LER 263/2008-005, Monticello, Partial Loss of Offsite Power Event with HPCI High Level Instrument Trip Failures

ML092380380
Person / Time
Site:	Monticello
Issue date:	09/03/2009
From:	Office of Nuclear Regulatory Research
To:
Hunter C, 251-7575 RES/DRA
Shared Package
ML092380378	List: ML092380380
References
LER 263/2008-005
Download: ML092380380 (12)
v • d • e

Text

Final Precursor Analysis Accident Sequence Precursor Program - Office of Nuclear Regulatory Research Partial Loss Of Offsite Power Event With HPCI High Level Monticello Instrument Trip Failures Event Date: 09/11/2008 LER: 263/2008-005 CCDP = 1x10-5 EVENT

SUMMARY

Event Description. On September 11, 2008, Monticello Nuclear Generating Plant experienced a line fault on the supply line to the 2R Transformer. The 1R Transformer was out-of-service for planned maintenance when the event started. With both the 1R and 2R Transformers unavailable, the offsite electrical power supply to the non-safety buses was lost, resulting in a reactor scram with loss of the normal heat sink. The unit also experienced Group 1, 2 and 3 isolations of containment and the reactor pressure vessel. The 1AR Transformer remained available and the safety buses automatically transferred to that source as designed. Both emergency diesel generators (EDGs) started and were running, but did not load as offsite power was available to the safety buses.

Since the normal heat sink was lost as a result of main steam isolation valve (MSIV) closure and loss of electrical power to support equipment, operators used the reactor core isolation cooling system (RCIC),

the high pressure coolant injection (HPCI), the safety relief valves (SRVs) and the torus cooling system for pressure and level control. The licensee decided to place the plant in Mode 4 (Cold Shutdown) pending assessment of the transient. Subsequently, the licensee restored the 1R Transformer and returned power to the non-safety buses.

The licensee documented their event details in Reference 1. NRC conducted a special inspection of the event; inspection findings are documented in Reference 2.

Cause. The root cause of the event was the A and B phase conductors supplying power to the 2R Transformer faulted to ground, resulting in the 34.5 kV breaker opening as designed to protect equipment from fault current damage. The opening of the 34.5 kV Breaker with the 1R Transformer out of service resulted in a loss of normal offsite power and a reactor scram. Due to the destruction of the failed insulation (splice and cable), the exact failure mechanism was not determined.

Additional Event Details. The HPCI turbine failed to trip at the +48 inch reactor vessel level signal.

Operators manually isolated the steam line for the turbine. HPCI was declared inoperable. An investigation determined the failure of the HPCI to trip was due to three effects: (1) the trip solenoid valve had been misassembled, (2) no periodic maintenance on the valve, and a battery voltage well above the minimum required, but slightly below the normally observed voltage.

In addition, Division I of Residual Heat Removal Service Water (RHRSW) was out of service for maintenance at the onset of the reactor trip and during event recovery.

Recovery Opportunities. The licensee determined that recovery of the 1R Transformer was possible within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> (Reference 1).

LER 263/08-005 Analysis Rules. The ASP program uses Significance Determination Process (SDP) results for degraded conditions when available. However, the ASP program performs independent initiating event analysis when an initiator occurs and a condition analysis when there are no performance deficiencies identified for a particular event. In addition, the ASP program analyzes separate degraded conditions that were present during the same period and similar degraded conditions on an individual system or component that had different performance deficiencies.

Five GREEN findings have been identified for this event and are described in Reference 2. Therefore, this analysis focuses solely on the risk of the reactor trip and loss of offsite power to the non-safety buses that occurred.

ANALYSIS RESULTS Conditional Core Damage Probability. The point estimate conditional core damage probability (CCDP) value for this event is 1.4x10-6. The results of an uncertainty assessment on the event CCDP are summarized below.

5% Mean 95%

-6 -5 CCDP 1.9x10 1.4x10 4.5x10-5 The Accident Sequence Precursor Program acceptance threshold is a CCDP of 1x10-6 or the CCDP equivalent of an uncomplicated reactor trip with a non-recoverable loss of secondary plant systems (e.g., feed water and condensate), whichever is greater. This CCDP equivalent for Monticello is 2x10-6.

Dominant Sequence. The dominant accident sequence, Loss of Condenser Heat Sink (LOCHS)

Sequence 62 (CCDP = 1.1x10-5) contributes 78.6% of the total internal events CCDP. Additional sequences that contribute at least 1% of the total internal events CCDP are provided in Appendix A (GEM Worksheet).

The dominant sequence is shown graphically in Figure B-1 (Appendix B). The events and important component failures in LOCHS Sequence 62 are:

LOCHS occurs due to loss of offsite power to the non-safety buses, reactor scram succeeds, SRVs successfully close (if opened),

main feedwater fails, high-pressure injection (HPCI/RCIC) fails, manual reactor depressurization succeeds, condensate injection fails, low-pressure injection (LPCI/CS) fails, and alternate low-pressure injection fails.

LER 263/08-005 GEM Worksheet. The GEM analysis worksheet contained in Appendix A provides the following:

Modified basic events and initiating event frequencies, including base and change case probabilities/frequencies.

Dominant sequences (including CCDPs).

Sequence logic for all dominant sequences.

Fault tree definitions.

Sequence cutsets.

Definitions and probabilities for key basic events.

MODELING ASSUMPTIONS Analysis Type. The Revision 3-Plus (Change 3.45) of the Monticello Standardized Plant Analysis Risk (SPAR) model (Reference 3) created in June 2008 was used for this event analysis. This event was modeled as a loss of condenser heat sink initiating event with the unavailability of offsite power to the non-safety buses.

Unique Design Features. Monticello has the following unique design features that are pertinent to this event assessment:

Reserve Auxiliary Transformer 1AR. Auxiliary power is supplied by the Station Auxiliary Transformer 2R during normal power operation. However, provisions are made for an automatic, fast transfer of the auxiliary load to the Reserve Transformer 1R. In the event Reserve Transformer 1R is unable to accept load, the essential buses are automatically transferred to the Reserve Auxiliary Transformer 1AR. Reserve Auxiliary Transformer 1AR is sized to provide only the plants essential 4160 V buses and connected loads.

Control Rod Drive System. Modifications made to the control rod drive (CRD) return flow required analysis and testing to ensure this source of high-pressure water flow was not reduced below a water boil-off rate due to decay heat generation 40 minutes following shutdown from rated power and the maximum leakage rate from the primary system. The analysis was redone using up-to-date thermal power and decay heat curve. This analysis indicates that a flow rate of 100.9 gpm is required to maintain the water level above the top of the active fuel. Additional flow to the vessel can be obtained by opening the two outboard isolation valves to the reactor water cleanup return line. In this mode of operation, one CRD pump can be used to add as much as 150 gpm to reactor vessel.

Modeling Assumptions. The following modeling assumptions were determined to be vital to this event analysis:

Loss of Condenser Heat Sink Initiating Event. This analysis models the September 11, 2008 reactor scram at Monticello as a loss of condenser heat sink initiating event. A loss of offsite power to the non-safety buses resulted in the unavailability of the feedwater, condensate, recirculation, and circulating water systems. In addition, the unavailability of both the 1R and 2R Transformers caused a Group 1 isolation (i.e., the MSIVs automatically closed).

LER 263/08-005 Power Recovery to Non-Safety Bus. Offsite power recovery to a non-safety bus was possible six hours after the initiating event occurred. To reenergize a non-safety bus, Reserve Transformer 1R would need to be placed back into service from the ongoing maintenance activity. In this analysis, time for recovery is assumed to be available if high-pressure injection (HPCI/RCIC) is successful.

Failure of HPCI/RCIC High Reactor Vessel Level Trip. The high reactor vessel level automatic trip for HPCI/RCIC failed during event recovery. Operator action was required to prevent over-filling the reactor vessel and prevent the unavailability and potential damage to RCIC and HPCI turbine-driven pumps.

Division I RHRSW Unavailable. Division I of RHRSW was unavailable due to maintenance and was assumed to be non-recoverable during the event.

Fault Tree Modifications. The following fault tree modifications were necessary to perform this event analysis:

Condensate. The condensate pumps fault tree (CDS-PMPS) was modified to account for initial loss of the condensate system (i.e., it balance-of-plant function) due to the loss of power to the non-safety buses. However, if HPCI and/or RCIC were initially available, condensate could be available later. The AND Gate CDS-LOOP1 and the subsequent logic (including basic event (OPR-XHE-XL-NONVITAL) were added to model the initial loss of condensate and the potential recovery of the low-pressure injection function of the condensate system. See Figure C-1 (Appendix C) for modified CDS-PMPS fault tree.

HPCI and RCIC. The basic event TDP-XHE-XL-LEVEL was added to the HPCI and RCIC turbine-driven pump faults trees to account for the required operator action to secure the pumps due to the failure of the automatic high reactor vessel level trip. See Figure C-2 (HCI-TDP) and Figure C-3 (RCI-TDP) in Appendix C for the modified HPCI and RCIC fault trees.

Basic Event Probability Changes. The following initiating event frequencies and basic event probabilities were modified for this event analysis:

IE-LOCHS set to 1.0. The loss of condenser heat sink (LOCHS) initiating event frequency was set 1.0 to represent the operational event that occurred at Monticello on September 11, 2008.

All other initiating events frequencies were set to zero.

LOOP-NONVITAL was set to TRUE. This event was set to TRUE because Monticello experienced a loss of offsite power to the non-safety buses during the event.

OPR-XHE-XL-NONVITAL. This event represents the probability of operators failing to restore power to a non-safety bus given successful high-pressure injection (HPCI/RCIC). This event was evaluated using the SPAR-H Method (Reference 4). It was determined that this human failure event required diagnostic activity. All diagnostic performance shaping factors were determined to be nominal; therefore, the failure probability was calculated as 1.0x10-2.

RSW-MDP-TM-TRNA and RSW-MDP-TM-TRNC were set to TRUE. These basic events were set to TRUE because Division I RHRSW was unavailable due to maintenance

LER 263/08-005 TDP-XHE-XL-LEVEL was set to 1.0x10-2. This event represents the probability of operators failing to terminate HPCI/RCIC flow prior to overfilling the reactor vessel into the steam piping and potentially damaging the pumps. This event was evaluated using the SPAR-H Method (Reference 4). It was determined that this human failure event required diagnostic activity. All diagnostic performance shaping factors were determined to be nominal; therefore, the failure probability was calculated as 1.0x10-2.

REFERENCES

1. Xcel Energy, LER 263-2008-005, Rev. 0, Reactor Scram due to Loss of Normal Offsite Power, Event Date of September 11, 2008, dated November 07, 2008.

2. U.S. Nuclear Regulatory Commission, Monticello Nuclear Generating Plant Special Inspection Report 05000263/2008009, dated December 16, 2008.

3. Idaho National Laboratory, Standardized Plant Analysis Risk Model for Monticello, Revision 3.45, dated June 2008.

4. Idaho National Laboratory, NUREG/CR-6883: The SPAR-H Human Reliability Analysis Method, dated August 2005.

5. U.S. Nuclear Regulatory Commission, RASP Handbook: Internal Events, Revision 1.01, dated January 2008.

LER 263/08-005 APPENDIX A GEM WORKSHEET SAPHIRE Code Version: 7.27.0.41 SPAR Model Version: Monticello 3.45 (June 2008)

Analysis Type: Initiating Event Assessment Event

Description:

Loss of Condenser Heat Sink (LOCHS) With Loss of Offsite Power to the Non-Safety Buses.

Total CCDP: 1.4E-5 (Point Estimate & Mean)

Basic Event Changes Base Current Event Name Description Probability Probability IE-IORV Inadvertent Open Relief Valve 2.0E-002 0.0E+000 IE-ISL-RHR ISLOCA (2-MOV RHR Interface) 4.0E-006 0.0E+000 IE-LLOCA Large LOCA 1.0E-005 0.0E+000 IE-LOACB-A Loss of Vital Bus A 4.5E-003 0.0E+000 IE-LOACB-B Loss of Vital Bus B 4.5E-003 0.0E+000 IE-LOCHS Loss of Condenser Heat Sink 2.0E-001 1.0E+000 IE-LODCB-A Loss of Vital DC Bus A 6.0E-004 0.0E+000 IE-LODCB-B Loss of Vital DC Bus B 6.0E-004 0.0E+000 IE-LOIAS Loss of Instrument Air 1.0E-002 0.0E+000 IE-LOMFW Loss of Feedwater 1.0E-001 0.0E+000 IE-LOOP Loss of Service Water 4.0E-004 0.0E+000 IE-MANSD Manual Shutdown 1.7E+000 0.0E+000 IE-MLOCA Medium LOCA 1.0E-004 0.0E+000 IE-SLOCA Small LOCA 6.0E-004 0.0E+000 IE-TRANS General Plant Transient 8.0E-001 0.0E+000 IE-XLOCA Excessive LOCA (Vessel Rupture) 1.0E-007 0.0E+000 LOOP-NONVITAL Loss of Offsite Power to Non-Safety Buses 0.0E+000 TRUE OPR-XHE-XL-NONVITAL Operator Fails to Restore Power to a Non-Safety Bus IGNORE 1.0E-002 RSW-MDP-TM-TRNA RHRSW Train A Is Unavailable Due to Maintenance 0.0E+000 TRUE RSW-MDP-TM-TRNC RHRSW Train C Is Unavailable Due to Maintenance 0.0E+000 TRUE TDP-XHE-XL-LEVEL Operator Fails To Secure TDPs Prior to Water Induction 0.0E+000 1.0E-002 Dominant Sequences Event Tree Sequence CCDP  % Contribution LOCHS 62 1.1E-005 78.6 LOCHS 19 1.8E-006 12.9 LOCHS 39 3.9E-007 2.8 LOCHS 69 3.1E-007 2.2 Sequence Logic Event Tree Sequence Logic LOCHS 62 /RPS /SRV MFW HPI /DEP CDS LPI VA LOCHS 19 /RPS /SRV MFW /HPI SPC /DEP /CDS SDC CSS PCSR CVS LI01 LOCHS 39 /RPS /SRV MFW /HPI SPC DEP CRD LOCHS 69 /RPS /SRV MFW HPI DEP CRD A-1

LER 263/08-005 Fault Tree Descriptions Fault Tree Description CDS Condensate CRD CRD Injection (2 Pumps)

CSS Containment Spray CVS Containment Venting DEP Manual Reactor Depress HPI High Pressure Injection (RCIC or HPCI)

LI01 Monticello Late Injection Fails LPI Low Pressure Injection (CS or LPCI)

MFW Main Feedwater PCSR Power Conversion System Recovery RPS Reactor Shutdown SDC Shutdown Cooling SPC Suppression Pool Cooling SRV SRVs Close VA Alternate Low Press Injection Sequence Cutsets Sequence: LOCHS 62 CCDP: 1.1E-005 CCDP  % Cutset Cutset Events 1.0E-005 88.45 LPI-XHE-XO-LVLCTL TDP-XHE-XL-LEVEL 1.8E-007 1.59 HCI-MOV-CC-IVFRO HCI-MULTIPLE-INJECT HCI-XHE-XL-INJECT LPI-XHE-XO-LVLCTL RCI-TDP-TM-TRAIN 1.3E-007 1.11 HCI-MOV-CC-IVFRO HCI-MULTIPLE-INJECT HCI-XHE-XL-INJECT LPI-XHE-XO-LVLCTL RCI-TDP-FS-TRAIN 8.4E-008 0.74 LPI-XHE-XO-LVLCTL HCI-TDP-TM-TRAIN RCI-TDP-FS-TRAIN 7.4E-008 0.65 HCI-MOV-CC-IVFRO HCI-MULTIPLE-INJECT HCI-XHE-XL-INJECT LPI-XHE-XO-LVLCTL RCI-TDP-FR-TRAIN 7.0E-008 0.62 LPI-XHE-XO-LVLCTL RCI-TDP-TM-TRAIN HCI-TDP-FS-TRAIN Sequence: LOCHS 19 CCDP: 1.8E-006 CCDP  % Cutset Cutset Events 1.0E-006 55.96 RHR-XHE-XO-CHR 5.5E-007 30.78 CVS-XHE-XM-RVENT PCS-XHE-XL-LTLCHS CFAILED OPR-XHE-XE-IDSHED CFAILED1 1.3E-007 7.39 HCI-MOV-CC-IVFRO CVS-XHE-XM-RVENT HCI-XHE-XL-INJECT PCS-XHE-XL-LTLCHS OPR-XHE-XE-IDSHED CFAILED1 Sequence: LOCHS 39 CCDP: 3.9E-007 CCDP  % Cutset Cutset Events 1.1E-007 28.41 OPR-XHE-XM-INJEC OPR-XHE-XE-IDSHED 6.1E-008 15.63 ADS-XHE-XM-MDEPR OPR-XHE-XE-IDSHED CRD-XHE-XM-BRKRS 4.4E-008 11.36 ADS-XHE-XM-MDEPR CRD-MDP-TM-TRNA OPR-XHE-XE-IDSHED 4.4E-008 11.36 ADS-XHE-XM-MDEPR CRD-MDP-TM-TRNB OPR-XHE-XE-IDSHED 2.0E-008 5.16 SPC-MOV-CC-LOOPB OPR-XHE-XM-INJEC 1.1E-008 2.84 ADS-XHE-XM-MDEPR CRD-MDP-FS-TRNB OPR-XHE-XE-IDSHED A-2

LER 263/08-005 Sequence: LOCHS 69 CCDP: 3.1E-007 CCDP  % Cutset Cutset Events 1.0E-007 31.97 OPR-XHE-XM-INJEC TDP-XHE-XL-LEVEL 5.5E-008 17.58 ADS-XHE-XM-MDEPR TDP-XHE-XL-LEVEL CRD-XHE-XM-BRKRS 4.0E-008 12.79 ADS-XHE-XM-MDEPR CRD-MDP-TM-TRNB TDP-XHE-XL-LEVEL 4.0E-008 12.79 ADS-XHE-XM-MDEPR CRD-MDP-TM-TRNA TDP-XHE-XL-LEVEL 1.0E-008 3.20 ADS-XHE-XM-MDEPR CRD-MDP-FS-TRNA TDP-XHE-XL-LEVEL 1.0E-008 3.20 ADS-XHE-XM-MDEPR CRD-MDP-FS-TRNB TDP-XHE-XL-LEVEL 1.0E-008 3.20 ESF-ACT-FC-LEVEL OPR-XHE-XM-INJEC 5.0E-009 1.60 ADS-XHE-XM-MDEPR RBC-MOV-OO-ISOL TDP-XHE-XL-LEVEL 5.0E-009 1.60 ADS-XHE-XM-MDEPR TDP-XHE-XL-LEVEL CRD-XHE-XM-PUMP Basic Events (Cutsets Only)

Current Event Name Description Probability ACP-BAC-LP-DII Division II AC Power Buses Fail 9.6E-006 ADS-XHE-XM-MDEPR Operator Fails To Depressurize the Reactor 5.0E-004 CFAILED Containment Failure Causes Loss of All Low-Pressure Injection 5.0E-001 CFAILED1 Containment Failure Causes Loss of CRD/FW Injection 1.0E-001 CRD-MDP-FS-TRNA CRD Pump P-201A Fails To Start 2.0E-003 CRD-MDP-FS-TRNB CRD Pump P-201B Fails To Start 2.0E-003 CRD-MDP-TM-TRNA CRD Train A Is Unavailable Because Of Maintenance 8.0E-003 CRD-MDP-TM-TRNB CRD Train B Is Unavailable Because Of Maintenance 8.0E-003 CRD-XHE-XM-BRKRS Operator Fails To Close CRD-RBCW Breakers 1.1E-002 CRD-XHE-XM-PUMP Operator Fails To Start the Standby CRD Pump 1.0E-003 CVS-XHE-XM-RVENT Operator Fails To Vent Containment (Remote Operation) 1.0E-003 DCP-BAT-LP-BATTB Division II Battery Fails 4.8E-005 DCP-XHE-XL-BRKRS Operator Fails To Close DC Powered Breakers Locally 3.4E-001 ESF-ACT-FC-LEVEL ESF Actuation Fails 1.0E-003 HCI-MOV-CC-IVFRO HPCI Injection Valve (MOV HPCI-2061) Fails To Reopen 1.5E-001 HCI-MULTIPLE-INJECT Probability of Multiple HPCI Injections 1.5E-001 HCI-TDP-FS-TRAIN HPCI Pump P-209 Fails To Start 7.0E-003 HCI-TDP-TM-TRAIN HPCI Train Is Unavailable Because Of Maintenance 1.2E-002 HCI-XHE-XL-INJECT Operator Fails To Recover HPCI Injection Valve Reopening 8.0E-001 LPI-XHE-XO-LVLCTL Operator Fails to Control Level Using Low-Pressure Injection 1.0E-003 OPR-XHE-XE-IDSHED Operator Fails To Identify Load Shedding As Cause of Failure 1.1E-002 OPR-XHE-XM-INJEC Operator Fails To Detect Need for Injection within 45 Minutes 1.0E-005 PCS-XHE-XL-LTLCHS Operator Fails To Recover the PCS in the Long Term 1.0E+000 RBC-MOV-OO-ISOl RBCCW Isolation Valve Fails To Close 1.0E-003 RCI-TDP-FR-TRAIN RCIC Pump P-207 Fails To Run Given That It Started 4.1E-003 RCI-TDP-FS-TRAIN RCIC Pump P-207 Fails To Start 7.0E-003 RCI-TDP-TM-TRAIN RCIC Pump Train Is Unavailable Because Of Maintenance 1.0E-002 RHR-XHE-XO-CHR Operator Fails To Start/Control RHR (Dependent Event) 1.0E-006 RHR-XHE-XO-ERROR Operator Fails To Start/Control RHR 5.0E-004 SPC-MOV-CC-LOOPB SPC Injection Valves LPCI-2007 and LPCI-2009 Fail To Open 2.0E-003 TDP-XHE-XL-LEVEL Operator Fails To Secure Pumps Prior To Water 1.0E-002 A-3

LER 263/08-005 APPENDIX B EVENT TREE WITH DOMINANT SEQUENCE HIGHLIGHTED LOSS OF REACTOR SRV'S FEEDWATER HIGH SUPPRESSION MANUAL CRD CONDENSATE LOW ALTERNATE SUPPRESSION MANUAL SHUTDOWN CONTAINMENT POWER CONTAINMENT LATE CONDENSER SHUTDOWN CLOSE PRESSURE POOL REACTOR INJECTION PRESSURE LOW PRESS POOL REACTOR COOLING SPRAY CONVERSION VENTING INJECTION HEAT SINK INJECTION COOLING DEPRESS (2 PUMPS) INJECTION INJECTION COOLING DEPRESS SYSTEM (RCIC or HPCI) (EARLY) (CS or LPCI) RECOVERY IE-LOCHS RPS SRV MFW HPI SPC DEP CRD CDS LPI VA SPC DEP SDC CSS PCSR CVS LI # END-STATE 2 OK 3 OK 4 OK 5 OK 6 OK 7 CD 8 OK 9 OK 10 OK 11 OK LI01 12 CD 13 OK 14 OK 15 OK 16 OK 17 OK 18 OK LI01 19 CD 20 OK 21 OK 22 OK 23 OK 24 CD 25 OK LI01 26 CD 27 OK 28 OK SD1 29 OK CS1 30 OK 31 OK LI01 32 CD 33 CD 34 OK 35 OK 36 OK 37 OK LI01 38 CD 39 CD 40 OK 41 OK 42 OK 43 OK 44 OK 45 OK LI01 46 CD 47 OK 48 OK 49 OK 50 OK 51 OK 52 CD 53 OK LI01 54 CD 55 OK 56 OK SP1 57 OK SD1 58 OK CS1 59 OK 60 OK LI01 61 CD 62 CD 63 OK 64 OK 65 OK 66 OK 67 OK LI01 68 CD 69 CD P1 70 T 1SORV 71 T ATWS Figure B-1: Loss of Condenser Heat Sink Event Tree (w/ Dominant Sequence Highlighted).

B-1

LER 263/08-005 APPENDIX C MODIFIED FAULT TREES CONDENSATE PUMP TRAINS ARE UNAVAILABLE CDS-PMPS CONDENSATE PUMPS CONDENSATE PUMPS NO POWER TO CONDENSATE PUMP FAIL FROM COMMON FAIL FROM COMMON CONDENSATE PUMPS TRAINS FAIL CAUSE TO RUN CAUSE TO START 2.136E-6 8.620E-5 CDS-MDP-CF-RUN CDS-MDP-CF-START CDP-LOOP CDS-PMPS-1 LOSS OF OFFSITE RECOVERY OF CDS PUMP A FAILS CDS PUMP B FAILS POWER TO NON-SAFETY OFFSITE POWER BUSES HAS OCCURRED TO NONVITAL BUSES IN A TIMELY MANNER TRUE LOOP-NONVITAL CDS-LOOP1 CDS-PMPS-2 CDS-PMPS-3 OPERATOR RESTORES CDS train A FAILURE OF HPCI/RCIC CONDENSATE PUMP CDS PUMP A FAILS CONDENSATE PUMP CDS PUMP B FAILS POWER TO NONVITAL fails due to PRECLUDES CREDIT P-1A FAILS TO TO START P-1B FAILS TO TO START BUS initiating event FOR CDS RECOVERY RUN RUN (default value is FALSE) 1.000E-2 FALSE 1.200E-4 2.000E-3 1.200E-4 2.000E-3 OPR-XHE-XL-NONVITAL CDS-LOOP2 CDS-MDP-A-IE-FA CDS-MDP-FR-PUMPA CDS-MDP-FS-PUMPA CDS-MDP-FR-PUMPB CDS-MDP-FS-PUMPB HPCI FAILS TO RCIC FAILS TO PROVIDE SUFFICIENT PROVIDE SUFFICIENT FLOW TO RX VESSEL FLOW TO REACTOR HCI RCI Figure C-1: Modified CDS-PMPS Fault Tree.

C-1

LER 263/08-005 HPCI PUMP TRAIN IS UNAVAILABLE HCI-TDP HPCI INJECTION HPCI INJECTION HPCI TRAIN IS OPERATOR FAILS TO HPCI INJECTION HPCI FAILS TO HPCI FAILS TO CHECK VALVE HPCI-18 VALVE (HPCI-2067) UNAVAILABLE BECAUSE SECURE TDPs PRIOR TO VALVE FAILS TO START RUN FAILS TO OPEN CAUSES FAILURE OF MAINTENANCE WATER INDUCTION REOPEN TO START 1.200E-5 1.000E-3 1.200E-2 1.000E-2 HCI-CKV-CC-18 HCI-MOV-CC-INJEC HCI-TDP-TM-TRAIN TDP-XHE-XL-LEVEL HCI-TDP-1 HCI-TDP-2 HCI-TDP-3 OPERATOR FAILS HPCI PUMP P-209 OPERATOR FAILS HPCI INJECTION PROBABILITY OPERATOR FAILS HPCI PUMP P-209 TO RECOVER HPCI FAILS TO RUN TO RECOVER HPCI VALVE (MOV HPCI-2061) OF MULTIPLE HPCI TO RECOVER HPCI FAILS TO START FAILURE TO START GIVEN IT STARTED FAILURE TO RUN FAILS TO REOPEN INJECTIONS INJECTION VALVE REOPENING 7.000E-3 TRUE 4.102E-3 TRUE 1.500E-1 1.500E-1 8.000E-1 HCI-TDP-FS-TRAIN HCI-XHE-XL-START HCI-TDP-FR-TRAIN HCI-XHE-XL-RUN HCI-MOV-CC-IVFRO HCI-MULTIPLE-INJECT HCI-XHE-XL-INJECT Figure C-2: Modified HCI-TDP Fault Tree.

C-2

LER 263/08-005 RCIC RCI-TDP RCIC INJECTION RCIC INJECTION RCIC INJECTION RCIC PUMP TRAIN OPERATOR FAILS TO RCIC FAILS TO RCIC PUMP FAILS RCIC PUMP FAILS RESTART OF RCIC CKV 22 FAILS MOV RCIC-2106 MOV RCIC-2107 IS UNAVAILABLE SECURE TDPs PRIOR TO TRANSFER DURING TO START TO RUN FAILS IF REQUIRED TO OPEN FAILS TO OPEN FAILS TO OPEN BECAUSE OF MAINTENANCE WATER INDUCTION RECIRCULATION 1.200E-5 1.000E-3 1.000E-3 1.000E-2 1.000E-2 RCI-CKV-CC-22 RCI-MOV-CC-2106 RCI-MOV-CC-2107 RCI-TDP-TM-TRAIN TDP-XHE-XL-LEVEL RCI-TDP-1 RCI-TDP-2 RCI-TDP-3 RCI-TDP-4 OPERATOR FAILS RCIC PUMP P-207 OPERATOR FAILS RCIC FAILS TO OPERATOR FAILS RCIC FAILS TO OPERATOR FAILS RCIC PUMP P-207 RESTART OF RCIC TO RECOVER RCIC FAILS TO RUN TO RECOVER RCIC RESTART GIVEN TO RECOVER RCIC TRANSFER DURING TO RECOVER SUCTN FAILS TO START IS REQUIRED FAILURE TO START GIVEN THAT IT FAILURE TO RUN START AND SHORT-TERM FAILURE TO RESTART RECIRCULATION XFER FAILURE STARTED RUN 7.000E-3 TRUE 4.102E-3 TRUE 1.500E-1 8.000E-2 2.500E-1 7.968E-3 2.500E-1 RCI-TDP-FS-TRAIN RCI-XHE-XL-START RCI-TDP-FR-TRAIN RCI-XHE-XL-RUN RCI-RESTART RCI-TDP-FS-RSTRT RCI-XHE-XL-RSTRT RCI-MOV-FC-XFER RCI-XHE-XL-XFER Figure C-3: Modified RCI-TDP Fault Tree.

C-3