ML062710038
ML062710038 | |
Person / Time | |
---|---|
Site: | River Bend |
Issue date: | 05/16/2006 |
From: | Demoss G NRC/RES/DRASP/DDOERA/OEGI |
To: | |
References | |
LER-04-005-01 | |
Download: ML062710038 (36) | |
Text
1 For the initiating event assessment, the parameter of interest is the measure of the CCDP. This is the value obtainedwhen calculating the probability of core damage for an initiating event with subsequent failure of one or more components followingthe initiating event. The value reported here is the mean value.
1Final Precursor AnalysisAccident Sequence Precursor Program -- Office of Nuclear Regulatory ResearchRiver Bend StationAutomatic Reactor Trip Due to Loss of Non-Vital 120VInstrument BusEvent Date 12/10/2004LER: 458/04-005-01 CCDP 1 =2.7 x 10
-5May 16, 2006Event Summary On December 10, 2004, at 1:17p.m. CST, with the unit operating at 100% power, a capacitorshorted on the static switch control board of the non-safety-related ELGAR (ModelUPS-503-1-102) static inverter BYS-INV01B (See Figure 1). As a result, power was lost to 120V Instrument Bus VBN-PNL01B1 (References 1, 2). This resulted in: a loss of control power to the feedwater regulating valves, and a downshift in the speed setting for the B Reactor Recirculation pump, as well as a loss of indication to several instruments powered by the Instrument Bus. The loss of control power to the feedwater regulating valves resulted in them "locking-up" in place. This resulted in an overfeed condition and the additional cold water caused in increase in thermal neutron power. The lowering recirculation system flow causedthe Average Power Rate Meter (APRM) power-to-flow setpoint to lower. The reactor then automatically tripped on high APRM power level.With the main feedwater regulating valves locked-up in their full power position, excessfeedwater was delivered to the reactor pressure vessel (RPV) causing a high level in the RPV.
This resulted in an automatic high RPV water level trip of the running feedwater pumps (Reference 2). In response to this, operators initiated Reactor Core Isolation Cooling (RCIC) to maintain post-trip reactor water level, which should have lowered rapidly had the feedwaterregulating valves not been locked up in the 100% flow position before the feedwater pumpstripped. Immediately after RCIC was initiated, it shut down approximately 11 seconds later andthe RCIC turbine steam supply valve closed as designed in response to the high RPV level trip signal. The operators then prepared to re-initiate RCIC once the high level trip cleared as the reactor continued to generate steam through the main turbine bypass valves to the main condenser. While the RCIC was idle, an alarm actuated indicating presence of water in the RCIC turbine exhaust line drain trap.Wide range reactor water level recorders B21-R623A and B21-R623B digital indicationscontinued to rise above the top of scale +60 inches. The indication stopped rising at +150 inches. The operators questioned further use of RCIC for water level control because they were concerned that the main steam lines might be filled with water. The main steam linesleave the RPV at approximately +95 inches. The operators discussed an operating experience event during which operators at another plant started RCIC with water in the steam line. In that LER 458/04-005-01 2instance, the turbine tripped on overspeed and required local action to reset the turbine trip.Also, complicating the operators' decision making process was the loss of the only valid indication of reactor water level: the upset range indicator, which was directly lost due to the loss of 120V Instrument Bus VBN-PNL01B1 and the unexpected RCIC alarms. This resulted ina situation in which there were totally contradictory level indications presented to the operatorsfrom the main control board.As a result, when the RPV level returned on-scale on the wide range and narrow range reactorwater level instruments, the operators used the High Pressure Core Spray (HPCS) for reactor water level control. This complicated the operators' response to the event, since HPCS draws water from condensate storage and adds water to the suppression pool when it is not used to add water to the RPV. As a result, the operators had to start the RHR system in thesuppression pool cooling to facilitate rejecting water from the suppression pool to radwaste tomaintain suppression pool level below high level action points.The 120V Instrument Bus VBN-PNL01B1 was shifted to an alternate power source by placingthe UPS in the manual bypass mode (See Figure 1). The feedwater regulating system wasrestored to service at approximately 4:57 p.m. CST on the same day, and the HPCS was secured and returned to its normal standby configuration.Analysis Results
!Conditional Core Damage Probability (CCDP)This event was modeled as a general plant transient with additional failures caused by the lossof 120V Non-Vital Instrument Power. The additional failures included: loss of ability toautomatically regulate feedwater flow (which caused a high RPV water level condition and led to tripping of all running feedwater pumps and the RCIC) and the loss of several RPV level indications on the main control board which complicated the operators' response to the event.The CCDP for this event was calculated as 2.7 x10
-5 (point estimate). An uncertainty analysiswas performed to assess the effects of parameter uncertainties. The results of the uncertainty analysis are summarized below.
CCDP5%Mean95%River Bend Station3.5 x 10
-6 2.7 x 10-5 9.1 x 10-5!Dominant SequencesAppendix A provides the event tree models used in this analysis. The actual event sequence ofthe December 10, 2004 event is similar to Sequence 10, shown in Figure A-1 of Appendix A. If additional system or component failures had occurred, a core damage sequence could occur.
LER 458/04-005-01 3There is one dominant accident sequence (See Table 1) which accounts for 99% of the totalCCDP. All other accident sequences account for less than 1% of the total CCDP.The dominant sequence involves a transient shutdown followed by the failure of all highpressure makeup systems (main feedwater, HPCS, RCIC), and then a failure to manuallydepressurize the RPV and go on to low pressure makeup systems.
!Results Tables SThe conditional probabilities for the dominant sequences are shown in Table 1.
SThe event tree sequence logic for the dominant sequences are presented in Table 2a.
STable 2b defines the nomenclature used in Table 2a.
SThe most important cut sets for the dominant sequences are listed in Table 3a and 3b.
SDefinitions and probabilities for modified or dominant basic events are provided inTable 4.Modeling Assumptions
!Analysis TypeThe event was analyzed as an event analysis using the River Bend SPAR Model Revision 3.12(Reference 3). Revision 3.12 is an updated SPAR model prepared by INEL in response to a request to separate the feedwater and main condenser functions in the event tree model.
!Unique Design FeaturesRiver Bend is a General Electric BWR-6, with a Mark III containment. It differs in design fromGrand Gulf in the following areas: (a) the main feedwater pumps are electric motor driven pumps which can provide makeup to the RPV without a supply of steam, and (b) there is no capability for containment venting as a means of decay heat removal.
!Modeling Assumptions SummaryKey modeling assumptions. The key modeling assumptions are listed below and discussedin detail in the following sections. These assumptions are important contributors to the overallrisk.*Loss of 120V Instrument Bus VBN-PNL01B1 resulted in an event which canbe simulated as a general transient event, requiring reactor trip, continued RPV makeup to match boil-off, and pressure control/decay heat removal.
In order to properly simulate the event sequence, basic event IE-TRANS is setTRUE, and all other initiating events are set FALSE.
- Loss of 120V Instrument Bus VBN-PNL01B1 "locked-up" the feedwaterregulating valves in the 100% power position resulting in a high RPV water level trip of all feedwater pumps immediately following the reactor trip.
LER 458/04-005-01 4This was simulated by adding basic event FWLCS-OVERFILL (set to TRUE) tothe main feedwater and RCIC fault tree models as described in Figure B-1 ofAppendix B.
- In the event that all other makeup sources were unavailable, emergencyRPV makeup could be provided by restarting one of the electric motor driven feedwater pumps and cycling them on/off as needed to maintain water level. This is modeled by incorporation of a base event for non-recovery of the feedwater system: MFW-XHE-RESTART as shown in Figure B-1 ofAppendix B.
- The RCIC system, initially started by the operators to control post-trip RPVwater level, automatically tripped after 11 seconds due to high RPV water level and operators did not restart it out of concerns of water in the steam lines. This was simulated by adding basic event FWLCS-OVERFILL (set toTRUE) to the RCIC fault tree model as described in Figure B-2 of Appendix B.
- Operators were concerned about the possibility of water in the RCIC steamline and were focused on avoiding damage to the RCIC steam turbine due to water induction. Because of this: after the RCIC tripped there was nointent to attempt restarting the RCIC. Operators were initially confused intheir response to the event due to the trip of the feedwater pumps and RCICpump on high level, the offscale high RPV water on the narrow and wide range level indicators and the offscale low RPV water level on the upset range level indicators. The additional alarm registered for water in the RCIC turbine exhaust moisture trap would only serve to increase concerns about water induction.
Because of this, recovery of RCIC is not considered in the analysis
.*The High Pressure Core Spray (HPCS) was manually started to maintainpost-trip RPV water level. In the event operators failed to start HPCS as RPVwater levels trended lower, the HPCS would automatically start on low RPV levelbased on one out of two taken twice coincidence logic (Section 6.3.2.2.1,Reference 4). The HPCS auto-start logic is not modeled in the current SPAR model but its operation is critical in a situation where operators are confused about actual RPV water levels. Because specific details on the design of the logic are not presented in the updated FSAR (Reference 4) an assumption is made that the logic has a failure probability of no worse than 1E-3. This ismodeled by incorporation of basic event HPCS-LOGIC-FAILURE into the HPCSfault tree as is shown in Figure B-3 of Appendix B. Sensitivity studies wereperformed on the effects of alternate basic event probabilities and the 1E-3failure probability is judged to be reasonable for periodically tested safety-gradeinstrumentation.
- Throughout the event, RPV pressure control/decay heat removal wasprovided by steam bypass to the main condenser. (Reference 1,2) Becauseof this, there were no actual challenges to the safety/relief valves (SRVs). Had LER 458/04-005-01 5RPV water level trends resulted in MSIV operation, the SRVs would have cycledand discharged steam to the suppression pool. The operators when they started HPCS additionally started suppression pool cooling (RHR) as a precaution -although it was not necessary.
- Fault Tree ModificationsThe following basic events were added to the SPAR model:
- Basic Event FWLCS-OVERFILL was added to both the main feedwater fault tree(Figure B-1 of Appendix B) and RCIC fault tree (Figure B-2 of Appendix B) tosimulate the effects of the locked-up feedwater regulating valves which caused the tripping of both the main feedwater pumps and the RCIC on high RPV level.*Basic Event MFW-XHE-RESTART was added to the main feedwater fault tree(Figure B-1 of Appendix B) to simulate the possibility of operators manuallyrestarting a feedwater pump to provide emergency RPV makeup. This basicevent is subsequently replaced via Sequence Cutset Recovery Rules described in Appendix C.*The failure of RPV water level functional recovery is modeled as a single basicevent: RPV-XHE-LEVEL. RPV water level recovery can be accomplished byeither restarting a motor driven feedwater pump, starting HPCS, or by manuallydepressurizing the RPV and injecting water from either: the condensate pumps, the low presure core spray pumps (LPCS), or the low pressure coolant injection (LPCI or RHR) pumps. The pr obability of operators failing RPV functional waterlevel recovery is treated by sequence cutset recovery rules documented inAppendix C. The probability of basic event RPV-XHE-LEVEL is developed in theHuman Reliability in Appendix D.*Basic Event HPCS-LOGIC-FAILURE was added to the HPCS fault tree (FigureB-3 of Appendix B) to simulate the automatic start capability of the HPCS givensensed one of two - taken twice - low RPV level signals. The base case SPAR Model (Reference 3), as a simplification does not model the automatic start capability of HPCS. In many cases this c apability is not significant tounderstanding the risk of operating events. For situations where both feedwaterand RCIC have tripped due to high level trips and the level instrumentation is providing contradictory indications to operators, the automatics start capability ofHPCS must be incorporated into the assessment in order to properly characterize the risk.
!Basic Event Probability ChangesTable 4 provides all the basic events that were modified to reflect the best estimate ofthe conditions during the event. IE-TRANS is set TRUE, and all other initiating events LER 458/04-005-01 6are set FALSE. No other changes were made to Base Case SPAR basic eventprobabilities.!SPAR Model CorrectionsThe base case River Bend SPAR model Revision 3.11 was based upon a simplificationthat feedwater and main condenser are treated as one event tree decision node and that the failure of either system fails both. This simplification does not properlyrepresent actual BWR emergency operating procedures in which feedwater can be used for makeup despite loss of the main condenser, or the use of RCIC or HPCS as a makeup source when the feedwater system has failed and the main condenser is beingused for decay heat removal/RPV pressure control. INEL personnel were contacted to make a modification to the general plant transient event tree. This resulted in River Bend SPAR Model 3.12 (Reference 3).
!Sensitivity AnalysesSensitivity analyses were performed to determine the effects of data and modeling uncertaintieson the CCDP point estimate result which is treated as the base case. To assess data uncertainties, an Importance Analysis using Fussel-Vesely and Risk Increase Ratio importance measures was conducted to identify the most sensitive parameters. The Fussel-Vesely importance measure ranks basic events according to the weight of the cutsets in which theyappear. The Risk Increase Ratio Importance identifies those parameters which if they vary from the current value to 1.0 (failed) cause the largest increase in CCDP. This analysisidentified that the CCDP is particularly sensitive to the following basic events:HPCS-LOGIC-FAILUREHPCS actuation logic failure1.0E-003RPV-XHE-LEVELFailure of Operators to restore RPV level2.5E-003HCS-MDP-TM-TRAIN HPCS Pump test/maintenance unavailability 7.0E-003HCS-MDP-FS-HPCSHPCS Pump fails to start1.5E-003The HPCS logic failure probability (1.0E-3) is recognized as a modeling assumption used in lieuof creating a detailed fault tree model. The documentation on the logic design for River Bend Station is not available to support such model development. To evaluate the effects of this modeling assumption, a parametric study bound the entire range of possible failure probabilities(e.g., 0.0 - 1.0) was performed. The results of this sensitivity study are shown graphically in Figure 2. Figure 2 shows that as the failure probability of the logic becomes less than 1E-3, ithas no effect on the results. This is because for values smaller than this, other faults dominate the overall failure probability of HPCS (e.g., failure to start, test/maintenance unavailability, andfailure to run, etc.). The likelihood that the actual HPCS logic failure probability is larger thanthe assumed value (e.g., 1.0E-3) is considered remote because of the following considerations:
the logic is safety grade, "one out of two taken twice" redundant, and is subject to periodic surveillance and technical specification operability requirements.The other base events failure probabilities are developed in the SPAR model documentation(Reference 3) or in the Human Reliability Assessment in Appendix D based on the SPAR-H LER 458/04-005-01 7Process. The following table provides the results of the parameter sensitivity analyses and howthe resultant CCDP changed from the base case value of 5.4 x 10
-6 as a result of singleparameter changes. In all cases, the base case values were increased by a factor of x 5.0 which is considered to be a maximum upper bound value.SensitivityStudyModificationCCDP 1 1RPV-XHE-LEVEL (Failure of Operators to restoreRPV level) failure probability increased by x 5.02.6 x 10-4 2HCS-MDP-TM-TRAIN (HPCS Pumptest/maintenance unavailability) unavailabilityincreased by x 5.01.2 x 10-4 3HCS-MDP-FS-HPCS (HPCS Pump fails to start)failure probability increased by x 5.06.9 x 10-5Note 1: CCDP sensitivity study calculations are based on point estimate values.The conclusion from these sensitivity studies is that relatively large changes in the mostsensitive base event probability values results in effects that are within the 90% bounds.
LER 458/04-005-01 8References 1.David N. Norfing (Entergy), "Unplanned Automatic SCRAM Due to Loss of Non-Vital120V Instrument Bus", LER 458/04-005-01, issued June 22,2005, ML051790232.2.David N. Graves (USNRC) to Paul D. Hinnenkamp (Entergy), "River Bend Station - NRCIntegrated Inspection Report 05000458/2004005, issued February 14, 2005, ML050450486.3.Robert Buell and John Schroeder (INEL), "Standardized Plant Analysis Risk Model forRiver Bend (ASP BWR C)" Revision 3.12, issued August 24, 2005.4.Entergy,"River Bend Station Updated Safety Analysis Report", Revision 17, issuedAugust 27, 2000.
LER 458/04-005-01 9Figure 1. River Bend Station 120V Non-Vital Instrument Bus LER 458/04-005-01 10Figure 2. Results of CCDP Sensitivity Study on HPCS Logic FailureProbability LER 458/04-005-01 11Table 1. Conditional core damage probabilities of dominating sequences.Event treenameSequence no.CCDP 1ContributionTRAN562.7 x 10
-5 99%Total (all sequences) 2 2.7 x 10-5 100%1. Values are point estimates.2. Total CCDP includes all sequences (including those not shown in this table)
.Table 2a. Event tree sequence logic for dominant sequence.Event treenameSequence no.Logic("/" denotes success; see Table 2b for top event names)TRAN56/RPS/SRVMFWHCSRCIDEPTable 2b. Definitions of top events listed in Table 2a.Top EventDefinitionRPSREACTOR SHUTDOWN FAILS SRVONE OR MORE SRVS FAIL TO CLOSEHCSHPCS FAILS TO PROVIDE SUFFICIENT FLOW TO RX VESSELMFWMAIN FEEDWATERRCIREACTOR CORE ISOLATION COOLINGDEPMANUAL DEPRESSURIZATION FAILS LER 458/04-005-01 12Table 3a. Conditional cut sets for the dominant sequences.
CCDPPercentContributionMinimum Cut Sets (of basic events)Event Tree: TRAN Sequence 561.8E-00565.03HCS-MDP-TM-TRAINRPV-XHE-LEVEL3.8E-00613.94HCS-MDP-FS-HPCSRPV-XHE-LEVEL 2.5E-0069.29HCS-MOV-CC-INJECRPV-XHE-LEVEL 1.5E-0065.57HCS-MOV-FT-SUCTRRPV-XHE-LEVEL 1.3E-0064.78HCS-MDP-FR-HPCSRPV-XHE-LEVEL 2.7 x 10-599%Total (all cutsets)
- 11. Total Importance includes all cutsets (including those not shown in this table).Table 4. Definitions and probabilities for modified and dominant basic events.Event NameDescriptionProbability/Frequency(per year)ModifiedHCS-MDP-FR-HPCSHPCS PUMP FAILS TO RUN5.2E-004HCS-MDP-FS-HPCSHPCS PUMP FAILS TO START1.5E-003HCS-MDP-TM-TRAINHPCS IS UNAVAILABLE BECAUSE OFMAINTENANCE7.0E-003HCS-MOV-CC-INJECHPCS INJECTION VALVE FAILS TO OPEN1.0E-003HCS-MOV-FT-SUCTRHPCS SUCTION TRANSFER FAILS6.0E-004HCS-XHE-XM-RCOOLOPERATOR FAILS TO ESTABLISH ROOMCOOLING WITH1.0E-003HPCS-LOGIC-FAILUREFAILURE OF HPCS 1/2 TAKEN TWICE AUTOSTART LOG1.0E-003YES(1)IE-IORVINADVERTENT/STUCK OPEN RELI1.5E-002 +0.0E+000FALSEYESIE-ISL-RHRISLOCA IE 2-MOV RHR interfac1.4E-007 +0.0E+000FALSEYESIE-LLOCALARGE LOCA3.0E-005 +0.0E+000FALSEYESIE-LOCHSLOSS OF CONDENSER HEAT SINK2.0E-001 +0.0E+000FALSEYES LER 458/04-005-01Event NameDescriptionProbability/Frequency(per year)Modified 13IE-LOIALOSS OF INSTRUMENT AIR6.0E-003 +0.0E+000FALSEYESIE-LOMFWLOSS OF FEEDWATER1.0E-001 +0.0E+000FALSEYESIE-LOOPLOSS OF OFFSITE POWER0FALSEYESIE-MLOCAMEDIUM LOCA4.0E-005 +0.0E+000FALSEYESIE-SLOCASMALL LOCA4.0E-004 +0.0E+000FALSEYESIE-TDCBLOSS OF VITAL DC BUS2.5E-003 +0.0E+000FALSEYESIE-TMVBLOSS OF VITAL MEDIUM VOLTAGE4.0E-002 +0.0E+000FALSEYESIE-TRANSGENERAL PLANT TRANSIENT8.0E-001 1.0E+000TRUEYESIE-TSWSLOSS OF SERVICE WATER4.0E-004 +0.0E+000FALSEIE-XLOCAEXCESSIVE LOCA (VESSEL RUPTU1.0E-007 +0.0E+000FALSERPV-XHE-LEVEL OPERATORS FAIL TO CONTROL RPV LEVEL (2)NOTES:1. Value is a conservative estimate of HPCS logic performance
- 2. Value is based on Human Reliability Analysis - See Appendix D.
LER 458/04-005-01Appendix AEvent Tree ModelsShowing Dominant Sequences LER 458/04-005-01 15Figure A-1. Transient Event Tree Showing Dominant Sequence LER 458/04-005-01Appendix BFault Tree Models Showing Changes LER 458/04-005-01 17Figure B-1. Feedwater Fault Tree ShowingModifications LER 458/04-005-01 18Figure B-2. RCIC Fault Tree Showing Modifications LER 458/04-005-01 19Figure B-3. HPCS Fault Tree Showing Modifications LER 458/04-005-01Appendix CModifications to SPAR Sequence CutsetRecovery Rules LER 458/04-005-01 21ll TECH SPEC SECTION
l l The following rule removes maintenance combinations prohibited by Tech Specs. The logic l was generated using the ME-TECHSPECS fault tree. Cutset removal using the rules here is l much faster than using ME-TECHSPECS as a mutually exclusive top event.
l if (SSW-MDP-TM-TRND
- SSW-MDP-TM-TRNA +
SSW-MDP-TM-TRND
- SSW-MDP-TM-TRNB +
SSW-MDP-TM-TRNA
- SSW-MDP-TM-TRNB +
SSW-MDP-TM-TRND
- SSW-MDP-TM-TRNC +
SSW-MDP-TM-TRNA
- SSW-MDP-TM-TRNC +
SSW-MDP-TM-TRNB
- SSW-MDP-TM-TRNC +
LCS-MDP-TM-TRAIN
- SSW-MDP-TM-TRNC +
SSW-MDP-TM-TRNA
- RHR-MDP-TM-TRNB
- RHR-MDP-TM-TRNC +
SSW-MDP-TM-TRNA
- EPS-DGN-TM-DGB +
SSW-MDP-TM-TRNC
- RHR-MDP-TM-TRNB
- RHR-MDP-TM-TRNC +
SSW-MDP-TM-TRNC
- EPS-DGN-TM-DGB +SSW-MDP-TM-TRND
- RHR-MDP-TM-TRNA +
SSW-MDP-TM-TRNB
- RHR-MDP-TM-TRNA +
RHR-MDP-TM-TRNA
- RHR-MDP-TM-TRNB
- RHR-MDP-TM-TRNC +
RHR-MDP-TM-TRNA
- EPS-DGN-TM-DGB +SSW-MDP-TM-TRND
- EPS-DGN-TM-DGA +SSW-MDP-TM-TRNB
- EPS-DGN-TM-DGA +
RHR-MDP-TM-TRNB
- RHR-MDP-TM-TRNC
- EPS-DGN-TM-DGA +EPS-DGN-TM-DGA
- EPS-DGN-TM-DGB +
LCS-MDP-TM-TRAIN
- SSW-MDP-TM-TRNA
- RHR-MDP-TM-TRNB +
LCS-MDP-TM-TRAIN
- RHR-MDP-TM-TRNA
- RHR-MDP-TM-TRNB +
LCS-MDP-TM-TRAIN
- RHR-MDP-TM-TRNB
- EPS-DGN-TM-DGA +LCS-MDP-TM-TRAIN
- SSW-MDP-TM-TRNA
- RHR-MDP-TM-TRNC +
LCS-MDP-TM-TRAIN
- RHR-MDP-TM-TRNA
- RHR-MDP-TM-TRNC +
LCS-MDP-TM-TRAIN
- RHR-MDP-TM-TRNC
- EPS-DGN-TM-DGA +SSW-MDP-TM-TRND
- LCS-MDP-TM-TRAIN +
LCS-MDP-TM-TRAIN
- SSW-MDP-TM-TRNB +
LCS-MDP-TM-TRAIN
- RHR-MDP-TM-TRNB
- RHR-MDP-TM-TRNC +
LCS-MDP-TM-TRAIN
- EPS-DGN-TM-DGB +
RCI-TDP-TM-TRAIN
- SSW-MDP-TM-TRNC +
CCS-ACX-TM-FANA
- CCS-ACX-TM-FANB +
CCS-ACX-TM-FANA
- CCS-ACX-TM-FANC +
CCS-ACX-TM-FANB
- CCS-ACX-TM-FANC +
FWS-EDP-TM-TRNA
- FWS-EDP-TM-TRNB +
SLC-MDP-TM-TRNA
- SLC-MDP-TM-TRNB +
SLC-EPV-TM-TRNA
- SLC-EPV-TM-TRNB +
LCS-MDP-TM-TRAIN
- EPS-DGN-TM-DGC +
LCS-MDP-TM-TRAIN
- HCS-MDP-TM-TRAIN +
RCI-TDP-TM-TRAIN
- EPS-DGN-TM-DGC +
LER 458/04-005-01 22RCI-TDP-TM-TRAIN
- HCS-MDP-TM-TRAIN ) then DeleteRoot; endifll HEP DEPENDENCY RULES SECTION -----------------------------------------
lll High Pressure Injection
lzRCI = RCI-XHE-XO-ERROR;zHCS = HCS-XHE-XO-ERROR;if zRCI
- zHCS then DeleteEvent = HCS-XHE-XO-ERROR; AddEvent = HCS-XHE-XO-ERROR1; endifll Early Low-Pressure Injection
lzCDS = CDS-XHE-XO-ERROR;zVA = OPR-XHE-XM-ALPI;if zCDS
- zVA then DeleteEvent = OPR-XHE-XM-ALPI; AddEvent = OPR-XHE-XM-ALPI4; endifll Residual Heat Removal/Venting
ll No dependent event substitutions required.
ll Late Low-Pressure Injection
lzCRD = CRD-XHE-XM-VLVS + CRD-XHE-XM-PUMP;zVA1 = OPR-XHE-XM-ALPI1; zVA2 = OPR-XHE-XM-ALPI2; LER 458/04-005-01 23if zCRD
- zVA1 then DeleteEvent = OPR-XHE-XM-ALPI1; AddEvent = OPR-XHE-XM-ALPI5; elsif zCRD
- zVA2 then DeleteEvent = OPR-XHE-XM-ALPI2; AddEvent = OPR-XHE-XM-ALPI6; elsif zCDS
- zVA2 then DeleteEvent = OPR-XHE-XM-ALPI2; AddEvent = OPR-XHE-XM-ALPI7; endif LER 458/04-005-01Appendix DHuman Reliability Analysis LER 458/04-005-01Reviewer:____________________HRA Worksheets for At-PowerSPAR HUMAN ERROR WORKSHEETPlant: River BendInitiating Event: IE-TRANS Basic Event: RPV-XHE-LEVELEvent Coder: ______John Bickel
___________________Basic Event Context: Failure to Restore, Maintain post-trip RPV water level using somecombination of feedwater, RCIC, HPCS - or - manual depressurization and use of: LPCS, LPCI,or condensate pumpsBasic Event
Description:
Failure to Restore, Maintain post-trip RPV water levelDoes this task contain a significant amount of diagnosis activity? YES (start with Part I -Diagnosis) NO (skip Part I - Diagnosis; start with Part II - Action) Why?
PART I. EVALUATE EACH PSF FOR DIAGNOSISA. Evaluate PSFs for the Diagnosis Portion of the Task, if any.
LER 458/04-005-01Reviewer:____________________PSFsPSF LevelsMultiplier forDiagnosisPlease note specific reasons forPSF level selection in this column.AvailableTimeInadequate timeP(failure) = 1.0From a condition of high RPVwater level, there is substantialadditional time for the operators tomake a decision on restoringwater level and selecting thepumps to accomplish the intent ofthe procedures.Barely adequate time (2/3 x nominal)10Nominal time1Extra time (between 1 and 2 x nominal and >than 30 min)0.1Expansive time (> 2 x nominal and > 30 min)0.01Insufficient information1Stress/StressorsExtreme5High2Nominal 1Insufficient Information1ComplexityHighly complex5Moderately complex2Nominal 1Obvious diagnosis0.1Insufficient information1Experience/TrainingLow10Operators routinely drill on RPVlevel restoration procedure insimulator trainingNominal1High0.5Insufficient information1ProceduresNot available50RPV level restoration procedure isbased on BWROG emergencyprocedure guidelines which aresymptom oriented.Incomplete20Available, but poor5Nominal1Diagnostic/symptom oriented0.5Insufficient information1 LER 458/04-005-01PSFsPSF LevelsMultiplier forDiagnosisPlease note specific reasons forPSF level selection in this column.Reviewer:____________________Ergonomics/HMIMissing/Misleading50The combination of off-scale highRPV level readings with failedoff-scale low RPV level readingscaused by the 120V instrumentbus loss contributed to someconfusion but operators wentahead with use of HPCS tomaintain RPV level based uponsymptoms.Poor 10Nominal1Good0.5Insufficient Information1Fitness forDutyUnfitP(failure) = 1.0Degraded Fitness5Nominal 1Insufficient information1WorkProcessesPoor2Nominal 1Good0.8Insufficient information1 LER 458/04-005-01Reviewer:____________________Plant: River BendInitiating Event: IE-TRANSBasic Event: RPV-XHE-LEVELEvent Coder:
Basic Event Context: Failure to Restore, Maintain post-trip RPV water level using somecombination of feedwater, RCIC, HPCS - or - manual depressurization and use of: LPCS, LPCI,or condensate pumpsBasic Event
Description:
Failure to Restore, Maintain post-trip RPV water level B. Calculate the Diagnosis Failure Probability.(1) If all PSF ratings are nominal, then the Diagnosis Failure Probability = 1.0E-2(2) Otherwise, the Diagnosis Failure Probability is: 1.0E-2 x Time x Stress or Stressors xComplexity x Experience or Training x Procedures x Ergonomics or HMI x Fitness for Duty x ProcessesDiagnosis: 1.0E-2 x 0.1_ x _1.0_ x 1.0_ x _0.5_ x 0.5_ x 10_ x 1.0 x 1.0_ =C. Calculate the Adjustment Factor IF Negative Multiple (> 3) PSFs arePresent.When 3 or more negative PSF influences are present, in lieu of the equation above, you mustcompute a composite PSF score used in conjunction with the adjustment factor. Negative PSFs are present anytime a multiplier greater than 1 is selected. The Nominal HEP (NHEP) is 1.0E-2 for Diagnosis. The composite PSF score is computed by multiplying all the assigned PSF values. Then the adjustment factor below is applied to compute the HEP:HEPNHEPPSFNHEPPSFcompositecomposite=+..()11Diagnosis HEP with Adjustment Factor = D. Record Final Diagnosis HEP.
If no adjustment factor was applied, record the value from Part B as your final diagnosis HEP. If an adjustment factor was applied, record the value from Part C.Final Diagnosis HEP = 2.5E-3N/A1.25E-2 LER 458/04-005-01Reviewer:____________________Plant: River BendInitiating Event: IE-TRANSBasic Event: RPV-XHE-LEVELEvent Coder: John Bickel Basic Event Context: Failure to Restore, Maintain post-trip RPV water level using somecombination of feedwater, RCIC, HPCS - or - manual depressurization and use of: LPCS, LPCI,or condensate pumpsBasic Event
Description:
Failure to Restore, Maintain post-trip RPV water level PART II. EVALUATE EACH PSF FOR ACTIONA. Evaluate PSFs for the Action Portion of the Task, if any.PSFsPSF LevelsMultiplier forDiagnosisPlease note specific reasons forPSF level selection in this column.AvailableTimeInadequate timeP(failure) = 1.0The required actions: startingHPCS, a feedwater pump,depressurizing and starting LPCSor LPCI are relatively simple andquick to undertake once adecision has been reached to doso.Time available is the time required10Nominal time1Time available > 5x the time required0.1Time available is > 50x the time required0.01Insufficient information1Stress/StressorsExtreme5High2Nominal 1Insufficient Information1ComplexityHighly complex5Moderately complex2Nominal 1Insufficient information1Experience/TrainingLow3Operators regularly drill on RPVlevel restoration post-trip.Nominal1High0.5Insufficient information1 LER 458/04-005-01PSFsPSF LevelsMultiplier forDiagnosisPlease note specific reasons forPSF level selection in this column.Reviewer:____________________ProceduresNot available50Incomplete20Available, but poor5Nominal 1Insufficient information1Ergonomics/HMIMissing/Misleading50Poor10Nominal 1Good0.5Insufficient Information1Fitness forDutyUnfitP(failure) = 1.0Degraded Fitness5Nominal 1Insufficient information1WorkProcessesPoor5Nominal 1Good0.5Insufficient information1 LER 458/04-005-01Reviewer:____________________Plant: River BendInitiating Event: IE-TRANS Basic Event: RPV-XHE-LEVELEvent Coder:
Basic Event Context: Failure to Restore, Maintain post-trip RPV water level using somecombination of feedwater, RCIC, HPCS - or - manual depressurization and use of: LPCS, LPCI,or condensate pumpsBasic Event
Description:
Failure to Restore, Maintain post-trip RPV water level B. Calculate the Action Failure Probability.(1) If all PSF ratings are nominal, then the Action Failure Probability = 1.0E-3(2) Otherwise, the Action Failure Probability is: 1.0E-3 x Time x Stress or Stressors xComplexity x Experience or Training x Procedures x Ergonomics or HMI x Fitness for Duty x ProcessesAction: 1.0E-3 x 0.01 x 1.0_ x 1.0 x 0.5_ x 1.0_ x 1.0 x 1.0 x _1.0_ =C. Calculate the Adjustment Factor IF Negative Multiple (> 3) PSFs arePresent.When 3 or more negative PSF influences are present, in lieu of the equation above, you mustcompute a composite PSF score used in conjunction with the adjustment factor. Negative PSFs are present anytime a multiplier greater than 1 is selected. The Nominal HEP (NHEP) is 1.0E-3 for Action. The composite PSF score is computed by multiplying all the assigned PSF values. Then the adjustment factor below is applied to compute the HEP:Action HEP with Adjustment Factor = D. Record Final Action HEP.
If no adjustment factor was applied, record the value from Part B as your final action HEP. If anadjustment factor was applied, record the value from Part C.Final Action HEP = 5.0E-6HEPNHEPPSFNHEPPSFcompositecomposite=+..()11N/A5.0E-6 LER 458/04-005-01Reviewer:____________________Plant: River BendInitiating Event: IE-TRANSBasic Event: RPV-XHE-LEVELEvent Coder:
Basic Event Context: Failure to Restore, Maintain post-trip RPV water level using somecombination of feedwater, RCIC, HPCS - or - manual depressurization and use of: LPCS, LPCI,or condensate pumpsBasic Event
Description:
Failure to Restore, Maintain post-trip RPV water level PART III. CALCULATE TASK FAILURE PROBABILITY WITHOUT FORMAL DEPENDENCE (PW/OD)Calculate the Task Failure Probability Without Formal Dependence (Pw/od) by adding theDiagnosis Failure Probability from Part I and the Action Failure Probability from Part II. Ininstances where an action is required without a diagnosis and there is no dependency, then this step is omitted.
Pw/od = Diagnosis HEP 2.5E-3 + Action HEP 5.0E-6_
= Part IV. DEPENDENCYFor all tasks, except the first task in t he sequence, use the table and formulae below tocalculate the Task Failure Probability With Formal Dependence (Pw/d).If there is a reason why failure on previous tasks should not be considered, such as it isimpossible to take the current action unless the previous action has been properly performed, explain here:
2.5E-3 LER 458/04-005-01ConditionNumberCrew(same ordifferent)Time (closein time ornot close intime)Location(same ordifferent)Cues(additional or noadditional)DependencyNumber of Human Action Failures Rule - Not Applicable. Why? 1scsnacompleteWhen considering recovery in a seriese.g., 2 nd , 3 rd, or 4 th checkerIf this error is the 3 rd error in thesequence, then the dependency is atlease moderate.If this error is the 4 th error in thesequence, then the dependency is atleast high.2acomplete3dnahigh4ahigh5ncsnahigh6amoderate7dnamoderate8alow9dcsnamoderate10amoderate11dnamoderate12amoderate13ncsnalow14alow15dnalow16alow17zeroUsing Pw/od = Probability of Task failure Without Formal Dependence (calculated in Part III):For Complete Dependence the probability failure is 1.For High Dependence the probability of failure is (1+ Pw/od/2)For Moderate Dependence the probability of failure is (1+6 x Pw/od)/7For Low Dependence the probability of failure is (1+19 x Pw/od)/20For Zero Dependence the probability of failure is Pw/odCalculate Pw/d using the appropriate values:
Pw/d = (1 + (
- ))/
=