX-RPV fault tree. However, firewater is not currently credited.

Therefore, the FLEX-RPV fault tree was modified by inserting the existing FWS fault tree and changing the existing gate structure to ensure both firewater and the FLEX RPV makeup pumps are available to provide reactor inventory makeup. In the FWS fault tree, the human error probability (HEP) for existing HFE FWS-XHE-XM-ERRLT (operator fails to align firewater injection) was set to a screening value 0.1. 4 In addition, FWS-XHE-XM-ERRLT and existing basic event FWS-EDP-TM1P49 (diesel fire pump is unavailable because of maintenance) were moved under a new AND gate because the firewater pump was undergoing maintenance at the onset of the event; however, operators could clear the maintenance tags to restore the pump within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, if needed.

The two HFEs FWS-XHE-XM-ERRLT and FLX-XHE-XM-RPV (operators fail to stage or run or supply or refill FLEX RPV pump) are treated as completely dependent in the SPAR model post-processing rules. This modified fault trees are provided in Figures B-6 and B-7 in Appendix B.

  • Use of Environmental Common-Cause Failure (CCF) Parameters for ESW Strainers. To improve the realism in the modeling of potential CCF of the ESW strainers due to the increased debris loading experienced during the event, the alpha factors for ESW strainers were modified to those of environmental events (instead of all causes), which are more representative of the conditions experienced during the event. Specifically, the alpha factors ZA-STR-PG-SWS-02A01 (alpha factor 1 in group size 2 for component STR with failure mode PG:SWS) and ZA-STR-PG-SWS-02A02 (alpha factor 2 in group size 2 for component STR with failure mode PG:SWS) were changed from their nominal values to 0.874 and 0.126, respectively. 5
  • Credit for Ability to Bypass Clogged ESW Strainers. The ability for operators to bypass the clogged ESW strainers is not included in the base SPAR model. To provide this credit, new fault trees ESW-STRAINER-A (ESW pump A discharge strainer plugs) and ESW STRAINER-B (ESW pump A discharge strainer plugs) were created. These two new fault trees include the existing strainer independent failure and CCF basic events along with new HFE ESW-XHE-XM-BYPASS (operators fail to bypass plugged strainer),

which credits the ability of operators to bypass a clogged ESW strainer. These new fault trees are provided in Figures B-6 and B-7 in Appendix B. ESW-XHE-XM-BYPASS was evaluated using NUREG/CR-6883, The SPAR H Human Reliability Analysis Method, (ADAMS Accession No. ML051950061). The HEP for ESW-XHE-XM-BYPASS was calculated to be 1x10-3; see Appendix C for additional information. Fault tree ESW-STRAINER-A was inserted as a transfer tree in fault trees ESW-A and ESW-DGN-A to substitute for the existing strainer independent failure and CCF basic events. Likewise, 4

NUREG-1792, Good Practices for Implementing Human Reliability Analysis, (ADAMS Accession No. ML051160213) provides that 0.1 is an appropriate screening (i.e., typically conservative) value for most post-initiator HFEs.

5 These alpha factor changes also affect the residual heat removal (RHR) service water heat system strainers.

The RHR service water system takes its suction of the same pit as ESW.

7

LER 331-2020-001 fault tree ESW-STRAINER-B was inserted in fault trees ESW-B and ESW-DGN-B.

These modified fault trees are provided in Figures B-8 through B-13 in Appendix B.

  • Reactor Water Level Control During a LOOP. The existing HFEs for reactor water level control using RCIC (RCI-XHE-XO-ERROR, RCI-XHE-XM-OPERATE, RCI-XHE-XM-OPERATE2) and/or HPCI (HCI-XHE-XO-ERROR, HCI-XHE-XO-ERROR1) were not evaluated to account for the procedures directing operators to bypass the high reactor water level (Level 8) pump trips, raise reactor water level, and control level in a relatively narrow (10-inch) band when forced circulation is lost. With the pump trips bypassed, a failure to control level could result in flooding the pump turbines resulting in a loss of both high-pressure injection systems. To better represent this action, a new basic event RCS-XHE-XM-LEVEL (operators fail to control reactor water level during loss of forced circulation) was inserted in the applicable fault trees (HCI, HCI01, HCI02, RCI, RCI01, RCI02, FLX-TDP, FLX-TDP2) to replace the existing HFEs for LOOP scenarios. The HFE RCS-XHE-XM-LEVEL was evaluated using IDHEAS-ECA methodology because the performance shaping factors (PSFs) of the SPAR-H method do not represent control actions very well. The HEP for RCS-XHE-XM-LEVEL was calculated to be 2x10-2; see Appendix C for additional information.
  • SPAR Model Quantification Issues. A review of preliminary analysis results identified some SPAR model quantifications issues that required changes. First, the component ID was deleted from basic event FWS-EDP-TM-1P49 (diesel fire pump is unavailable because of maintenance) because it was causing calculation errors. Second, some event tree linkage rules were added to the SBO event tree. These rules substituted in initiator specific power recovery logic to facilitate more accurate calculation of success path cut sets.

3.4 Analysis Assumptions The following modeling assumptions were required to reflect the plant status and event circumstances for this initiating event assessment:

  • The probability of IE-LOOPWR (loss of offsite power (weather-related)) was set to 1.0 due to the loss of offsite power. All other initiating event probabilities were set to zero.
  • Basic event ESW-STR-PG-PDISB (ESW pump B discharge strainer 1S-89B plugs) was set to TRUE due to ESW train B strainer becoming clogged during the event.
  • Basic event FWS-EDP-TM-1P49 was set to TRUE because the pump was undergoing maintenance during the event. All other test and maintenance probabilities were kept at their nominal values.
  • Offsite power was recovered to the safety buses approximately 25 hours2.893519e-4 days <br />0.00694 hours <br />4.133598e-5 weeks <br />9.5125e-6 months <br /> after the LOOP occurred. Based on the event information and discussions with Region 3 inspectors, it was determined that offsite power could have been restored to the safety buses shortly after the Vinton offsite power line was restored approximately 23 hours2.662037e-4 days <br />0.00639 hours <br />3.80291e-5 weeks <br />8.7515e-6 months <br /> after the LOOP occurred. Therefore, basic events OEP-XHE-XL-NR30MWR (operators fail to recover offsite power in 30 minutes), OEP-XHE-XL-NR01HWR (operators fail to recover offsite power in 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />), OEP-XHE-XL-NR05HWR (operators fail to recover offsite power in 5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />), OEP-XHE-XL-NR08HWR (operators fail to recover offsite power in 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />),

OEP-XHE-XL-NR10HWR (operators fail to recover offsite power in 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br />), and OEP-8

LER 331-2020-001 XHE-XL-NR012HWR (operators fail to recover offsite power in 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />) were set TRUE. The HEP for basic event OEP-XHE-XL-NR024HWR (operators fail to recover offsite power in 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />) was calculated to be 2x10-3; see Appendix C for additional information.

  • Both control rod drive (CRD) pumps were impacted by using the MSL drains to the condenser for cooldown. The operating CRD pump developed a seal leak and was secured. In addition, operators manually started the standby pump when it became vapor bound due to the high suction water temperature. Therefore, basic events CRD-MDP-FR-A (CRD pump A fails to run) and CRD-MDP-FS-B (CRD pump B fails to start) were set to TRUE. This modeling assumption is potentially conservative; however, the nonrecoverable failure of the CRD system results in negligible risk contribution for this analysis.

4 ANALYSIS RESULTS 4.1 Preliminary Results The mean CCDP for this analysis is preliminarily calculated to be 8x10-4. The ASP Program threshold for initiating events is a CCDP of 10-6 or the plant-specific CCDP of an uncomplicated reactor trip with a non-recoverable loss of feed water or the condenser heat sink, whichever is greater. This CCDP equivalent for Duane Arnold Energy Center is 1.8x10-6. Therefore, this event is a precursor. The parameter uncertainty results are provided below:

Table 2. Parameter Uncertainty Results 5% Median Pt. Estimate Mean 95%

1x10-4 6x10-4 6x10-4 8x10-4 2x10-3 4.2 Dominant Sequences 6 The dominant accident sequence is a weather-related LOOP sequence 38-09 (CDP

= 2.3x10-4), which contributes approximately 35 percent of the total CCDP. The sequences that contribute at least 5.0 percent to the total CCDP are provided in the following table. The event tree with the dominant sequence is shown graphically in Figures A-1 and A-2 of Appendix A.

Table 3. Dominant Sequences Sequence CDP  % Description LOOPWR 38-09 2.3x10-4 35.2% Weather-related LOOP with postulated failures of both EDGs results in SBO; RCIC and HPCI fail; AC power recovery within 30 minutes is assumed to fail LOOPWR 38-03-07 9.4x10-5 14.6% Weather-related LOOP with postulated failures of both EDGs results in SBO; RCIC is successful; FLEX DGs are successful, reactor depressurization is successful; containment venting fails; offsite power recovery within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is assumed to fail 6 The CCDPs provided in this section are point estimates.

9

LER 331-2020-001 Sequence CDP  % Description LOOPWR 38-03-17 6.1x10-5 9.5% Weather-related LOOP with postulated failures of both EDGs results in SBO; RCIC is successful; operators declare ELAP; FLEX DGs fail LOOPWR 38-03-20 4.8x10-5 7.5% Weather-related LOOP with postulated failures of both EDGs results in SBO; RCIC is successful; operators fail to declare ELAP LOOP 06 4.1x10-5 6.4% Weather-related LOOP; EDGs successfully provide power to at least one safety-related bus; either RCIC or HPCI are successful; suppression pool cooling fails; reactor depressurization is successful; low-pressure injection is successful; offsite power recovery within 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> is assumed to fail; shutdown cooling fails; containment spray fails; containment venting succeeds; late injection fails LOOP 35 3.4x10-5 5.3% Weather-related LOOP; EDGs successfully provide power to at least one safety-related bus; both RCIC and HPCI fail; and operators fail to depressurize the reactor 4.3 Key Uncertainties The following are the key uncertainties of this ASP analysis. The results of any sensitivity analyses performed to evaluate these uncertainties are provided in Table 4.

  • The Amount of Credit for FLEX Mitigation Strategies. The crediting of FLEX mitigation strategies has as significant impact on these analysis results. A sensitivity analysis yields an increase in CCDP of approximately a factor of 10 without FLEX credit. While credit is appropriate, it is important to note that there are considerable uncertainties (as discussed below) associated with various aspects of FLEX modeling.
  • HPCI Credit During ELAP Scenarios. The base SPAR model does not credit FLEX for scenarios where RCIC is failed, but HPCI is available. This assumption is likely conservative and, therefore, FLEX credit was applied by modifying the SBO event tree.

Most of the FLEX information available, including thermal-hydraulic calculations, is focused on RCIC performance and does not consider HPCI as an alternative high-pressure injection source. Because the use of FLEX in scenarios that only HPCI is available has not been analyzed, crediting FLEX in such scenarios may be unrealistic and may overestimate the risk reduction achieved by crediting FLEX. A sensitivity analysis yields an increase in CCDP of approximately 120 percent without FLEX credit for scenarios where HPCI is successful and RCIC is unavailable/failed.

  • FLEX Hardware Reliability. As previously mentioned, hardware reliabilities for FLEX equipment are not currently available and, therefore, the SPAR model uses the reliability of permanently installed equipment, which is considered nonconservative. Based on preliminary data received from the PWROG, failure probabilities and rates for FLEX diesel generators and engine-driven centrifugal pumps are 2 to 10 times more likely to fail than permanently installed equipment. Therefore, sensitivity analyses were performed using the multiplier range of 2 to 10 times that of permanently installed equipment. These sensitivity analyses yield a decrease in CCDP of 3 percent for a multiplier of 2 and an increase in CCDP of approximately 18 percent and 57 percent for multipliers of 5 and 10, respectively.

10

LER 331-2020-001

  • FLEX Human Reliability. Detailed human reliability analysis was not performed for FLEX mitigation strategies for the SPAR models. Placeholder values for the HEPs that were judged to be reasonable by model developers are currently used. A review of these HEPs did not identify any significant issues and are judged to be reasonable for this analysis. Future HRA of these actions will likely result in HEP increases for some HFEs and decreases for others. Sensitivity analysis increasing and decreasing these HEPs by a factor of 5 results in an increase in CCDP of 135 percent and decrease in CCDP of 27 percent, respectively.
  • 72-Hour AC Power Recovery Requirement. This analysis eliminated the 72-hour AC power recovery credit for ELAP scenarios with successful implementation of the required FLEX mitigation strategies. Requiring AC power recovery within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> as originally included in the SPAR model results in an approximately 34 percent increase in CCDP without a clear technical basis. 7
  • Potential Effects of Bypassing ESW Strainer. During the event, operators successfully bypassed ESW train B strainer and EDG B successfully ran throughout the event (greater than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />). Operators monitored EDG B parameters and did not identify performance issues with the reduce ESW flowrate reduced by 300 gpm. However, cooling the EDG B with the strainer bypassed would result in an unknown decrease in reliability due to increase fouling/plugging potential with the EDG B coolers. A sensitivity case with the EDG B FTR probability doubled results in an increase in CCDP of approximately 89 percent.

Table 4. Key Uncertainty Sensitivity Results Key Uncertainty Mean CCDP  % Change No FLEX Credit 7.8x10-3 ~+900%

No FLEX Credit for Successful HPCI Scenarios 1.7x10-3 +120%

x2 increase 7.7x10-4 -3%

FLEX Hardware Reliability Multiplier x5 increase 9.3x10-4 +18%

x10 increase 1.2x10-3 +57%

x5 increase 1.9x10-3 +135%

FLEX HEPs x5 decrease 5.8x10-4 -27%

72-Hour AC Power Recovery Requirement 1.1x10-3 +34%

Potential Effects of Bypassing ESW Strainer 1.5x10-3 +89%

7 The HEP for basic event OEP-XHE-XL-NR072HWR (operators fail to recover offsite power in 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />) was set to 2x10-3 for this sensitivity analysis.

11

LER 331-2020-001 Appendix A: Key Event Trees LOSS OF OFFSITE POWER REACTOR SHUTDOWN TRANSFER BRANCH SBO SRV'S CLOSE HIGH PRESSURE INJECTION SUPPRESSION POOL MANUAL REACTOR LOW PRESSURE INJECTION ALTERNATE LOW PRESS OFFSITE POWER RECOVERY SUPPRESSION POOL SHUTDOWN COOLING CONTAINMENT SPRAY CONTAINMENT VENTING LATE INJECTION # End State INITIATOR (WEATHER- (RCIC OR HPCI) FAILS COOLING (LATE) DEPRESS (CS OR LPCI) INJECTION FAILS IN 10 HRS COOLING (LATE) COOLING MODE OF RHR (Phas e - CD)

RELATED) FAILS FS = FTF-SBO IE-LOOPWR RPS EPS SRV HPI SPC DEP LPI VA OPR-10H SPC SDC CSS CVS LI 1 OK 2 OK 3 OK 4 OK 5 OK 6 CD LI03 7 OK 8 CD 9 OK 10 OK 11 OK 12 OK 13 CD SD1 LI01 14 OK CS1 15 CD 16 CD 17 CD 18 OK 19 OK 20 OK 21 OK 22 OK 23 CD LI03 24 OK 25 CD 26 OK 27 OK 28 OK 29 OK 30 OK 31 CD SP1 SD1 LI01 32 OK CS1 33 CD 34 CD 35 CD 36 LOOP-1 P1 37 LOOP-2 P2 38 SBO 39 ATWS Figure A-1. Weather-Related LOOP Event Tree A-1

LER 331-2020-001 TRANSFER BRANCH SBO SRV'S CLOSE RECIRC PUMP SEAL RCIC HPCI FAILS TO PROVIDE OFFSITE POWER RECOVERY DG RECOVERY # End State INTEGRITY ADEQUATE FLOW TO THE (Phase - CD)

RPV FS = FTF-SBO EPS SRV RPSI RCI HCI OPR DGR 1 SBO-OP OPR-LS 2 OK RCI02 3 SBO-ELAP OPR-LS DGR-LS 4 SBO-OP OPR-LS 5 OK HCI02 6 SBO-ELAP OPR-LS DGR-LS 7 SBO-OP RCI02 OPR-30M 8 OK HCI02 9 CD OPR-30M DGR-30M 10 SBO-1 11 SBO-1 P1 12 SBO-2 P2 Figure A-2. Modified SBO Event Tree A-2

LER 331-2020-001 Appendix B: Modified Event Trees and Fault Trees ELAP DECLARED ELAP IS DECLARED WHEN NEEDED FLEX DIESEL GENERATOR MANUAL REACTOR DEPRESS CONTAINMENT VENTING DURING FLEX RPV LOW- PRESSURE EXTENDED TDP (RCIC/HPCI) AC POWER RECOVERY WITHIN 24 AC POWER RECOVERY WITHIN 72 # End State OPERATION AND BUS ALIGNMENT DURING ELAP ELAP INJECTION PUMP IS OPERABLE OPERATION HOURS HOURS (Phase - CD)

FLEX ELAP FLEX-480 FLEX-DEP FLEX-CVS FLEX-RPV FLEX-TDP OPR-24HR OPR-72HR 1 OK 2 CD 3 OK 4 CD 5 CD 6 OK 7 CD FLEX-TDP2 OPR-12HR 8 CD FLEX-TDP2 9 OK 10 CD 11 CD 12 OK 13 CD FLEX-TDP2 OPR-12HR 14 CD FLEX-TDP2 15 OK 16 CD FLEX-TDP3 OPR-12HR 17 CD FLEX-TDP3 18 OK 19 CD FLEX-TDP3 OPR-12HR 20 CD FLEX-TDP3 Figure B-1. Modified SBO-ELAP Event Tree B-1

LER 331-2020-001 ONE STUCK OPEN SRV RCIC HPCI FAILS TO PROVIDE OFFSITE POWER RECOVERY OPERATOR FAILS TO # End State ADEQUATE FLOW TO THE RECOVER EMERGENCY (Phase - CD)

RPV DIESEL IN 3 HOURS P1 RCI HCI OPR DGR-03H 1 SBO-OP OPR-03H 2 SBO-OP RCI02 3 SBO-ELAP OPR-03H 4 SBO-OP OPR-03H 5 SBO-OP HCI02 6 SBO-ELAP RCI02 OPR-03H 7 CD HCI02 Figure B-2. Modified SBO-1 Event Tree B-2

LER 331-2020-001 TWO OR MORE SORVS RCIC HPCI FAILS TO PROVIDE OFFSITE POWER RECOVERY DG RECOVERY # End State ADEQUATE FLOW TO THE (Phase - CD)

RPV P2 RCI HCI OPR DGR 1 SBO-OP OPR-01H 2 OK RCI02 DGR-01H 3 SBO-ELAP OPR-01H DGR-01H 4 SBO-OP OPR-01H 5 OK HCI02 DGR-01H 6 SBO-ELAP RCI02 OPR-01H DGR-01H 7 CD HCI02 Figure B-3. Modified SBO-2 Event Tree B-3

LER 331-2020-001 Figure B-4. Modified OPR-72H Fault Tree B-4

LER 331-2020-001 Figure B-5. Modified FLEX-480 Fault Tree B-5

LER 331-2020-001 Figure B-6. Modified FLEX-RPV Fault Tree B-6

LER 331-2020-001 Figure B-7. Modified FWS Fault Tree B-7

LER 331-2020-001 Figure B-8. ESW-STRAINER-A Fault Tree Figure B-9. ESW-STRAINER-B Fault Tree B-8

LER 331-2020-001 Figure B-10. Modified ESW-DGN-A Fault Figure B-11. Modified ESW-DGN-B Fault Tree Tree B-9

LER 331-2020-001 Figure B-12. Modified ESW-A Fault Tree Figure B-13. Modified ESW-B Fault Tree B-10

LER 331-2020-001 Appendix C: Evaluation of Key HFEs Table C-1. Qualitative HFE Information for ESW-XHE-XM-BYPASS HFE Name ESW-XHE-XM-BYPASS Definition Operators fail to bypass plugged strainer prior to loss of EDG safety function.

When ESW strainer differential pressure reaches 5 psid, operators receive an alarm. The alarm response procedure directs operators to bypass the strainer if Description/Context low flow condition exists or if differential pressure across the strainer reached 15 psid.

Success Criteria Operators open strainer bypass valve prior to loss of EDG safety function.

Key Cue(s) Strainer high differential pressure alarm (6 psid)

Procedural Guidance Alarm Response Procedure for Panel 1C03B Table C-2. SPAR-H PSF Evaluation for ESW-XHE-XM-BYPASS Multiplier PSF Notes Diagnosis/Action Time Available 0.01 / 1 Based on the event information, the ESW train B strainer alarmed approximately 13 hours1.50463e-4 days <br />0.00361 hours <br />2.149471e-5 weeks <br />4.9465e-6 months <br /> after the LOOP began. An auxiliary operator (AO) was sent in accordance with the alarm response procedure. When the operator arrived, the ESW train B strainer differential pressure reached 15 psid and was directed by the main control room operators to bypass the strainer. This was completed within 15 minutes.

Therefore, the nominal time for this HFE is assumed to be 5 minutes for diagnosis and 10 minutes for action.

Although ESW train B flow to its respective EDG had decreased dropped from 1100 to 800 gpm, operators did not observe any degradation in EDG B performance. It is believed that strainer debris loading peaked at this level (as indicated by the ESW train A not increasing after reaching 11 psid even though its strainer was not bypassed). It is possible that EDG B would have continued to run satisfactorily with the plugged strainer with a differential pressure of 15 psid. For this event assessment, it is assumed that operators would have approximately 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to bypass the strainer, which is could be potential conservative. Since the 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> available for diagnosis is greater than 2x nominal time and greater than 30 minutes, the diagnosis PSF for available time is set to Expansive.

Enough time exists to perform the action component for this operator action; therefore, the action PSF for available time is set to Nominal. See INL/EXT-10-18533, SPAR-H Step-by-Step Guidance,(ADAMS Accession No. ML112060305) for guidance on apportioning time between the diagnosis and action components of an HFE.

C-1

LER 331-2020-001 Multiplier PSF Notes Diagnosis/Action Stress, 1/1 No event information is available to warrant a change in Complexity, these PSFs (diagnosis or action) from Nominal for this HFE.

Procedures, Experience/Training, Ergonomics/HMI, Fitness for Duty, Work Processes Diagnosis HEP = 0.01 (Base Diagnosis HEP) x 0.01 (PSF Multiplier) = 1x10-4 Action HEP = 0.001 (Base Diagnosis HEP) x 1 (PSF Multiplier) = 1x10-3 Total HEP = 1x10-3 C-2

LER 331-2020-001 Table C-3. Qualitative HFE Information for RCS-XHE-XM-LEVEL HFE Name RCS-XHE-XM-LEVEL Operators fail to control reactor water level using RCIC and/or HPCI during a Definition loss of forced circulation During loss of forced circulation scenarios, plant procedures direct operators to bypass the high-level (Level 8) RCIC/HPCI pump trips and raise/control reactor Description/Context water level to a 10-inch band that is approximated 12 inches below the MSLs.

With the pump trips bypassed, a failure to control level could result in flooding the pump turbines resulting in a loss of both high-pressure injection systems.

Success Criteria Operator successfully maintain reactor water below the MSL lines.

  • Reactor water level Key Cue(s)
  • Level 8 signal
  • Loss of Forced Circulation Procedure Table C-4. IDHEAS-ECA Evaluation for RCS-XHE-XM-LEVEL Although procedures direct the bypassing of the high-level (Level 8) RCIC/HPCI pump trips and raise/control reactor water level to a 10-inch band that is Critical Task(s) approximated 12 inches below the MSLs, the only critical task for this HFE is that operators maintain reactor water level below the MSLs.

The five IDHEAS-ECA macro-cognitive functions (MCFs) have base PIFs (e.g.,

scenario familiarity, task complexity, etc.) that are required to be evaluated.

Other PIFs (e.g., staffing, environmental factors, procedures and guidance, etc.) can be evaluated if they are applicable within the context of the HFE. The applicable PIFs for the four evaluated MCFs for this HFE are provided below:

Detection

  • Scenario Familiarity-No impact
  • Task Complexity-No impact
  • The other PIFs were evaluated to not have a significant impact on this HFE.

Understanding

  • Scenario Familiarity-No impact
  • Information Completeness and Reliability-No impact Performance
  • Task Complexity-No impact Influencing
  • The other PIFs were evaluated to not have a significant impact on this HFE.

Factors (PIFs)

Decisionmaking

  • Scenario Familiarity-No impact
  • Information Completeness and Reliability-No impact
  • Task Complexity-No impact
  • The other PIFs were evaluated to not have a significant impact on this HFE.

Action

  • Scenario Familiarity-No impact
  • Task Complexity-C35, long-lasting action, repeated discontinuous manual control
  • The other PIFs were evaluated to not have a significant impact on this HFE.

Inter-Team

  • This MCF was not evaluated because multiple teams are not involved.

C-3

LER 331-2020-001 The timing model for IDHEAS-ECA is not applicable to continuous control Time actions and, therefore, timing was not explicitly considered. Note that the time Consideration considerations are considered somewhat in the Task Complexity.

Recovery is not credited for the HFE because the failure to control level could result in flooding the pump turbines. There is evidence from the Fukushima Recovery accident that turbine-driven pumps could survive the pumping two-phase flow.

Therefore, this assumption is potentially conservative.

Calculated HEP 2x10-2 C-4

LER 331-2020-001 Table C-5. Qualitative HFE Information for OEP-XHE-XL-NR024HWR HFE Name OEP-XHE-XL-NR024HWR Definition Operators fail to restore power to safety bus within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

Once the 161-kV Vinton offsite power line is restored, operator would need to manually align power to the SUT. Once the SUT is reenergized, a low-Description/Context voltage condition on either safety bus result in the automatic alignment to repower the affected bus.

Success Criteria Operators reenergize the SUT from the Vinton line prior to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

Key Cue(s) Deenergized SUT and safety buses Procedural Guidance Abnormal Operating Procedure 301, Loss of Essential Electrical Power Table C-6. SPAR-H PSF Evaluation for ESW-XHE-XM-BYPASS Multiplier PSF Notes Diagnosis/Action Time Available 0.01 / 1 The operators would need a maximum of 15 minutes to perform the action component of restoring 161-kV offsite power to the SUT. Therefore, the minimum time for diagnosis is approximately 68 minutes. Therefore, available time for the diagnosis component for the 24-hour recovery is assigned as Expansive Time (i.e., x0.01; time available is >2 times nominal and >30 minutes).

Enough time exists to perform the action component for this operator action; therefore, the action PSF for available time is set to Nominal. See INL/EXT-10-18533, SPAR-H Step-by-Step Guidance,(ADAMS Accession No. ML112060305) for guidance on apportioning time between the diagnosis and action components of an HFE.

Stress 2/2 The PSF for diagnosis and action stress was set to High (i.e.,

x2) because the most severe scenario involves a postulated SBO where recovery of offsite power is required to prevent core damage.

Complexity, 1/1 No event information is available to warrant a change in Procedures, these PSFs (diagnosis or action) from Nominal for this HFE.

Experience/Training, Ergonomics/HMI, Fitness for Duty, Work Processes Diagnosis HEP = 0.01 (Base Diagnosis HEP) x 0.02 (PSF Multiplier) = 2x10-4 Action HEP = 0.001 (Base Diagnosis HEP) x 2 (PSF Multiplier) = 2x10-3 Total HEP = 2x10-3 C-5

LER 331-2020-001 Appendix D: Comments and Responses on Preliminary Analysis The NRC provided the licensee (NextEra) the preliminary ASP analysis in accordance with Regulatory Issue Summary 2006-24, Revised Review and Transmittal Process for Accident Sequence Precursor Analyses, (ADAMS Accession No. ML060900007) to formally review the analysis because the preliminary mean CCDP was 1x10-3. In addition, the Office of Nuclear Reactor Regulation (NRR) and Region 3 were solicited to formally comment on the preliminary analysis. The NextEra provided comments on the preliminary ASP analysis on February 9, 2021 (ADAMS Accession No. ML21042A079). All comments from the NextEra, NRR, and Region 3 are provided either verbatim or summarized below. In addition, the Office of Nuclear Regulatory Research (RES) response is provided for the applicable comments.

D.1 Comments not Requiring Response or Change

  • NRR, Section 3.3: We believe increasing the hardware failure rate by a factor of three using insights from INL/EXT-20-58327 was reasonable although potentially non-conservative considering some of the failure rates for certain equipment could be even higher.
  • NRR, Section 3.3: We noted that the analysis credited HPCI during ELAP scenarios, even though most Final Integrated Plans (FIPs) only discuss crediting RCIC only and the SPAR models only credit RCIC. We understand that the decision to credit HPCI averted undue conservatism. The decision to credit HPCI was researched and even informed by thermal-hydraulic analysis. We believe this approach to increase realism of the PRA analysis is a strength.
  • NRR, Section 3.3: We noted that the analysis adjusted the portable FLEX equipment to a 24-hour mission time to estimate FTR probability. While we understand a 72-hour mission time would be overly conservative, would a 24-hour mission time be potentially non-conservative? However, since the analysis has identified failure probabilities of FLEX equipment as a key uncertainty and performed appropriate sensitivity analysis, we do not consider this observation as a substantive comment.
  • NRR, Section 4.1: The use of a mean value rather than a point estimate is acceptable and supported by references such as NUREG-1489, and NUREG-1855.

D.2 Comments Requiring Response or Change

  • Region 3, Executive Summary: The Executive Summary states the following: Although the preliminary mean CCDP of 1x10-3 for this event currently meets the criterion for a significant precursor, the risk to the public remained very low because defense in depth and plant-wide safety margins were maintained. This sentence is simultaneously describing the risk as both high and low. In the interest of clarity and consistency of our message about the high safety significance of this issue, consider changing the wording. One possible alternative would be: the risk of core damage was mitigated because defense in depth and plant-wide safety margins were maintained.

RES Response/Action: The suggested change was implemented in the final report.

  • Region 3, Executive Summary and Section 2.1: Consider deleting the sentence There was no clogging or fouling of safety-related heat exchangers. The heat exchangers were D-1

LER 331-2020-001 not inspected and there is no information as to their condition, other than they worked acceptably during the event which is already discussed in the report.

RES Response/Action: The sentence was deleted in the final report.

  • Region 3, Executive Summary and Section 2.1: Based on the reading of the draft ASP analysis, the challenge to A train of ESW does not appear to be described. Recall that the B train ESW strainer reached 15 psid and required bypassing due to debris loading. The A train strainer reached 11 psid and did not require bypassing but represented a potential challenge or a near miss. This challenge to both trains of ESW is one of the main drivers of the high CCDP and the reason that the LIC-504 effort was started. Consider adding these insights in the Executive Summary and the Event Description that describes how both service water trains were simultaneously affected. This would have the benefit of (a.)

increasing transparency for those reading the ASP analysis and (b) provide a better technical basis for adjustment of the common-cause failure alpha factors described in Section 3.3.

RES Response/Action: A description of the challenge to the train A ESW strainer was added to the Executive Summary and Section 2.1 of the final report.

  • Region 3, Executive Summary and Section 2.1: Considered changing the following sentence: The licensee later determined that damage to the reactor building resulted in the secondary containment being inoperable according to TS due to insufficient vacuum.

Suggested replacement: The licensee later determined that, although damaged, secondary containment remained functional throughout the event and if challenged, would have prevented a radiological release to the environment. However, when tested, the vacuum drawn in secondary containment by the standby gas treatment system was slightly below the very conservative technical specification limit.

RES Response/Action: The suggested change was implemented in the final report.

  • Region 3, Section 2.1: The control rod drive (CRD) pumps were impacted by using the main steam line drains to the condenser for cooldown. The operating CRD pump developed a seal leak. The standby pump was started, and the pump became vapor bound due to the high temperature at the suction of the pump. Consider whether the report should discuss this impact and model as appropriate given that CRD is a BWR alternate injection source for late injection. While this condition would not impact the current dominant sequences, it could impact other LOOP core damage sequences.

RES Response/Action: The degradation of both CRD pumps was modeled explicitly in the analysis and documented in the final report (Section 3.4). Note that this change has a negligible effect on the result because four additional systems (ESW, residual heat removal service water, firewater, and general service water) are credited for late injection during a LOOP.

  • Region 3, Section 2.2: Consider deleting the following sentence: The event was not considered a beyond design basis event. It is not relevant to the risk analysis of the event.

Similarly delete the point about winds being within the limits of a design basis tornado.

RES Response/Action: These two sentences were deleted in the final report.

D-2

LER 331-2020-001

  • Region 3, Section 3.1: Consider deleting the following sentence: The assessment did not identify any loss of the plants three fission product barriers or the key safety functions supporting them. The report accurately captures the plant impacts necessary for modeling the risk significance of the event.

RES Response/Action: The sentence was deleted in the final report.

  • NRR, Section 3.3: We recommend not referring to NEI 16-06 to justify FLEX failure probability multipliers since the screening values provided in NEI 16-06 were generated prior to evaluating any specific FLEX failure rate data. Sufficient explanation and justification of adjusting FLEX hardware reliability was provided with the discussion of INL/EXT-20-58327, which used actual (albeit) limited operating experience.

RES Response/Action: The applicable text, including the corresponding footnote, was deleted in the final report.

  • Region 3, Section 3.3: Consider changing the language to footnote #2. As it is currently written, the sentence is not factually correct. After the Derecho storm had passed the site, the licensee had the capability and flexibility to pre-stage the FLEX equipment. On the day of the event, after the Derecho had passed, the licensee appropriately debated whether to position FLEX emergency diesel generators. One of the two in-plant EDG had been declared inoperable but ultimately the licensee made the decision not to pre-position FLEX equipment. It should not be implied that the licensee was bound by procedural constraints that did not exist.

RES Response/Action: The footnote was revised as After the Derecho storm had passed the site, the licensee had the capability to pre-stage FLEX equipment. However, after discussing this possibility, the decision was made to not move any FLEX equipment.

  • NRR, Section 3.3: We noted that the analysis adjusted the portable FLEX equipment to a 24-hour mission time to estimate FTR probability. While we understand a 72-hour mission time would be overly conservative, would a 24-hour mission time be potentially non-conservative? However, since the analysis has identified failure probabilities of FLEX equipment as a key uncertainty and performed appropriate sensitivity analysis, we do not consider this observation as a substantive comment.

RES Response/Action: We believe that if the applicable FLEX strategies are fulfilling their safety function at 24-hours, we believe that is sufficient to declare safe/stable end state.

  • NRR, Section 3.3: We understand the decision to remove the credit for EDG repair during ELAP scenarios. Our comment would be that this is appropriate to do on a case-by-case basis, it would be useful to show a sensitivity showing how much of an effect this had on the results.

RES Response/Action: A sensitivity case crediting EDG repair for ELAP scenario estimates a mean CCDP 6x10-4 (a decrease of approximately 20 percent). The issue of crediting EDG repair in the base SPAR models could be reconsidered. It is a typical SPAR model practice to not credit strategies not included in the licensee PRAs, yet less than a third of licensee PRAs include credit for EDG repair. In addition, the nonrecovery probabilities are calculated by INL using data extracted from unplanned unavailability times from MSPI (typically normal operations with only a single EDG to troubleshoot). During the D-3

LER 331-2020-001 Level 3 PRA project, industry peer review members questioned the basis for crediting repair of the EDGs, which had been adopted from the SPAR models. Subsequently, it was decided to remove EDG repair from the Level 3 PRA because the staff questioned whether repair data collected under normal conditions is applicable to SBO scenarios where conditions may be different (e.g., reduced lighting, increased stress, staffing constraints) and there would be multiple EDG failures to troubleshoot. Although there could also be factors (e.g., increased priority, elimination of restrictive licensee processes) that reduce the repair time.

  • NextEra, Section 3.4: The preliminary ASP analysis used the timeline that was developed for the LER to note that power was not restored to the safety buses from an offsite power source until twenty-five hours after the LOOP occurred1. However, the Vinton 161-kV line was restored as a power source at 11:26. As the plant was in a safe and stable configuration the ensuing period was taken up with coordinating a deliberate and uninterrupted transfer of power from the EDGs to the offsite power supply. Had an EDG failed at any point after 11:26, offsite power was available to re-energize emergency busses.

Therefore, offsite power was available to be restored to the safety buses approximately 22.6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> after the event started and not 25 hours2.893519e-4 days <br />0.00694 hours <br />4.133598e-5 weeks <br />9.5125e-6 months <br />.

RES Response/Action: Based on this comment and subsequent discussion with Region 3 inspectors, we agree that credit for offsite power recovery at 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> should be provided.

The applicable text in the Analysis Assumptions (Section 3.4) has been revised. This change results in the mean CCDP decreasing from 1x10-3 to 8x10-4.

D.3 Comments Concerning Base SPAR Model Considerations

  • NextEra: The SPAR models utilize generic data out of the NRC Reactor Operating Experience Database. The PWROG recently reviewed the component reliability data and identified that the FTR data used in the SPAR models is potentially over-estimating the probability of diesel failures. The PWROG, when reviewing this data, showed that the rate for diesel generators FTR could be reduced from 1.4x10-3 per hour to 8.4x10-4 per hour.

RES Response/Action: This data issue, along with others previously reported in PWROG-18026-P, Component Reliability Data Issues and Strategies, is currently being reviewed by the NRC and INL. In the interim, INL performed a revised calculation for the EDG FTR rate using data from the 2010-2019 period and consistent with existing Institute of Nuclear Power Operations (INPO) guidance. This calculation resulted in mean failure rate of 1.32x10-3 per hour (103 failures in 82,768 hours0.00889 days <br />0.213 hours <br />0.00127 weeks <br />2.92224e-4 months <br />). Note that the number of run hours from failures to load/run (FTLR) failure mode (i.e., failures to run within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />) is not deducted from the run hours in the FTR failure mode in the above calculation. This revised failure rate is only 13 percent lower than the current EDG FTR rate of 1.52x10-3 per hour. Since this revised rate is within a reasonable uncertainty range of the FTR rate used in the analysis and is not expected to make a significant impact on the overall CCDP, the EDG FTR rate was not changed in the best estimate case.

  • NextEra: The preliminary ASP analysis assumes that core damage would occur without accounting for the specific failure modes that were present in the cut sets. The most significant conservatism was that FTR events (e.g., EDG or RCIC), were assumed to occur at the start of the event (i.e., t = 0). However, this failure mode does not align with the generic SPAR data as an FTR event is noted as occurring after the first hour and up to D-4

LER 331-2020-001 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. Incorporating this time dependence would allow for additional credit for FLEX mitigation strategies.

RES Response/Action: The treatment of FTR events in the SPAR models is consistent with the current state-of-practice. The assumption that failures occur at the start of the event is in part addressed by applying factors related to convolution of EDG FTR events.

However, this convolution credit does not meaningfully affect the analysis for this event largely due to the long time (~23 hours) until offsite power could be recovered. It is recognized that this treatment is conservative, but the proper treatment of FTR failure would likely require aspects of dynamic PRA, which is beyond the scope of this analysis.

  • NRR, Section 3.3: We agree with the basis to eliminate the 72-hour AC power recovery requirement since that assumption introduces an unnecessary conservatism. This raises an issue in the opinion of at least this analyst that we should follow-up on. Should we consider eliminating this conservatism from SPAR models to enhance their accuracy after further discussions among cognizant stakeholders (NRR\DRA, RES\DRA, SRAs, and INL staff)?

RES Response/Action: This issue will be discussed with internal stakeholders to determine if there is a consensus opinion to eliminate the 72-hour AC power recovery requirement in all SPAR models.

  • Region 3, Section 3.3: HPCI credit during ELAP and SBO-ELAP event tree changes to query containment venting if reactor depressurization fails. If these model changes are applied for this event, they should be made to other BWR SPAR models.

RES Response/Action: RES will consider similar SPAR model modifications to applicable plants, as appropriate.

D-5

Retrieved from "https://kanterella.com/w/index.php?title=ML21056A382&oldid=3413903"